| Vulnerability ID |
Severity |
Description |
|
V-260590
|
Medium
|
Ubuntu 22.04 LTS must have the "auditd" package installed
|
|
V-260591
|
Medium
|
Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when,...
|
|
V-268555
|
High
|
The macOS system must ensure System Integrity Protection is enabled
|
|
V-268454
|
Medium
|
The macOS system must enable security auditing
|
|
V-268473
|
Medium
|
The macOS system must configure audit_control group to wheel
|
|
V-268474
|
Medium
|
The macOS system must configure audit_control owner to root
|
|
V-268475
|
Medium
|
The macOS system must configure audit_control owner to mode 440 or less permissive
|
|
V-269095
|
Medium
|
The macOS system must configure audit_control to not contain access control lists (ACLs)
|
|
V-268452
|
Medium
|
The macOS system must be configured to audit all administrative action events
|
|
V-268462
|
Medium
|
The macOS system must be configured to audit all deletions of object attributes
|
|
V-268463
|
Medium
|
The macOS system must be configured to audit all changes of object attributes
|
|
V-268464
|
Medium
|
The macOS system must be configured to audit all failed read actions on the system
|
|
V-268465
|
Medium
|
The macOS system must be configured to audit all failed write actions on the system
|
|
V-268457
|
Medium
|
The macOS system must configure audit log folders to be owned by root
|
|
V-220750
|
Medium
|
The system must be configured to audit Account Management - Security Group Management successes
|
|
V-220752
|
Medium
|
The system must be configured to audit Account Management - User Account Management successes
|
|
V-220751
|
Medium
|
The system must be configured to audit Account Management - User Account Management failures
|
|
V-268542
|
Medium
|
The macOS system must enforce smart card authentication
|
|
V-268456
|
Medium
|
The macOS system must configure audit log files to be owned by root
|
|
V-268458
|
Medium
|
The macOS system must configure the audit log files group to wheel
|
|
V-268459
|
Medium
|
The macOS system must configure the audit log folders group to wheel
|
|
V-268460
|
Medium
|
The macOS system must configure audit log files to mode 440 or less permissive
|
|
V-268461
|
Medium
|
The macOS system must configure audit log folders to mode 700 or less permissive
|
|
V-253446
|
Low
|
The Windows message title for the legal notice must be configured
|
|
V-220922
|
Low
|
The Windows dialog box title for the legal banner must be configured
|
|
V-268543
|
Medium
|
The macOS system must allow smart card authentication
|
|
V-220978
|
Medium
|
The Manage auditing and security log user right must only be assigned to the Administrators group
|
|
V-225037
|
Low
|
The Windows dialog box title for the legal banner must be configured with the appropriate text
|
|
V-260573
|
Medium
|
Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accoun...
|
|
V-224884
|
Medium
|
Windows Server 2016 must be configured to audit Account Management - Security Group Management su...
|
|
V-224885
|
Medium
|
Windows Server 2016 must be configured to audit Account Management - User Account Management succ...
|
|
V-224886
|
Medium
|
Windows Server 2016 must be configured to audit Account Management - User Account Management fail...
|
|
V-268477
|
High
|
The macOS system must disable password authentication for SSH
|
|
V-254458
|
Low
|
Windows Server 2022 title for legal banner dialog box must be configured with the appropriate text
|
|
V-205632
|
Low
|
Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text
|
|
V-224986
|
Medium
|
Windows Server 2016 must be configured to audit Account Management - Computer Account Management ...
|
|
V-254303
|
Medium
|
Windows Server 2022 must be configured to audit Account Management - Security Group Management su...
|
|
V-205625
|
Medium
|
Windows Server 2019 must be configured to audit Account Management - Security Group Management su...
|
|
V-254304
|
Medium
|
Windows Server 2022 must be configured to audit Account Management - User Account Management succ...
|
|
V-205626
|
Medium
|
Windows Server 2019 must be configured to audit Account Management - User Account Management succ...
|
|
V-254305
|
Medium
|
Windows Server 2022 must be configured to audit Account Management - User Account Management fail...
|
|
V-205627
|
Medium
|
Windows Server 2019 must be configured to audit Account Management - User Account Management fail...
|
|
V-254407
|
Medium
|
Windows Server 2022 must be configured to audit Account Management - Computer Account Management ...
|
|
V-205628
|
Medium
|
Windows Server 2019 must be configured to audit Account Management - Computer Account Management ...
|
|
V-260628
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling,...
|
|
V-260629
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling,...
|
|
V-260630
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling,...
|
|
V-260631
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling,...
|
|
V-260632
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling,...
|
|
V-220746
|
Medium
|
The built-in Microsoft password complexity filter must be enabled
|
|
V-254292
|
Medium
|
Windows Server 2022 must have the built-in Windows password complexity policy enabled
|
|
V-268485
|
Medium
|
The macOS system must disable AirDrop
|
|
V-272477
|
Medium
|
The macOS system must disable iPhone Mirroring
|
|
V-268562
|
Medium
|
The macOS system must disable Handoff
|
|
V-205652
|
Medium
|
Windows Server 2019 must have the built-in Windows password complexity policy enabled
|
|
V-268450
|
Medium
|
The macOS system must enable the time synchronization daemon
|
|
V-268556
|
High
|
The macOS system must enforce FileVault
|
|
V-225086
|
Medium
|
The Manage auditing and security log user right must only be assigned to the Administrators group
|
|
V-254507
|
Medium
|
Windows Server 2022 manage auditing and security log user right must only be assigned to the Admi...
|
|
V-205643
|
Medium
|
Windows Server 2019 Manage auditing and security log user right must only be assigned to the Admi...
|
|
V-224873
|
Medium
|
Windows Server 2016 must have the built-in Windows password complexity policy enabled
|
|
V-268471
|
Medium
|
The macOS system must set smart card certificate trust to moderate
|
|
V-268443
|
Medium
|
The macOS system must disable root login
|
|
V-220921
|
Medium
|
The required legal notice must be configured to display before console logon
|
|
V-268438
|
High
|
The macOS system must limit SSHD to FIPS-compliant connections
|
|
V-260575
|
Medium
|
Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and ne...
|
|
V-224994
|
Medium
|
Active Directory user accounts, including administrators, must be configured to require the use o...
|
|
V-268544
|
Medium
|
The macOS system must enforce multifactor authentication for login
|
|
V-268546
|
Medium
|
The macOS system must enforce multifactor authentication for privilege escalation through the sud...
|
|
V-254456
|
Medium
|
Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the syste...
|
|
V-205633
|
Medium
|
Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the syste...
|
|
V-260599
|
Medium
|
Ubuntu 22.04 LTS must permit only authorized groups ownership of the audit log files
|
|
V-268568
|
Medium
|
The macOS system must ensure Secure Boot level is set to "full"
|
|
V-254457
|
Medium
|
Windows Server 2022 required legal notice must be configured to display before console logon
|
|
V-205631
|
Medium
|
Windows Server 2019 required legal notice must be configured to display before console logon
|
|
V-225036
|
Medium
|
The required legal notice must be configured to display before console logon
|
|
V-268545
|
Medium
|
The macOS system must enforce multifactor authentication for the su command
|
|
V-224846
|
Medium
|
A host-based firewall must be installed and enabled on the system
|
|
V-260547
|
Medium
|
Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after...
|
|
V-260553
|
Medium
|
Ubuntu 22.04 LTS must allow users to directly initiate a session lock for all connection types
|
|
V-214936
|
Medium
|
Windows Server 2019 must have a host-based firewall installed and enabled
|
|
V-253273
|
Medium
|
Accounts must be configured to require password expiration
|
|
V-220716
|
Medium
|
Accounts must be configured to require password expiration
|
|
V-254373
|
Medium
|
Windows Server 2022 must prevent users from changing installation options
|
|
V-205801
|
Medium
|
Windows Server 2019 must prevent users from changing installation options
|
|
V-253410
|
Medium
|
Users must be prevented from changing installation options
|
|
V-220856
|
Medium
|
Users must be prevented from changing installation options
|
|
V-254265
|
Medium
|
Windows Server 2022 must have a host-based firewall installed and enabled
|
|
V-220863
|
Medium
|
The Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-253411
|
High
|
The Windows Installer feature "Always install with elevated privileges" must be disabled
|
|
V-220857
|
High
|
The Windows Installer Always install with elevated privileges must be disabled
|
|
V-224959
|
Medium
|
The Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-224962
|
Medium
|
The Windows Remote Management (WinRM) service must not allow unencrypted traffic
|
|
V-260524
|
High
|
Ubuntu 22.04 LTS must use SSH to protect the confidentiality and integrity of transmitted informa...
|
|
V-260598
|
Medium
|
Ubuntu 22.04 LTS must be configured to permit only authorized users ownership of the audit log files
|
|
V-224843
|
High
|
Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauth...
|
|
V-224877
|
Medium
|
Permissions for the Application event log must prevent access by non-privileged accounts
|
|
V-224878
|
Medium
|
Permissions for the Security event log must prevent access by non-privileged accounts
|
|
V-224879
|
Medium
|
Permissions for the System event log must prevent access by non-privileged accounts
|
|
V-253312
|
Medium
|
The system must be configured to audit Detailed Tracking - Process Creation successes
|
|
V-220754
|
Medium
|
The system must be configured to audit Detailed Tracking - Process Creation successes
|
|
V-254379
|
Medium
|
Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-205816
|
Medium
|
Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-254374
|
High
|
Windows Server 2022 must disable the Windows Installer Always install with elevated privileges op...
|
|
V-205802
|
High
|
Windows Server 2019 must disable the Windows Installer Always install with elevated privileges op...
|
|
V-254382
|
Medium
|
Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic
|
|
V-205817
|
Medium
|
Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic
|
|
V-254297
|
Medium
|
Windows Server 2022 permissions for the Security event log must prevent access by nonprivileged a...
|
|
V-205641
|
Medium
|
Windows Server 2019 permissions for the Security event log must prevent access by non-privileged ...
|
|
V-254298
|
Medium
|
Windows Server 2022 permissions for the System event log must prevent access by nonprivileged acc...
|
|
V-205642
|
Medium
|
Windows Server 2019 permissions for the System event log must prevent access by non-privileged ac...
|
|
V-260556
|
Medium
|
Ubuntu 22.04 LTS must have the "apparmor" package installed
|
|
V-253303
|
Medium
|
Passwords must, at a minimum, be 14 characters
|
|
V-220745
|
Medium
|
Passwords must, at a minimum, be 14 characters
|
|
V-253302
|
Medium
|
The minimum password age must be configured to at least 1 day
|
|
V-220744
|
Medium
|
The minimum password age must be configured to at least 1 day
|
|
V-253305
|
High
|
Reversible password encryption must be disabled
|
|
V-220747
|
High
|
Reversible password encryption must be disabled
|
|
V-220852
|
Medium
|
Remote Desktop Services must be configured with the client connection encryption set to the requi...
