
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Microsoft Windows Server 2025 Security Technical Implementation Guide

Version: V1R1
Benchmark ID: MS_Windows_Server_2025_STIG
Total Checks: 284
Tags: windows
Severity breakdown: CAT I: 29, CAT II: 243, CAT III: 12

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (284)

  • V-277982 (MEDIUM): Windows Server 2025 must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).
  • V-277983 (MEDIUM): Windows Server 2025 must prohibit the use or connection of unauthorized hardware components.
  • V-277985 (MEDIUM): Windows Server 2025 users with administrative privileges must have separate accounts for administrative duties and normal operational tasks.
  • V-277986 (MEDIUM): Windows Server 2025 passwords for the built-in Administrator account must be changed at least every 60 days.
  • V-277987 (HIGH): Windows Server 2025 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
  • V-277988 (MEDIUM): Windows Server 2025 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
  • V-277989 (MEDIUM): Windows Server 2025 manually managed application account passwords must be at least 15 characters in length.
  • V-277990 (MEDIUM): Windows Server 2025 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
  • V-277991 (MEDIUM): Windows Server 2025 shared user accounts must not be permitted.
  • V-277992 (MEDIUM): Windows Server 2025 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • V-277993 (MEDIUM): Windows Server 2025 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
  • V-277995 (MEDIUM): Windows Server 2025 must use an antivirus program.
  • V-277996 (MEDIUM): Windows Server 2025 must have a host-based intrusion detection and prevention service (IDPS) installed.
  • V-277997 (HIGH): Windows Server 2025 local volumes must use a format that supports New Technology File System (NTFS) attributes.
  • V-277998 (MEDIUM): Windows Server 2025 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
  • V-277999 (MEDIUM): Windows Server 2025 permissions for program file directories must conform to minimum requirements.
  • V-278000 (MEDIUM): Windows Server 2025 permissions for the Windows installation directory must conform to minimum requirements.
  • V-278001 (MEDIUM): Windows Server 2025 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
  • V-278002 (LOW): Windows Server 2025 nonadministrative accounts or groups must only have print permissions on printer shares.
  • V-278003 (MEDIUM): Outdated or unused accounts on Windows Server 2025 must be removed or disabled.
  • V-278004 (MEDIUM): Windows Server 2025 accounts must require passwords.
  • V-278005 (MEDIUM): Windows Server 2025 passwords must be configured to expire.
  • V-278006 (MEDIUM): Windows Server 2025 system files must be monitored for unauthorized changes.
  • V-278007 (MEDIUM): Windows Server 2025 nonsystem-created file shares must limit access to groups that require it.
  • V-278008 (MEDIUM): Windows Server 2025 must have software certificate installation files removed.
  • V-278009 (MEDIUM): Windows Server 2025 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
  • V-278010 (MEDIUM): Windows Server 2025 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
  • V-278011 (MEDIUM): Windows Server 2025 must have the roles and features required by the system documented.
  • V-278012 (MEDIUM): Windows Server 2025 must have a host-based firewall installed and enabled.
  • V-278013 (MEDIUM): Windows Server 2025 must automatically remove or disable temporary user accounts after 72 hours.
  • V-278014 (MEDIUM): Windows Server 2025 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
  • V-278015 (MEDIUM): Windows Server 2025 must not have the Fax Server role installed.
  • V-278016 (MEDIUM): Windows Server 2025 must not have the Microsoft FTP service installed unless required by the organization.
  • V-278017 (MEDIUM): Windows Server 2025 must not have Wi-Fi enabled unless required by the organization.
  • V-278018 (MEDIUM): Windows Server 2025 must not have Bluetooth enabled unless required by the organization.
  • V-278019 (MEDIUM): Windows Server 2025 must not have the Peer Name Resolution Protocol installed.
  • V-278020 (MEDIUM): Windows Server 2025 must not have Simple TCP/IP Services installed.
  • V-278021 (MEDIUM): Windows Server 2025 must not have the Telnet Client installed.
  • V-278022 (MEDIUM): Windows Server 2025 must not have the TFTP Client installed.
  • V-278023 (MEDIUM): Windows Server 2025 must not have the Server Message Block (SMB) v1 protocol installed.
