Windows 7 security checklist (DoD)

The "Replace a process level token" user right allows one process or service to start

V Medium: Unauthorized accounts must not have the Profile system performance user right. Accounts with the "Profile system performance" user right can monitor system processes

V Medium: The required legal notice must be configured to display before console logon. Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.

V Medium: The Deny log on as a batch job user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. The "Deny log on as a batch job" right defines accounts that are prevented from

V Medium: Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions

V Medium: Unauthorized accounts must not have the Restore files and directories user right. Accounts with the "Restore files and directories" user right can circumvent file and

V Medium: Outgoing secure channel traffic is not signed when possible. Requests sent on the secure channel are authenticated, and sensitive information such as passwords is encrypted, but the channel is not integrity checked. If this policy is enabled, all

V Medium: Outgoing secure channel traffic is not encrypted when possible. Requests sent on the secure channel are authenticated and sensitive information such as passwords is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure

V Medium: The system must be configured to prevent unsolicited remote assistance offers. Remote assistance allows another user to view or take control of the local session of a user. Unsolicited remote assistance is help that is offered by the remote user. This may allow

V Medium: Unauthorized accounts must not have the Access Credential Manager as a trusted caller user right. Accounts with the "Access Credential Manager as a trusted caller" user right may be

The default search behavior, when an application calls a function in a Dynamic Link Library (DLL), is to search the current directory followed by the directories contained in the system's path

This check verifies that non-UAC-compliant applications will run in virtualized file and registry entries in per-user locations, allowing them to run.

V Medium: The System event log must be configured to a minimum size requirement. Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.

V Medium: The Setup event log must be configured to a minimum size requirement.

V Medium: Disable the Responder network protocol driver. This check verifies that the Responder network protocol driver is disabled.

V Medium: For systems utilizing a logon ID as the individual identifier, passwords must be a minimum of 14 characters in length. Information systems not protected with strong password schemes, including passwords of minimum length, provide the opportunity for anyone to crack the password, thus gaining access to the system

V Medium: Outgoing secure channel traffic is not encrypted or signed. Requests sent on the secure channel are authenticated, and sensitive information such as passwords is encrypted, but not all information is encrypted.

This check verifies that the system is configured to prevent users from sharing the local drives on their client computers to Remote Session Hosts that they access.

V Medium: Windows is prevented from using Windows Update to search for drivers. This check verifies that the system is configured to prevent Windows from searching Windows Update for device drivers when no local drivers for a device are present.

This check verifies that the system is configured to prevent the computer from downloading print driver packages over HTTP.

V Medium: The built-in Windows password complexity policy must be enabled. The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least 3 of the 4 types of characters

V Medium: The system must be configured to require case insensitivity for non-Windows subsystems. This setting controls the behavior of non-Windows subsystems when dealing with the case of arguments or commands. Case sensitivity could lead to the access of files or commands that must be

V Medium: Hide mechanism for removing zone information from file attachments. This check verifies that users cannot manually remove zone information from saved file attachments.

Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.

V Medium: Windows 7 account lockout duration must be configured to 15 minutes or greater. The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified

V Medium: The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 7. This parameter specifies the period of time that must pass after failed logon attempts before the

V Medium: Reversible password encryption must be disabled. Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy must never be enabled.

V Medium: The system must lock out accounts after 3 invalid logon attempts within a specified time period. The higher this value is, the less effective the account lockout feature will be in protecting the

V Medium: A host-based firewall must be installed and enabled on the system. A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.

V Medium: The system is configured to permit storage of passwords and credentials. This setting controls the storage of passwords and credentials for network authentication on the local system. Such credentials should never be stored on the local machine as that may lead to

V Medium: The system is not configured to require a strong session key. This setting controls the requirement that strong session keys be used between systems.

V Medium: Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabled, filtering the privileged token for local

V Medium: Booting into alternate operating systems is permitted. Allowing other operating systems to run on a secure system can allow users to circumvent security. If more than one operating system is installed on a computer, each must be configured to be

V Medium: The system is not configured to use the Classic security model. Windows includes two network-sharing security models: Classic and Guest only. With the Classic model, local accounts must be password protected; otherwise, anyone can use guest user accounts to

Removable hard drives can be formatted and ejected by others who are not members of the Administrators group if they are not properly configured. Formatting and ejecting removable NTFS media

Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds.

V Medium: Shell protocol runs in protected mode. This check verifies that the shell protocol is run in protected mode. This allows applications to only open limited folders.

V Medium: Automatic logons must be disabled. Allowing a system to automatically log on when the machine is booted could give access to any unauthorized individual who restarts the computer. Automatic logon with administrator privileges

Some non-Microsoft SMB servers only support unencrypted plain text password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the

V Medium: Prevent users from changing Windows installer options. This check verifies that users are prevented from changing installation options.

