
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


Microsoft Windows Server 2016 Security Technical Implementation Guide

  • Version: V2R10
  • Benchmark ID: Windows_Server_2016_STIG
  • Total Checks: 273
  • Tags: windows
  • Severity breakdown: CAT I: 35, CAT II: 225, CAT III: 13

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (273)

  • V-224819 (HIGH): Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
  • V-224820 (MEDIUM): Passwords for the built-in Administrator account must be changed at least every 60 days.
  • V-224821 (HIGH): Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
  • V-224822 (MEDIUM): Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
  • V-224823 (MEDIUM): Manually managed application account passwords must be at least 14 characters in length.
  • V-224824 (MEDIUM): Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
  • V-224825 (MEDIUM): Shared user accounts must not be permitted on the system.
  • V-224826 (MEDIUM): Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • V-224827 (MEDIUM): Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
  • V-224828 (HIGH): Systems must be maintained at a supported servicing level.
  • V-224829 (HIGH): The Windows Server 2016 system must use an anti-virus program.
  • V-224830 (MEDIUM): Servers must have a host-based intrusion detection or prevention system.
  • V-224831 (HIGH): Local volumes must use a format that supports NTFS attributes.
  • V-224832 (MEDIUM): Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
  • V-224833 (MEDIUM): Permissions for program file directories must conform to minimum requirements.
  • V-224834 (MEDIUM): Permissions for the Windows installation directory must conform to minimum requirements.
  • V-224835 (MEDIUM): Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
  • V-224836 (LOW): Non-administrative accounts or groups must only have print permissions on printer shares.
  • V-224837 (MEDIUM): Outdated or unused accounts must be removed from the system or disabled.
  • V-224838 (MEDIUM): Windows Server 2016 accounts must require passwords.
  • V-224839 (MEDIUM): Passwords must be configured to expire.
  • V-224840 (MEDIUM): System files must be monitored for unauthorized changes.
  • V-224841 (MEDIUM): Non-system-created file shares on a system must limit access to groups that require it.
  • V-224842 (MEDIUM): Software certificate installation files must be removed from Windows Server 2016.
  • V-224843 (HIGH): Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
  • V-224844 (MEDIUM): Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
  • V-224845 (MEDIUM): The roles and features required by the system must be documented.
  • V-224846 (MEDIUM): A host-based firewall must be installed and enabled on the system.
  • V-224847 (MEDIUM): Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
  • V-224848 (MEDIUM): Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.
  • V-224849 (MEDIUM): Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
  • V-224850 (MEDIUM): The Fax Server role must not be installed.
  • V-224851 (MEDIUM): The Microsoft FTP service must not be installed unless required.
  • V-224852 (MEDIUM): The Peer Name Resolution Protocol must not be installed.
  • V-224853 (MEDIUM): Simple TCP/IP Services must not be installed.
  • V-224854 (MEDIUM): The Telnet Client must not be installed.
  • V-224855 (MEDIUM): The TFTP Client must not be installed.
  • V-224856 (MEDIUM): The Server Message Block (SMB) v1 protocol must be uninstalled.
  • V-224857 (MEDIUM): The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
  • V-224858 (MEDIUM): The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
  • V-224859 (MEDIUM): Windows PowerShell 2.0 must not be installed.
  • V-224860 (MEDIUM): FTP servers must be configured to prevent anonymous logons.
  • V-224861 (MEDIUM): FTP servers must be configured to prevent access to the system drive.
  • V-224862 (LOW): The time service must synchronize with an appropriate DoD time source.
  • V-224863 (MEDIUM): Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.
  • V-224864 (LOW): Secure Boot must be enabled on Windows Server 2016 systems.
  • V-224865 (LOW): Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
  • V-224866 (MEDIUM): Windows 2016 account lockout duration must be configured to 15 minutes or greater.
  • V-224867 (MEDIUM): Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less.
  • V-224868 (MEDIUM): Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
  • V-224869 (MEDIUM): Windows Server 2016 password history must be configured to 24 passwords remembered.
  • V-224870 (MEDIUM): Windows Server 2016 maximum password age must be configured to 60 days or less.
  • V-224871 (MEDIUM): Windows Server 2016 minimum password age must be configured to at least one day.
