STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 5 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Windows Server 2019 Security Technical Implementation Guide

Archived

Version

V1R3

Release Date

Jan 24, 2020

SCAP Benchmark ID

S-07d10092416f6cab42a71ef50b3d40d94f8dedce

Total Checks

303

Tags

windows

CAT I: 33CAT II: 256CAT III: 14

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON

Checks (303)

V-92961MEDIUMWindows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.V-92963MEDIUMWindows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.V-92965MEDIUMWindows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.V-92967MEDIUMWindows Server 2019 must be configured to audit logon successes.V-92969MEDIUMWindows Server 2019 must be configured to audit logon failures.V-92971MEDIUMWindows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.V-92973MEDIUMWindows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.V-92975MEDIUMWindows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.V-92977MEDIUMWindows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.V-92979MEDIUMWindows Server 2019 must be configured to audit Account Management - Security Group Management successes.V-92981MEDIUMWindows Server 2019 must be configured to audit Account Management - User Account Management successes.V-92983MEDIUMWindows Server 2019 must be configured to audit Account Management - User Account Management failures.V-92985MEDIUMWindows Server 2019 must be configured to audit Account Management - Computer Account Management successes.V-92987MEDIUMWindows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes.V-92989MEDIUMWindows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.V-92991HIGHWindows Server 2019 local volumes must use a format that supports NTFS attributes.V-92993LOWWindows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares.V-92995MEDIUMWindows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.V-92997MEDIUMWindows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.V-92999MEDIUMWindows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.V-93001MEDIUMWindows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.V-93003MEDIUMWindows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.V-93005MEDIUMWindows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.V-93007MEDIUMWindows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems.V-93009MEDIUMWindows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.V-93011MEDIUMWindows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.V-93013MEDIUMWindows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.V-93015MEDIUMWindows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.V-93017MEDIUMWindows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.V-93019MEDIUMWindows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.V-93021MEDIUMWindows Server 2019 permissions for program file directories must conform to minimum requirements.V-93023MEDIUMWindows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.V-93025MEDIUMWindows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.V-93027HIGHWindows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system.V-93029HIGHWindows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.V-93031HIGHWindows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.V-93033HIGHWindows Server 2019 Active Directory Group Policy objects must have proper access control permissions.V-93035HIGHWindows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.V-93037HIGHWindows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.V-93039MEDIUMWindows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.V-93041MEDIUMWindows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.V-93043HIGHWindows Server 2019 must only allow administrators responsible for the member server or standalone system to have Administrator rights on the system.V-93045MEDIUMWindows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems.V-93047MEDIUMWindows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems.V-93049MEDIUMWindows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.V-93051HIGHWindows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.V-93053MEDIUMWindows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.V-93055MEDIUMWindows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.V-93057HIGHWindows Server 2019 Create a token object user right must not be assigned to any groups or accounts.V-93059MEDIUMWindows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.V-93061MEDIUMWindows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.V-93063MEDIUMWindows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.V-93065HIGHWindows Server 2019 Debug programs: user right must only be assigned to the Administrators group.V-93067MEDIUMWindows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.V-93069MEDIUMWindows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.V-93071MEDIUMWindows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.V-93073MEDIUMWindows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.V-93075MEDIUMWindows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.V-93077MEDIUMWindows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.V-93079MEDIUMWindows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.V-93081MEDIUMWindows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.V-93083MEDIUMWindows Server 2019 Profile single process user right must only be assigned to the Administrators group.V-93085MEDIUMWindows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.V-93087MEDIUMWindows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.V-93089MEDIUMWindows Server 2019 must be configured to audit Account Management - Other Account Management Events successes.V-93091MEDIUMWindows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes.V-93093MEDIUMWindows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes.V-93095MEDIUMWindows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures.V-93097MEDIUMWindows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes.V-93099MEDIUMWindows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes.V-93101MEDIUMWindows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes.V-93103MEDIUMWindows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures.V-93105MEDIUMWindows