STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


Microsoft Windows 10 Security Technical Implementation Guide

Version: V2R9

Benchmark ID: MS_Windows_10_STIG

Total Checks: 260

Tags: windows

Severity breakdown: CAT I: 29, CAT II: 212, CAT III: 19

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (260)

  • V-220697 (MEDIUM) Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
  • V-220698 (MEDIUM) Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
  • V-220699 (MEDIUM) Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
  • V-220700 (LOW) Secure Boot must be enabled on Windows 10 systems.
  • V-220701 (MEDIUM) Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
  • V-220702 (HIGH) Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
  • V-220703 (HIGH) Windows 10 systems must use a BitLocker PIN for pre-boot authentication.
  • V-220704 (HIGH) Windows 10 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.
  • V-220705 (MEDIUM) The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • V-220706 (HIGH) Windows 10 systems must be maintained at a supported servicing level.
  • V-220707 (HIGH) The Windows 10 system must use an anti-virus program.
  • V-220708 (HIGH) Local volumes must be formatted using NTFS.
  • V-220709 (MEDIUM) Alternate operating systems must not be permitted on the same system.
  • V-220710 (MEDIUM) Non system-created file shares on a system must limit access to groups that require it.
  • V-220711 (LOW) Unused accounts must be disabled or removed from the system after 35 days of inactivity.
  • V-220712 (HIGH) Only accounts responsible for the administration of a system must have Administrator rights on the system.
  • V-220713 (MEDIUM) Only accounts responsible for the backup operations must be members of the Backup Operators group.
  • V-220714 (MEDIUM) Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.
  • V-220715 (LOW) Standard local user accounts must not exist on a system in a domain.
  • V-220716 (MEDIUM) Accounts must be configured to require password expiration.
  • V-220717 (MEDIUM) Permissions for system files and directories must conform to minimum requirements.
  • V-220718 (HIGH) Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
  • V-220719 (MEDIUM) Simple Network Management Protocol (SNMP) must not be installed on the system.
  • V-220720 (MEDIUM) Simple TCP/IP Services must not be installed on the system.
  • V-220721 (MEDIUM) The Telnet Client must not be installed on the system.
  • V-220722 (MEDIUM) The TFTP Client must not be installed on the system.
  • V-220723 (MEDIUM) Software certificate installation files must be removed from Windows 10.
  • V-220724 (MEDIUM) A host-based firewall must be installed and enabled on the system.
  • V-220725 (MEDIUM) Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.
  • V-220726 (HIGH) Data Execution Prevention (DEP) must be configured to at least OptOut.
  • V-220727 (HIGH) Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.
  • V-220728 (MEDIUM) The Windows PowerShell 2.0 feature must be disabled on the system.
  • V-220729 (MEDIUM) The Server Message Block (SMB) v1 protocol must be disabled on the system.
  • V-220730 (MEDIUM) The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
  • V-220731 (MEDIUM) The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
  • V-220732 (MEDIUM) The Secondary Logon service must be disabled on Windows 10.
  • V-220733 (MEDIUM) Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.
  • V-220734 (MEDIUM) Bluetooth must be turned off unless approved by the organization.
  • V-220735 (MEDIUM) Bluetooth must be turned off when not in use.
  • V-220736 (MEDIUM) The system must notify the user when a Bluetooth device attempts to connect.
  • V-220737 (HIGH) Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
  • V-220738 (MEDIUM) Windows 10 nonpersistent VM sessions must not exceed 24 hours.
  • V-220739 (MEDIUM) Windows 10 account lockout duration must be configured to 15 minutes or greater.
  • V-220740 (MEDIUM) The number of allowed bad logon attempts must be configured to 3 or less.
  • V-220741 (MEDIUM) The period of time before the bad logon counter is reset must be configured to 15 minutes.
  • V-220742 (MEDIUM) The password history must be configured to 24 passwords remembered.
  • V-220743 (MEDIUM) The maximum password age must be configured to 60 days or less.
  • V-220744 (MEDIUM) The minimum password age must be configured to at least 1 day.
  • V-220745 (MEDIUM) Passwords must, at a minimum, be 14 characters.
  • V-220746 (MEDIUM) The built-in Microsoft password complexity filter must be enabled.
  • V-220747 (HIGH) Reversible password encryption must be disabled.
  • V-220748 (MEDIUM) The system must be configured to audit Account Logon - Credential Validation failures.
