Microsoft Windows Server 2022 Security Technical Implementation Guide

Version: V2R8
Benchmark ID: MS_Windows_Server_2022_STIG
Total Checks: 282
Tags: windows
CAT I: 31, CAT II: 239, CAT III: 12

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (282)

V-254238 | MEDIUM | Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
V-254239 | MEDIUM | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days.
V-254240 | HIGH | Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
V-254241 | MEDIUM | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
V-254242 | MEDIUM | Windows Server 2022 manually managed application account passwords must be at least 14 characters in length.
V-254243 | MEDIUM | Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
V-254244 | MEDIUM | Windows Server 2022 shared user accounts must not be permitted.
V-254245 | MEDIUM | Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-254246 | MEDIUM | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
V-254247 | MEDIUM | Windows Server 2022 must be maintained at a supported servicing level.
V-254248 | MEDIUM | Windows Server 2022 must use an antivirus program.
V-254249 | MEDIUM | Windows Server 2022 must have a host-based intrusion detection and prevention service installed.
V-254250 | HIGH | Windows Server 2022 local volumes must use a format that supports NTFS attributes.
V-254251 | MEDIUM | Windows Server 2022 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
V-254252 | MEDIUM | Windows Server 2022 permissions for program file directories must conform to minimum requirements.
V-254253 | MEDIUM | Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements.
V-254254 | MEDIUM | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-254255 | LOW | Windows Server 2022 nonadministrative accounts or groups must only have print permissions on printer shares.
V-254256 | MEDIUM | Windows Server 2022 outdated or unused accounts must be removed or disabled.
V-254257 | MEDIUM | Windows Server 2022 accounts must require passwords.
V-254258 | MEDIUM | Windows Server 2022 passwords must be configured to expire.
V-254259 | MEDIUM | Windows Server 2022 system files must be monitored for unauthorized changes.
V-254260 | MEDIUM | Windows Server 2022 nonsystem-created file shares must limit access to groups that require it.
V-254261 | MEDIUM | Windows Server 2022 must have software certificate installation files removed.
V-254262 | HIGH | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
V-254263 | MEDIUM | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
V-254264 | MEDIUM | Windows Server 2022 must have the roles and features required by the system documented.
V-254265 | MEDIUM | Windows Server 2022 must have a host-based firewall installed and enabled.
V-254267 | MEDIUM | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours.
V-254268 | MEDIUM | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
V-254269 | MEDIUM | Windows Server 2022 must not have the Fax Server role installed.
V-254270 | MEDIUM | Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization.
V-254271 | MEDIUM | Windows Server 2022 must not have the Peer Name Resolution Protocol installed.
V-254272 | MEDIUM | Windows Server 2022 must not have Simple TCP/IP Services installed.
V-254273 | MEDIUM | Windows Server 2022 must not have the Telnet Client installed.
V-254274 | MEDIUM | Windows Server 2022 must not have the TFTP Client installed.
V-254275 | MEDIUM | Windows Server 2022 must not have the Server Message Block (SMB) v1 protocol installed.
V-254276 | MEDIUM | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
V-254277 | MEDIUM | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
V-254278 | MEDIUM | Windows Server 2022 must not have Windows PowerShell 2.0 installed.
V-254279 | MEDIUM | Windows Server 2022 FTP servers must be configured to prevent anonymous logons.
V-254280 | MEDIUM | Windows Server 2022 FTP servers must be configured to prevent access to the system drive.
V-254281 | LOW | The Windows Server 2022 time service must synchronize with an appropriate DOD time source.
V-254282 | MEDIUM | Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights.
V-254283 | MEDIUM | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
V-254284 | MEDIUM | Windows Server 2022 must have Secure Boot enabled.
V-254285 | MEDIUM | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater.
V-254286 | MEDIUM | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less.
V-254287 | MEDIUM | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
V-254288 | MEDIUM | Windows Server 2022 password history must be configured to 24 passwords remembered.
V-254289 | MEDIUM | Windows Server 2022 maximum password age must be configured to 60 days or less.
V-254290 | MEDIUM | Windows Server 2022 minimum password age must be configured to at least one day.
V-254291 | MEDIUM | Windows Server 2022 minimum password length must be configured to 14 characters.
V-254292 | MEDIUM | Windows Server 2022 must have the built-in Windows password complexity policy enabled.
V-254293 | HIGH | Windows Server 2022 reversible password encryption must be disabled.
V-254294 | MEDIUM | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited.
V-254295 | MEDIUM | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.
V-254296 | MEDIUM | Windows Server 2022 permissions for the Application event log must prevent access by nonprivileged accounts.
V-254297 | MEDIUM | Windows Server 2022 permissions for the Security event log must prevent access by nonprivileged accounts.