  • V-278024 (MEDIUM): Windows Server 2025 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
  • V-278025 (MEDIUM): Windows Server 2025 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
  • V-278026 (MEDIUM): Windows Server 2025 must not have Windows PowerShell 2.0 installed.
  • V-278027 (MEDIUM): Windows Server 2025 FTP servers must be configured to prevent anonymous logons.
  • V-278028 (MEDIUM): Windows Server 2025 FTP servers must be configured to prevent access to the system drive.
  • V-278029 (LOW): The Windows Server 2025 time service must synchronize with an appropriate DOD time source.
  • V-278030 (MEDIUM): Windows Server 2025 must have orphaned security identifiers (SIDs) removed from user rights.
  • V-278031 (MEDIUM): Windows Server 2025 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
  • V-278032 (MEDIUM): Windows Server 2025 must have Secure Boot enabled.
  • V-278033 (MEDIUM): Windows Server 2025 account lockout duration must be configured to 15 minutes or greater.
  • V-278034 (MEDIUM): Windows Server 2025 must have the number of allowed bad logon attempts configured to three or less.
  • V-278035 (MEDIUM): Windows Server 2025 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
  • V-278036 (MEDIUM): Windows Server 2025 password history must be configured to 24 passwords remembered.
  • V-278037 (MEDIUM): Windows Server 2025 maximum password age must be configured to 60 days or less.
  • V-278038 (MEDIUM): Windows Server 2025 minimum password age must be configured to at least one day.
  • V-278039 (MEDIUM): Windows Server 2025 must have the built-in Windows password complexity policy enabled.
  • V-278040 (HIGH): Windows Server 2025 reversible password encryption must be disabled.
  • V-278041 (MEDIUM): Windows Server 2025 audit records must be backed up to a different system or media than the system being audited.
  • V-278042 (MEDIUM): Windows Server 2025 must, at a minimum, off-load audit records of interconnected systems in real time and off-load stand-alone or nondomain-joined systems weekly.
  • V-278043 (MEDIUM): Windows Server 2025 permissions for the Application event log must prevent access by nonprivileged accounts.
  • V-278044 (MEDIUM): Windows Server 2025 permissions for the Security event log must prevent access by nonprivileged accounts.
  • V-278045 (MEDIUM): Windows Server 2025 permissions for the System event log must prevent access by nonprivileged accounts.
  • V-278046 (MEDIUM): Windows Server 2025 Event Viewer must be protected from unauthorized modification and deletion.
  • V-278047 (MEDIUM): Windows Server 2025 must be configured to audit Account Logon - Credential Validation successes.
  • V-278048 (MEDIUM): Windows Server 2025 must be configured to audit Account Logon - Credential Validation failures.
  • V-278049 (MEDIUM): Windows Server 2025 must be configured to audit Account Management - Other Account Management Events successes.
  • V-278050 (MEDIUM): Windows Server 2025 must be configured to audit Account Management - Security Group Management successes.
  • V-278051 (MEDIUM): Windows Server 2025 must be configured to audit Account Management - User Account Management successes.
  • V-278052 (MEDIUM): Windows Server 2025 must be configured to audit Account Management - User Account Management failures.
  • V-278053 (MEDIUM): Windows Server 2025 must be configured to audit Detailed Tracking - Plug and Play Events successes.
  • V-278054 (MEDIUM): Windows Server 2025 must be configured to audit Detailed Tracking - Process Creation successes.
  • V-278055 (MEDIUM): Windows Server 2025 must be configured to audit Logon/Logoff - Account Lockout successes.
  • V-278056 (MEDIUM): Windows Server 2025 must be configured to audit Logon/Logoff - Account Lockout failures.
  • V-278057 (MEDIUM): Windows Server 2025 must be configured to audit Logon/Logoff - Group Membership successes.
  • V-278058 (MEDIUM): Windows Server 2025 must be configured to audit logoff successes.
  • V-278059 (MEDIUM): Windows Server 2025 must be configured to audit logon successes.
  • V-278060 (MEDIUM): Windows Server 2025 must be configured to audit logon failures.
  • V-278061 (MEDIUM): Windows Server 2025 must be configured to audit Logon/Logoff - Special Logon successes.
  • V-278062 (MEDIUM): Windows Server 2025 must be configured to audit Object Access - Other Object Access Events successes.
