STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← AC-3 (4) — Access Enforcement

CCI-002165

Definition

Enforce organization-defined discretionary access control policies over defined subjects and objects.

Parent Control

AC-3 (4)Access EnforcementAccess Control

Linked STIG Checks (155)

V-274013CAT IIAmazon Linux 2023 must not be configured to bypass password requirements for privilege escalation.Amazon Linux 2023 Security Technical Implementation Guide V-274151CAT IIAmazon Linux 2023 must restrict the use of the "su" command.Amazon Linux 2023 Security Technical Implementation Guide V-274169CAT IIAmazon Linux 2023 must enable discretionary access control on hardlinks.Amazon Linux 2023 Security Technical Implementation Guide V-274170CAT IIAmazon Linux 2023 must enable kernel parameters to enforce discretionary access control on symlinks.Amazon Linux 2023 Security Technical Implementation Guide V-222426CAT IIThe application must enforce organization-defined discretionary access control policies over defined subjects and objects.Application Security and Development Security Technical Implementation Guide V-276005CAT IIAx-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.Axonius Federal Systems Ax-OS Security Technical Implementation Guide V-219322CAT IIIPam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238360CAT IIThe Ubuntu operating system must be configured to use AppArmor.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260556CAT IIUbuntu 22.04 LTS must have the "apparmor" package installed.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270659CAT IIUbuntu 24.04 LTS must have AppArmor installed.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-269363CAT IIAlmaLinux OS 9 must restrict the use of the "su" command.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233530CAT IIPostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.Crunchy Data PostgreSQL Security Technical Implementation Guide V-261914CAT IIPostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.Crunchy Data Postgres 16 Security Technical Implementation Guide V-206585CAT IIThe DBMS must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.Database Security Requirements Guide V-235781CAT IIA policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-235782CAT IIA policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-224191CAT IIEDB Postgres Advanced Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide V-259272CAT IIThe EDB Postgres Advanced Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide V-203692CAT IIThe operating system must allow operating system admins to pass information to any other operating system admin or user.General Purpose Operating System Security Requirements Guide V-203693CAT IIThe operating system must allow operating system admins to grant their privileges to other operating system admins.General Purpose Operating System Security Requirements Guide V-203694CAT IIThe operating system must allow operating system admins to change security attributes on users, the operating system, or the operating systems components.General Purpose Operating System Security Requirements Guide V-217460CAT IIIf the HP FlexFabric Switch uses discretionary access control, the HP FlexFabric Switch must enforce organization-defined discretionary access control policies over defined subjects and objects.HP FlexFabric Switch NDM Security Technical Implementation Guide V-215333CAT IIAIX must use Trusted Execution (TE) Check policy.IBM AIX 7.x Security Technical Implementation Guide V-215400CAT IIAIX must allow admins to send a message to all the users who logged in currently.IBM AIX 7.x Security Technical Implementation Guide V-215401CAT IIAIX must allow admins to send a message to a user who logged in currently.IBM AIX 7.x Security Technical Implementation Guide V-215404CAT IIAIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.IBM AIX 7.x Security Technical Implementation Guide V-252571CAT IIThe IBM Aspera Console private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252572CAT IIThe IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252573CAT IIThe IBM Aspera Console private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252576CAT IIThe IBM Aspera Faspex private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252593CAT IIThe IBM Aspera Faspex private/secret cryptographic keys file must be group-owned by faspex to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252594CAT IIThe IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252610CAT IIThe IBM Aspera Shares private/secret cryptographic keys file must be group-owned by nobody to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252611CAT IIThe IBM Aspera Shares private/secret cryptographic keys file must be owned by nobody to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252612CAT IIThe IBM Aspera Shares private/secret cryptographic keys file must have a mode of 0400 or less permissive to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252646CAT IIThe IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252647CAT IIThe IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252648CAT IIThe IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-65135CAT IIIf the DataPower Gateway uses discretionary access control, the DataPower Gateway must enforce organization-defined discretionary access control policies over defined subjects and objects.IBM