V-254298 | MEDIUM | Windows Server 2022 permissions for the System event log must prevent access by nonprivileged accounts.
V-254299 | MEDIUM | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion.
V-254300 | MEDIUM | Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes.
V-254301 | MEDIUM | Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures.
V-254302 | MEDIUM | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes.
V-254303 | MEDIUM | Windows Server 2022 must be configured to audit Account Management - Security Group Management successes.
V-254304 | MEDIUM | Windows Server 2022 must be configured to audit Account Management - User Account Management successes.
V-254305 | MEDIUM | Windows Server 2022 must be configured to audit Account Management - User Account Management failures.
V-254306 | MEDIUM | Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes.
V-254307 | MEDIUM | Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes.
V-254309 | MEDIUM | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures.
V-254310 | MEDIUM | Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes.
V-254311 | MEDIUM | Windows Server 2022 must be configured to audit logoff successes.
V-254312 | MEDIUM | Windows Server 2022 must be configured to audit logon successes.
V-254313 | MEDIUM | Windows Server 2022 must be configured to audit logon failures.
V-254314 | MEDIUM | Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes.
V-254315 | MEDIUM | Windows Server 2022 must be configured to audit Object Access - Other Object Access Events successes.
V-254316 | MEDIUM | Windows Server 2022 must be configured to audit Object Access - Other Object Access Events failures.
V-254317 | MEDIUM | Windows Server 2022 must be configured to audit Object Access - Removable Storage successes.
V-254318 | MEDIUM | Windows Server 2022 must be configured to audit Object Access - Removable Storage failures.
V-254319 | MEDIUM | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes.
V-254320 | MEDIUM | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures.
V-254321 | MEDIUM | Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes.
V-254322 | MEDIUM | Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes.
V-254323 | MEDIUM | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-254324 | MEDIUM | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-254325 | MEDIUM | Windows Server 2022 must be configured to audit System - IPsec Driver successes.
V-254326 | MEDIUM | Windows Server 2022 must be configured to audit System - IPsec Driver failures.
V-254327 | MEDIUM | Windows Server 2022 must be configured to audit System - Other System Events successes.
V-254328 | MEDIUM | Windows Server 2022 must be configured to audit System - Other System Events failures.
V-254329 | MEDIUM | Windows Server 2022 must be configured to audit System - Security State Change successes.
V-254330 | MEDIUM | Windows Server 2022 must be configured to audit System - Security System Extension successes.
V-254331 | MEDIUM | Windows Server 2022 must be configured to audit System - System Integrity successes.
V-254332 | MEDIUM | Windows Server 2022 must be configured to audit System - System Integrity failures.
V-254333 | MEDIUM | Windows Server 2022 must prevent the display of slide shows on the lock screen.
V-254334 | MEDIUM | Windows Server 2022 must have WDigest Authentication disabled.
V-254335 | LOW | Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
V-254336 | LOW | Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
V-254337 | LOW | Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
V-254338 | LOW | Windows Server 2022 must be configured to ignore NetBIOS name release requests except from WINS servers.
V-254339 | MEDIUM | Windows Server 2022 insecure logons to an SMB server must be disabled.
V-254340 | MEDIUM | Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-254341 | MEDIUM | Windows Server 2022 command line data must be included in process creation events.
V-254342 | MEDIUM | Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials.
V-254343 | MEDIUM | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-254344 | MEDIUM | Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-254345 | MEDIUM | Windows Server 2022 group policy objects must be reprocessed even if they have not changed.
V-254346 | MEDIUM | Windows Server 2022 downloading print driver packages over HTTP must be turned off.
V-254347 | MEDIUM | Windows Server 2022 printing over HTTP must be turned off.
V-254348 | MEDIUM | Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen.
V-254349 | MEDIUM | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery).
V-254350 | MEDIUM | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in).
V-254351 | LOW | Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-254352 | HIGH | Windows Server 2022 Autoplay must be turned off for nonvolume devices.
V-254353 | HIGH | Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands.
V-254354 | HIGH | Windows Server 2022 AutoPlay must be disabled for all drives.
V-254355 | MEDIUM | Windows Server 2022 administrator accounts must not be enumerated during elevation.
V-254356 | MEDIUM | Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data".
V-254357 | LOW | Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet.
V-254358 | MEDIUM | Windows Server 2022 Application event log size must be configured to 32768 KB or greater.
V-254359 | MEDIUM | The Windows Server 2022 security event log size must be configured to a value that holds at least one week's worth of audit records.
V-254360 | MEDIUM | Windows Server 2022 System event log size must be configured to 32768 KB or greater.
V-254361 | MEDIUM | Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled.
V-254362 | MEDIUM | Windows Server 2022 Explorer Data Execution Prevention must be enabled.
