STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
Windows Server 2016 Security Technical Implementation Guide

Archived

Version: V1R10
Release Date: Jan 24, 2020
SCAP Benchmark ID: S-f8db2aa43b9798ee0ba5a37de5d64c8a9a6a102e
Total Checks: 544
Tags: windows
CAT I: 66 | CAT II: 452 | CAT III: 26

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (544)

  • V-73217 (HIGH) Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
  • V-73219 (HIGH) Only administrators responsible for the domain controller must have Administrator rights on the system.
  • V-73221 (HIGH) Only administrators responsible for the member server or standalone system must have Administrator rights on the system.
  • V-73223 (MEDIUM) Passwords for the built-in Administrator account must be changed at least every 60 days.
  • V-73225 (HIGH) Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
  • V-73227 (MEDIUM) Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
  • V-73229 (MEDIUM) Manually managed application account passwords must be at least 15 characters in length.
  • V-73231 (MEDIUM) Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
  • V-73233 (MEDIUM) Shared user accounts must not be permitted on the system.
  • V-73235 (MEDIUM) Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • V-73237 (MEDIUM) Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
  • V-73239 (HIGH) Systems must be maintained at a supported servicing level.
  • V-73241 (HIGH) The Windows Server 2016 system must use an anti-virus program.
  • V-73245 (MEDIUM) Servers must have a host-based intrusion detection or prevention system.
  • V-73247 (HIGH) Local volumes must use a format that supports NTFS attributes.
  • V-73249 (MEDIUM) Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
  • V-73251 (MEDIUM) Permissions for program file directories must conform to minimum requirements.
  • V-73253 (MEDIUM) Permissions for the Windows installation directory must conform to minimum requirements.
  • V-73255 (MEDIUM) Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
  • V-73257 (LOW) Non-administrative accounts or groups must only have print permissions on printer shares.
  • V-73259 (MEDIUM) Outdated or unused accounts must be removed from the system or disabled.
  • V-73261 (MEDIUM) Windows Server 2016 accounts must require passwords.
  • V-73263 (MEDIUM) Passwords must be configured to expire.
  • V-73265 (MEDIUM) System files must be monitored for unauthorized changes.
  • V-73267 (MEDIUM) Non-system-created file shares on a system must limit access to groups that require it.
  • V-73271 (MEDIUM) Software certificate installation files must be removed from Windows Server 2016.
  • V-73273 (MEDIUM) Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
  • V-73275 (MEDIUM) Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
  • V-73277 (MEDIUM) The roles and features required by the system must be documented.
  • V-73279 (MEDIUM) A host-based firewall must be installed and enabled on the system.
  • V-73281 (MEDIUM) Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
  • V-73283 (MEDIUM) Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.
  • V-73285 (MEDIUM) Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
  • V-73287 (MEDIUM) The Fax Server role must not be installed.
  • V-73289 (MEDIUM) The Microsoft FTP service must not be installed unless required.
  • V-73291 (MEDIUM) The Peer Name Resolution Protocol must not be installed.
  • V-73293 (MEDIUM) Simple TCP/IP Services must not be installed.
  • V-73295 (MEDIUM) The Telnet Client must not be installed.
  • V-73297 (MEDIUM) The TFTP Client must not be installed.
  • V-73299 (MEDIUM) The Server Message Block (SMB) v1 protocol must be uninstalled.
  • V-73301 (MEDIUM) Windows PowerShell 2.0 must not be installed.
  • V-73303 (MEDIUM) FTP servers must be configured to prevent anonymous logons.
  • V-73305 (MEDIUM) FTP servers must be configured to prevent access to the system drive.
  • V-73307 (LOW) The time service must synchronize with an appropriate DoD time source.
  • V-73309 (MEDIUM) Windows 2016 account lockout duration must be configured to 15 minutes or greater.
  • V-73311 (MEDIUM) Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less.
  • V-73313 (MEDIUM) Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
  • V-73315 (MEDIUM) Windows Server 2016 password history must be configured to 24 passwords remembered.