|
|
V-268515
|
Medium
|
The macOS system must disable Airplay Receiver
|
|
V-220919
|
Medium
|
The system must be configured to require a strong session key
|
|
V-220783
|
Medium
|
Windows 10 permissions for the Security event log must prevent access by non-privileged accounts
|
|
V-220784
|
Medium
|
Windows 10 permissions for the System event log must prevent access by non-privileged accounts
|
|
V-218786
|
Medium
|
Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled
|
|
V-268470
|
Medium
|
The macOS system must be configured to audit all authorization and authentication events
|
|
V-254451
|
Medium
|
Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) ...
|
|
V-205822
|
Medium
|
Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) ...
|
|
V-254452
|
Medium
|
Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) mus...
|
|
V-205823
|
Medium
|
Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) mus...
|
|
V-220937
|
High
|
The system must be configured to prevent the storage of the LAN Manager hash of passwords
|
|
V-254474
|
High
|
Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords
|
|
V-205654
|
High
|
Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords
|
|
V-253461
|
High
|
The system must be configured to prevent the storage of the LAN Manager hash of passwords
|
|
V-254369
|
Medium
|
Windows Server 2022 Remote Desktop Services must be configured with the client connection encrypt...
|
|
V-205637
|
Medium
|
Windows Server 2019 Remote Desktop Services must be configured with the client connection encrypt...
|
|
V-260558
|
Medium
|
Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing r...
|
|
V-225029
|
Medium
|
The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configu...
|
|
V-225030
|
Medium
|
The setting Domain member: Digitally encrypt secure channel data (when possible) must be configur...
|
|
V-225031
|
Medium
|
The setting Domain member: Digitally sign secure channel data (when possible) must be configured ...
|
|
V-225039
|
Medium
|
The setting Microsoft network client: Digitally sign communications (always) must be configured t...
|
|
V-225040
|
Medium
|
The setting Microsoft network client: Digitally sign communications (if server agrees) must be co...
|
|
V-225042
|
Medium
|
The setting Microsoft network server: Digitally sign communications (always) must be configured t...
|
|
V-225043
|
Medium
|
The setting Microsoft network server: Digitally sign communications (if client agrees) must be co...
|
|
V-254242
|
Medium
|
Windows Server 2022 manually managed application account passwords must be at least 14 characters...
|
|
V-205661
|
Medium
|
Windows Server 2019 manually managed application account passwords must be at least 14 characters...
|
|
V-268567
|
Medium
|
The macOS system must authorize USB devices before allowing connection
|
|
V-260523
|
High
|
Ubuntu 22.04 LTS must have SSH installed
|
|
V-268453
|
Medium
|
The macOS system must be configured to audit all login and logout events
|
|
V-253301
|
Medium
|
The maximum password age must be configured to 60 days or less
|
|
V-220743
|
Medium
|
The maximum password age must be configured to 60 days or less.
|
|
V-254291
|
Medium
|
Windows Server 2022 minimum password length must be configured to 14 characters
|
|
V-205662
|
Medium
|
Windows Server 2019 minimum password length must be configured to 14 characters
|
|
V-254293
|
High
|
Windows Server 2022 reversible password encryption must be disabled
|
|
V-205653
|
High
|
Windows Server 2019 reversible password encryption must be disabled
|
|
V-254450
|
Medium
|
Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always)...
|
|
V-205821
|
Medium
|
Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always)...
|
|
V-254460
|
Medium
|
Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must...
|
|
V-205825
|
Medium
|
Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must...
|
|
V-254461
|
Medium
|
Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server ag...
|
|
V-205826
|
Medium
|
Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server ag...
|
|
V-254463
|
Medium
|
Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must...
|
|
V-205827
|
Medium
|
Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must...
|
|
V-254464
|
Medium
|
Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client ag...
|
|
V-205828
|
Medium
|
Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client ag...
|
|
V-260546
|
Medium
|
Ubuntu 22.04 LTS must enforce a 60-day maximum password lifetime restriction. Passwords for new u...
|
|
V-225034
|
Medium
|
Windows Server 2016 must be configured to require a strong session key
|
|
V-268449
|
Medium
|
The macOS system must be configured to use an authorized time server
|
|
V-268494
|
Medium
|
The macOS system must disable sending diagnostic and usage data to Apple
|
|
V-268495
|
Medium
|
The macOS system must disable Remote Apple Events
|
|
V-268499
|
High
|
The macOS system must disable Trivial File Transfer Protocol (TFTP) service
|
|
V-268512
|
High
|
The macOS system must disable unattended or automatic login to the system
|
|
V-268534
|
Medium
|
The macOS system must issue or obtain public key certificates from an approved service provider
|
|
V-260484
|
Medium
|
Ubuntu 22.04 LTS must implement cryptographic mechanisms to prevent unauthorized disclosure and m...
|
|
V-218816
|
Medium
|
Access to web administration tools must be restricted to the web manager and the web managers des...
|
|
V-254290
|
Medium
|
Windows Server 2022 minimum password age must be configured to at least one day
|
|
V-205656
|
Medium
|
Windows Server 2019 minimum password age must be configured to at least one day.
|
|
V-253304
|
Medium
|
The built-in Microsoft password complexity filter must be enabled
|
|
V-220741
|
Medium
|
The period of time before the bad logon counter is reset must be configured to 15 minutes
|
|
V-253444
|
Medium
|
The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver
|
|
V-260545
|
Medium
|
Ubuntu 22.04 LTS must enforce 24 hours/one day as the minimum password lifetime. Passwords for ne...
|
|
V-260569
|
Medium
|
Ubuntu 22.04 LTS must store only encrypted representations of passwords
|
|
V-254368
|
Medium
|
Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) commu...
|
|
V-205636
|
Medium
|
Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) commu...
|
|
V-224965
|
Medium
|
Kerberos user logon restrictions must be enforced
|
|
V-268440
|
Medium
|
The macOS system must set account lockout time to 15 minutes
|
|
V-268468
|
Medium
|
The macOS system must configure audit capacity warning
|
|
V-268469
|
Medium
|
The macOS system must configure audit failure notification
|
|
V-274881
|
Medium
|
The macOS system must require users to reauthenticate for privilege escalation when using the "su...
|
|
V-274880
|
Medium
|
The macOS system must configure sudoers timestamp type
|
|
V-254455
|
Medium
|
Windows Server 2022 must be configured to require a strong session key
|
|
V-205824
|
Medium
|
Windows Server 2019 must be configured to require a strong session key
|
|
V-268439
|
High
|
The macOS system must limit SSH to FIPS-compliant connections
|
|
V-254289
|
Medium
|
Windows Server 2022 maximum password age must be configured to 60 days or less
|
|
V-205659
|
Medium
|
Windows Server 2019 maximum password age must be configured to 60 days or less
|
|
V-205658
|
Medium
|
Windows Server 2019 passwords must be configured to expire
|
|
V-260560
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring at least one uppercase character b...
|
|
V-260561
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring at least one lowercase character b...
|
|
V-260562
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring that at least one numeric characte...
|
|
V-260565
|
Medium
|
Ubuntu 22.04 LTS must enforce a minimum 15-character password length
|
|
V-224868
|
Medium
|
Windows Server 2016 must have the period of time before the bad logon counter is reset configured...
|
|
V-224968
|
Medium
|
The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less
|
|
V-252896
|
Medium
|
PowerShell Transcription must be enabled on Windows 10
|
|
V-268552
|
Medium
|
The macOS system must configure system log files owned by root and group to wheel
|
|
V-225059
|
Medium
|
Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, ...
|
|
V-254386
|
Medium
|
Windows Server 2022 Kerberos user logon restrictions must be enforced
|
|
V-254389
|
Medium
|
Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven...
|
|
V-205705
|
Medium
|
Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven...
|
|
V-253501
|
Medium
|
The "Manage auditing and security log" user right must only be assigned to the Administrators group
|
|
V-260557
|
Medium
|
Ubuntu 22.04 LTS must be configured to use AppArmor
|
|
V-260649
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for privileged activities, nonlocal maintenance, dia...
|
|
V-254391
|
High
|
Windows Server 2022 permissions on the Active Directory data files must only allow System and Adm...
|
|
V-254258
|
Medium
|
Windows Server 2022 passwords must be configured to expire
|
|
V-260563
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring that at least one special characte...
|
|
V-224880
|
Medium
|
Event Viewer must be protected from unauthorized modification and deletion
|
|
V-224966
|
Medium
|
The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less
|
|
V-220778
|
Medium
|
The system must be configured to audit System - System Integrity successes
|
|
V-220777
|
Medium
|
The system must be configured to audit System - System Integrity failures
|
|
V-268550
|
Medium
|
The macOS system must configure Apple System Log (ASL) files owned by root and group to wheel
|
|
V-205630
|
Medium
|
Windows Server 2019 must have the period of time before the bad logon counter is reset configured...
|
|
V-254299
|
Medium
|
Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion
|
|
V-205731
|
Medium
|
Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion
|
|
V-254416
|
Medium
|
Windows Server 2022 domain controllers must require LDAP access signing
|
|
V-205820
|
Medium
|
Windows Server 2019 domain controllers must require LDAP access signing
|
|
V-260540
|
Medium
|
Ubuntu 22.04 LTS must disable automatic mounting of Universal Serial Bus (USB) mass storage driver
|
|
V-260543
|
Medium
|
Ubuntu 22.04 LTS must uniquely identify interactive users
|
|
V-260566
|
Medium
|
Ubuntu 22.04 LTS must require the change of at least eight characters when passwords are changed
|
|
V-260578
|
Medium
|
Ubuntu 22.04 LTS for PKI-based authentication, must implement a local cache of revocation data in...
|
|
V-224888
|
Medium
|
Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes
|
|
V-224890
|
Medium
|
Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures
|
|
V-224906
|
Medium
|
Windows Server 2016 must be configured to audit System - IPsec Driver successes
|
|
V-224907
|
Medium
|
Windows Server 2016 must be configured to audit System - IPsec Driver failures
|
|
V-224912
|
Medium
|
Windows Server 2016 must be configured to audit System - System Integrity successes
|
|
V-224913
|
Medium
|
Windows Server 2016 must be configured to audit System - System Integrity failures
|
|
V-224969
|
Medium
|
The computer clock synchronization tolerance must be limited to 5 minutes or less
|
|
V-224995
|
Medium
|
Domain controllers must require LDAP access signing
|
|
V-220768
|
Medium
|
The system must be configured to audit Policy Change - Authentication Policy Change successes
|
|
V-220771
|
Medium
|
The system must be configured to audit Privilege Use - Sensitive Privilege Use successes
|
|
V-220770
|
Medium
|
The system must be configured to audit Privilege Use - Sensitive Privilege Use failures
|
|
V-220775
|
Medium
|
The system must be configured to audit System - Security State Change successes
|
|
V-220776
|
Medium
|
The system must be configured to audit System - Security System Extension successes
|
|
V-254309
|
Medium
|
Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures
|
|
V-205730
|
Medium
|
Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures
|
|
V-268445
|
Medium
|
The macOS system must configure SSHD channel timeout to 900
|
|
V-268446
|
Medium
|
The macOS system must configure SSHD unused connection timeout to 900
|
|
V-268518
|
Medium
|
The macOS system must disable Bluetooth Sharing
|
|
V-268551
|
Medium
|
The macOS system must configure Apple System Log (ASL) files to mode 640 or less permissive
|
|
V-254387
|
Medium
|
Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less
|
|
V-205703
|
Medium
|
Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less
|
|
V-254390
|
Medium
|
Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less
|
|
V-205706
|
Medium
|
Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less
|
|
V-260584
|
Medium
|
Ubuntu 22.04 LTS must notify designated personnel if baseline configurations are changed in an un...