Server 2019 must be configured to audit System - IPsec Driver successes.V-93107MEDIUMWindows Server 2019 must be configured to audit System - IPsec Driver failures.V-93109MEDIUMWindows Server 2019 must be configured to audit System - Other System Events successes.V-93111MEDIUMWindows Server 2019 must be configured to audit System - Other System Events failures.V-93113MEDIUMWindows Server 2019 must be configured to audit System - Security State Change successes.V-93115MEDIUMWindows Server 2019 must be configured to audit System - Security System Extension successes.V-93117MEDIUMWindows Server 2019 must be configured to audit System - System Integrity successes.V-93119MEDIUMWindows Server 2019 must be configured to audit System - System Integrity failures.V-93121MEDIUMWindows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings.V-93123MEDIUMWindows Server 2019 Active Directory Domain object must be configured with proper audit settings.V-93125MEDIUMWindows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings.V-93127MEDIUMWindows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.V-93129MEDIUMWindows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings.V-93131MEDIUMWindows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings.V-93133MEDIUMWindows Server 2019 must be configured to audit DS Access - Directory Service Access successes.V-93135MEDIUMWindows Server 2019 must be configured to audit DS Access - Directory Service Access failures.V-93137MEDIUMWindows Server 2019 must be configured to audit DS Access - Directory Service Changes successes.V-93139MEDIUMWindows Server 2019 must be configured to audit DS Access - Directory Service Changes failures.V-93141MEDIUMWindows Server 2019 must have the number of allowed bad logon attempts configured to three or less.V-93143MEDIUMWindows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.V-93145MEDIUMWindows Server 2019 account lockout duration must be configured to 15 minutes or greater.V-93147MEDIUMWindows Server 2019 required legal notice must be configured to display before console logon.V-93149LOWWindows Server 2019 title for legal banner dialog box must be configured with the appropriate text.V-93151MEDIUMWindows Server 2019 must force audit policy subcategory settings to override audit policy category settings.V-93153MEDIUMWindows Server 2019 must be configured to audit Account Logon - Credential Validation successes.V-93155MEDIUMWindows Server 2019 must be configured to audit Account Logon - Credential Validation failures.V-93157MEDIUMWindows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes.V-93159MEDIUMWindows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes.V-93161MEDIUMWindows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes.V-93163MEDIUMWindows Server 2019 must be configured to audit Object Access - Other Object Access Events successes.V-93165MEDIUMWindows Server 2019 must be configured to audit Object Access - Other Object Access Events failures.V-93167MEDIUMWindows Server 2019 must be configured to audit Object Access - Removable Storage successes.V-93169MEDIUMWindows Server 2019 must be configured to audit Object Access - Removable Storage failures.V-93171MEDIUMWindows Server 2019 must be configured to audit logoff successes.V-93173MEDIUMWindows Server 2019 command line data must be included in process creation events.V-93175MEDIUMWindows Server 2019 PowerShell script block logging must be enabled.V-93177MEDIUMWindows Server 2019 Application event log size must be configured to 32768 KB or greater.V-93179MEDIUMWindows Server 2019 Security event log size must be configured to 196608 KB or greater.V-93181MEDIUMWindows Server 2019 System event log size must be configured to 32768 KB or greater.V-93183MEDIUMWindows Server 2019 audit records must be backed up to a different system or media than the system being audited.V-93185MEDIUMWindows Server 2019 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.V-93187LOWThe Windows Server 2019 time service must synchronize with an appropriate DoD time source.V-93189MEDIUMWindows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.V-93191MEDIUMWindows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.V-93193MEDIUMWindows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.V-93195MEDIUMWindows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.V-93197MEDIUMWindows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.V-93199MEDIUMWindows Server 2019 must prevent users from changing installation options.V-93201HIGHWindows Server 2019 must disable the Windows Installer Always install with elevated privileges option.V-93203MEDIUMWindows Server 2019 system files must be monitored for unauthorized changes.V-93205HIGHWindows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.V-93207MEDIUMWindows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.V-93209MEDIUMWindows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.V-93211MEDIUMThe password for the krbtgt account on a domain must be reset at least every 180 days.V-93213MEDIUMWindows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.V-93215HIGHWindows Server 2019 must be maintained at a supported servicing level.V-93217HIGHWindows Server 2019 must use an anti-virus program.V-93219MEDIUMWindows Server 2019 must have a host-based intrusion detection or prevention system.V-93221MEDIUMWindows Server 2019 must have software certificate installation files removed.V-93223MEDIUMWindows Server 2019 FTP servers must be configured to prevent anonymous logons.V-93225MEDIUMWindows Server 2019 FTP servers must be configured to prevent access to the system drive.V-93227MEDIUMWindows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.V-93229LOWWindows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.V-93231LOWWindows Server 2019 must have Secure Boot enabled.V-93233LOWWindows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.V-93235LOWWindows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.V-93237LOWWindows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.V-93239MEDIUMWindows Server 2019 insecure logons to an SMB server must be disabled.V-93241MEDIUMWindows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.V-93243MEDIUMWindows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.V-93245MEDIUMWindows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.V-93249MEDIUMWindows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.V-93251MEDIUMWindows