  • V-73317 (MEDIUM) Windows Server 2016 maximum password age must be configured to 60 days or less.
  • V-73319 (MEDIUM) Windows Server 2016 minimum password age must be configured to at least one day.
  • V-73321 (MEDIUM) Windows Server 2016 minimum password length must be configured to 14 characters.
  • V-73323 (MEDIUM) Windows Server 2016 must have the built-in Windows password complexity policy enabled.
  • V-73325 (HIGH) Windows Server 2016 reversible password encryption must be disabled.
  • V-73359 (MEDIUM) Kerberos user logon restrictions must be enforced.
  • V-73361 (MEDIUM) The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
  • V-73363 (MEDIUM) The Kerberos user ticket lifetime must be limited to 10 hours or less.
  • V-73365 (MEDIUM) The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
  • V-73367 (MEDIUM) The computer clock synchronization tolerance must be limited to 5 minutes or less.
  • V-73369 (HIGH) Permissions on the Active Directory data files must only allow System and Administrators access.
  • V-73371 (HIGH) The Active Directory SYSVOL directory must have the proper access control permissions.
  • V-73373 (HIGH) Active Directory Group Policy objects must have proper access control permissions.
  • V-73375 (HIGH) The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
  • V-73377 (HIGH) Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
  • V-73379 (MEDIUM) Data files owned by users must be on a different logical partition from the directory server data files.
  • V-73381 (MEDIUM) Domain controllers must run on a machine dedicated to that function.
  • V-73383 (MEDIUM) Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
  • V-73385 (HIGH) Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
  • V-73387 (LOW) The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.
  • V-73389 (MEDIUM) Active Directory Group Policy objects must be configured with proper audit settings.
  • V-73391 (MEDIUM) The Active Directory Domain object must be configured with proper audit settings.
  • V-73393 (MEDIUM) The Active Directory Infrastructure object must be configured with proper audit settings.
  • V-73395 (MEDIUM) The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
  • V-73397 (MEDIUM) The Active Directory AdminSDHolder object must be configured with proper audit settings.
  • V-73399 (MEDIUM) The Active Directory RID Manager$ object must be configured with proper audit settings.
  • V-73401 (MEDIUM) Audit records must be backed up to a different system or media than the system being audited.
  • V-73403 (MEDIUM) Windows Server 2016 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
  • V-73405 (MEDIUM) Permissions for the Application event log must prevent access by non-privileged accounts.
  • V-73407 (MEDIUM) Permissions for the Security event log must prevent access by non-privileged accounts.
  • V-73409 (MEDIUM) Permissions for the System event log must prevent access by non-privileged accounts.
  • V-73411 (MEDIUM) Event Viewer must be protected from unauthorized modification and deletion.
  • V-73413 (MEDIUM) Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes.
  • V-73415 (MEDIUM) Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.
  • V-73417 (MEDIUM) Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.
  • V-73419 (MEDIUM) Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
  • V-73423 (MEDIUM) Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.
  • V-73427 (MEDIUM) Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
  • V-73429 (MEDIUM) Windows Server 2016 must be configured to audit Account Management - User Account Management failures.
  • V-73431 (MEDIUM) Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes.
  • V-73433 (MEDIUM) Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.
  • V-73435 (MEDIUM) Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.
  • V-73437 (MEDIUM) Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.
  • V-73439 (MEDIUM) Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.
  • V-73441 (MEDIUM) Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures.
  • V-73443 (MEDIUM) Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout successes.
  • V-73445 (MEDIUM) Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.
  • V-73447 (MEDIUM) Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes.
  • V-73449 (MEDIUM) Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.
  • V-73451 (MEDIUM) Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
  • V-73453 (MEDIUM) Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.
  • V-73455 (MEDIUM) Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes.
  • V-73457 (MEDIUM) Windows Server 2016 must be configured to audit Object Access - Removable Storage successes.