|
|
V-260597
|
Medium
|
Ubuntu 22.04 LTS must be configured so that audit log files are not read- or write-accessible by ...
|
|
V-224883
|
Medium
|
Windows Server 2016 must be configured to audit Account Management - Other Account Management Eve...
|
|
V-224900
|
Medium
|
Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes
|
|
V-224901
|
Medium
|
Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures
|
|
V-224902
|
Medium
|
Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change succ...
|
|
V-224903
|
Medium
|
Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change succe...
|
|
V-224904
|
Medium
|
Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes
|
|
V-224905
|
Medium
|
Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures
|
|
V-224908
|
Medium
|
Windows Server 2016 must be configured to audit System - Other System Events successes
|
|
V-224909
|
Medium
|
Windows Server 2016 must be configured to audit System - Other System Events failures
|
|
V-224910
|
Medium
|
Windows Server 2016 must be configured to audit System - Security State Change successes
|
|
V-224911
|
Medium
|
Windows Server 2016 must be configured to audit System - Security System Extension successes
|
|
V-224987
|
Medium
|
Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes
|
|
V-224988
|
Medium
|
Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures
|
|
V-254325
|
Medium
|
Windows Server 2022 must be configured to audit System - IPsec Driver successes
|
|
V-205777
|
Medium
|
Windows Server 2019 must be configured to audit System - IPsec Driver successes
|
|
V-254326
|
Medium
|
Windows Server 2022 must be configured to audit System - IPsec Driver failures
|
|
V-205778
|
Medium
|
Windows Server 2019 must be configured to audit System - IPsec Driver failures
|
|
V-205838
|
Medium
|
Windows Server 2019 must be configured to audit logoff successes
|
|
V-220757
|
Medium
|
The system must be configured to audit Logon/Logoff - Logoff successes
|
|
V-220759
|
Medium
|
The system must be configured to audit Logon/Logoff - Logon successes
|
|
V-220758
|
Medium
|
The system must be configured to audit Logon/Logoff - Logon failures
|
|
V-254319
|
Medium
|
Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes
|
|
V-205771
|
Medium
|
Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes
|
|
V-254320
|
Medium
|
Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures
|
|
V-205772
|
Medium
|
Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures
|
|
V-254327
|
Medium
|
Windows Server 2022 must be configured to audit System - Other System Events successes
|
|
V-205779
|
Medium
|
Windows Server 2019 must be configured to audit System - Other System Events successes
|
|
V-254328
|
Medium
|
Windows Server 2022 must be configured to audit System - Other System Events failures
|
|
V-205780
|
Medium
|
Windows Server 2019 must be configured to audit System - Other System Events failures
|
|
V-254330
|
Medium
|
Windows Server 2022 must be configured to audit System - Security System Extension successes
|
|
V-205782
|
Medium
|
Windows Server 2019 must be configured to audit System - Security System Extension successes
|
|
V-254331
|
Medium
|
Windows Server 2022 must be configured to audit System - System Integrity successes
|
|
V-205783
|
Medium
|
Windows Server 2019 must be configured to audit System - System Integrity successes
|
|
V-254332
|
Medium
|
Windows Server 2022 must be configured to audit System - System Integrity failures
|
|
V-205784
|
Medium
|
Windows Server 2019 must be configured to audit System - System Integrity failures
|
|
V-254307
|
Medium
|
Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes
|
|
V-205770
|
Medium
|
Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes
|
|
V-268442
|
Medium
|
The macOS system must disable login to other users' active and locked sessions
|
|
V-269094
|
Medium
|
The macOS system must be configured to audit all failed program execution on the system
|
|
V-268472
|
Medium
|
The macOS system must disable root login for SSH
|
|
V-268547
|
Medium
|
The macOS system must require that passwords contain a minimum of one lowercase character and one...
|
|
V-268549
|
Medium
|
The macOS system must disable accounts after 35 days of inactivity
|
|
V-268553
|
Medium
|
The macOS system must configure system log files to mode 640 or less permissive
|
|
V-224892
|
Medium
|
Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes
|
|
V-224893
|
Medium
|
Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes
|
|
V-224894
|
Medium
|
Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures
|
|
V-224989
|
Medium
|
Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes
|
|
V-254312
|
Medium
|
Windows Server 2022 must be configured to audit logon successes
|
|
V-205634
|
Medium
|
Windows Server 2019 must be configured to audit logon successes
|
|
V-254313
|
Medium
|
Windows Server 2022 must be configured to audit logon failures
|
|
V-205635
|
Medium
|
Windows Server 2019 must be configured to audit logon failures
|
|
V-254321
|
Medium
|
Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change succ...
|
|
V-205773
|
Medium
|
Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change succ...
|
|
V-254322
|
Medium
|
Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change succe...
|
|
V-205774
|
Medium
|
Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change succe...
|
|
V-254323
|
Medium
|
Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes
|
|
V-205775
|
Medium
|
Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes
|
|
V-254324
|
Medium
|
Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures
|
|
V-205776
|
Medium
|
Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures
|
|
V-254329
|
Medium
|
Windows Server 2022 must be configured to audit System - Security State Change successes
|
|
V-205781
|
Medium
|
Windows Server 2019 must be configured to audit System - Security State Change successes
|
|
V-254302
|
Medium
|
Windows Server 2022 must be configured to audit Account Management - Other Account Management Eve...
|
|
V-205769
|
Medium
|
Windows Server 2019 must be configured to audit Account Management - Other Account Management Eve...
|
|
V-254408
|
Medium
|
Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes
|
|
V-205791
|
Medium
|
Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes
|
|
V-254410
|
Medium
|
Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes
|
|
V-205793
|
Medium
|
Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes
|
|
V-254409
|
Medium
|
Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures
|
|
V-205792
|
Medium
|
Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures
|
|
V-260492
|
Medium
|
Ubuntu 22.04 LTS must configure audit tools with a mode of "755" or less permissive
|
|
V-260507
|
Medium
|
Ubuntu 22.04 LTS must configure audit tools to be owned by "root"
|
|
V-260542
|
Medium
|
Ubuntu 22.04 LTS must prevent direct login into the root account
|
|
V-224844
|
Medium
|
Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner ha...
|
|
V-254263
|
Medium
|
Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if th...
|
|
V-205829
|
Medium
|
Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if th...
|
|
V-224967
|
Medium
|
The Kerberos user ticket lifetime must be limited to 10 hours or less
|
|
V-254388
|
Medium
|
Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less
|
|
V-205704
|
Medium
|
Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less
|
|
V-224952
|
Medium
|
Indexing of encrypted files must be turned off
|
|
V-253278
|
Medium
|
The Telnet Client must not be installed on the system
|
|
V-220721
|
Medium
|
The Telnet Client must not be installed on the system
|
|
V-253279
|
Medium
|
The TFTP Client must not be installed on the system
|
|
V-220722
|
Medium
|
The TFTP Client must not be installed on the system
|
|
V-268531
|
Medium
|
The macOS system must disable Remote Management
|
|
V-268572
|
Medium
|
The macOS system must disable Genmoji
|
|
V-277139
|
Medium
|
The macOS system must disable Remote Management
|
|
V-277182
|
Medium
|
The macOS system must disable Genmoji AI Creation
|
|
V-254372
|
Medium
|
Windows Server 2022 must prevent Indexing of encrypted files
|
|
V-253409
|
Medium
|
Indexing of encrypted files must be turned off
|
|
V-220855
|
Medium
|
Indexing of encrypted files must be turned off
|
|
V-253407
|
Medium
|
Attachments must be prevented from being downloaded from RSS feeds
|
|
V-220853
|
Medium
|
Attachments must be prevented from being downloaded from RSS feeds
|
|
V-253360
|
Medium
|
Insecure logons to an SMB server must be disabled
|
|
V-253416
|
High
|
The Windows Remote Management (WinRM) client must not use Basic authentication
|
|
V-220862
|
High
|
The Windows Remote Management (WinRM) client must not use Basic authentication
|
|
V-224920
|
Medium
|
Insecure logons to an SMB server must be disabled
|
|
V-224949
|
Medium
|
Attachments must be prevented from being downloaded from RSS feeds
|
|
V-224953
|
Medium
|
Users must be prevented from changing installation options
|
|
V-224958
|
High
|
The Windows Remote Management (WinRM) client must not use Basic authentication
|
|
V-224961
|
High
|
The Windows Remote Management (WinRM) service must not use Basic authentication
|
|
V-268481
|
Medium
|
The macOS system must disable Bonjour multicast
|
|
V-268529
|
Medium
|
The macOS system must disable Dictation
|
|
V-268530
|
Medium
|
The macOS system must disable Printer Sharing
|
|
V-268539
|
Medium
|
The macOS system must disable password hints
|
|
V-268573
|
Medium
|
The macOS system must disable Apple Intelligence Image Generation
|
|
V-268574
|
Medium
|
The macOS system must disable Apple Intelligence Writing Tools
|
|
V-225050
|
Medium
|
NTLM must be prevented from falling back to a Null session
|
|
V-277088
|
Medium
|
The macOS system must disable Bonjour multicast
|
|
V-277138
|
Medium
|
The macOS system must disable Printer Sharing
|
|
V-277148
|
Medium
|
The macOS system must disable password hints
|
|
V-277183
|
Medium
|
The macOS system must disable Apple Intelligence Image Playground
|
|
V-253445
|
Medium
|
The required legal notice must be configured to display before console logon
|
|
V-260548
|
Medium
|
Ubuntu 22.04 LTS must automatically expire temporary accounts within 72 hours
|
|
V-260549
|
Low
|
Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an ad...
|
|
V-224837
|
Medium
|
Outdated or unused accounts must be removed from the system or disabled
|
|
V-253476
|
Medium
|
Passwords for enabled local Administrator accounts must be changed at least every 60 days
|
|
V-220952
|
Medium
|
Passwords for enabled local Administrator accounts must be changed at least every 60 days
|
|
V-254240
|
High
|
Windows Server 2022 administrative accounts must not be used with applications that access the in...