  • V-224872 (MEDIUM): Windows Server 2016 minimum password length must be configured to 14 characters.
  • V-224873 (MEDIUM): Windows Server 2016 must have the built-in Windows password complexity policy enabled.
  • V-224874 (HIGH): Windows Server 2016 reversible password encryption must be disabled.
  • V-224875 (MEDIUM): Audit records must be backed up to a different system or media than the system being audited.
  • V-224876 (MEDIUM): Windows Server 2016 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.
  • V-224877 (MEDIUM): Permissions for the Application event log must prevent access by non-privileged accounts.
  • V-224878 (MEDIUM): Permissions for the Security event log must prevent access by non-privileged accounts.
  • V-224879 (MEDIUM): Permissions for the System event log must prevent access by non-privileged accounts.
  • V-224880 (MEDIUM): Event Viewer must be protected from unauthorized modification and deletion.
  • V-224881 (MEDIUM): Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes.
  • V-224882 (MEDIUM): Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.
  • V-224883 (MEDIUM): Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
  • V-224884 (MEDIUM): Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.
  • V-224885 (MEDIUM): Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
  • V-224886 (MEDIUM): Windows Server 2016 must be configured to audit Account Management - User Account Management failures.
  • V-224887 (MEDIUM): Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes.
  • V-224888 (MEDIUM): Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.
  • V-224890 (MEDIUM): Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.
  • V-224891 (MEDIUM): Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes.
  • V-224892 (MEDIUM): Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.
  • V-224893 (MEDIUM): Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
  • V-224894 (MEDIUM): Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.
  • V-224895 (MEDIUM): Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes.
  • V-224896 (MEDIUM): Windows 2016 must be configured to audit Object Access - Other Object Access Events successes.
  • V-224897 (MEDIUM): Windows 2016 must be configured to audit Object Access - Other Object Access Events failures.
  • V-224898 (MEDIUM): Windows Server 2016 must be configured to audit Object Access - Removable Storage successes.
  • V-224899 (MEDIUM): Windows Server 2016 must be configured to audit Object Access - Removable Storage failures.
  • V-224900 (MEDIUM): Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.
  • V-224901 (MEDIUM): Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.
  • V-224902 (MEDIUM): Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.
  • V-224903 (MEDIUM): Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
  • V-224904 (MEDIUM): Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
  • V-224905 (MEDIUM): Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
  • V-224906 (MEDIUM): Windows Server 2016 must be configured to audit System - IPsec Driver successes.
  • V-224907 (MEDIUM): Windows Server 2016 must be configured to audit System - IPsec Driver failures.
  • V-224908 (MEDIUM): Windows Server 2016 must be configured to audit System - Other System Events successes.
  • V-224909 (MEDIUM): Windows Server 2016 must be configured to audit System - Other System Events failures.
  • V-224910 (MEDIUM): Windows Server 2016 must be configured to audit System - Security State Change successes.
  • V-224911 (MEDIUM): Windows Server 2016 must be configured to audit System - Security System Extension successes.
  • V-224912 (MEDIUM): Windows Server 2016 must be configured to audit System - System Integrity successes.
  • V-224913 (MEDIUM): Windows Server 2016 must be configured to audit System - System Integrity failures.
  • V-224914 (MEDIUM): The display of slide shows on the lock screen must be disabled.
  • V-224915 (MEDIUM): WDigest Authentication must be disabled on Windows Server 2016.
  • V-224916 (LOW): Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
  • V-224917 (LOW): Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
  • V-224918 (LOW): Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
  • V-224919 (LOW): Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.
  • V-224920 (MEDIUM): Insecure logons to an SMB server must be disabled.
  • V-224921 (MEDIUM): Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
  • V-224922 (MEDIUM): Command line data must be included in process creation events.
  • V-224923 (MEDIUM): Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
  • V-224924 (MEDIUM): Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
  • V-224925 (MEDIUM): Group Policy objects must be reprocessed even if they have not changed.
  • V-224926 (MEDIUM): Downloading print driver packages over HTTP must be prevented.
  • V-224927 (MEDIUM): Printing over HTTP must be prevented.
  • V-224928 (MEDIUM): The network selection user interface (UI) must not be displayed on the logon screen.