DataPower Network Device Management Security Technical Implementation Guide V-213921CAT IIISQL Server must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.MS SQL Server 2016 Database Security Technical Implementation Guide V-205543CAT IIThe Mainframe Product must enforce organization-defined discretionary access control policies over defined subjects and objects.Mainframe Product Security Requirements Guide V-253722CAT IIMariaDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects, and objects.MariaDB Enterprise 10.x Security Technical Implementation Guide V-255316CAT IIAzure SQL Database must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.Microsoft Azure SQL Database Security Technical Implementation Guide V-276232CAT IIAzure SQL Managed Instance must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.Microsoft Azure SQL Managed Instance Security Technical Implementation Guide V-271186CAT IISQL Server must enforce discretionary access control (DAC) policies, as defined by the data owner, over defined subjects and objects.Microsoft SQL Server 2022 Database Security Technical Implementation Guide V-220717CAT IIPermissions for system files and directories must conform to minimum requirements.Microsoft Windows 10 Security Technical Implementation Guide V-253269CAT IOnly accounts responsible for the administration of a system must have Administrator rights on the system.Microsoft Windows 11 Security Technical Implementation Guide V-253271CAT IIOnly authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems.Microsoft Windows 11 Security Technical Implementation Guide V-253274CAT IIPermissions for system files and directories must conform to minimum requirements.Microsoft Windows 11 Security Technical Implementation Guide V-224832CAT IIPermissions for the system drive root directory (usually C:\) must conform to minimum requirements.Microsoft Windows Server 2016 Security Technical Implementation Guide V-224833CAT IIPermissions for program file directories must conform to minimum requirements.Microsoft Windows Server 2016 Security Technical Implementation Guide V-224834CAT IIPermissions for the Windows installation directory must conform to minimum requirements.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205734CAT IIWindows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205735CAT IIWindows Server 2019 permissions for program file directories must conform to minimum requirements.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205736CAT IIWindows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254251CAT IIWindows Server 2022 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254252CAT IIWindows Server 2022 permissions for program file directories must conform to minimum requirements.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254253CAT IIWindows Server 2022 permissions for the Windows installation directory must conform to minimum requirements.Microsoft Windows Server 2022 Security Technical Implementation Guide V-277998CAT IIWindows Server 2025 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.Microsoft Windows Server 2025 Security Technical Implementation Guide V-277999CAT IIWindows Server 2025 permissions for program file directories must conform to minimum requirements.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278000CAT IIWindows Server 2025 permissions for the Windows installation directory must conform to minimum requirements.Microsoft Windows Server 2025 Security Technical Implementation Guide V-221186CAT IIMongoDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide V-252145CAT IIMongoDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide V-265935CAT IIMongoDB must enforce discretionary access control (DAC) policies, as defined by the data owner, over defined subjects and objects.MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide V-279372CAT IIMongoDB must enforce Discretionary Access Control (DAC) policies, as defined by the data owner, over defined subjects and objects.MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide V-202091CAT IIIf the network device uses discretionary access control, the network device must enforce organization-defined discretionary access control policies over defined subjects and objects.Network Device Management Security Requirements Guide V-254129CAT IINutanix AOS must enforce discretionary access control on symlinks and hardlinks.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279543CAT IINutanix OS must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279544CAT IINutanix OS must enable kernel parameters to enforce discretionary access control on symlinks.