|
|
V-205694
|
Medium
|
Windows Server 2019 must prevent Indexing of encrypted files
|
|
V-253281
|
Medium
|
A host-based firewall must be installed and enabled on the system
|
|
V-220724
|
Medium
|
A host-based firewall must be installed and enabled on the system
|
|
V-253378
|
Medium
|
The network selection user interface (UI) must not be displayed on the logon screen
|
|
V-220819
|
Medium
|
The network selection user interface (UI) must not be displayed on the logon screen
|
|
V-254370
|
Medium
|
Windows Server 2022 must prevent attachments from being downloaded from RSS feeds
|
|
V-205873
|
Medium
|
Windows Server 2019 must prevent attachments from being downloaded from RSS feeds
|
|
V-254339
|
Medium
|
Windows Server 2022 insecure logons to an SMB server must be disabled
|
|
V-205861
|
Medium
|
Windows Server 2019 insecure logons to an SMB server must be disabled
|
|
V-254471
|
Medium
|
Windows Server 2022 must prevent NTLM from falling back to a Null session
|
|
V-205917
|
Medium
|
Windows Server 2019 must prevent NTLM from falling back to a Null session
|
|
V-253458
|
Medium
|
NTLM must be prevented from falling back to a Null session
|
|
V-220934
|
Medium
|
NTLM must be prevented from falling back to a Null session
|
|
V-253277
|
Medium
|
Simple TCP/IP Services must not be installed on the system
|
|
V-220720
|
Medium
|
Simple TCP/IP Services must not be installed on the system
|
|
V-224828
|
High
|
Systems must be maintained at a supported servicing level
|
|
V-253383
|
Medium
|
Unauthenticated RPC clients must be restricted from connecting to the RPC server
|
|
V-220824
|
Medium
|
Unauthenticated RPC clients must be restricted from connecting to the RPC server
|
|
V-253417
|
Medium
|
The Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-254378
|
High
|
Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication
|
|
V-205711
|
High
|
Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication
|
|
V-253421
|
Medium
|
The Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-220868
|
Medium
|
The Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-254381
|
High
|
Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication
|
|
V-205713
|
High
|
Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication
|
|
V-224928
|
Medium
|
The network selection user interface (UI) must not be displayed on the logon screen
|
|
V-224933
|
High
|
The default AutoRun behavior must be configured to prevent AutoRun commands
|
|
V-224940
|
Medium
|
Windows Server 2016 Windows SmartScreen must be enabled
|
|
V-224954
|
High
|
The Windows Installer Always install with elevated privileges option must be disabled
|
|
V-224960
|
Medium
|
The Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-253419
|
Medium
|
The Windows Remote Management (WinRM) service must not allow unencrypted traffic
|
|
V-268493
|
Medium
|
The macOS system must disable Siri
|
|
V-268528
|
Medium
|
The macOS system must enforce On Device Dictation
|
|
V-268532
|
Medium
|
The macOS system must disable the Bluetooth System Settings pane
|
|
V-268533
|
Medium
|
The macOS system must disable the iCloud Freeform services
|
|
V-268564
|
Medium
|
The macOS system must disable Erase Content and Settings
|
|
V-278086
|
Medium
|
Windows Server 2025 insecure logons to an SMB server must be disabled
|
|
V-278117
|
Medium
|
Windows Server 2025 must prevent attachments from being downloaded from RSS feeds
|
|
V-278119
|
Medium
|
Windows Server 2025 must prevent Indexing of encrypted files
|
|
V-278120
|
Medium
|
Windows Server 2025 must prevent users from changing installation options
|
|
V-278221
|
Medium
|
Windows Server 2025 must prevent NTLM from falling back to a Null session
|
|
V-277137
|
Medium
|
The macOS system must disable Dictation
|
|
V-277184
|
Medium
|
The macOS system must disable Apple Intelligence Writing Tools
|
|
V-254247
|
Medium
|
Windows Server 2022 must be maintained at a supported servicing level
|
|
V-205849
|
High
|
Windows Server 2019 must be maintained at a supported servicing level
|
|
V-253265
|
High
|
Local volumes must be formatted using NTFS
|
|
V-220708
|
High
|
Local volumes must be formatted using NTFS
|
|
V-253387
|
High
|
The default autorun behavior must be configured to prevent autorun commands
|
|
V-220828
|
Medium
|
The default autorun behavior must be configured to prevent autorun commands
|
|
V-254348
|
Medium
|
Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen
|
|
V-205690
|
Medium
|
Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen
|
|
V-253453
|
High
|
Anonymous enumeration of SAM accounts must not be allowed
|
|
V-220929
|
High
|
Anonymous enumeration of SAM accounts must not be allowed
|
|
V-253454
|
High
|
Anonymous enumeration of shares must be restricted
|
|
V-220930
|
High
|
Anonymous enumeration of shares must be restricted
|
|
V-220802
|
Medium
|
Insecure logons to an SMB server must be disabled
|
|
V-224819
|
High
|
Users with Administrative privileges must have separate accounts for administrative duties and no...
|
|
V-224831
|
High
|
Local volumes must use a format that supports NTFS attributes
|
|
V-254380
|
Medium
|
Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-205712
|
Medium
|
Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-224875
|
Medium
|
Audit records must be backed up to a different system or media than the system being audited
|
|
V-224914
|
Medium
|
The display of slide shows on the lock screen must be disabled
|
|
V-224935
|
Medium
|
Administrator accounts must not be enumerated during elevation
|
|
V-224945
|
Medium
|
Local drives must be prevented from sharing with Remote Desktop Session Hosts
|
|
V-225045
|
High
|
Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed
|
|
V-225046
|
High
|
Anonymous enumeration of shares must not be allowed
|
|
V-253420
|
Medium
|
The Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-220867
|
Medium
|
The Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-268421
|
Medium
|
The macOS system must enforce screen saver password
|
|
V-268483
|
Medium
|
The macOS system must disable Internet Sharing
|
|
V-268488
|
Medium
|
The macOS system must disable iCloud Reminders
|
|
V-268490
|
Medium
|
The macOS system must disable iCloud Mail
|
|
V-268491
|
Medium
|
The macOS system must disable iCloud Notes
|
|
V-268510
|
Medium
|
The macOS system must disable the guest account
|
|
V-268521
|
Medium
|
The macOS system must disable Content Caching service
|
|
V-268524
|
Medium
|
The macOS system must disable iCloud Private Relay
|
|
V-268526
|
Medium
|
The macOS system must disable Personalized Advertising
|
|
V-253459
|
Medium
|
PKU2U authentication using online identities must be prevented
|
|
V-220935
|
Medium
|
PKU2U authentication using online identities must be prevented
|
|
V-225051
|
Medium
|
PKU2U authentication using online identities must be prevented
|
|
V-278012
|
Medium
|
Windows Server 2025 must have a host-based firewall installed and enabled
|
|
V-278095
|
Medium
|
Windows Server 2025 network selection user interface (UI) must not be displayed on the logon screen
|
|
V-278125
|
High
|
Windows Server 2025 Windows Remote Management (WinRM) client must not use Basic authentication
|
|
V-278128
|
High
|
Windows Server 2025 Windows Remote Management (WinRM) service must not use Basic authentication
|
|
V-277092
|
Medium
|
The macOS system must disable AirDrop
|
|
V-277100
|
Medium
|
The macOS system must disable Siri
|
|
V-277119
|
Medium
|
The macOS system must disable the guest account
|
|
V-277134
|
Medium
|
The macOS system must disable Personalized Advertising
|
|
V-277136
|
Medium
|
The macOS system must enforce On Device Dictation
|
|
V-277140
|
Medium
|
The macOS system must disable the Bluetooth System Settings pane
|
|
V-277141
|
Medium
|
The macOS system must disable the iCloud Freeform services
|
|
V-277174
|
Medium
|
The macOS system must disable Erase Content and Settings
|
|
V-260476
|
Low
|
Ubuntu 22.04 LTS must be configured so that the Advance Package Tool (APT) prevents the installat...
|
|
V-260520
|
Low
|
Ubuntu 22.04 LTS must synchronize internal information system clocks to the authoritative time so...
|
|
V-254239
|
Medium
|
Windows Server 2022 passwords for the built-in Administrator account must be changed at least eve...
|
|
V-205657
|
Medium
|
Windows Server 2019 passwords for the built-in Administrator account must be changed at least eve...
|
|
V-253391
|
Medium
|
Windows 11 administrator accounts must not be enumerated during elevation
|
|
V-220832
|
Medium
|
Windows 10 administrator accounts must not be enumerated during elevation
|
|
V-253435
|
Medium
|
The built-in administrator account must be renamed
|
|
V-220911
|
Medium
|
The built-in administrator account must be renamed
|
|
V-253474
|
Medium
|
User Account Control must run all administrators in Admin Approval Mode, enabling UAC
|
|
V-220950
|
Medium
|
User Account Control must run all administrators in Admin Approval Mode, enabling UAC
|
|
V-253380
|
Medium
|
Users must be prompted for a password on resume from sleep (on battery)
|
|
V-220821
|
Medium
|
Users must be prompted for a password on resume from sleep (on battery)
|
|
V-253381
|
Medium
|
The user must be prompted for a password on resume from sleep (plugged in)
|
|
V-220822
|
Medium
|
The user must be prompted for a password on resume from sleep (plugged in)
|
|
V-254353
|
High
|
Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands
|
|
V-205805
|
High
|
Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands
|
|
V-253463
|
Medium
|
The system must be configured to the required LDAP client signing level
|
|
V-220939
|
Medium
|
The system must be configured to the required LDAP client signing level
|
|
V-253382
|
High
|
Solicited Remote Assistance must not be allowed
|
|
V-220823
|
High
|
Solicited Remote Assistance must not be allowed
|
|
V-254333
|
Medium
|
Windows Server 2022 must prevent the display of slide shows on the lock screen
|
|
V-205686
|
Medium
|
Windows Server 2019 must prevent the display of slide shows on the lock screen
|
|
V-254466
|
High
|
Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts
|
|
V-205914
|
High
|
Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts
|
|
V-254467
|
High
|
Windows Server 2022 must not allow anonymous enumeration of shares
|
|
V-205724
|
High
|
Windows Server 2019 must not allow anonymous enumeration of shares
|
|
V-253406
|
Medium
|
Remote Desktop Services must be configured with the client connection encryption set to the requi...
|
|
V-260570
|
High
|
Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords
|
|
V-254366
|
Medium
|
Windows Server 2022 Remote Desktop Services must prevent drive redirection
|
|
V-205722
|
Medium
|
Windows Server 2019 Remote Desktop Services must prevent drive redirection
|
|
V-224876
|
Medium
|
Windows Server 2016 must, at a minimum, offload audit records of interconnected systems in real t...