V-254363 | LOW | Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled.
V-254364 | MEDIUM | Windows Server 2022 File Explorer shell protocol must run in protected mode.
V-254365 | MEDIUM | Windows Server 2022 must not save passwords in the Remote Desktop Client.
V-254366 | MEDIUM | Windows Server 2022 Remote Desktop Services must prevent drive redirection.
V-254367 | MEDIUM | Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connection.
V-254368 | MEDIUM | Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
V-254369 | MEDIUM | Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level.
V-254370 | MEDIUM | Windows Server 2022 must prevent attachments from being downloaded from RSS feeds.
V-254371 | MEDIUM | Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP.
V-254372 | MEDIUM | Windows Server 2022 must prevent Indexing of encrypted files.
V-254373 | MEDIUM | Windows Server 2022 must prevent users from changing installation options.
V-254374 | HIGH | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option.
V-254375 | MEDIUM | Windows Server 2022 users must be notified if a web-based program attempts to install software.
V-254376 | MEDIUM | Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart.
V-254377 | MEDIUM | Windows Server 2022 PowerShell script block logging must be enabled.
V-254378 | HIGH | Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication.
V-254379 | MEDIUM | Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-254380 | MEDIUM | Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication.
V-254381 | HIGH | Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication.
V-254382 | MEDIUM | Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-254383 | MEDIUM | Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials.
V-254384 | MEDIUM | Windows Server 2022 must have PowerShell Transcription enabled.
V-254385 | HIGH | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
V-254386 | MEDIUM | Windows Server 2022 Kerberos user logon restrictions must be enforced.
V-254387 | MEDIUM | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
V-254388 | MEDIUM | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less.
V-254389 | MEDIUM | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
V-254390 | MEDIUM | Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less.
V-254391 | HIGH | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access.
V-254392 | HIGH | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions.
V-254393 | HIGH | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions.
V-254394 | HIGH | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
V-254395 | HIGH | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
V-254396 | MEDIUM | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files.
V-254397 | MEDIUM | Windows Server 2022 domain controllers must run on a machine dedicated to that function.
V-254398 | MEDIUM | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
V-254399 | HIGH | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access.
V-254400 | LOW | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.
V-254401 | MEDIUM | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings.
V-254402 | MEDIUM | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings.
V-254403 | MEDIUM | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings.
V-254404 | MEDIUM | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
V-254405 | MEDIUM | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings.
V-254406 | MEDIUM | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings.
V-254407 | MEDIUM | Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes.
V-254408 | MEDIUM | Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes.
V-254409 | MEDIUM | Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures.
V-254410 | MEDIUM | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes.
V-254412 | MEDIUM | Windows Server 2022 domain controllers must have a PKI server certificate.
V-254413 | HIGH | Windows Server 2022 domain controller PKI certificates must be issued by the DOD PKI or an approved External Certificate Authority (ECA).
V-254414 | HIGH | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).
V-254415 | MEDIUM | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
V-254416 | MEDIUM | Windows Server 2022 domain controllers must require LDAP access signing.
V-254417 | MEDIUM | Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords.
V-254418 | MEDIUM | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
V-254419 | MEDIUM | Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
V-254420 | MEDIUM | Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
V-254421 | MEDIUM | Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
V-254422 | MEDIUM | Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
V-254423 | MEDIUM | Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
V-254424 | MEDIUM | Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
V-254425 | MEDIUM | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
V-254426 | MEDIUM | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
V-254427 | MEDIUM | The password for the krbtgt account on a domain must be reset at least every 180 days.
V-254428 | HIGH | Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.
V-254429 | MEDIUM | Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
V-254430 | MEDIUM | Windows Server 2022 local users on domain-joined member servers must not be enumerated.
V-254431 | MEDIUM | Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems.
V-254432 | MEDIUM | Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers.
V-254433 | MEDIUM | Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
V-254434 | MEDIUM | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems.
V-254435 | MEDIUM | Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
V-254436 | MEDIUM | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
V-254437 | MEDIUM | Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
V-254438 | MEDIUM | Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
V-254439 | MEDIUM | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
V-254440 | MEDIUM | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
V-254441 | HIGH | Windows Server 2022 must be running Credential Guard on domain-joined member servers.
V-254442 | MEDIUM | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
V-254443 | MEDIUM | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
V-254444 | MEDIUM | Windows Server 2022 must have the US DOD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
V-254445 | MEDIUM | Windows Server 2022 must have the built-in guest account disabled.
V-254446 | HIGH | Windows Server 2022 must prevent local accounts with blank passwords from being used from the network.
V-254447 | MEDIUM | Windows Server 2022 built-in administrator account must be renamed.