  • V-278063 (MEDIUM): Windows Server 2025 must be configured to audit Object Access - Other Object Access Events failures.
  • V-278064 (MEDIUM): Windows Server 2025 must be configured to audit Object Access - Removable Storage successes.
  • V-278065 (MEDIUM): Windows Server 2025 must be configured to audit Object Access - Removable Storage failures.
  • V-278066 (MEDIUM): Windows Server 2025 must be configured to audit Policy Change - Audit Policy Change successes.
  • V-278067 (MEDIUM): Windows Server 2025 must be configured to audit Policy Change - Audit Policy Change failures.
  • V-278068 (MEDIUM): Windows Server 2025 must be configured to audit Policy Change - Authentication Policy Change successes.
  • V-278069 (MEDIUM): Windows Server 2025 must be configured to audit Policy Change - Authorization Policy Change successes.
  • V-278070 (MEDIUM): Windows Server 2025 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
  • V-278071 (MEDIUM): Windows Server 2025 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
  • V-278072 (MEDIUM): Windows Server 2025 must be configured to audit System - IPsec Driver successes.
  • V-278073 (MEDIUM): Windows Server 2025 must be configured to audit System - IPsec Driver failures.
  • V-278074 (MEDIUM): Windows Server 2025 must be configured to audit System - Other System Events successes.
  • V-278075 (MEDIUM): Windows Server 2025 must be configured to audit System - Other System Events failures.
  • V-278076 (MEDIUM): Windows Server 2025 must be configured to audit System - Security State Change successes.
  • V-278077 (MEDIUM): Windows Server 2025 must be configured to audit System - Security System Extension successes.
  • V-278078 (MEDIUM): Windows Server 2025 must be configured to audit System - System Integrity successes.
  • V-278079 (MEDIUM): Windows Server 2025 must be configured to audit System - System Integrity failures.
  • V-278080 (MEDIUM): Windows Server 2025 must prevent the display of slide shows on the lock screen.
  • V-278082 (LOW): Windows Server 2025 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
  • V-278083 (LOW): Windows Server 2025 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
  • V-278084 (LOW): Windows Server 2025 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
  • V-278085 (LOW): Windows Server 2025 must be configured to ignore NetBIOS name release requests except from WINS servers.
  • V-278086 (MEDIUM): Windows Server 2025 insecure logons to an SMB server must be disabled.
  • V-278087 (MEDIUM): Windows Server 2025 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
  • V-278088 (MEDIUM): Windows Server 2025 command line data must be included in process creation events.
  • V-278089 (MEDIUM): Windows Server 2025 must be configured to enable Remote host allows delegation of nonexportable credentials.
  • V-278090 (MEDIUM): Windows Server 2025 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
  • V-278091 (MEDIUM): Windows Server 2025 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
  • V-278092 (MEDIUM): Windows Server 2025 group policy objects must be reprocessed even if they have not changed.
  • V-278093 (MEDIUM): Windows Server 2025 downloading print driver packages over HTTP must be turned off.
  • V-278094 (MEDIUM): Windows Server 2025 printing over HTTP must be turned off.
  • V-278095 (MEDIUM): Windows Server 2025 network selection user interface (UI) must not be displayed on the logon screen.
  • V-278096 (MEDIUM): Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (on battery).
  • V-278097 (MEDIUM): Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (plugged in).
  • V-278098 (LOW): Windows Server 2025 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
  • V-278099 (HIGH): Windows Server 2025 AutoPlay must be turned off for nonvolume devices.
  • V-278100 (HIGH): Windows Server 2025 default AutoRun behavior must be configured to prevent AutoRun commands.
  • V-278101 (HIGH): Windows Server 2025 AutoPlay must be disabled for all drives.
  • V-278102 (MEDIUM): Windows Server 2025 administrator accounts must not be enumerated during elevation.
  • V-278103 (MEDIUM): Windows Server 2025 Telemetry must be configured to limit diagnostic data sent to Microsoft.
  • V-278104 (LOW): Windows Server 2025 Windows Update must not obtain updates from other PCs on the internet.
  • V-278105 (MEDIUM): Windows Server 2025 Application event log size must be configured to 32768 KB or greater.
  • V-278106 (MEDIUM): Windows Server 2025 Security event log size must be configured to 196608 KB or greater.