  • V-73459 (MEDIUM) Windows Server 2016 must be configured to audit Object Access - Removable Storage failures.
  • V-73461 (MEDIUM) Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.
  • V-73463 (MEDIUM) Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.
  • V-73465 (MEDIUM) Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.
  • V-73467 (MEDIUM) Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
  • V-73469 (MEDIUM) Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
  • V-73471 (MEDIUM) Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
  • V-73473 (MEDIUM) Windows Server 2016 must be configured to audit System - IPsec Driver successes.
  • V-73475 (MEDIUM) Windows Server 2016 must be configured to audit System - IPsec Driver failures.
  • V-73477 (MEDIUM) Windows Server 2016 must be configured to audit System - Other System Events successes.
  • V-73479 (MEDIUM) Windows Server 2016 must be configured to audit System - Other System Events failures.
  • V-73481 (MEDIUM) Windows Server 2016 must be configured to audit System - Security State Change successes.
  • V-73483 (MEDIUM) Windows Server 2016 must be configured to audit System - Security System Extension successes.
  • V-73487 (MEDIUM) Administrator accounts must not be enumerated during elevation.
  • V-73489 (MEDIUM) Windows Server 2016 must be configured to audit System - System Integrity successes.
  • V-73491 (MEDIUM) Windows Server 2016 must be configured to audit System - System Integrity failures.
  • V-73493 (MEDIUM) The display of slide shows on the lock screen must be disabled.
  • V-73495 (MEDIUM) Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
  • V-73497 (MEDIUM) WDigest Authentication must be disabled on Windows Server 2016.
  • V-73499 (LOW) Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
  • V-73501 (LOW) Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
  • V-73503 (LOW) Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
  • V-73505 (LOW) Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.
  • V-73507 (MEDIUM) Insecure logons to an SMB server must be disabled.
  • V-73509 (MEDIUM) Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
  • V-73511 (MEDIUM) Command line data must be included in process creation events.
  • V-73513 (MEDIUM) Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
  • V-73515 (HIGH) Windows Server 2016 must be running Credential Guard on domain-joined member servers.
  • V-73521 (MEDIUM) Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
  • V-73525 (MEDIUM) Group Policy objects must be reprocessed even if they have not changed.
  • V-73527 (MEDIUM) Downloading print driver packages over HTTP must be prevented.
  • V-73529 (MEDIUM) Printing over HTTP must be prevented.
  • V-73531 (MEDIUM) The network selection user interface (UI) must not be displayed on the logon screen.
  • V-73533 (MEDIUM) Local users on domain-joined computers must not be enumerated.
  • V-73537 (MEDIUM) Users must be prompted to authenticate when the system wakes from sleep (on battery).
  • V-73539 (MEDIUM) Users must be prompted to authenticate when the system wakes from sleep (plugged in).
  • V-73541 (MEDIUM) Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server.
  • V-73543 (LOW) The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
  • V-73545 (HIGH) AutoPlay must be turned off for non-volume devices.
  • V-73547 (HIGH) The default AutoRun behavior must be configured to prevent AutoRun commands.
  • V-73549 (HIGH) AutoPlay must be disabled for all drives.
  • V-73551 (MEDIUM) Windows Telemetry must be configured to Security or Basic.
  • V-73553 (MEDIUM) The Application event log size must be configured to 32768 KB or greater.
  • V-73555 (MEDIUM) The Security event log size must be configured to 196608 KB or greater.
  • V-73557 (MEDIUM) The System event log size must be configured to 32768 KB or greater.
  • V-73559 (MEDIUM) Windows Server 2016 Windows SmartScreen must be enabled.
  • V-73561 (MEDIUM) Explorer Data Execution Prevention must be enabled.
  • V-73563 (LOW) Turning off File Explorer heap termination on corruption must be disabled.
  • V-73565 (MEDIUM) File Explorer shell protocol must run in protected mode.
  • V-73567 (MEDIUM) Passwords must not be saved in the Remote Desktop Client.