V-254448 | MEDIUM | Windows Server 2022 built-in guest account must be renamed.
V-254449 | MEDIUM | Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings.
V-254450 | MEDIUM | Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
V-254451 | MEDIUM | Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
V-254452 | MEDIUM | Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
V-254453 | MEDIUM | Windows Server 2022 computer account password must not be prevented from being reset.
V-254454 | MEDIUM | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less.
V-254455 | MEDIUM | Windows Server 2022 must be configured to require a strong session key.
V-254456 | MEDIUM | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
V-254457 | MEDIUM | Windows Server 2022 required legal notice must be configured to display before console logon.
V-254458 | LOW | Windows Server 2022 title for legal banner dialog box must be configured with the appropriate text.
V-254459 | MEDIUM | Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-254460 | MEDIUM | Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
V-254461 | MEDIUM | Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
V-254462 | MEDIUM | Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
V-254463 | MEDIUM | Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
V-254464 | MEDIUM | Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
V-254465 | HIGH | Windows Server 2022 must not allow anonymous SID/Name translation.
V-254466 | HIGH | Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
V-254467 | HIGH | Windows Server 2022 must not allow anonymous enumeration of shares.
V-254468 | MEDIUM | Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
V-254469 | HIGH | Windows Server 2022 must restrict anonymous access to Named Pipes and Shares.
V-254470 | MEDIUM | Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
V-254471 | MEDIUM | Windows Server 2022 must prevent NTLM from falling back to a Null session.
V-254472 | MEDIUM | Windows Server 2022 must prevent PKU2U authentication using online identities.
V-254473 | MEDIUM | Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-254474 | HIGH | Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords.
V-254475 | HIGH | Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
V-254476 | MEDIUM | Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing.
V-254477 | MEDIUM | Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
V-254478 | MEDIUM | Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
V-254479 | MEDIUM | Windows Server 2022 users must be required to enter a password to access private keys stored on the computer.
V-254480 | MEDIUM | Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-254481 | LOW | Windows Server 2022 default permissions of global system objects must be strengthened.
V-254482 | MEDIUM | Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must be enabled.
V-254483 | MEDIUM | Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
V-254484 | MEDIUM | Windows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop.
V-254485 | MEDIUM | Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for elevation.
V-254486 | MEDIUM | Windows Server 2022 User Account Control (UAC) must be configured to detect application installations and prompt for elevation.
V-254487 | MEDIUM | Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
V-254488 | MEDIUM | Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC.
V-254489 | MEDIUM | Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
V-254490 | MEDIUM | Windows Server 2022 must preserve zone information when saving attachments.
V-254491 | MEDIUM | Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-254492 | HIGH | Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts.
V-254493 | MEDIUM | Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group.
V-254494 | MEDIUM | Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group.
V-254495 | MEDIUM | Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group.
V-254496 | HIGH | Windows Server 2022 create a token object user right must not be assigned to any groups or accounts.
V-254497 | MEDIUM | Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-254498 | MEDIUM | Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts.
V-254499 | MEDIUM | Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group.
V-254500 | HIGH | Windows Server 2022 debug programs user right must only be assigned to the Administrators group.
V-254501 | MEDIUM | Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group.
V-254502 | MEDIUM | Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service.
V-254503 | MEDIUM | Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-254504 | MEDIUM | Windows Server 2022 increase scheduling priority: user right must only be assigned to the Administrators group.
V-254505 | MEDIUM | Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group.
V-254506 | MEDIUM | Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts.
V-254507 | MEDIUM | Windows Server 2022 manage auditing and security log user right must only be assigned to the Administrators group.
V-254508 | MEDIUM | Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group.
V-254509 | MEDIUM | Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-254510 | MEDIUM | Windows Server 2022 profile single process user right must only be assigned to the Administrators group.
V-254511 | MEDIUM | Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group.
V-254512 | MEDIUM | Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group.
V-271426 | MEDIUM | Windows Server 2022 must be configured for certificate-based authentication for domain controllers.
V-271427 | MEDIUM | Windows Server 2022 must be configured for name-based strong mappings for certificates.
V-278942 | MEDIUM | Windows Server 2022 must be configured to audit file system failures.
V-278943 | MEDIUM | Windows Server 2022 must be configured to audit file system successes.
V-278944 | MEDIUM | Windows Server 2022 must be configured to audit handle manipulation failures.
V-278945 | MEDIUM | Windows Server 2022 must be configured to audit handle manipulation successes.
V-278946 | MEDIUM | Windows Server 2022 must be configured to audit registry failures.
V-278947 | MEDIUM | Windows Server 2022 must be configured to audit registry successes.
V-278948 | MEDIUM | Windows Server 2022 must be configured to audit sensitive privilege use successes.
V-278949 | MEDIUM | Windows Server 2022 must be configured to audit sensitive privilege use failures.