  • V-278107 (MEDIUM): Windows Server 2025 System event log size must be configured to 32768 KB or greater.
  • V-278108 (MEDIUM): Windows Server 2025 Microsoft Defender antivirus SmartScreen must be enabled.
  • V-278109 (MEDIUM): Windows Server 2025 Explorer Data Execution Prevention must be enabled.
  • V-278110 (LOW): Windows Server 2025 Turning off File Explorer heap termination on corruption must be disabled.
  • V-278111 (MEDIUM): Windows Server 2025 File Explorer shell protocol must run in protected mode.
  • V-278112 (MEDIUM): Windows Server 2025 must not save passwords in the Remote Desktop Client.
  • V-278113 (MEDIUM): Windows Server 2025 Remote Desktop Services must prevent drive redirection.
  • V-278114 (MEDIUM): Windows Server 2025 Remote Desktop Services must always prompt a client for passwords upon connection.
  • V-278115 (MEDIUM): Windows Server 2025 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
  • V-278116 (MEDIUM): Windows Server 2025 Remote Desktop Services must be configured with the client connection encryption set to High Level.
  • V-278117 (MEDIUM): Windows Server 2025 must prevent attachments from being downloaded from RSS feeds.
  • V-278118 (MEDIUM): Windows Server 2025 must disable Basic authentication for RSS feeds over HTTP.
  • V-278119 (MEDIUM): Windows Server 2025 must prevent Indexing of encrypted files.
  • V-278120 (MEDIUM): Windows Server 2025 must prevent users from changing installation options.
  • V-278121 (HIGH): Windows Server 2025 must disable the Windows Installer Always install with elevated privileges option.
  • V-278122 (MEDIUM): Windows Server 2025 users must be notified if a web-based program attempts to install software.
  • V-278123 (MEDIUM): Windows Server 2025 must disable automatically signing in the last interactive user after a system-initiated restart.
  • V-278124 (MEDIUM): Windows Server 2025 PowerShell script block logging must be enabled.
  • V-278125 (HIGH): Windows Server 2025 Windows Remote Management (WinRM) client must not use Basic authentication.
  • V-278126 (MEDIUM): Windows Server 2025 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
  • V-278127 (MEDIUM): Windows Server 2025 Windows Remote Management (WinRM) client must not use Digest authentication.
  • V-278128 (HIGH): Windows Server 2025 Windows Remote Management (WinRM) service must not use Basic authentication.
  • V-278129 (MEDIUM): Windows Server 2025 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
  • V-278130 (MEDIUM): Windows Server 2025 Windows Remote Management (WinRM) service must not store RunAs credentials.
  • V-278131 (MEDIUM): Windows Server 2025 must have PowerShell Transcription enabled.
  • V-278132 (HIGH): Windows Server 2025 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
  • V-278133 (MEDIUM): Windows Server 2025 Kerberos user logon restrictions must be enforced.
  • V-278134 (MEDIUM): Windows Server 2025 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
  • V-278135 (MEDIUM): Windows Server 2025 Kerberos user ticket lifetime must be limited to 10 hours or less.
  • V-278136 (MEDIUM): Windows Server 2025 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
  • V-278137 (MEDIUM): Windows Server 2025 computer clock synchronization tolerance must be limited to five minutes or less.
  • V-278138 (HIGH): Windows Server 2025 permissions on the Active Directory data files must only allow system administrators (SAs) access.
  • V-278139 (HIGH): Windows Server 2025 Active Directory SYSVOL directory must have the proper access control permissions.
  • V-278140 (HIGH): Windows Server 2025 Active Directory (AD) Group Policy Objects (GPOs) must have proper access control permissions.
  • V-278141 (HIGH): Windows Server 2025 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
  • V-278142 (HIGH): Windows Server 2025 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
  • V-278143 (MEDIUM): Windows Server 2025 data files owned by users must be on a different logical partition from the directory server data files.
  • V-278144 (MEDIUM): Windows Server 2025 domain controllers must run on a machine dedicated to that function.
  • V-278145 (MEDIUM): Windows Server 2025 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
  • V-278146 (HIGH): Windows Server 2025 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access.
  • V-278147 (LOW): Windows Server 2025 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.
  • V-278148 (MEDIUM): Windows Server 2025 Active Directory Group Policy Objects (GPOs) must be configured with proper audit settings.