  • V-73569 (MEDIUM) Local drives must be prevented from sharing with Remote Desktop Session Hosts.
  • V-73571 (MEDIUM) Remote Desktop Services must always prompt a client for passwords upon connection.
  • V-73573 (MEDIUM) The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.
  • V-73575 (MEDIUM) Remote Desktop Services must be configured with the client connection encryption set to High Level.
  • V-73577 (MEDIUM) Attachments must be prevented from being downloaded from RSS feeds.
  • V-73579 (MEDIUM) Basic authentication for RSS feeds over HTTP must not be used.
  • V-73581 (MEDIUM) Indexing of encrypted files must be turned off.
  • V-73583 (MEDIUM) Users must be prevented from changing installation options.
  • V-73585 (HIGH) The Windows Installer Always install with elevated privileges option must be disabled.
  • V-73587 (MEDIUM) Users must be notified if a web-based program attempts to install software.
  • V-73589 (MEDIUM) Automatically signing in the last interactive user after a system-initiated restart must be disabled.
  • V-73591 (MEDIUM) PowerShell script block logging must be enabled.
  • V-73593 (HIGH) The Windows Remote Management (WinRM) client must not use Basic authentication.
  • V-73595 (MEDIUM) The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
  • V-73597 (MEDIUM) The Windows Remote Management (WinRM) client must not use Digest authentication.
use Digest authentication.V-73599HIGHThe Windows Remote Management (WinRM) service must not use Basic authentication.V-73599HIGHThe Windows Remote Management (WinRM) service must not use Basic authentication.V-73601MEDIUMThe Windows Remote Management (WinRM) service must not allow unencrypted traffic.V-73601MEDIUMThe Windows Remote Management (WinRM) service must not allow unencrypted traffic.V-73603MEDIUMThe Windows Remote Management (WinRM) service must not store RunAs credentials.V-73603MEDIUMThe Windows Remote Management (WinRM) service must not store RunAs credentials.V-73605MEDIUMThe DoD Root CA certificates must be installed in the Trusted Root Store.V-73605MEDIUMThe DoD Root CA certificates must be installed in the Trusted Root Store.V-73607MEDIUMThe DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.V-73607MEDIUMThe DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.V-73609MEDIUMThe US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.V-73609MEDIUMThe US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.V-73611MEDIUMDomain controllers must have a PKI server certificate.V-73611MEDIUMDomain controllers must have a PKI server certificate.V-73613HIGHDomain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).V-73613HIGHDomain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).V-73615HIGHPKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).V-73615HIGHPKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate 
Authority (ECA).V-73617MEDIUMActive Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.V-73617MEDIUMActive Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.V-73621HIGHLocal accounts with blank passwords must be restricted to prevent access from the network.V-73621HIGHLocal accounts with blank passwords must be restricted to prevent access from the network.V-73623MEDIUMWindows Server 2016 built-in administrator account must be renamed.V-73623MEDIUMWindows Server 2016 built-in administrator account must be renamed.V-73625MEDIUMWindows Server 2016 built-in guest account must be renamed.V-73625MEDIUMWindows Server 2016 built-in guest account must be renamed.V-73627MEDIUMAudit policy using subcategories must be enabled.V-73627MEDIUMAudit policy using subcategories must be enabled.V-73629MEDIUMDomain controllers must require LDAP access signing.V-73629MEDIUMDomain controllers must require LDAP access signing.V-73631MEDIUMDomain controllers must be configured to allow reset of machine account passwords.V-73631MEDIUMDomain controllers must be configured to allow reset of machine account passwords.V-73633MEDIUMThe setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.V-73633MEDIUMThe setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.V-73635MEDIUMThe setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.V-73635MEDIUMThe setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.V-73637MEDIUMThe 
setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.V-73637MEDIUMThe setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.V-73639MEDIUMThe computer account password must not be prevented from being reset.V-73639MEDIUMThe computer account password must not be prevented from being reset.V-73641MEDIUMThe maximum age for machine account passwords must be configured to 30 days or less.V-73641MEDIUMThe maximum age for machine account passwords must be configured to 30 days or less.V-73643MEDIUMWindows Server 2016 must be configured to require a strong session key.V-73643MEDIUMWindows Server 2016 must be configured to require a strong session key.V-73645MEDIUMThe machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.V-73645MEDIUMThe machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.V-73647MEDIUMThe required legal notice must be configured to display before console logon.V-73647MEDIUMThe required legal notice must be configured to display before console logon.V-73649LOWThe Windows dialog box title for the legal banner must be configured with the appropriate text.V-73649LOWThe Windows dialog box title for the legal banner must be configured with the appropriate text.V-73651MEDIUMCaching of logon credentials must be limited.V-73651MEDIUMCaching of logon credentials must be limited.V-73653MEDIUMThe setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.V-73653MEDIUMThe setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.V-73655MEDIUMThe setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.V-73655MEDIUMThe setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to 
Enabled.V-73657MEDIUMUnencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.V-73657MEDIUMUnencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.V-73661MEDIUMThe setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.V-73661MEDIUMThe setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.V-73663MEDIUMThe setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.V-73663MEDIUMThe setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.V-73665HIGHAnonymous SID/Name translation must not be allowed.V-73665HIGHAnonymous SID/Name translation must not be allowed.V-73667HIGHAnonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.V-73667HIGHAnonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.V-73669HIGHAnonymous enumeration of shares must not be allowed.V-73669HIGHAnonymous enumeration of shares must not be allowed.V-73673MEDIUMWindows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.V-73673MEDIUMWindows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.V-73675HIGHAnonymous access to Named Pipes and Shares must be restricted.V-73675HIGHAnonymous access to Named Pipes and Shares must be restricted.V-73677MEDIUMRemote calls to the Security Account Manager (SAM) must be restricted to Administrators.V-73677MEDIUMRemote calls to the Security Account Manager (SAM) must be restricted to Administrators.V-73679MEDIUMServices using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.V-73679MEDIUMServices using Local System that use Negotiate 
when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.V-73681MEDIUMNTLM must be prevented from falling back to a Null session.V-73681MEDIUMNTLM must be prevented from falling back to a Null session.V-73683MEDIUMPKU2U authentication using online identities must be prevented.V-73683MEDIUMPKU2U authentication using online identities must be prevented.V-73685MEDIUMKerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.V-73685MEDIUMKerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.V-73687HIGHWindows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.V-73687HIGHWindows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.V-73691HIGHThe LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.V-73691HIGHThe LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.V-73693MEDIUMWindows Server 2016 must be configured to at least negotiate signing for LDAP client signing.V-73693MEDIUMWindows Server 2016 must be configured to at least negotiate signing for LDAP client signing.V-73695MEDIUMSession security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.V-73695MEDIUMSession security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.V-73697MEDIUMSession security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.V-73697MEDIUMSession security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.V-73699MEDIUMUsers must be required to enter a password to access private keys stored on the computer.V-73699MEDIUMUsers must be required to enter a password to access private 
keys stored on the computer.V-73701MEDIUMWindows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.V-73701MEDIUMWindows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.V-73705LOWThe default permissions of global system objects must be strengthened.V-73705LOWThe default permissions of global system objects must be strengthened.V-73707MEDIUMUser Account Control approval mode for the built-in Administrator must be enabled.V-73707MEDIUMUser Account Control approval mode for the built-in Administrator must be enabled.V-73709MEDIUMUIAccess applications must not be allowed to prompt for elevation without using the secure desktop.V-73709MEDIUMUIAccess applications must not be allowed to prompt for elevation without using the secure desktop.V-73711MEDIUMUser Account Control must, at a minimum, prompt administrators for consent on the secure