  • V-220749 (MEDIUM) The system must be configured to audit Account Logon - Credential Validation successes.
  • V-220750 (MEDIUM) The system must be configured to audit Account Management - Security Group Management successes.
  • V-220751 (MEDIUM) The system must be configured to audit Account Management - User Account Management failures.
  • V-220752 (MEDIUM) The system must be configured to audit Account Management - User Account Management successes.
  • V-220753 (MEDIUM) The system must be configured to audit Detailed Tracking - PNP Activity successes.
  • V-220754 (MEDIUM) The system must be configured to audit Detailed Tracking - Process Creation successes.
  • V-220755 (MEDIUM) The system must be configured to audit Logon/Logoff - Account Lockout failures.
  • V-220756 (MEDIUM) The system must be configured to audit Logon/Logoff - Group Membership successes.
  • V-220757 (MEDIUM) The system must be configured to audit Logon/Logoff - Logoff successes.
  • V-220758 (MEDIUM) The system must be configured to audit Logon/Logoff - Logon failures.
  • V-220759 (MEDIUM) The system must be configured to audit Logon/Logoff - Logon successes.
  • V-220760 (MEDIUM) The system must be configured to audit Logon/Logoff - Special Logon successes.
  • V-220761 (MEDIUM) Windows 10 must be configured to audit Object Access - File Share failures.
  • V-220762 (MEDIUM) Windows 10 must be configured to audit Object Access - File Share successes.
  • V-220763 (MEDIUM) Windows 10 must be configured to audit Object Access - Other Object Access Events successes.
  • V-220764 (MEDIUM) Windows 10 must be configured to audit Object Access - Other Object Access Events failures.
  • V-220765 (MEDIUM) The system must be configured to audit Object Access - Removable Storage failures.
  • V-220766 (MEDIUM) The system must be configured to audit Object Access - Removable Storage successes.
  • V-220767 (MEDIUM) The system must be configured to audit Policy Change - Audit Policy Change successes.
  • V-220768 (MEDIUM) The system must be configured to audit Policy Change - Authentication Policy Change successes.
  • V-220769 (MEDIUM) The system must be configured to audit Policy Change - Authorization Policy Change successes.
  • V-220770 (MEDIUM) The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
  • V-220771 (MEDIUM) The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
  • V-220772 (MEDIUM) The system must be configured to audit System - IPSec Driver failures.
  • V-220773 (MEDIUM) The system must be configured to audit System - Other System Events successes.
  • V-220774 (MEDIUM) The system must be configured to audit System - Other System Events failures.
  • V-220775 (MEDIUM) The system must be configured to audit System - Security State Change successes.
  • V-220776 (MEDIUM) The system must be configured to audit System - Security System Extension successes.
  • V-220777 (MEDIUM) The system must be configured to audit System - System Integrity failures.
  • V-220778 (MEDIUM) The system must be configured to audit System - System Integrity successes.
  • V-220779 (MEDIUM) The Application event log size must be configured to 32768 KB or greater.
  • V-220780 (MEDIUM) The Security event log size must be configured to 1024000 KB or greater.
  • V-220781 (MEDIUM) The System event log size must be configured to 32768 KB or greater.
  • V-220782 (MEDIUM) Windows 10 permissions for the Application event log must prevent access by non-privileged accounts.
  • V-220783 (MEDIUM) Windows 10 permissions for the Security event log must prevent access by non-privileged accounts.
  • V-220784 (MEDIUM) Windows 10 permissions for the System event log must prevent access by non-privileged accounts.
  • V-220786 (MEDIUM) Windows 10 must be configured to audit Other Policy Change Events Failures.
  • V-220787 (MEDIUM) Windows 10 must be configured to audit other Logon/Logoff Events Successes.
  • V-220788 (MEDIUM) Windows 10 must be configured to audit other Logon/Logoff Events Failures.
  • V-220789 (MEDIUM) Windows 10 must be configured to audit Detailed File Share Failures.
  • V-220790 (MEDIUM) Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes.
  • V-220791 (MEDIUM) Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures.
  • V-220792 (MEDIUM) Camera access from the lock screen must be disabled.
  • V-220793 (MEDIUM) Windows 10 must cover or disable the built-in or attached camera when not in use.
  • V-220794 (MEDIUM) The display of slide shows on the lock screen must be disabled.