  • V-278149 (MEDIUM): Windows Server 2025 Active Directory (AD) Domain object must be configured with proper audit settings.
  • V-278150 (MEDIUM): Windows Server 2025 Active Directory (AD) Infrastructure object must be configured with proper audit settings.
  • V-278151 (MEDIUM): Windows Server 2025 Active Directory (AD) Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
  • V-278152 (MEDIUM): Windows Server 2025 Active Directory (AD) AdminSDHolder object must be configured with proper audit settings.
  • V-278153 (MEDIUM): Windows Server 2025 Active Directory (AD) RID Manager$ object must be configured with proper audit settings.
  • V-278154 (MEDIUM): Windows Server 2025 must be configured to audit Account Management - Computer Account Management successes.
  • V-278155 (MEDIUM): Windows Server 2025 must be configured to audit DS Access - Directory Service Access successes.
  • V-278156 (MEDIUM): Windows Server 2025 must be configured to audit DS Access - Directory Service Access failures.
  • V-278157 (MEDIUM): Windows Server 2025 must be configured to audit DS Access - Directory Service Changes successes.
  • V-278158 (MEDIUM): Windows Server 2025 must be configured to audit DS Access - Directory Service Changes failures.
  • V-278159 (MEDIUM): Windows Server 2025 domain controllers must have a PKI server certificate.
  • V-278160 (HIGH): Windows Server 2025 domain controller PKI certificates must be issued by the DOD PKI or an approved External Certificate Authority (ECA).
  • V-278161 (HIGH): Windows Server 2025 PKI certificates associated with user accounts must be issued by a DOD PKI or an approved External Certificate Authority (ECA).
  • V-278162 (MEDIUM): Windows Server 2025 Active Directory (AD) user accounts, including administrators, must be configured to require the use of a common access card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
  • V-278163 (MEDIUM): Windows Server 2025 domain controllers must require LDAP access signing.
  • V-278164 (MEDIUM): Windows Server 2025 domain controllers must be configured to allow reset of machine account passwords.
  • V-278165 (MEDIUM): The Windows Server 2025 "Access this computer from the network" user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
  • V-278166 (MEDIUM): The Windows Server 2025 "Add workstations to domain" user right must only be assigned to the Administrators group on domain controllers.
  • V-278167 (MEDIUM): The Windows Server 2025 "Allow log on through Remote Desktop Services" user right must only be assigned to the Administrators group on domain controllers.
  • V-278168 (MEDIUM): The Windows Server 2025 "Deny access to this computer from the network" user right on domain controllers must be configured to prevent unauthenticated access.
  • V-278169 (MEDIUM): The Windows Server 2025 "Deny log on as a batch job" user right on domain controllers must be configured to prevent unauthenticated access.
  • V-278170 (MEDIUM): The Windows Server 2025 "Deny log on as a service" user right must be configured to include no accounts or groups (blank) on domain controllers.
  • V-278171 (MEDIUM): The Windows Server 2025 "Deny log on locally" user right on domain controllers must be configured to prevent unauthenticated access.
  • V-278172 (MEDIUM): Windows Server 2025 must be configured for certificate-based authentication for domain controllers.
  • V-278173 (MEDIUM): Windows Server 2025 must be configured for name-based strong mappings for certificates.
  • V-278174 (MEDIUM): The Windows Server 2025 "Deny log on through Remote Desktop Services" user right on domain controllers must be configured to prevent unauthenticated access.
  • V-278175 (MEDIUM): The Windows Server 2025 "Enable computer and user accounts to be trusted for delegation" user right must only be assigned to the Administrators group on domain controllers.
  • V-278176 (MEDIUM): The password for the krbtgt account on a domain must be reset at least every 180 days.
  • V-278177 (HIGH): Windows Server 2025 must only allow administrators responsible for the member server or stand-alone or nondomain-joined system to have Administrator rights on the system.
  • V-278178 (MEDIUM): Windows Server 2025 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
  • V-278179 (MEDIUM): Windows Server 2025 local users on domain-joined member servers must not be enumerated.
  • V-278180 (MEDIUM): Windows Server 2025 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and stand-alone or nondomain-joined systems.
  • V-278181 (MEDIUM): Windows Server 2025 must limit the caching of logon credentials to four or less on domain-joined member servers.