desktop.V-73711MEDIUMUser Account Control must, at a minimum, prompt administrators for consent on the secure desktop.V-73713MEDIUMUser Account Control must automatically deny standard user requests for elevation.V-73713MEDIUMUser Account Control must automatically deny standard user requests for elevation.V-73715MEDIUMUser Account Control must be configured to detect application installations and prompt for elevation.V-73715MEDIUMUser Account Control must be configured to detect application installations and prompt for elevation.V-73717MEDIUMUser Account Control must only elevate UIAccess applications that are installed in secure locations.V-73717MEDIUMUser Account Control must only elevate UIAccess applications that are installed in secure locations.V-73719MEDIUMUser Account Control must run all administrators in Admin Approval Mode, enabling UAC.V-73719MEDIUMUser Account Control must run all administrators in Admin Approval Mode, enabling UAC.V-73721MEDIUMUser Account Control must virtualize file and registry write failures to 
per-user locations.V-73721MEDIUMUser Account Control must virtualize file and registry write failures to per-user locations.V-73727MEDIUMZone information must be preserved when saving attachments.V-73727MEDIUMZone information must be preserved when saving attachments.V-73729MEDIUMThe Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.V-73729MEDIUMThe Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.V-73731MEDIUMThe Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.V-73731MEDIUMThe Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.V-73733MEDIUMThe Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.V-73733MEDIUMThe Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.V-73735HIGHThe Act as part of the operating system user right must not be assigned to any groups or accounts.V-73735HIGHThe Act as part of the operating system user right must not be assigned to any groups or accounts.V-73737MEDIUMThe Add workstations to domain user right must only be assigned to the Administrators group.V-73737MEDIUMThe Add workstations to domain user right must only be assigned to the Administrators group.V-73739MEDIUMThe Allow log on locally user right must only be assigned to the Administrators group.V-73739MEDIUMThe Allow log on locally user right must only be assigned to the Administrators group.V-73741MEDIUMThe Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.V-73741MEDIUMThe Allow log on 
through Remote Desktop Services user right must only be assigned to the Administrators group.V-73743MEDIUMThe Back up files and directories user right must only be assigned to the Administrators group.V-73743MEDIUMThe Back up files and directories user right must only be assigned to the Administrators group.V-73745MEDIUMThe Create a pagefile user right must only be assigned to the Administrators group.V-73745MEDIUMThe Create a pagefile user right must only be assigned to the Administrators group.V-73747HIGHThe Create a token object user right must not be assigned to any groups or accounts.V-73747HIGHThe Create a token object user right must not be assigned to any groups or accounts.V-73749MEDIUMThe Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.V-73749MEDIUMThe Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.V-73751MEDIUMThe Create permanent shared objects user right must not be assigned to any groups or accounts.V-73751MEDIUMThe Create permanent shared objects user right must not be assigned to any groups or accounts.V-73753MEDIUMThe Create symbolic links user right must only be assigned to the Administrators group.V-73753MEDIUMThe Create symbolic links user right must only be assigned to the Administrators group.V-73755HIGHThe Debug programs user right must only be assigned to the Administrators group.V-73755HIGHThe Debug programs user right must only be assigned to the Administrators group.V-73757MEDIUMThe Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.V-73757MEDIUMThe Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.V-73759MEDIUMThe Deny access to this computer from the network user right on member servers must be configured to prevent access from highly 
privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.V-73759MEDIUMThe Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.V-73761MEDIUMThe Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.V-73761MEDIUMThe Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.V-73763MEDIUMThe Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.V-73763MEDIUMThe Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.V-73765MEDIUMThe Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.V-73765MEDIUMThe Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.V-73767MEDIUMThe Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.V-73767MEDIUMThe Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. 