|
|
V-224948
|
Medium
|
Remote Desktop Services must be configured with the client connection encryption set to High Level
|
|
V-224963
|
Medium
|
The Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-253257
|
Medium
|
Secure Boot must be enabled on Windows 11 systems
|
|
V-225009
|
Medium
|
Local users on domain-joined computers must not be enumerated
|
|
V-254238
|
Medium
|
Windows Server 2022 users with Administrative privileges must have separate accounts for administ...
|
|
V-205844
|
High
|
Windows Server 2019 users with Administrative privileges must have separate accounts for administ...
|
|
V-268479
|
Medium
|
The macOS system must disable Network File System (NFS) service
|
|
V-268487
|
Medium
|
The macOS system must disable the iCloud Calendar services
|
|
V-268489
|
Medium
|
The macOS system must disable iCloud Address Book
|
|
V-268501
|
Medium
|
The macOS system must disable iCloud Keychain Sync
|
|
V-268503
|
Medium
|
The macOS system must disable iCloud Bookmarks
|
|
V-268504
|
Medium
|
The macOS system must disable iCloud Photo Library
|
|
V-268557
|
Medium
|
The macOS system must enable macOS Application Firewall
|
|
V-268560
|
Medium
|
The macOS system must disable the Screen Time prompt during Setup Assistant
|
|
V-268563
|
Medium
|
The macOS system must disable proximity-based password sharing requests
|
|
V-254472
|
Medium
|
Windows Server 2022 must prevent PKU2U authentication using online identities
|
|
V-205918
|
Medium
|
Windows Server 2019 must prevent PKU2U authentication using online identities
|
|
V-271426
|
Medium
|
Windows Server 2022 must be configured for certificate-based authentication for domain controllers
|
|
V-271428
|
Medium
|
Windows Server 2019 must be configured for certificate-based authentication for domain controllers
|
|
V-254465
|
High
|
Windows Server 2022 must not allow anonymous SID/Name translation
|
|
V-205913
|
High
|
Windows Server 2019 must not allow anonymous SID/Name translation
|
|
V-253452
|
High
|
Anonymous SID/Name translation must not be allowed
|
|
V-220928
|
High
|
Anonymous SID/Name translation must not be allowed
|
|
V-225049
|
Medium
|
Services using Local System that use Negotiate when reverting to NTLM authentication must use the...
|
|
V-225055
|
Medium
|
Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing
|
|
V-277985
|
Medium
|
Windows Server 2025 users with administrative privileges must have separate accounts for administ...
|
|
V-278041
|
Medium
|
Windows Server 2025 audit records must be backed up to a different system or media than the syste...
|
|
V-278080
|
Medium
|
Windows Server 2025 must prevent the display of slide shows on the lock screen
|
|
V-278100
|
High
|
Windows Server 2025 default AutoRun behavior must be configured to prevent AutoRun commands
|
|
V-278113
|
Medium
|
Windows Server 2025 Remote Desktop Services must prevent drive redirection
|
|
V-278121
|
High
|
Windows Server 2025 must disable the Windows Installer Always install with elevated privileges op...
|
|
V-278127
|
Medium
|
Windows Server 2025 Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-278215
|
High
|
Windows Server 2025 must not allow anonymous SID/Name translation
|
|
V-278216
|
High
|
Windows Server 2025 must not allow anonymous enumeration of Security Account Manager (SAM) accounts
|
|
V-278217
|
High
|
Windows Server 2025 must not allow anonymous enumeration of shares
|
|
V-278222
|
Medium
|
Windows Server 2025 must prevent PKU2U authentication using online identities
|
|
V-277029
|
Medium
|
The macOS system must enforce screen saver password
|
|
V-277035
|
Medium
|
The macOS system must enforce time synchronization
|
|
V-277090
|
Medium
|
The macOS system must disable Internet Sharing
|
|
V-277094
|
Medium
|
The macOS system must disable the iCloud Calendar services
|
|
V-277095
|
Medium
|
The macOS system must disable iCloud Reminders
|
|
V-277096
|
Medium
|
The macOS system must disable iCloud Address Book
|
|
V-277097
|
Medium
|
The macOS system must disable iCloud Mail
|
|
V-277098
|
Medium
|
The macOS system must disable iCloud Notes
|
|
V-277112
|
Medium
|
The macOS system must disable iCloud Bookmarks
|
|
V-277113
|
Medium
|
The macOS system must disable iCloud Photo Library
|
|
V-277129
|
Medium
|
The macOS system must disable Content Caching service
|
|
V-277132
|
Medium
|
The macOS system must disable iCloud Private Relay
|
|
V-277142
|
Medium
|
The macOS system must disable iPhone Mirroring
|
|
V-277167
|
Medium
|
The macOS system must enable macOS Application Firewall
|
|
V-277172
|
Medium
|
The macOS system must disable Handoff
|
|
V-277173
|
Medium
|
The macOS system must disable proximity-based password sharing requests
|
|
V-254355
|
Medium
|
Windows Server 2022 administrator accounts must not be enumerated during elevation
|
|
V-205714
|
Medium
|
Windows Server 2019 administrator accounts must not be enumerated during elevation
|
|
V-253432
|
Medium
|
The built-in administrator account must be disabled.
|
|
V-220908
|
Medium
|
The built-in administrator account must be disabled
|
|
V-253468
|
Medium
|
User Account Control approval mode for the built-in Administrator must be enabled
|
|
V-220944
|
Medium
|
User Account Control approval mode for the built-in Administrator must be enabled
|
|
V-253472
|
Medium
|
User Account Control must be configured to detect application installations and prompt for elevation
|
|
V-220948
|
Medium
|
User Account Control must be configured to detect application installations and prompt for elevation
|
|
V-254430
|
Medium
|
Windows Server 2022 local users on domain-joined member servers must not be enumerated
|
|
V-254476
|
Medium
|
Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing
|
|
V-205920
|
Medium
|
Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing
|
|
V-253460
|
Medium
|
Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites
|
|
V-220936
|
Medium
|
Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites
|
|
V-254468
|
Medium
|
Windows Server 2022 must be configured to prevent anonymous users from having the same permission...
|
|
V-205915
|
Medium
|
Windows Server 2019 must be configured to prevent anonymous users from having the same permission...
|
|
V-253455
|
Medium
|
The system must be configured to prevent anonymous users from having the same rights as the Every...
|
|
V-254470
|
Medium
|
Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authent...
|
|
V-205916
|
Medium
|
Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authent...
|
|
V-253404
|
Medium
|
Remote Desktop Services must always prompt a client for passwords upon connection
|
|
V-220850
|
Medium
|
Remote Desktop Services must always prompt a client for passwords upon connection
|
|
V-260564
|
Medium
|
Ubuntu 22.04 LTS must prevent the use of dictionary words for passwords
|
|
V-260571
|
High
|
Ubuntu 22.04 LTS must not have accounts configured with blank or null passwords
|
|
V-253402
|
Medium
|
Passwords must not be saved in the Remote Desktop Client
|
|
V-220848
|
Medium
|
Passwords must not be saved in the Remote Desktop Client
|
|
V-224823
|
Medium
|
Manually managed application account passwords must be at least 14 characters in length
|
|
V-224860
|
Medium
|
FTP servers must be configured to prevent anonymous logons
|
|
V-224929
|
Medium
|
Users must be prompted to authenticate when the system wakes from sleep (on battery)
|
|
V-224930
|
Medium
|
Users must be prompted to authenticate when the system wakes from sleep (plugged in)
|
|
V-224932
|
High
|
AutoPlay must be turned off for non-volume devices
|
|
V-224944
|
Medium
|
Passwords must not be saved in the Remote Desktop Client
|
|
V-254284
|
Medium
|
Windows Server 2022 must have Secure Boot enabled
|
|
V-224996
|
Medium
|
Domain controllers must be configured to allow reset of machine account passwords
|
|
V-225010
|
Medium
|
Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC...
|
|
V-225032
|
Medium
|
The computer account password must not be prevented from being reset
|
|
V-225047
|
Medium
|
Windows Server 2016 must be configured to prevent anonymous users from having the same permission...
|
|
V-254383
|
Medium
|
Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-205810
|
Medium
|
Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-268441
|
Medium
|
The macOS system must enforce screen saver timeout
|
|
V-268451
|
Medium
|
The macOS system must configure sudo to log events
|
|
V-268478
|
Medium
|
The macOS system must disable Server Message Block (SMB) sharing
|
|
V-268480
|
Medium
|
The macOS system must disable Location Services
|
|
V-268484
|
Medium
|
The macOS system must disable the built-in web server
|
|
V-269566
|
Medium
|
The macOS system must disable sending search data from Spotlight to Apple
|
|
V-268498
|
Medium
|
The macOS system must disable iCloud storage setup during Setup Assistant
|
|
V-268502
|
Medium
|
The macOS system must disable iCloud Document Sync
|
|
V-268511
|
High
|
The macOS system must enable gatekeeper
|
|
V-268523
|
Medium
|
The macOS system must disable iCloud Game Center
|
|
V-268541
|
Medium
|
The macOS system must remove password hints from user accounts
|
|
V-268559
|
Medium
|
The macOS system must disable the TouchID prompt during Setup Assistant
|
|
V-268561
|
Medium
|
The macOS system must disable Unlock with Apple Watch during Setup Assistant
|
|
V-253443
|
Medium
|
The system must be configured to require a strong session key
|
|
V-278032
|
Medium
|
Windows Server 2025 must have Secure Boot enabled
|
|
V-278102
|
Medium
|
Windows Server 2025 administrator accounts must not be enumerated during elevation
|
|
V-278126
|
Medium
|
Windows Server 2025 Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-278129
|
Medium
|
Windows Server 2025 Windows Remote Management (WinRM) service must not allow unencrypted traffic
|
|
V-278130
|
Medium
|
Windows Server 2025 Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-278172
|
Medium
|
Windows Server 2025 must be configured for certificate-based authentication for domain controllers
|
|
V-278220
|
Medium
|
Windows Server 2025 services using Local System that use Negotiate when reverting to NTLM authent...
|
|
V-278226
|
Medium
|
Windows Server 2025 must be configured to at least negotiate signing for LDAP client signing
|
|
V-277059
|
Medium
|
The macOS system must configure sudo to log events
|
|
V-277104
|
Medium
|
The macOS system must disable sending search data from Spotlight to Apple
|
|
V-277110
|
Medium
|
The macOS system must disable iCloud Keychain Sync
|
|
V-277111
|
Medium
|
The macOS system must disable iCloud Document Sync
|
|
V-277124
|
Medium
|
The macOS system must disable Airplay Receiver
|
|
V-277131
|
Medium
|
The macOS system must disable iCloud Game Center
|
|
V-277170
|
Medium
|
The macOS system must disable the Screen Time prompt during Setup Assistant
|
|
V-279329
|
Medium
|
The macOS system must disable Apple Intelligence during Setup Assistant
|
|
V-260519
|
Low
|
Ubuntu 22.04 LTS must, for networked systems, compare internal information system clocks at least...