  • V-224929 (MEDIUM): Users must be prompted to authenticate when the system wakes from sleep (on battery).
  • V-224930 (MEDIUM): Users must be prompted to authenticate when the system wakes from sleep (plugged in).
  • V-224931 (LOW): The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
  • V-224932 (HIGH): AutoPlay must be turned off for non-volume devices.
  • V-224933 (HIGH): The default AutoRun behavior must be configured to prevent AutoRun commands.
  • V-224934 (HIGH): AutoPlay must be disabled for all drives.
  • V-224935 (MEDIUM): Administrator accounts must not be enumerated during elevation.
  • V-224936 (MEDIUM): Windows Telemetry must be configured to Security or Basic.
  • V-224937 (MEDIUM): The Application event log size must be configured to 32768 KB or greater.
  • V-224938 (MEDIUM): The Security event log size must be configured to 196608 KB or greater.
  • V-224939 (MEDIUM): The System event log size must be configured to 32768 KB or greater.
  • V-224940 (MEDIUM): Windows Server 2016 Windows SmartScreen must be enabled.
  • V-224941 (MEDIUM): Explorer Data Execution Prevention must be enabled.
  • V-224942 (LOW): Turning off File Explorer heap termination on corruption must be disabled.
  • V-224943 (MEDIUM): File Explorer shell protocol must run in protected mode.
  • V-224944 (MEDIUM): Passwords must not be saved in the Remote Desktop Client.
  • V-224945 (MEDIUM): Local drives must be prevented from sharing with Remote Desktop Session Hosts.
  • V-224946 (MEDIUM): Remote Desktop Services must always prompt a client for passwords upon connection.
  • V-224947 (MEDIUM): The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.
  • V-224948 (MEDIUM): Remote Desktop Services must be configured with the client connection encryption set to High Level.
  • V-224949 (MEDIUM): Attachments must be prevented from being downloaded from RSS feeds.
  • V-224951 (MEDIUM): Basic authentication for RSS feeds over HTTP must not be used.
  • V-224952 (MEDIUM): Indexing of encrypted files must be turned off.
  • V-224953 (MEDIUM): Users must be prevented from changing installation options.
  • V-224954 (HIGH): The Windows Installer Always install with elevated privileges option must be disabled.
  • V-224955 (MEDIUM): Users must be notified if a web-based program attempts to install software.
  • V-224956 (MEDIUM): Automatically signing in the last interactive user after a system-initiated restart must be disabled.
  • V-224957 (MEDIUM): PowerShell script block logging must be enabled.
  • V-224958 (HIGH): The Windows Remote Management (WinRM) client must not use Basic authentication.
  • V-224959 (MEDIUM): The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
  • V-224960 (MEDIUM): The Windows Remote Management (WinRM) client must not use Digest authentication.
  • V-224961 (HIGH): The Windows Remote Management (WinRM) service must not use Basic authentication.
  • V-224962 (MEDIUM): The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
  • V-224963 (MEDIUM): The Windows Remote Management (WinRM) service must not store RunAs credentials.
  • V-224964 (HIGH): Only administrators responsible for the domain controller must have Administrator rights on the system.
  • V-224965 (MEDIUM): Kerberos user logon restrictions must be enforced.
  • V-224966 (MEDIUM): The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
  • V-224967 (MEDIUM): The Kerberos user ticket lifetime must be limited to 10 hours or less.
  • V-224968 (MEDIUM): The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
  • V-224969 (MEDIUM): The computer clock synchronization tolerance must be limited to 5 minutes or less.
  • V-224970 (HIGH): Permissions on the Active Directory data files must only allow System and Administrators access.
  • V-224971 (HIGH): The Active Directory SYSVOL directory must have the proper access control permissions.
  • V-224972 (HIGH): Active Directory Group Policy objects must have proper access control permissions.
  • V-224973 (HIGH): The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
  • V-224974 (HIGH): Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
  • V-224975 (MEDIUM): Data files owned by users must be on a different logical partition from the directory server data files.
  • V-224976 (MEDIUM): Domain controllers must run on a machine dedicated to that function.
  • V-224977 (MEDIUM): Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
  • V-224978 (HIGH): Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
  • V-224979 (LOW): The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.