V Medium: Notify antivirus when file attachments are opened. This check verifies that antivirus programs are notified when a user opens a file attachment.

V Medium: Application account passwords must meet DoD requirements for length, complexity and changes. Setting application accounts to expire may cause applications to stop functioning. The site will have a policy that application account passwords are changed at least annually or when a system

V Medium: Bluetooth must be turned off when not in use. If not configured properly, Bluetooth may allow rogue devices to communicate with a system. If a rogue device is paired with a system, there is potential for sensitive information to be compromised.

V Medium: Remote Desktop Services is not configured to always prompt a client for passwords upon connection. This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in

V Medium: Remote Desktop Services is not configured to delete temporary folders. This setting controls the deletion of the temporary folders when the session is terminated. Temporary folders should always be deleted after a session is over to prevent hard disk clutter and

V Medium: Remote Desktop Services must be configured to use session-specific temporary folders. If a communal temporary folder is used for remote desktop sessions, it might be possible for users to access other users' temporary folders. If this setting is enabled, only one temporary folder

V Medium: Remote Desktop Services is not configured with the client connection encryption set to the required level. Remote connections must be encrypted to prevent interception of data or sensitive information.

V Medium: Inbound exceptions to the firewall on domain workstations must only allow authorized management systems and remote management hosts. Allowing inbound access to domain workstations from other systems may allow lateral movement across systems if credentials are compromised. Limiting inbound connections only from authorized

This check verifies that SpyNet membership is disabled.

V Medium: Permissions for system files and directories must conform to minimum requirements. Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.

V Medium: Unauthorized accounts must not have the Back up files and directories user right. Accounts with the "Back up files and directories" user right can circumvent file and

This check verifies that unhandled file associations will not use the Microsoft Web service to find an application.

This check verifies that the elevation prompt is only used in secure desktop mode.

This check verifies that UAC has not been disabled.

V Medium: Bluetooth must be turned off unless approved by the organization.

This check verifies that the system is configured to prevent users from saving passwords in the Remote Desktop Client.

Allowing a remote desktop session to a workstation enables another avenue of access that could be exploited. The system must be configured to prevent users from connecting to a computer using

V Medium: The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of

V Medium: The built-in administrator account must be renamed. The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.

V Medium: The system is configured to give anonymous users Everyone rights. This setting helps define the permissions that anonymous users have. If this setting is enabled, then anonymous users have the same rights and permissions as the built-in Everyone group.

V Medium: System mechanisms must be implemented to enforce automatic expiration of passwords. Passwords that do not expire increase exposure with a greater probability of being discovered or cracked.

V Medium: The built-in guest account must be renamed. The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized

V Medium: Media Player must be configured to prevent automatic checking for updates. Uncontrolled system updates can introduce issues to a system. The automatic check for updates performed by Windows Media Player must be disabled to ensure a constant platform and to prevent the

V Medium: The system must be configured with a password-protected screen saver. Unattended systems are susceptible to unauthorized use and must be locked when unattended. Enabling a password-protected screen saver to engage after a specified period of time helps protect

This check verifies the Network Bridge cannot be installed and configured.

V Medium: Audit of backup and restore privileges is not turned off. This policy setting stops the system from generating audit events for every file backed up or restored, which could fill the security log in Windows.

V Medium: Prevent the system from joining a homegroup. This setting will prevent a system from being joined to a homegroup. Homegroups are a method of sharing data and printers on a home network.

V Medium: Turn off autoplay for non-volume devices.

V Medium: Web publishing and online ordering wizards prevented from downloading list of providers. This check verifies that the system is configured to prevent Windows from downloading a list of providers for the Web publishing and online ordering wizards.

V Medium: The built-in guest account must be disabled. A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted.

This check verifies that the system is configured to restrict unauthenticated RPC clients from connecting to the RPC server.

V Medium: WDigest Authentication must be disabled. This setting will prevent

V Medium: Security-related software patches are not applied. Major software vendors release security patches and hot fixes to their products when security vulnerabilities are discovered. It is essential that these updates be applied in a timely manner to

To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD

The DoD root certificates will ensure that the trust

The ECA root certificates will

V Medium: IE security prompt is enabled for web-based installations. This check verifies that users are notified if a web-based program attempts to install software.

This setting prevents the system from setting up a default system access control list for certain system objects, which could create a very large number of security events, filling the security

V Medium: Group Policy objects are not reprocessed if they have not changed. Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures that the policies will be reprocessed even if none have been changed.