|
|
V-225021
|
Medium
|
The DoD Root CA certificates must be installed in the Trusted Root Store
|
|
V-253385
|
Low
|
The Application Compatibility Program Inventory must be prevented from collecting data and sendin...
|
|
V-220826
|
Low
|
The Application Compatibility Program Inventory must be prevented from collecting data and sendin...
|
|
V-253433
|
Medium
|
The built-in guest account must be disabled
|
|
V-220909
|
Medium
|
The built-in guest account must be disabled
|
|
V-254250
|
High
|
Windows Server 2022 local volumes must use a format that supports NTFS attributes
|
|
V-205663
|
High
|
Windows Server 2019 local volumes must use a format that supports NTFS attributes
|
|
V-254342
|
Medium
|
Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable c...
|
|
V-253368
|
Medium
|
Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials
|
|
V-254453
|
Medium
|
Windows Server 2022 computer account password must not be prevented from being reset
|
|
V-205815
|
Medium
|
Windows Server 2019 computer account password must not be prevented from being reset
|
|
V-253441
|
Low
|
The computer account password must not be prevented from being reset
|
|
V-220917
|
Low
|
The computer account password must not be prevented from being reset
|
|
V-253475
|
Medium
|
User Account Control must virtualize file and registry write failures to per-user locations
|
|
V-220951
|
Medium
|
User Account Control must virtualize file and registry write failures to per-user locations
|
|
V-253469
|
Medium
|
User Account Control must prompt administrators for consent on the secure desktop
|
|
V-254349
|
Medium
|
Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on b...
|
|
V-205867
|
Medium
|
Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on b...
|
|
V-254350
|
Medium
|
Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plug...
|
|
V-205868
|
Medium
|
Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plug...
|
|
V-254352
|
High
|
Windows Server 2022 Autoplay must be turned off for nonvolume devices
|
|
V-205804
|
High
|
Windows Server 2019 Autoplay must be turned off for non-volume devices
|
|
V-253386
|
High
|
Autoplay must be turned off for non-volume devices
|
|
V-220827
|
High
|
Autoplay must be turned off for non-volume devices
|
|
V-205876
|
Medium
|
Windows Server 2019 domain controllers must be configured to allow reset of machine account passw...
|
|
V-205696
|
Medium
|
Windows Server 2019 local users on domain-joined member servers must not be enumerated
|
|
V-253379
|
Medium
|
Local users on domain-joined computers must not be enumerated
|
|
V-220820
|
Medium
|
Local users on domain-joined computers must not be enumerated
|
|
V-254346
|
Medium
|
Windows Server 2022 downloading print driver packages over HTTP must be turned off
|
|
V-205688
|
Medium
|
Windows Server 2019 downloading print driver packages over HTTP must be turned off
|
|
V-253374
|
Medium
|
Downloading print driver packages over HTTP must be prevented
|
|
V-220815
|
Medium
|
Downloading print driver packages over HTTP must be prevented
|
|
V-253376
|
Medium
|
Printing over HTTP must be prevented
|
|
V-220817
|
Medium
|
Printing over HTTP must be prevented
|
|
V-253408
|
Medium
|
Basic authentication for RSS feeds over HTTP must not be used
|
|
V-220844
|
Medium
|
The Windows Defender SmartScreen filter for Microsoft Edge must be enabled
|
|
V-254469
|
High
|
Windows Server 2022 must restrict anonymous access to Named Pipes and Shares
|
|
V-205725
|
High
|
Windows Server 2019 must restrict anonymous access to Named Pipes and Shares
|
|
V-253456
|
High
|
Anonymous access to Named Pipes and Shares must be restricted
|
|
V-220932
|
High
|
Anonymous access to Named Pipes and Shares must be restricted
|
|
V-254477
|
Medium
|
Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTL...
|
|
V-205921
|
Medium
|
Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTL...
|
|
V-254478
|
Medium
|
Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTL...
|
|
V-205922
|
Medium
|
Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTL...
|
|
V-253450
|
Medium
|
Unencrypted passwords must not be sent to third-party SMB Servers
|
|
V-220926
|
Medium
|
Unencrypted passwords must not be sent to third-party SMB Servers
|
|
V-253353
|
Medium
|
IPv6 source routing must be configured to highest protection
|
|
V-220795
|
Medium
|
IPv6 source routing must be configured to highest protection
|
|
V-254272
|
Medium
|
Windows Server 2022 must not have Simple TCP/IP Services installed
|
|
V-205680
|
Medium
|
Windows Server 2019 must not have Simple TCP/IP Services installed
|
|
V-254367
|
Medium
|
Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connec...
|
|
V-205809
|
Medium
|
Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connec...
|
|
V-260478
|
Medium
|
Ubuntu 22.04 LTS must have the "libpam-pwquality" package installed
|
|
V-260481
|
Low
|
Ubuntu 22.04 LTS must not have the "ntp" package installed
|
|
V-260516
|
Medium
|
Ubuntu 22.04 LTS must have an application firewall enabled
|
|
V-260521
|
Low
|
Ubuntu 22.04 LTS must record time stamps for audit records that can be mapped to Coordinated Univ...
|
|
V-260572
|
Medium
|
Ubuntu 22.04 LTS must encrypt all stored passwords with a FIPS 140-3-approved cryptographic hashi...
|
|
V-254365
|
Medium
|
Windows Server 2022 must not save passwords in the Remote Desktop Client
|
|
V-205808
|
Medium
|
Windows Server 2019 must not save passwords in the Remote Desktop Client
|
|
V-254431
|
Medium
|
Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connec...
|
|
V-205814
|
Medium
|
Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connec...
|
|
V-224845
|
Medium
|
The roles and features required by the system must be documented
|
|
V-224850
|
Medium
|
The Fax Server role must not be installed
|
|
V-224852
|
Medium
|
The Peer Name Resolution Protocol must not be installed
|
|
V-224853
|
Medium
|
Simple TCP/IP Services must not be installed
|
|
V-224854
|
Medium
|
The Telnet Client must not be installed
|
|
V-224855
|
Medium
|
The TFTP Client must not be installed
|
|
V-224864
|
Low
|
Secure Boot must be enabled on Windows Server 2016 systems
|
|
V-224874
|
High
|
Windows Server 2016 reversible password encryption must be disabled
|
|
V-224915
|
Medium
|
WDigest Authentication must be disabled on Windows Server 2016
|
|
V-224916
|
Low
|
Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection le...
|
|
V-224917
|
Low
|
Source routing must be configured to the highest protection level to prevent Internet Protocol (I...
|
|
V-224926
|
Medium
|
Downloading print driver packages over HTTP must be prevented
|
|
V-224927
|
Medium
|
Printing over HTTP must be prevented
|
|
V-224931
|
Low
|
The Application Compatibility Program Inventory must be prevented from collecting data and sendin...
|
|
V-224934
|
High
|
AutoPlay must be disabled for all drives
|
|
V-224937
|
Medium
|
The Application event log size must be configured to 32768 KB or greater
|
|
V-224938
|
Medium
|
The Security event log size must be configured to 196608 KB or greater
|
|
V-224939
|
Medium
|
The System event log size must be configured to 32768 KB or greater
|
|
V-224946
|
Medium
|
Remote Desktop Services must always prompt a client for passwords upon connection
|
|
V-224956
|
Medium
|
Automatically signing in the last interactive user after a system-initiated restart must be disabled
|
|
V-254269
|
Medium
|
Windows Server 2022 must not have the Fax Server role installed
|
|
V-205678
|
Medium
|
Windows Server 2019 must not have the Fax Server role installed
|
|
V-254271
|
Medium
|
Windows Server 2022 must not have the Peer Name Resolution Protocol installed
|
|
V-205679
|
Medium
|
Windows Server 2019 must not have the Peer Name Resolution Protocol installed
|
|
V-254273
|
Medium
|
Windows Server 2022 must not have the Telnet Client installed
|
|
V-205698
|
Medium
|
Windows Server 2019 must not have the Telnet Client installed
|
|
V-254274
|
Medium
|
Windows Server 2022 must not have the TFTP Client installed
|
|
V-205681
|
Medium
|
Windows Server 2019 must not have the TFTP Client installed
|
|
V-271430
|
High
|
Windows Server 2016 must be configured for name-based strong mappings for certificates
|
|
V-225025
|
High
|
Local accounts with blank passwords must be restricted to prevent access from the network
|
|
V-225041
|
Medium
|
Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers
|
|
V-225044
|
High
|
Anonymous SID/Name translation must not be allowed
|
|
V-225048
|
High
|
Anonymous access to Named Pipes and Shares must be restricted
|
|
V-253256
|
Medium
|
Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configu...
|
|
V-254283
|
Medium
|
Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and b...
|
|
V-220699
|
Medium
|
Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configu...
|
|
V-218793
|
Medium
|
The IIS 10.0 web server must only contain functions necessary for operation
|
|
V-218808
|
Medium
|
Directory Browsing on the IIS 10.0 web server must be disabled
|
|
V-268467
|
Low
|
The macOS system must configure audit retention to seven days
|
|
V-269096
|
Medium
|
The macOS system must disable sending audio recordings and transcripts to Apple
|
|
V-268496
|
Medium
|
The macOS system must disable Apple ID setup during Setup Assistant
|
|
V-268497
|
Medium
|
The macOS system must disable Privacy Setup services during Setup Assistant
|
|
V-268500
|
Medium
|
The macOS system must disable Siri Setup during Setup Assistant
|
|
V-268507
|
Medium
|
The macOS system must disable the system settings pane for Siri
|
|
V-268509
|
High
|
The macOS system must disable Bluetooth when no approved device is connected
|
|
V-268522
|
Medium
|
The macOS system must disable iCloud Desktop and Document folder sync
|
|
V-268527
|
Medium
|
The macOS system must disable sending Siri and Dictation information to Apple
|
|
V-253478
|
Medium
|
Zone information must be preserved when saving attachments
|
|
V-254417
|
Medium
|
Windows Server 2022 domain controllers must be configured to allow reset of machine account passw...
|
|
V-253397
|
Low
|
File Explorer heap termination on corruption must be disabled
|
|
V-253486
|
High
|
The "Create a token object" user right must not be assigned to any groups or accounts
|
|
V-220963
|
High
|
The Create a token object user right must not be assigned to any groups or accounts
|
|
V-225053
|
High
|
Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords
|
|
V-225056
|
Medium
|
Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security...
|
|
V-225057
|
Medium
|
Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security...
|
|
V-225067
|
Medium
|
User Account Control must run all administrators in Admin Approval Mode, enabling UAC
|
|
V-277983
|
Medium
|
Windows Server 2025 must prohibit the use or connection of unauthorized hardware components
|
|
V-277989
|
Medium
|
Windows Server 2025 manually managed application account passwords must be at least 15 characters...