Server 2019 group policy objects must be reprocessed even if they have not changed.V-93253MEDIUMWindows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).V-93255MEDIUMWindows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).V-93257MEDIUMWindows Server 2019 Telemetry must be configured to Security or Basic.V-93259LOWWindows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.V-93261LOWWindows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.V-93263MEDIUMWindows Server 2019 File Explorer shell protocol must run in protected mode.V-93265MEDIUMWindows Server 2019 must prevent attachments from being downloaded from RSS feeds.V-93267MEDIUMWindows Server 2019 users must be notified if a web-based program attempts to install software.V-93269MEDIUMWindows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.V-93271HIGHWindows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.V-93273MEDIUMWindows Server 2019 domain controllers must be configured to allow reset of machine account passwords.V-93275MEDIUMWindows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.V-93277HIGHWindows Server 2019 must be running Credential Guard on domain-joined member servers.V-93279HIGHWindows Server 2019 must prevent local accounts with blank passwords from being used from the network.V-93281MEDIUMWindows Server 2019 built-in administrator account must be renamed.V-93283MEDIUMWindows Server 2019 built-in guest account must be renamed.V-93285MEDIUMWindows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.V-93287MEDIUMWindows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.V-93289HIGHWindows Server 2019 must not allow anonymous SID/Name translation.V-93291HIGHWindows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.V-93293MEDIUMWindows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.V-93295MEDIUMWindows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.V-93297MEDIUMWindows Server 2019 must prevent NTLM from falling back to a Null session.V-93299MEDIUMWindows Server 2019 must prevent PKU2U authentication using online identities.V-93301HIGHWindows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.V-93303MEDIUMWindows Server 2019 must be configured to at least negotiate signing for LDAP client signing.V-93305MEDIUMWindows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.V-93307MEDIUMWindows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.V-93309LOWWindows Server 2019 default permissions of global system objects must be strengthened.V-93311MEDIUMWindows Server 2019 must preserve zone information when saving attachments.V-93313MEDIUMWindows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.V-93315MEDIUMWindows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.V-93317MEDIUMWindows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.V-93319MEDIUMWindows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on.V-93321MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe.V-93323MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe.V-93325MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for chrome.exe.V-93327MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE.V-93329MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for firefox.exe.V-93331MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE.V-93333MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE.V-93335MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe.V-93337MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE.V-93339MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe.V-93341MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for lync.exe.V-93343MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE.V-93345MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE.V-93347MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE.V-93349MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe.V-93351MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE.V-93353MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe.V-93355MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE.V-93357MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE.V-93359MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE.V-93361MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE.V-93363MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE.V-93365MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe.V-93367MEDIUMWindows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe.V-93369HIGHWindows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.V-93373HIGHWindows Server 2019 Autoplay must be turned off for non-volume devices.V-93375HIGHWindows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.V-93377HIGHWindows Server 2019 AutoPlay must be disabled for all drives.V-93379MEDIUMWindows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.V-93381MEDIUMWindows Server 2019 must have the roles and features required by the system documented.V-93383MEDIUMWindows Server 2019 must not have the Fax Server role installed.V-93385MEDIUMWindows Server 2019 must not have the Peer Name Resolution Protocol installed.V-93387MEDIUMWindows Server 2019 must not have Simple TCP/IP Services installed.V-93389MEDIUMWindows Server 2019 must not have the TFTP Client installed.V-93391MEDIUMWindows Server 2019 must not the Server Message Block (SMB) v1 protocol installed.V-93393MEDIUMWindows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.V-93395MEDIUMWindows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.V-93397MEDIUMWindows Server 2019 must not have Windows PowerShell 2.0 installed.V-93399MEDIUMWindows Server 2019 must prevent the display of slide shows on the lock screen.V-93401MEDIUMWindows Server 2019 must have WDigest Authentication disabled.V-93403MEDIUMWindows Server 2019 downloading print driver packages over HTTP must be turned off.V-93405MEDIUMWindows Server 2019 printing over HTTP must be turned off.V-93407MEDIUMWindows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.V-93409LOWWindows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.V-93411MEDIUMWindows Server 2019 Windows Defender SmartScreen must be enabled.V-93413MEDIUMWindows Server 2019 must