  • V-224980 (MEDIUM): Active Directory Group Policy objects must be configured with proper audit settings.
  • V-224981 (MEDIUM): The Active Directory Domain object must be configured with proper audit settings.
  • V-224982 (MEDIUM): The Active Directory Infrastructure object must be configured with proper audit settings.
  • V-224983 (MEDIUM): The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
  • V-224984 (MEDIUM): The Active Directory AdminSDHolder object must be configured with proper audit settings.
  • V-224985 (MEDIUM): The Active Directory RID Manager$ object must be configured with proper audit settings.
  • V-224986 (MEDIUM): Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.
  • V-224987 (MEDIUM): Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.
  • V-224988 (MEDIUM): Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.
  • V-224989 (MEDIUM): Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.
  • V-224991 (MEDIUM): Domain controllers must have a PKI server certificate.
  • V-224992 (HIGH): Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
  • V-224993 (HIGH): PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
  • V-224994 (MEDIUM): Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
  • V-224995 (MEDIUM): Domain controllers must require LDAP access signing.
  • V-224996 (MEDIUM): Domain controllers must be configured to allow reset of machine account passwords.
  • V-224997 (MEDIUM): The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
  • V-224998 (MEDIUM): The Add workstations to domain user right must only be assigned to the Administrators group.
  • V-224999 (MEDIUM): The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
  • V-225000 (MEDIUM): The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
  • V-225001 (MEDIUM): The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
  • V-225002 (MEDIUM): The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
  • V-225003 (MEDIUM): The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
  • V-225004 (MEDIUM): The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
  • V-225005 (MEDIUM): The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
  • V-225006 (MEDIUM): The password for the krbtgt account on a domain must be reset at least every 180 days.
  • V-225007 (HIGH): Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system.
  • V-225008 (MEDIUM): Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
  • V-225009 (MEDIUM): Local users on domain-joined computers must not be enumerated.
  • V-225010 (MEDIUM): Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server.
  • V-225011 (MEDIUM): Caching of logon credentials must be limited.
  • V-225012 (HIGH): Windows Server 2016 must be running Credential Guard on domain-joined member servers.
  • V-225013 (MEDIUM): Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
  • V-225014 (MEDIUM): The "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
  • V-225015 (MEDIUM): The "Deny access to this computer from the network" user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and from unauthenticated access on all systems.
  • V-225016 (MEDIUM): The "Deny log on as a batch job" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
  • V-225017 (MEDIUM): The "Deny log on as a service" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
  • V-225018 (MEDIUM): The "Deny log on locally" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
  • V-225019 (MEDIUM): The "Deny log on through Remote Desktop Services" user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.
  • V-225020 (MEDIUM): The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on member servers.
  • V-225021 (MEDIUM): The DoD Root CA certificates must be installed in the Trusted Root Store.
  • V-225022 (MEDIUM): The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
  • V-225023 (MEDIUM): The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
  • V-225024 (MEDIUM): Windows Server 2016 built-in guest account must be disabled.
  • V-225025 (HIGH): Local accounts with blank passwords must be restricted to prevent access from the network.
  • V-225026 (MEDIUM): Windows Server 2016 built-in administrator account must be renamed.
  • V-225027 (MEDIUM): Windows Server 2016 built-in guest account must be renamed.
  • V-225028 (MEDIUM): Audit policy using subcategories must be enabled.
  • V-225029 (MEDIUM): The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
  • V-225030 (MEDIUM): The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
  • V-225031 (MEDIUM): The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
  • V-225032 (MEDIUM): The computer account password must not be prevented from being reset.
  • V-225033 (MEDIUM): The maximum age for machine account passwords must be configured to 30 days or less.
  • V-225034 (MEDIUM): Windows Server 2016 must be configured to require a strong session key.
  • V-225035 (MEDIUM): The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.
  • V-225036 (MEDIUM): The required legal notice must be configured to display before console logon.
  • V-225037 (LOW): The Windows dialog box title for the legal banner must be configured with the appropriate text.
  • V-225038 (MEDIUM): The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
  • V-225039 (MEDIUM): The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
  • V-225040 (MEDIUM): The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
  • V-225041 (MEDIUM): Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
  • V-225042 (MEDIUM): The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
  • V-225043 (MEDIUM): The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
  • V-225044 (HIGH): Anonymous SID/Name translation must not be allowed.