  • V-278182 (MEDIUM): Windows Server 2025 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and stand-alone or nondomain-joined systems.
  • V-278183 (MEDIUM): Windows Server 2025 "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and stand-alone or nondomain-joined systems.
  • V-278184 (MEDIUM): The Windows Server 2025 "Deny access to this computer from the network" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
  • V-278185 (MEDIUM): Windows Server 2025 "Deny log on as a batch job" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • V-278186 (MEDIUM): The Windows Server 2025 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
  • V-278187 (MEDIUM): The Windows Server 2025 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • V-278188 (MEDIUM): The Windows Server 2025 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
  • V-278189 (MEDIUM): The Windows Server 2025 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and stand-alone or nondomain-joined systems.
  • V-278190 (HIGH): Windows Server 2025 must be running Credential Guard on domain-joined member servers.
  • V-278192 (MEDIUM): Windows Server 2025 must have the DOD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
  • V-278193 (MEDIUM): Windows Server 2025 must have the DOD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
  • V-278194 (MEDIUM): Windows Server 2025 must have the US DOD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
  • V-278195 (MEDIUM): Windows Server 2025 must have the built-in guest account disabled.
  • V-278196 (HIGH): Windows Server 2025 must prevent local accounts with blank passwords from being used from the network.
  • V-278197 (MEDIUM): The Windows Server 2025 built-in administrator account must be renamed.
  • V-278198 (MEDIUM): The Windows Server 2025 built-in guest account must be renamed.
  • V-278199 (MEDIUM): Windows Server 2025 must force audit policy subcategory settings to override audit policy category settings.
  • V-278200 (MEDIUM): The Windows Server 2025 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
  • V-278201 (MEDIUM): Windows Server 2025 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
  • V-278202 (MEDIUM): The Windows Server 2025 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
  • V-278203 (MEDIUM): Windows Server 2025 computer account password must not be prevented from being reset.
  • V-278204 (MEDIUM): Windows Server 2025 maximum age for machine account passwords must be configured to 30 days or less.
  • V-278205 (MEDIUM): Windows Server 2025 must be configured to require a strong session key.
  • V-278206 (MEDIUM): Windows Server 2025 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
  • V-278207 (MEDIUM): The Windows Server 2025 required legal notice must be configured to display before console logon.
  • V-278208 (LOW): Windows Server 2025 title for legal banner dialog box must be configured with the appropriate text.
  • V-278209 (MEDIUM): The Windows Server 2025 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
  • V-278210 (MEDIUM): The Windows Server 2025 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
  • V-278211 (MEDIUM): The Windows Server 2025 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
  • V-278212 (MEDIUM): Windows Server 2025 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
  • V-278213 (MEDIUM): The Windows Server 2025 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
  • V-278214 (MEDIUM): The Windows Server 2025 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
  • V-278215 (HIGH): Windows Server 2025 must not allow anonymous SID/Name translation.
  • V-278216 (HIGH): Windows Server 2025 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
  • V-278217 (HIGH): Windows Server 2025 must not allow anonymous enumeration of shares.
  • V-278218 (MEDIUM): Windows Server 2025 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
  • V-278219 (HIGH): Windows Server 2025 must restrict anonymous access to Named Pipes and Shares.
  • V-278220 (MEDIUM): Windows Server 2025 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
  • V-278221 (MEDIUM): Windows Server 2025 must prevent NTLM from falling back to a Null session.
  • V-278222 (MEDIUM): Windows Server 2025 must prevent PKU2U authentication using online identities.
  • V-278223 (MEDIUM): Windows Server 2025 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
  • V-278225 (HIGH): Windows Server 2025 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
  • V-278226 (MEDIUM): Windows Server 2025 must be configured to at least negotiate signing for LDAP client signing.
  • V-278227 (MEDIUM): Windows Server 2025 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
  • V-278228 (MEDIUM): Windows Server 2025 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
  • V-278229 (MEDIUM): Windows Server 2025 users must be required to enter a password to access private keys stored on the computer.
  • V-278230 (MEDIUM): Windows Server 2025 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
  • V-278231 (LOW): Windows Server 2025 default permissions of global system objects must be strengthened.