disable Basic authentication for RSS feeds over HTTP.V-93415MEDIUMWindows Server 2019 must prevent Indexing of encrypted files.V-93417MEDIUMWindows Server 2019 domain controllers must run on a machine dedicated to that function.V-93419MEDIUMWindows Server 2019 local users on domain-joined member servers must not be enumerated.V-93421MEDIUMWindows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.V-93423MEDIUMWindows Server 2019 must not have the Telnet Client installed.V-93425MEDIUMWindows Server 2019 must not save passwords in the Remote Desktop Client.V-93427MEDIUMWindows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.V-93429MEDIUMWindows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.V-93431MEDIUMWindows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.V-93433MEDIUMWindows Server 2019 User Account Control must automatically deny standard user requests for elevation.V-93435MEDIUMWindows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.V-93437MEDIUMWindows Server 2019 shared user accounts must not be permitted.V-93439MEDIUMWindows Server 2019 accounts must require passwords.V-93441MEDIUMWindows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.V-93443MEDIUMWindows Server 2019 Kerberos user logon restrictions must be enforced.V-93445MEDIUMWindows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.V-93447MEDIUMWindows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.V-93449MEDIUMWindows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.V-93451MEDIUMWindows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.V-93453MEDIUMWindows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems.V-93455MEDIUMWindows Server 2019 computer account password must not be prevented from being reset.V-93457MEDIUMWindows Server 2019 outdated or unused accounts must be removed or disabled.V-93459MEDIUMWindows Server 2019 must have the built-in Windows password complexity policy enabled.V-93461MEDIUMWindows Server 2019 manually managed application account passwords must be at least 15 characters in length.V-93463MEDIUMWindows Server 2019 minimum password length must be configured to 14 characters.V-93465HIGHWindows Server 2019 reversible password encryption must be disabled.V-93467HIGHWindows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.V-93469MEDIUMWindows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.V-93471MEDIUMWindows Server 2019 minimum password age must be configured to at least one day.V-93473MEDIUMWindows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.V-93475MEDIUMWindows Server 2019 passwords must be configured to expire.V-93477MEDIUMWindows Server 2019 maximum password age must be configured to 60 days or less.V-93479MEDIUMWindows Server 2019 password history must be configured to 24 passwords remembered.V-93481MEDIUMWindows Server 2019 domain controllers must have a PKI server certificate.V-93483HIGHWindows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).V-93485HIGHWindows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).V-93487MEDIUMWindows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.V-93489MEDIUMWindows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.V-93491MEDIUMWindows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.V-93493MEDIUMWindows Server 2019 users must be required to enter a password to access private keys stored on the computer.V-93495MEDIUMWindows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.V-93497MEDIUMWindows Server 2019 must have the built-in guest account disabled.V-93499MEDIUMWindows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.V-93501MEDIUMWindows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.V-93503HIGHWindows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.V-93505MEDIUMWindows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.V-93507HIGHWindows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.V-93509LOWWindows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.V-93511MEDIUMWindows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.V-93513MEDIUMWindows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.V-93515MEDIUMWindows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.V-93517MEDIUMWindows Server 2019 administrator accounts must not be enumerated during elevation.V-93519MEDIUMWindows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.V-93521MEDIUMWindows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.V-93523MEDIUMWindows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.V-93525MEDIUMWindows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.V-93527MEDIUMWindows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.V-93529MEDIUMWindows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.V-93531MEDIUMWindows Server 2019 non-system-created file shares must limit access to groups that require it.V-93533MEDIUMWindows Server 2019 Remote Desktop Services must prevent drive redirection.V-93535MEDIUMWindows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.V-93537HIGHWindows Server 2019 must not allow anonymous enumeration of shares.V-93539HIGHWindows Server 2019 must restrict anonymous access to Named Pipes and Shares.V-93541LOWWindows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.V-93543MEDIUMWindows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.V-93545MEDIUMWindows Server 2019 domain controllers must require LDAP access signing.V-93547MEDIUMWindows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.V-93549MEDIUMWindows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.V-93551MEDIUMWindows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.V-93553MEDIUMWindows Server 2019 must be configured to require a strong session key.V-93555MEDIUMWindows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.V-93557MEDIUMWindows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.V-93559MEDIUMWindows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.V-93561MEDIUMWindows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.V-93563MEDIUMWindows Server 2019 Explorer Data Execution Prevention must be enabled.V-93565MEDIUMWindows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.V-93567MEDIUMWindows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).V-93571MEDIUMWindows Server 2019 must have a host-based firewall installed and enabled.