  • V-220795 (MEDIUM) IPv6 source routing must be configured to highest protection.
  • V-220796 (MEDIUM) The system must be configured to prevent IP source routing.
  • V-220797 (LOW) The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
  • V-220798 (LOW) The system must be configured to ignore NetBIOS name release requests except from WINS servers.
  • V-220799 (MEDIUM) Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
  • V-220800 (MEDIUM) WDigest Authentication must be disabled.
  • V-220801 (MEDIUM) Run as different user must be removed from context menus.
  • V-220802 (MEDIUM) Insecure logons to an SMB server must be disabled.
  • V-220803 (MEDIUM) Internet connection sharing must be disabled.
  • V-220805 (MEDIUM) Windows 10 must be configured to prioritize ECC Curves with longer key lengths first.
  • V-220806 (MEDIUM) Simultaneous connections to the internet or a Windows domain must be limited.
  • V-220807 (MEDIUM) Connections to non-domain networks when connected to a domain authenticated network must be blocked.
  • V-220808 (MEDIUM) Wi-Fi Sense must be disabled.
  • V-220809 (MEDIUM) Command line data must be included in process creation events.
  • V-220810 (MEDIUM) Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.
  • V-220811 (LOW) Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
  • V-220812 (HIGH) Credential Guard must be running on Windows 10 domain-joined systems.
  • V-220813 (MEDIUM) Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
  • V-220814 (MEDIUM) Group Policy objects must be reprocessed even if they have not changed.
  • V-220815 (MEDIUM) Downloading print driver packages over HTTP must be prevented.
  • V-220816 (MEDIUM) Web publishing and online ordering wizards must be prevented from downloading a list of providers.
  • V-220817 (MEDIUM) Printing over HTTP must be prevented.
  • V-220818 (MEDIUM) Systems must at least attempt device authentication using certificates.
  • V-220819 (MEDIUM) The network selection user interface (UI) must not be displayed on the logon screen.
  • V-220820 (MEDIUM) Local users on domain-joined computers must not be enumerated.
  • V-220821 (MEDIUM) Users must be prompted for a password on resume from sleep (on battery).
  • V-220822 (MEDIUM) The user must be prompted for a password on resume from sleep (plugged in).
  • V-220823 (HIGH) Solicited Remote Assistance must not be allowed.
  • V-220824 (MEDIUM) Unauthenticated RPC clients must be restricted from connecting to the RPC server.
  • V-220825 (LOW) The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
  • V-220826 (LOW) The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
  • V-220827 (HIGH) Autoplay must be turned off for non-volume devices.
  • V-220828 (HIGH) The default autorun behavior must be configured to prevent autorun commands.
  • V-220829 (HIGH) Autoplay must be disabled for all drives.
  • V-220830 (MEDIUM) Enhanced anti-spoofing for facial recognition must be enabled on Windows 10.
  • V-220831 (LOW) Microsoft consumer experiences must be turned off.
  • V-220832 (MEDIUM) Administrator accounts must not be enumerated during elevation.
  • V-220833 (MEDIUM) If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics.
  • V-220834 (MEDIUM) Windows Telemetry must not be configured to Full.
  • V-220835 (LOW) Windows Update must not obtain updates from other PCs on the internet.
  • V-220836 (MEDIUM) The Windows Defender SmartScreen for Explorer must be enabled.
  • V-220837 (MEDIUM) Explorer Data Execution Prevention must be enabled.
  • V-220838 (LOW) Turning off File Explorer heap termination on corruption must be disabled.
  • V-220839 (MEDIUM) File Explorer shell protocol must run in protected mode.
  • V-220840 (MEDIUM) Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
  • V-220841 (MEDIUM) Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
  • V-220842 (MEDIUM) Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.
  • V-220843 (MEDIUM) The password manager function in the Edge browser must be disabled.
  • V-220844 (MEDIUM) The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.
  • V-220845 (MEDIUM) Windows 10 must be configured to disable Windows Game Recording and Broadcasting.
  • V-220846 (MEDIUM) The use of a hardware security device with Windows Hello for Business must be enabled.
  • V-220847 (MEDIUM) Windows 10 must be configured to require a minimum pin length of six characters or greater.
  • V-220848 (MEDIUM) Passwords must not be saved in the Remote Desktop Client.
  • V-220849 (MEDIUM) Local drives must be prevented from sharing with Remote Desktop Session Hosts.