  • V-225045 (HIGH): Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
  • V-225046 (HIGH): Anonymous enumeration of shares must not be allowed.
  • V-225047 (MEDIUM): Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
  • V-225048 (HIGH): Anonymous access to Named Pipes and Shares must be restricted.
  • V-225049 (MEDIUM): Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
  • V-225050 (MEDIUM): NTLM must be prevented from falling back to a Null session.
  • V-225051 (MEDIUM): PKU2U authentication using online identities must be prevented.
  • V-225052 (MEDIUM): Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
  • V-225053 (HIGH): Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.
  • V-225054 (HIGH): The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
  • V-225055 (MEDIUM): Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
  • V-225056 (MEDIUM): Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
  • V-225057 (MEDIUM): Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
  • V-225058 (MEDIUM): Users must be required to enter a password to access private keys stored on the computer.
  • V-225059 (MEDIUM): Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
  • V-225060 (LOW): The default permissions of global system objects must be strengthened.
  • V-225061 (MEDIUM): User Account Control approval mode for the built-in Administrator must be enabled.
  • V-225062 (MEDIUM): UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
  • V-225063 (MEDIUM): User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
  • V-225064 (MEDIUM): User Account Control must automatically deny standard user requests for elevation.
  • V-225065 (MEDIUM): User Account Control must be configured to detect application installations and prompt for elevation.
  • V-225066 (MEDIUM): User Account Control must only elevate UIAccess applications that are installed in secure locations.
  • V-225067 (MEDIUM): User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
  • V-225068 (MEDIUM): User Account Control must virtualize file and registry write failures to per-user locations.
  • V-225069 (MEDIUM): Zone information must be preserved when saving attachments.
  • V-225070 (MEDIUM): The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
  • V-225071 (HIGH): The Act as part of the operating system user right must not be assigned to any groups or accounts.
  • V-225072 (MEDIUM): The Allow log on locally user right must only be assigned to the Administrators group.
  • V-225073 (MEDIUM): The Back up files and directories user right must only be assigned to the Administrators group.
  • V-225074 (MEDIUM): The Create a pagefile user right must only be assigned to the Administrators group.
  • V-225076 (MEDIUM): The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
  • V-225077 (MEDIUM): The Create permanent shared objects user right must not be assigned to any groups or accounts.
  • V-225078 (MEDIUM): The Create symbolic links user right must only be assigned to the Administrators group.
  • V-225079 (HIGH): The Debug programs user right must only be assigned to the Administrators group.
  • V-225080 (MEDIUM): The Force shutdown from a remote system user right must only be assigned to the Administrators group.
  • V-225081 (MEDIUM): The Generate security audits user right must only be assigned to Local Service and Network Service.
  • V-225082 (MEDIUM): The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
  • V-225083 (MEDIUM): The Increase scheduling priority user right must only be assigned to the Administrators group.
  • V-225084 (MEDIUM): The Load and unload device drivers user right must only be assigned to the Administrators group.
  • V-225085 (MEDIUM): The Lock pages in memory user right must not be assigned to any groups or accounts.
  • V-225086 (MEDIUM): The Manage auditing and security log user right must only be assigned to the Administrators group.
  • V-225087 (MEDIUM): The Modify firmware environment values user right must only be assigned to the Administrators group.
  • V-225088 (MEDIUM): The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
  • V-225089 (MEDIUM): The Profile single process user right must only be assigned to the Administrators group.
  • V-225091 (HIGH): The Create a token object user right must not be assigned to any groups or accounts.
  • V-225092 (MEDIUM): The Restore files and directories user right must only be assigned to the Administrators group.
  • V-225093 (MEDIUM): The Take ownership of files or other objects user right must only be assigned to the Administrators group.
  • V-236000 (MEDIUM): The Windows Explorer Preview pane must be disabled for Windows Server 2016.
  • V-257502 (MEDIUM): Windows Server 2016 must have PowerShell Transcription enabled.
  • V-271430 (HIGH): Windows Server 2016 must be configured for name-based strong mappings for certificates.