V Medium: Wireless network adapters must be turned off when the system is connected to a wired network. If a client device supports simultaneous use of wireless and wired connections, then this increases the probability that an adversary who can access the device using its wireless interface can

MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks, as well as not being FIPS

V Medium: Administrator passwords must be changed as required. The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Passwords for the built-in administrator account and any emergency

V Medium: The site must have a contingency for emergency administration of the system. The built-in administrator account, as a well-known account subject to attack, is disabled by default and per STIG requirements. Domain administrative accounts on domain-joined systems should

V Medium: Unauthorized accounts must not have the Lock pages in memory user right. The "Lock pages in memory" user right allows physical memory to be assigned to

V Medium: Unauthorized accounts must not have the Manage auditing and security log user right. Accounts with the "Manage auditing and security log" user right can manage the

V Medium: Unauthorized accounts must not have the Load and unload device drivers user right. The "Load and unload device drivers" user right allows device drivers to dynamically

V Medium: Unauthorized accounts must not have the Increase scheduling priority user right. Accounts with the "Increase scheduling priority" user right can change a scheduling

V Medium: Unauthorized accounts must not have the Modify firmware environment values user right. Accounts with the "Modify firmware environment values" user right can change hardware

V Medium: The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and unauthenticated access on all systems. The "Deny access to this computer from the network" right defines the accounts that

V Medium: The built-in administrator account must be disabled. It also provides no accountability to individual administrators on a system. It must be disabled to prevent its use.

V Medium: Disable remote access to the Plug and Play interface. This check verifies that remote access to the Plug and Play interface is disabled.

V Medium: Password is required on resume from sleep (plugged in). This check verifies that the user is prompted for a password on resume from sleep (plugged in).

V Medium: Password is required on resume from sleep (on battery). This check verifies that the user is prompted for a password on resume from sleep (on battery).

V Medium: Preserve zone information when saving attachments. This check verifies that file attachments are marked with their zone of origin, allowing Windows to determine risk.

V Medium: Disable Help Ratings feedback. This check verifies that users cannot provide ratings feedback to Microsoft for Help content.

V Medium: The system must notify the user when a Bluetooth device attempts to connect.

This check verifies that the Windows Help Experience Improvement Program is disabled to prevent information from being passed to the vendor.

This check verifies that the Windows Customer Experience Improvement Program is disabled so information is not passed to the vendor.

V Medium: The password history must be configured to 24 passwords remembered. A system is more vulnerable to unauthorized access when users can recycle the same password several times without being required to change it to a unique password on a regularly scheduled basis.

V Medium: Unauthorized accounts must not have the Modify an object label user right. Accounts with the "Modify an object label" user right can change the integrity label

V Medium: The minimum password age must be configured to at least 1 day. Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose

V Medium: The maximum password age must be configured to 60 days or less. The longer passwords are in use, the greater the opportunity for someone to gain unauthorized knowledge of them. Scheduled changing of passwords hinders the ability of unauthorized users to crack

Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously instead of using the computer identity.

V Medium: The service principal name (SPN) target name validation level must be configured to Accept if provided by client. If a service principal name (SPN) is provided by the client, it is validated against the server's list of SPNs, aiding in the prevention of spoofing.

PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.

NTLM sessions that are allowed to fall back to Null unauthenticated sessions may gain unauthorized access.

Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for Kerberos, preventing the use of the DES encryption suites.

V Medium: Unauthorized accounts must not have the Impersonate a client after authentication user right. The "Impersonate a client after authentication" user right allows a program to

V Medium: The Application event log must be configured to a minimum size requirement.

V Medium: User Account Control is configured for the appropriate elevation prompt for administrators. This setting configures the elevation requirements for logged on administrators to complete a task that requires raised privileges.

V Medium: User Account Control is configured to detect application installations. This requires Windows to respond to application installation requests by prompting for credentials.

V Medium: Unauthorized accounts must not have the Create symbolic links user right. Accounts with the "Create symbolic links" user right can create pointers to other

This check verifies that the configuration of wireless devices using Windows Connect Now is disabled.

V Medium: Unauthorized accounts must not have the Create global objects user right. Accounts with the "Create global objects" user right can create objects that are

V Medium: Unauthorized accounts must not have the Create permanent shared objects user right. Accounts with the "Create permanent shared objects" user right could expose sensitive

If RDS is used, it must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and unauthenticated access on all systems. The "Deny log on through Remote Desktop Services" right defines the accounts that are

V Medium: Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right. The "Enable computer and user accounts to be trusted for delegation" user right allows

V Medium: The Deny log on as a service user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right. The "Deny log on as a service" right defines accounts that are denied log on as a

V Medium: The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. The "Deny log on locally" right defines accounts that are prevented from logging on

Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons, including deletion of the accounts or groups. If the account or group objects are reanimated, there

V Medium: Unauthorized accounts must not have the Force shutdown from a remote system user right. Accounts with the "Force shutdown from a remote system" user right can remotely shut

V Medium: Unauthorized accounts must not have the Generate security audits user right. The "Generate security audits" user right specifies users and processes that can