|
|
V-277997
|
High
|
Windows Server 2025 local volumes must use a format that supports New Technology File System (NTF...
|
|
V-278017
|
Medium
|
Windows Server 2025 must not have Wi-Fi enabled unless required by the organization
|
|
V-278027
|
Medium
|
Windows Server 2025 FTP servers must be configured to prevent anonymous logons
|
|
V-278031
|
Medium
|
Windows Server 2025 systems must have Unified Extensible Firmware Interface (UEFI) firmware and b...
|
|
V-278042
|
Medium
|
Windows Server 2025 must, at a minimum, off-load audit records of interconnected systems in real ...
|
|
V-278089
|
Medium
|
Windows Server 2025 must be configured to enable Remote host allows delegation of nonexportable c...
|
|
V-278093
|
Medium
|
Windows Server 2025 downloading print driver packages over HTTP must be turned off
|
|
V-278096
|
Medium
|
Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (on b...
|
|
V-278097
|
Medium
|
Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (plug...
|
|
V-278099
|
High
|
Windows Server 2025 AutoPlay must be turned off for nonvolume devices
|
|
V-278112
|
Medium
|
Windows Server 2025 must not save passwords in the Remote Desktop Client
|
|
V-278116
|
Medium
|
Windows Server 2025 Remote Desktop Services must be configured with the client connection encrypt...
|
|
V-278164
|
Medium
|
Windows Server 2025 domain controllers must be configured to allow reset of machine account passw...
|
|
V-278179
|
Medium
|
Windows Server 2025 local users on domain-joined member servers must not be enumerated
|
|
V-278201
|
Medium
|
Windows Server 2025 setting Domain member: Digitally encrypt secure channel data (when possible) ...
|
|
V-278202
|
Medium
|
The Windows Server 2025 setting Domain member: Digitally sign secure channel data (when possible)...
|
|
V-278203
|
Medium
|
Windows Server 2025 computer account password must not be prevented from being reset
|
|
V-278218
|
Medium
|
Windows Server 2025 must be configured to prevent anonymous users from having the same permission...
|
|
V-278219
|
High
|
Windows Server 2025 must restrict anonymous access to Named Pipes and Shares
|
|
V-253482
|
Medium
|
The "Allow log on locally" user right must only be assigned to the Administrators and Users groups
|
|
V-220959
|
Medium
|
The Allow log on locally user right must only be assigned to the Administrators and Users groups
|
|
V-253485
|
Medium
|
The "Create a pagefile" user right must only be assigned to the Administrators group
|
|
V-220962
|
Medium
|
The Create a pagefile user right must only be assigned to the Administrators group
|
|
V-253488
|
Medium
|
The "Create permanent shared objects" user right must not be assigned to any groups or accounts
|
|
V-220965
|
Medium
|
The Create permanent shared objects user right must not be assigned to any groups or accounts
|
|
V-253502
|
Medium
|
The "Modify firmware environment values" user right must only be assigned to the Administrators g...
|
|
V-220979
|
Medium
|
The Modify firmware environment values user right must only be assigned to the Administrators group
|
|
V-253503
|
Medium
|
The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group
|
|
V-220980
|
Medium
|
The Perform volume maintenance tasks user right must only be assigned to the Administrators group
|
|
V-253504
|
Medium
|
The "Profile single process" user right must only be assigned to the Administrators group
|
|
V-220981
|
Medium
|
The Profile single process user right must only be assigned to the Administrators group
|
|
V-243470
|
High
|
Delegation of privileged accounts must be prohibited
|
|
V-277049
|
Medium
|
The macOS system must enforce screen saver timeout
|
|
V-277058
|
Medium
|
The macOS system must enable the time synchronization daemon
|
|
V-277085
|
Medium
|
The macOS system must disable Server Message Block (SMB) sharing
|
|
V-277086
|
Medium
|
The macOS system must disable Network File System (NFS) service
|
|
V-277087
|
Medium
|
The macOS system must disable Location Services
|
|
V-277103
|
Medium
|
The macOS system must disable sending audio recordings and transcripts to Apple
|
|
V-277105
|
Medium
|
The macOS system must disable Apple ID setup during Setup Assistant
|
|
V-277107
|
Medium
|
The macOS system must disable iCloud storage setup during Setup Assistant
|
|
V-277109
|
Medium
|
The macOS system must disable Siri Setup during Setup Assistant
|
|
V-277116
|
Medium
|
The macOS system must disable the system settings pane for Siri
|
|
V-277118
|
High
|
The macOS system must disable Bluetooth when no approved device is connected
|
|
V-277120
|
High
|
The macOS system must enable gatekeeper
|
|
V-277130
|
Medium
|
The macOS system must disable iCloud Desktop and Document folder sync
|
|
V-277135
|
Medium
|
The macOS system must disable sending Siri and Dictation information to Apple
|
|
V-277149
|
Medium
|
The macOS system must remove password hints from user accounts
|
|
V-277166
|
High
|
The macOS system must enforce FileVault
|
|
V-277169
|
Medium
|
The macOS system must disable the TouchID prompt during Setup Assistant
|
|
V-277171
|
Medium
|
The macOS system must disable Unlock with Apple Watch during Setup Assistant
|
|
V-277177
|
Medium
|
The macOS system must authorize USB devices before allowing connection
|
|
V-260577
|
Medium
|
Ubuntu 22.04 LTS, for PKI-based authentication, must validate certificates by constructing a cert...
|
|
V-260648
|
Medium
|
Ubuntu 22.04 LTS must prevent all software from executing at higher privilege levels than users e...
|
|
V-254442
|
Medium
|
Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in t...
|
|
V-205648
|
Medium
|
Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in t...
|
|
V-220903
|
Medium
|
The DoD Root CA certificates must be installed in the Trusted Root Store
|
|
V-225022
|
Medium
|
The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificat...
|
|
V-225023
|
Medium
|
The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Ce...
|
|
V-254447
|
Medium
|
Windows Server 2022 built-in administrator account must be renamed
|
|
V-205909
|
Medium
|
Windows Server 2019 built-in administrator account must be renamed
|
|
V-254351
|
Low
|
Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting...
|
|
V-205691
|
Low
|
Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting...
|
|
V-220912
|
Medium
|
The built-in guest account must be renamed
|
|
V-253436
|
Medium
|
The built-in guest account must be renamed
|
|
V-205908
|
High
|
Windows Server 2019 must prevent local accounts with blank passwords from being used from the net...
|
|
V-254446
|
High
|
Windows Server 2022 must prevent local accounts with blank passwords from being used from the net...
|
|
V-220910
|
Medium
|
Local accounts with blank passwords must be restricted to prevent access from the network
|
|
V-253434
|
Medium
|
Local accounts with blank passwords must be restricted to prevent access from the network
|
|
V-253483
|
Medium
|
The "Back up files and directories" user right must only be assigned to the Administrators group
|
|
V-220960
|
Medium
|
The Back up files and directories user right must only be assigned to the Administrators group
|
|
V-205863
|
Medium
|
Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable ...
|
|
V-220810
|
Medium
|
Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials
|
|
V-254376
|
Medium
|
Windows Server 2022 must disable automatically signing in the last interactive user after a syste...
|
|
V-205925
|
Medium
|
Windows Server 2019 must disable automatically signing in the last interactive user after a syste...
|
|
V-253413
|
Medium
|
Automatically signing in the last interactive user after a system-initiated restart must be disabled
|
|
V-220859
|
Medium
|
Automatically signing in the last interactive user after a system-initiated restart must be disabled
|
|
V-254483
|
Medium
|
Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without usi...
|
|
V-253471
|
Medium
|
User Account Control must automatically deny elevation requests for standard users
|
|
V-220947
|
Medium
|
User Account Control must automatically deny elevation requests for standard users
|
|
V-254488
|
Medium
|
Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode...
|
|
V-205813
|
Medium
|
Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enab...
|
|
V-254486
|
Medium
|
Windows Server 2022 User Account Control (UAC) must be configured to detect application installat...
|
|
V-205718
|
Medium
|
Windows Server 2019 User Account Control must be configured to detect application installations a...
|
|
V-220945
|
Medium
|
User Account Control must, at minimum, prompt administrators for consent on the secure desktop
|
|
V-253473
|
Medium
|
User Account Control must only elevate UIAccess applications that are installed in secure locations
|
|
V-220949
|
Medium
|
User Account Control must only elevate UIAccess applications that are installed in secure locations
|
|
V-254358
|
Medium
|
Windows Server 2022 Application event log size must be configured to 32768 KB or greater
|
|
V-205796
|
Medium
|
Windows Server 2019 Application event log size must be configured to 32768 KB or greater
|
|
V-254359
|
Medium
|
Windows Server 2022 Security event log size must be configured to 196608 KB or greater
|
|
V-205797
|
Medium
|
Windows Server 2019 Security event log size must be configured to 196608 KB or greater
|
|
V-254360
|
Medium
|
Windows Server 2022 System event log size must be configured to 32768 KB or greater
|
|
V-205798
|
Medium
|
Windows Server 2019 System event log size must be configured to 32768 KB or greater
|
|
V-254354
|
High
|
Windows Server 2022 AutoPlay must be disabled for all drives
|
|
V-205806
|
High
|
Windows Server 2019 AutoPlay must be disabled for all drives
|
|
V-254334
|
Medium
|
Windows Server 2022 must have WDigest Authentication disabled
|
|
V-205687
|
Medium
|
Windows Server 2019 must have WDigest Authentication disabled
|
|
V-253490
|
High
|
The "Debug programs" user right must only be assigned to the Administrators group
|
|
V-220967
|
High
|
The Debug programs user right must only be assigned to the Administrators group
|
|
V-253373
|
Medium
|
Group Policy objects must be reprocessed even if they have not changed
|
|
V-220814
|
Medium
|
Group Policy objects must be reprocessed even if they have not changed
|
|
V-253284
|
High
|
Structured Exception Handling Overwrite Protection (SEHOP) must be enabled
|
|
V-253398
|
Medium
|
File Explorer shell protocol must run in protected mode
|
|
V-220920
|
Medium
|
The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver
|
|
V-254347
|
Medium
|
Windows Server 2022 printing over HTTP must be turned off
|
|
V-205689
|
Medium
|
Windows Server 2019 printing over HTTP must be turned off
|
|
V-254361
|
Medium
|
Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled
|
|
V-205692
|
Medium
|
Windows Server 2019 Windows Defender SmartScreen must be enabled
|
|
V-253462
|
High
|
The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM
|
|
V-220938
|
High
|
The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM
|
|
V-254462
|
Medium
|
Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (S...
|
|
V-205655
|
Medium
|
Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (S...
|
|
V-254335
|
Low
|
Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the h...