  • V-220850 (MEDIUM) Remote Desktop Services must always prompt a client for passwords upon connection.
  • V-220851 (MEDIUM) The Remote Desktop Session Host must require secure RPC communications.
  • V-220852 (MEDIUM) Remote Desktop Services must be configured with the client connection encryption set to the required level.
  • V-220853 (MEDIUM) Attachments must be prevented from being downloaded from RSS feeds.
  • V-220854 (MEDIUM) Basic authentication for RSS feeds over HTTP must not be used.
  • V-220855 (MEDIUM) Indexing of encrypted files must be turned off.
  • V-220856 (MEDIUM) Users must be prevented from changing installation options.
  • V-220857 (HIGH) The Windows Installer Always install with elevated privileges must be disabled.
  • V-220858 (MEDIUM) Users must be notified if a web-based program attempts to install software.
  • V-220859 (MEDIUM) Automatically signing in the last interactive user after a system-initiated restart must be disabled.
  • V-220860 (MEDIUM) PowerShell script block logging must be enabled on Windows 10.
  • V-220861 (MEDIUM) The Windows Explorer Preview pane must be disabled for Windows 10.
  • V-220862 (HIGH) The Windows Remote Management (WinRM) client must not use Basic authentication.
  • V-220863 (MEDIUM) The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
  • V-220865 (HIGH) The Windows Remote Management (WinRM) service must not use Basic authentication.
  • V-220866 (MEDIUM) The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
  • V-220867 (MEDIUM) The Windows Remote Management (WinRM) service must not store RunAs credentials.
  • V-220868 (MEDIUM) The Windows Remote Management (WinRM) client must not use Digest authentication.
  • V-220869 (MEDIUM) Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked.
  • V-220870 (MEDIUM) The convenience PIN for Windows 10 must be disabled.
  • V-220871 (MEDIUM) Windows Ink Workspace must be configured to disallow access above the lock.
  • V-220872 (LOW) Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications.
  • V-220902 (MEDIUM) Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled.
  • V-220903 (MEDIUM) The DoD Root CA certificates must be installed in the Trusted Root Store.
  • V-220904 (MEDIUM) The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
  • V-220905 (MEDIUM) The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
  • V-220906 (MEDIUM) The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
  • V-220907 (MEDIUM) Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
  • V-220908 (MEDIUM) The built-in administrator account must be disabled.
  • V-220909 (MEDIUM) The built-in guest account must be disabled.
  • V-220910 (MEDIUM) Local accounts with blank passwords must be restricted to prevent access from the network.
  • V-220911 (MEDIUM) The built-in administrator account must be renamed.
  • V-220912 (MEDIUM) The built-in guest account must be renamed.
  • V-220913 (MEDIUM) Audit policy using subcategories must be enabled.
  • V-220914 (MEDIUM) Outgoing secure channel traffic must be encrypted or signed.
  • V-220915 (MEDIUM) Outgoing secure channel traffic must be encrypted when possible.
  • V-220916 (MEDIUM) Outgoing secure channel traffic must be signed when possible.
  • V-220917 (LOW) The computer account password must not be prevented from being reset.
  • V-220918 (LOW) The maximum age for machine account passwords must be configured to 30 days or less.
  • V-220919 (MEDIUM) The system must be configured to require a strong session key.
  • V-220920 (MEDIUM) The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
  • V-220921 (MEDIUM) The required legal notice must be configured to display before console logon.
  • V-220922 (LOW) The Windows dialog box title for the legal banner must be configured.
  • V-220923 (LOW) Caching of logon credentials must be limited.
  • V-220924 (MEDIUM) The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
  • V-220925 (MEDIUM) The Windows SMB client must be configured to always perform SMB packet signing.
  • V-220926 (MEDIUM) Unencrypted passwords must not be sent to third-party SMB Servers.
  • V-220927 (MEDIUM) The Windows SMB server must be configured to always perform SMB packet signing.
  • V-220928 (HIGH) Anonymous SID/Name translation must not be allowed.
  • V-220929 (HIGH) Anonymous enumeration of SAM accounts must not be allowed.
  • V-220930 (HIGH) Anonymous enumeration of shares must be restricted.
  • V-220931 (MEDIUM) The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
  • V-220932 (HIGH) Anonymous access to Named Pipes and Shares must be restricted.