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279585CAT IINutanix OS must limit the ability of nonprivileged users to grant other users direct access to the contents of their home directories/folders.Nutanix Acropolis GPOS Security Technical Implementation Guide V-238438CAT IIThe DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and includes or excludes access to the granularity of a single user.Oracle Database 11.2g Security Technical Implementation Guide V-238450CAT IIDatabases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.Oracle Database 11.2g Security Technical Implementation Guide V-238451CAT IIA DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.Oracle Database 11.2g Security Technical Implementation Guide V-237703CAT IIThe DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user.Oracle Database 12c Security Technical Implementation Guide V-237715CAT IIDatabases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.Oracle Database 12c Security Technical Implementation Guide V-237716CAT IIA DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.Oracle Database 12c Security Technical Implementation Guide V-221707CAT IIThe Oracle Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.Oracle Linux 7 Security Technical Implementation Guide V-221716CAT IIThe Oracle Linux operating system must enable SELinux.Oracle Linux 7 Security Technical Implementation Guide V-228570CAT IIThe Oracle Linux operating system must enable the SELinux targeted policy.Oracle Linux 7 Security Technical Implementation Guide V-250309CAT IIThe Oracle Linux operating system must confine SELinux users to roles that conform to least privilege.Oracle Linux 7 Security Technical Implementation Guide V-250310CAT IIThe Oracle Linux operating system must not allow privileged accounts to utilize SSH.Oracle Linux 7 Security Technical Implementation Guide V-250311CAT IIThe Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.Oracle Linux 7 Security Technical Implementation Guide V-248577CAT IIOL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks.Oracle Linux 8 Security Technical Implementation Guide V-248578CAT IIOL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks.Oracle Linux 8 Security Technical Implementation Guide V-271723CAT IIOL 9 must restrict the use of the su command.Oracle Linux 9 Security Technical Implementation Guide V-271740CAT IIOL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.Oracle Linux 9 Security Technical Implementation Guide V-271741CAT IIOL 9 must enable kernel parameters to enforce discretionary access control on symlinks.Oracle Linux 9 Security Technical Implementation Guide V-235179CAT IIThe MySQL Database Server 8.0 must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.Oracle MySQL 8.0 Security Technical Implementation Guide V-214067CAT IIPostgreSQL must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.PostgreSQL 9.x Security Technical Implementation Guide V-281205CAT IIRHEL 10 must restrict the use of the "su" command.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281309CAT IIRHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281310CAT IIRHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281320CAT IIRHEL 10 must disable acquiring, saving, and processing core dumps.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-204392CAT IThe Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204444CAT IIThe Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204453CAT IIThe Red Hat Enterprise Linux operating system must enable SELinux.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204454CAT IIThe Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204463CAT IIThe Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204464CAT IIThe Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-250312CAT IIThe Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-250313CAT IIThe Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-250314CAT IIThe Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-230267CAT IIRHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230268CAT IIRHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-257801CAT IIRHEL 9 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257802CAT IIRHEL 9 must enable kernel parameters to enforce discretionary access (DAC) control on symlinks.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258088CAT IIRHEL 9 must restrict the use of the "su" command.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-251186CAT IIRedis Enterprise DBMS must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.Redis Enterprise 6.x Security Technical Implementation Guide V-251187CAT IIRedis Enterprise DBMS must enforce access control lists, as defined by the data owner, over defined subjects and objects.Redis Enterprise 6.x Security Technical Implementation Guide V-261369CAT ISLEM 5 must use a Linux Security Module configured to enforce limits on system services.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217158CAT IIThe SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-217168CAT IIAll SUSE operating system files and directories must have a valid owner.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-217169CAT IIAll SUSE operating system files and directories must have a valid group owner.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-240980CAT IIControl of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.Tanium 7.0 Security Technical Implementation Guide V-240981CAT IIThe ability to uninstall the Tanium Client service must be disabled on all managed clients.Tanium 7.0 Security Technical Implementation Guide V-240982CAT IIThe permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.Tanium 7.0 Security Technical Implementation Guide V-241034CAT IIThe Tanium Server directory must be restricted with appropriate permissions.Tanium 7.0 Security Technical Implementation Guide V-241035CAT IIThe Tanium Server http directory and sub-directories must be restricted with appropriate permissions.Tanium 7.0 Security Technical Implementation Guide V-241036CAT IIThe permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.Tanium 7.0 Security Technical Implementation Guide V-241037CAT