  • V-278232 (MEDIUM): Windows Server 2025 User Account Control (UAC) approval mode for the built-in Administrator must be enabled.
  • V-278233 (MEDIUM): Windows Server 2025 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
  • V-278234 (MEDIUM): Windows Server 2025 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop.
  • V-278235 (MEDIUM): Windows Server 2025 User Account Control (UAC) must automatically deny standard user requests for elevation.
  • V-278236 (MEDIUM): Windows Server 2025 User Account Control (UAC) must be configured to detect application installations and prompt for elevation.
  • V-278237 (MEDIUM): Windows Server 2025 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
  • V-278238 (MEDIUM): Windows Server 2025 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC.
  • V-278239 (MEDIUM): Windows Server 2025 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
  • V-278240 (MEDIUM): Windows Server 2025 must preserve zone information when saving attachments.
  • V-278241 (MEDIUM): The Windows Server 2025 "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts.
  • V-278242 (HIGH): The Windows Server 2025 "Act as part of the operating system" user right must not be assigned to any groups or accounts.
  • V-278243 (MEDIUM): The Windows Server 2025 "Allow log on locally" user right must only be assigned to the Administrators group.
  • V-278244 (MEDIUM): The Windows Server 2025 "Back up files and directories" user right must only be assigned to the Administrators group.
  • V-278245 (MEDIUM): The Windows Server 2025 "Create a pagefile" user right must only be assigned to the Administrators group.
  • V-278246 (HIGH): The Windows Server 2025 "Create a token object" user right must not be assigned to any groups or accounts.
  • V-278247 (MEDIUM): The Windows Server 2025 "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
  • V-278248 (MEDIUM): The Windows Server 2025 "Create permanent shared objects" user right must not be assigned to any groups or accounts.
  • V-278249 (MEDIUM): The Windows Server 2025 "Create symbolic links" user right must only be assigned to the Administrators group.
  • V-278250 (HIGH): The Windows Server 2025 "Debug programs" user right must only be assigned to the Administrators group.
  • V-278251 (MEDIUM): The Windows Server 2025 "Force shutdown from a remote system" user right must only be assigned to the Administrators group.
  • V-278252 (MEDIUM): The Windows Server 2025 "Generate security audits" user right must only be assigned to Local Service and Network Service.
  • V-278253 (MEDIUM): The Windows Server 2025 "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
  • V-278254 (MEDIUM): The Windows Server 2025 "Increase scheduling priority" user right must only be assigned to the Administrators group.
  • V-278255 (MEDIUM): The Windows Server 2025 "Load and unload device drivers" user right must only be assigned to the Administrators group.
  • V-278256 (MEDIUM): The Windows Server 2025 "Lock pages in memory" user right must not be assigned to any groups or accounts.
  • V-278257 (MEDIUM): The Windows Server 2025 "Manage auditing and security log" user right must only be assigned to the Administrators group.
  • V-278258 (MEDIUM): The Windows Server 2025 "Modify firmware environment values" user right must only be assigned to the Administrators group.
  • V-278259 (MEDIUM): The Windows Server 2025 "Perform volume maintenance tasks" user right must only be assigned to the Administrators group.
  • V-278260 (MEDIUM): The Windows Server 2025 "Profile single process" user right must only be assigned to the Administrators group.
  • V-278261 (MEDIUM): The Windows Server 2025 "Restore files and directories" user right must only be assigned to the Administrators group.
  • V-278262 (MEDIUM): The Windows Server 2025 "Take ownership of files or other objects" user right must only be assigned to the Administrators group.
  • V-279916 (MEDIUM): Windows Server 2025 must be configured to audit file system failures.
  • V-279917 (MEDIUM): Windows Server 2025 must be configured to audit file system successes.
  • V-279918 (MEDIUM): Windows Server 2025 must be configured to audit handle manipulation failures.
  • V-279919 (MEDIUM): Windows Server 2025 must be configured to audit handle manipulation successes.
  • V-279920 (MEDIUM): Windows Server 2025 must be configured to audit registry failures.
  • V-279921 (MEDIUM): Windows Server 2025 must be configured to audit registry successes.
  • V-279922 (MEDIUM): Windows Server 2025 must be configured to audit sensitive privilege use successes.
  • V-279923 (MEDIUM): Windows Server 2025 must be configured to audit sensitive privilege use failures.