No other groups or accounts must be assigned this right.V-73769MEDIUMThe Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.V-73769MEDIUMThe Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.V-73771MEDIUMThe Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.V-73771MEDIUMThe Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.V-73773MEDIUMThe Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.V-73773MEDIUMThe Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.V-73775MEDIUMThe Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.V-73775MEDIUMThe Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.V-73777MEDIUMThe Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.V-73777MEDIUMThe Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.V-73779MEDIUMThe Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member 
servers.V-73779MEDIUMThe Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers.V-73781MEDIUMThe Force shutdown from a remote system user right must only be assigned to the Administrators group.V-73781MEDIUMThe Force shutdown from a remote system user right must only be assigned to the Administrators group.V-73783MEDIUMThe Generate security audits user right must only be assigned to Local Service and Network Service.V-73783MEDIUMThe Generate security audits user right must only be assigned to Local Service and Network Service.V-73785MEDIUMThe Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.V-73785MEDIUMThe Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.V-73787MEDIUMThe Increase scheduling priority user right must only be assigned to the Administrators group.V-73787MEDIUMThe Increase scheduling priority user right must only be assigned to the Administrators group.V-73789MEDIUMThe Load and unload device drivers user right must only be assigned to the Administrators group.V-73789MEDIUMThe Load and unload device drivers user right must only be assigned to the Administrators group.V-73791MEDIUMThe Lock pages in memory user right must not be assigned to any groups or accounts.V-73791MEDIUMThe Lock pages in memory user right must not be assigned to any groups or accounts.V-73793MEDIUMThe Manage auditing and security log user right must only be assigned to the Administrators group.V-73793MEDIUMThe Manage auditing and security log user right must only be assigned to the Administrators group.V-73795MEDIUMThe Modify firmware environment values user right must only be assigned to the Administrators group.V-73795MEDIUMThe Modify firmware environment values user right must only be assigned to the Administrators 
group.V-73797MEDIUMThe Perform volume maintenance tasks user right must only be assigned to the Administrators group.V-73797MEDIUMThe Perform volume maintenance tasks user right must only be assigned to the Administrators group.V-73799MEDIUMThe Profile single process user right must only be assigned to the Administrators group.V-73799MEDIUMThe Profile single process user right must only be assigned to the Administrators group.V-73801MEDIUMThe Restore files and directories user right must only be assigned to the Administrators group.V-73801MEDIUMThe Restore files and directories user right must only be assigned to the Administrators group.V-73803MEDIUMThe Take ownership of files or other objects user right must only be assigned to the Administrators group.V-73803MEDIUMThe Take ownership of files or other objects user right must only be assigned to the Administrators group.V-73807MEDIUMThe Smart Card removal option must be configured to Force Logoff or Lock Workstation.V-73807MEDIUMThe Smart Card removal option must be configured to Force Logoff or Lock Workstation.V-73809MEDIUMWindows Server 2016 built-in guest account must be disabled.V-73809MEDIUMWindows Server 2016 built-in guest account must be disabled.V-78123MEDIUMThe Server Message Block (SMB) v1 protocol must be disabled on the SMB server.V-78123MEDIUMThe Server Message Block (SMB) v1 protocol must be disabled on the SMB server.V-78125MEDIUMThe Server Message Block (SMB) v1 protocol must be disabled on the SMB client.V-78125MEDIUMThe Server Message Block (SMB) v1 protocol must be disabled on the SMB client.V-78127MEDIUMOrphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.V-78127MEDIUMOrphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.V-90355LOWSecure Boot must be enabled on Windows Server 2016 systems.V-90355LOWSecure Boot must be enabled on Windows Server 2016 systems.V-90357LOWWindows 2016 systems must have Unified Extensible Firmware 
Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.V-90357LOWWindows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.V-90359MEDIUMWindows 2016 must be configured to audit Object Access - Other Object Access Events successes.V-90359MEDIUMWindows 2016 must be configured to audit Object Access - Other Object Access Events successes.V-90361MEDIUMWindows 2016 must be configured to audit Object Access - Other Object Access Events failures.V-90361MEDIUMWindows 2016 must be configured to audit Object Access - Other Object Access Events failures.V-91779MEDIUMThe password for the krbtgt account on a domain must be reset at least every 180 days.V-91779MEDIUMThe password for the krbtgt account on a domain must be reset at least every 180 days.