IIThe Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.Tanium 7.0 Security Technical Implementation Guide V-234039CAT IIControl of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.Tanium 7.3 Security Technical Implementation Guide V-234040CAT IIThe ability to uninstall the Tanium Client service must be disabled on all managed clients.Tanium 7.3 Security Technical Implementation Guide V-234041CAT IIThe permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.Tanium 7.3 Security Technical Implementation Guide V-234095CAT IIThe Tanium Server directory must be restricted with appropriate permissions.Tanium 7.3 Security Technical Implementation Guide V-234096CAT IIThe Tanium Server http directory and sub-directories must be restricted with appropriate permissions.Tanium 7.3 Security Technical Implementation Guide V-234097CAT IIThe permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.Tanium 7.3 Security Technical Implementation Guide V-234098CAT IIThe Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.Tanium 7.3 Security Technical Implementation Guide V-254930CAT IIControl of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-254931CAT IIThe ability to uninstall the Tanium Client service must be disabled on all managed clients.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-254932CAT IIThe permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-253809CAT IIControl of the Tanium Client service must be restricted to SYSTEM access only for all managed clients.Tanium 7.x Security Technical Implementation Guide V-253810CAT IIThe ability to uninstall the Tanium Client service must be disabled on all managed clients.Tanium 7.x Security Technical Implementation Guide V-253811CAT IIThe permissions on the Tanium Client directory must be restricted to only the SYSTEM account on all managed clients.Tanium 7.x Security Technical Implementation Guide V-253852CAT IIThe Tanium Server directory must be restricted with appropriate permissions.Tanium 7.x Security Technical Implementation Guide V-253853CAT IIThe Tanium Server http directory and subdirectories must be restricted with appropriate permissions.Tanium 7.x Security Technical Implementation Guide V-253854CAT IIThe permissions on the Tanium Server registry keys must be restricted to only the Tanium service account and the [Tanium Admins] group.Tanium 7.x Security Technical Implementation Guide V-253855CAT IIThe Tanium Server Logs and TDL_Logs directories must be restricted with appropriate permissions.Tanium 7.x Security Technical Implementation Guide V-253136CAT IITOSS must enable kernel parameters to enforce discretionary access control on symlinks.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-253137CAT IITOSS must enable kernel parameters to enforce discretionary access control on hardlinks.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282553CAT IITOSS 5 must enable kernel parameters to enforce discretionary access control on hardlinks.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282554CAT IITOSS 5 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-207441CAT IIThe VMM must implement discretionary access controls to allow VMM admins to pass information to any other VMM admin, user, or guest VM.Virtual Machine Manager Security Requirements Guide V-207442CAT IIThe VMM must implement discretionary access controls to allow VMM admins to grant their privileges to other VMM admins.Virtual Machine Manager Security Requirements Guide V-207443CAT IIThe VMM must implement discretionary access controls to allow VMM admins to change security attributes on users, guest VMs, the VMM, or the VMMs components.Virtual Machine Manager Security Requirements Guide V-207444CAT IIThe VMM must implement discretionary access controls to allow VMM admins to choose the security attributes to be associated with newly created or revised guest VMs.Virtual Machine Manager Security Requirements Guide V-73249CAT IIPermissions for the system drive root directory (usually C:\) must conform to minimum requirements.Windows Server 2016 Security Technical Implementation Guide V-73249CAT IIPermissions for the system drive root directory (usually C:\) must conform to minimum requirements.Windows Server 2016 Security Technical Implementation Guide V-73251CAT IIPermissions for program file directories must conform to minimum requirements.Windows Server 2016 Security Technical Implementation Guide V-73251CAT IIPermissions for program file directories must conform to minimum requirements.Windows Server 2016 Security Technical Implementation Guide V-73253CAT IIPermissions for the Windows installation directory must conform to minimum requirements.Windows Server 2016 Security Technical Implementation Guide V-73253CAT IIPermissions for the Windows installation directory must conform to minimum requirements.Windows Server 2016 Security Technical Implementation Guide V-93019CAT IIWindows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.Windows Server 2019 Security Technical Implementation Guide V-93021CAT IIWindows Server 2019 permissions for program file directories must conform to minimum requirements.Windows Server 2019 Security Technical Implementation Guide V-93023CAT IIWindows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.Windows Server 2019 Security Technical Implementation Guide V-269581CAT IIXylok Security Suite must not allow local user or groups.Xylok Security Suite 20.x Security Technical Implementation Guide