  • V-220933 (MEDIUM) Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
  • V-220934 (MEDIUM) NTLM must be prevented from falling back to a Null session.
  • V-220935 (MEDIUM) PKU2U authentication using online identities must be prevented.
  • V-220936 (MEDIUM) Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
  • V-220937 (HIGH) The system must be configured to prevent the storage of the LAN Manager hash of passwords.
  • V-220938 (HIGH) The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
  • V-220939 (MEDIUM) The system must be configured to the required LDAP client signing level.
  • V-220940 (MEDIUM) The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
  • V-220941 (MEDIUM) The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
  • V-220942 (MEDIUM) The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
  • V-220943 (LOW) The default permissions of global system objects must be increased.
  • V-220944 (MEDIUM) User Account Control approval mode for the built-in Administrator must be enabled.
  • V-220945 (MEDIUM) User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
  • V-220946 (MEDIUM) Windows 10 must use multifactor authentication for local and network access to privileged and nonprivileged accounts.
  • V-220947 (MEDIUM) User Account Control must automatically deny elevation requests for standard users.
  • V-220948 (MEDIUM) User Account Control must be configured to detect application installations and prompt for elevation.
  • V-220949 (MEDIUM) User Account Control must only elevate UIAccess applications that are installed in secure locations.
  • V-220950 (MEDIUM) User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
  • V-220951 (MEDIUM) User Account Control must virtualize file and registry write failures to per-user locations.
  • V-220952 (MEDIUM) Passwords for enabled local Administrator accounts must be changed at least every 60 days.
  • V-220954 (LOW) Toast notifications to the lock screen must be turned off.
  • V-220955 (MEDIUM) Zone information must be preserved when saving attachments.
  • V-220956 (MEDIUM) The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
  • V-220957 (MEDIUM) The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups.
  • V-220958 (HIGH) The Act as part of the operating system user right must not be assigned to any groups or accounts.
  • V-220959 (MEDIUM) The Allow log on locally user right must only be assigned to the Administrators and Users groups.
  • V-220960 (MEDIUM) The Back up files and directories user right must only be assigned to the Administrators group.
  • V-220961 (MEDIUM) The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc.
  • V-220962 (MEDIUM) The Create a pagefile user right must only be assigned to the Administrators group.
  • V-220963 (HIGH) The Create a token object user right must not be assigned to any groups or accounts.
  • V-220964 (MEDIUM) The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
  • V-220965 (MEDIUM) The Create permanent shared objects user right must not be assigned to any groups or accounts.
  • V-220966 (MEDIUM) The Create symbolic links user right must only be assigned to the Administrators group.
  • V-220967 (HIGH) The Debug programs user right must only be assigned to the Administrators group.
  • V-220968 (MEDIUM) The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
  • V-220969 (MEDIUM) The "Deny log on as a batch job" user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
  • V-220970 (MEDIUM) The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
  • V-220971 (MEDIUM) The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
  • V-220972 (MEDIUM) The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
  • V-220973 (MEDIUM) The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.
  • V-220974 (MEDIUM) The Force shutdown from a remote system user right must only be assigned to the Administrators group.
  • V-220975 (MEDIUM) The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
  • V-220976 (MEDIUM) The Load and unload device drivers user right must only be assigned to the Administrators group.
  • V-220977 (MEDIUM) The Lock pages in memory user right must not be assigned to any groups or accounts.
  • V-220978 (MEDIUM) The Manage auditing and security log user right must only be assigned to the Administrators group.
  • V-220979 (MEDIUM) The Modify firmware environment values user right must only be assigned to the Administrators group.
  • V-220980 (MEDIUM) The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
  • V-220981 (MEDIUM) The Profile single process user right must only be assigned to the Administrators group.
  • V-220982 (MEDIUM) The Restore files and directories user right must only be assigned to the Administrators group.
  • V-220983 (MEDIUM) The Take ownership of files or other objects user right must only be assigned to the Administrators group.
  • V-250319 (MEDIUM) Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
  • V-252896 (MEDIUM) PowerShell Transcription must be enabled on Windows 10.
  • V-252903 (LOW) Virtualization-based protection of code integrity must be enabled.
  • V-256894 (MEDIUM) Internet Explorer must be disabled for Windows 10.
  • V-257589 (MEDIUM) Windows 10 must have command line process auditing events enabled for failures.
  • V-257593 (MEDIUM) Windows 10 must not have portproxy enabled or in use.