|
|
V-205858
|
Low
|
Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the h...
|
|
V-254336
|
Low
|
Windows Server 2022 source routing must be configured to the highest protection level to prevent ...
|
|
V-205859
|
Low
|
Windows Server 2019 source routing must be configured to the highest protection level to prevent ...
|
|
V-253300
|
Medium
|
The password history must be configured to 24 passwords remembered
|
|
V-220742
|
Medium
|
The password history must be configured to 24 passwords remembered
|
|
V-254278
|
Medium
|
Windows Server 2022 must not have Windows PowerShell 2.0 installed
|
|
V-205685
|
Medium
|
Windows Server 2019 must not have Windows PowerShell 2.0 installed
|
|
V-260479
|
Low
|
Ubuntu 22.04 LTS must have the "chrony" package installed
|
|
V-260480
|
Low
|
Ubuntu 22.04 LTS must not have the "systemd-timesyncd" package installed
|
|
V-260550
|
Low
|
Ubuntu 22.04 LTS must enforce a delay of at least four seconds between logon prompts following a ...
|
|
V-260574
|
Medium
|
Ubuntu 22.04 LTS must accept personal identity verification (PIV) credentials
|
|
V-260587
|
Low
|
Ubuntu 22.04 LTS must have a crontab script running weekly to offload audit events of standalone ...
|
|
V-224830
|
Medium
|
Servers must have a host-based intrusion detection or prevention system
|
|
V-224836
|
Low
|
Non-administrative accounts or groups must only have print permissions on printer shares
|
|
V-224840
|
Medium
|
System files must be monitored for unauthorized changes
|
|
V-224842
|
Medium
|
Software certificate installation files must be removed from Windows Server 2016
|
|
V-224851
|
Medium
|
The Microsoft FTP service must not be installed unless required
|
|
V-224859
|
Medium
|
Windows PowerShell 2.0 must not be installed
|
|
V-224861
|
Medium
|
FTP servers must be configured to prevent access to the system drive
|
|
V-253426
|
Medium
|
Windows 11 Kernel (Direct Memory Access) DMA Protection must be enabled
|
|
V-220902
|
Medium
|
Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled
|
|
V-224871
|
Medium
|
Windows Server 2016 minimum password age must be configured to at least one day
|
|
V-224872
|
Medium
|
Windows Server 2016 minimum password length must be configured to 14 characters
|
|
V-224918
|
Low
|
Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redire...
|
|
V-224936
|
Medium
|
Windows Telemetry must be configured to Security or Basic
|
|
V-224947
|
Medium
|
The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications
|
|
V-253396
|
Medium
|
Explorer Data Execution Prevention must be enabled
|
|
V-220700
|
Low
|
Secure Boot must be enabled on Windows 10 systems
|
|
V-225024
|
Medium
|
Windows Server 2016 built-in guest account must be disabled
|
|
V-225026
|
Medium
|
Windows Server 2016 built-in administrator account must be renamed
|
|
V-225028
|
Medium
|
Audit policy using subcategories must be enabled
|
|
V-225033
|
Medium
|
The maximum age for machine account passwords must be configured to 30 days or less
|
|
V-225035
|
Medium
|
The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver
|
|
V-253270
|
Medium
|
Only accounts responsible for the backup operations must be members of the Backup Operators group
|
|
V-220713
|
Medium
|
Only accounts responsible for the backup operations must be members of the Backup Operators group
|
|
V-218795
|
High
|
All IIS 10.0 web server sample code, example applications, and tutorials must be removed from a p...
|
|
V-218809
|
Medium
|
The IIS 10.0 web server Indexing must only index web content
|
|
V-268420
|
Medium
|
The macOS system must prevent Apple Watch from terminating a session lock
|
|
V-268434
|
Medium
|
The macOS system must disable FileVault automatic login
|
|
V-268448
|
Medium
|
The macOS system must enforce auto logout after 86400 seconds of inactivity
|
|
V-268455
|
Medium
|
The macOS system must be configured to shut down upon audit failure
|
|
V-268482
|
Medium
|
The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service
|
|
V-268505
|
Medium
|
The macOS system must disable Screen Sharing and Apple Remote Desktop
|
|
V-268506
|
Medium
|
The macOS system must disable the System Settings pane for Wallet and Apple Pay
|
|
V-268516
|
Medium
|
The macOS system must disable TouchID for unlocking the device
|
|
V-268558
|
Medium
|
The macOS system must configure the login window to prompt for username and password
|
|
V-268565
|
Medium
|
The macOS system must enable Authenticated Root
|
|
V-268569
|
Medium
|
The macOS system must enforce enrollment in Mobile Device Management (MDM)
|
|
V-268570
|
Medium
|
The macOS system must enable Recovery Lock
|
|
V-268571
|
Medium
|
The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automati...
|
|
V-253466
|
Medium
|
The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing
|
|
V-254337
|
Low
|
Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redire...
|
|
V-205860
|
Low
|
Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redire...
|
|
V-220797
|
Low
|
The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from ...
|
|
V-254481
|
Low
|
Windows Server 2022 default permissions of global system objects must be strengthened
|
|
V-205923
|
Low
|
Windows Server 2019 default permissions of global system objects must be strengthened
|
|
V-253467
|
Low
|
The default permissions of global system objects must be increased
|
|
V-220943
|
Low
|
The default permissions of global system objects must be increased
|
|
V-225060
|
Low
|
The default permissions of global system objects must be strengthened
|
|
V-225054
|
High
|
The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM an...
|
|
V-225061
|
Medium
|
User Account Control approval mode for the built-in Administrator must be enabled
|
|
V-225062
|
Medium
|
UIAccess applications must not be allowed to prompt for elevation without using the secure desktop
|
|
V-225064
|
Medium
|
User Account Control must automatically deny standard user requests for elevation
|
|
V-225065
|
Medium
|
User Account Control must be configured to detect application installations and prompt for elevation
|
|
V-225068
|
Medium
|
User Account Control must virtualize file and registry write failures to per-user locations
|
|
V-225077
|
Medium
|
The Create permanent shared objects user right must not be assigned to any groups or accounts
|
|
V-277996
|
Medium
|
Windows Server 2025 must have a host-based intrusion detection and prevention service (IDPS) inst...
|
|
V-278006
|
Medium
|
Windows Server 2025 system files must be monitored for unauthorized changes
|
|
V-278008
|
Medium
|
Windows Server 2025 must have software certificate installation files removed
|
|
V-278011
|
Medium
|
Windows Server 2025 must have the roles and features required by the system documented
|
|
V-278015
|
Medium
|
Windows Server 2025 must not have the Fax Server role installed
|
|
V-278018
|
Medium
|
Windows Server 2025 must not have Bluetooth enabled unless required by the organization
|
|
V-278019
|
Medium
|
Windows Server 2025 must not have the Peer Name Resolution Protocol installed
|
|
V-278020
|
Medium
|
Windows Server 2025 must not have Simple TCP/IP Services installed
|
|
V-278021
|
Medium
|
Windows Server 2025 must not have the Telnet Client installed
|
|
V-278022
|
Medium
|
Windows Server 2025 must not have the TFTP Client installed
|
|
V-278040
|
High
|
Windows Server 2025 reversible password encryption must be disabled
|
|
V-278082
|
Low
|
Windows Server 2025 Internet Protocol version 6 (IPv6) source routing must be configured to the h...
|
|
V-278083
|
Low
|
Windows Server 2025 source routing must be configured to the highest protection level to prevent ...
|
|
V-278084
|
Low
|
Windows Server 2025 must be configured to prevent Internet Control Message Protocol (ICMP) redire...
|
|
V-278094
|
Medium
|
Windows Server 2025 printing over HTTP must be turned off
|
|
V-278098
|
Low
|
Windows Server 2025 Application Compatibility Program Inventory must be prevented from collecting...
|
|
V-278101
|
High
|
Windows Server 2025 AutoPlay must be disabled for all drives
|
|
V-278105
|
Medium
|
Windows Server 2025 Application event log size must be configured to 32768 KB or greater
|
|
V-278106
|
Medium
|
Windows Server 2025 Security event log size must be configured to 196608 KB or greater
|
|
V-278107
|
Medium
|
Windows Server 2025 System event log size must be configured to 32768 KB or greater
|
|
V-278108
|
Medium
|
Windows Server 2025 Microsoft Defender antivirus SmartScreen must be enabled
|
|
V-278114
|
Medium
|
Windows Server 2025 Remote Desktop Services must always prompt a client for passwords upon connec...
|
|
V-278123
|
Medium
|
Windows Server 2025 must disable automatically signing in the last interactive user after a syste...
|
|
V-278180
|
Medium
|
Windows Server 2025 must restrict unauthenticated Remote Procedure Call (RPC) clients from connec...
|
|
V-278196
|
High
|
Windows Server 2025 must prevent local accounts with blank passwords from being used from the net...
|
|
V-278200
|
Medium
|
The Windows Server 2025 setting Domain member: Digitally encrypt or sign secure channel data (alw...
|
|
V-278210
|
Medium
|
The Windows Server 2025 setting Microsoft network client: Digitally sign communications (always) ...
|
|
V-278211
|
Medium
|
The Windows Server 2025 setting Microsoft network client: Digitally sign communications (if serve...
|
|
V-278212
|
Medium
|
Windows Server 2025 unencrypted passwords must not be sent to third-party Server Message Block (S...
|
|
V-278213
|
Medium
|
The Windows Server 2025 setting Microsoft network server: Digitally sign communications (always) ...
|
|
V-278214
|
Medium
|
The Windows Server 2025 setting Microsoft network server: Digitally sign communications (if clien...
|
|
V-278227
|
Medium
|
Windows Server 2025 session security for NTLM SSP-based clients must be configured to require NTL...
|
|
V-278228
|
Medium
|
Windows Server 2025 session security for NTLM SSP-based servers must be configured to require NTL...
|
|
V-278236
|
Medium
|
Windows Server 2025 User Account Control (UAC) must be configured to detect application installat...
|
|
V-278238
|
Medium
|
Windows Server 2025 User Account Control (UAC) must run all administrators in Admin Approval Mode...
|
|
V-253479
|
Medium
|
The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups...
|
|
V-220956
|
Medium
|
The Access Credential Manager as a trusted caller user right must not be assigned to any groups o...
|
|
V-253487
|
Medium
|
The "Create global objects" user right must only be assigned to Administrators, Service, Local Se...
|
|
V-220964
|
Medium
|
The Create global objects user right must only be assigned to Administrators, Service, Local Serv...
|
|
V-271427
|
Medium
|
Windows Server 2022 must be configured for name-based strong mappings for certificates
|
|
V-220974
|
Medium
|
The Force shutdown from a remote system user right must only be assigned to the Administrators group
|
|
V-220975
|
Medium
|
The "Impersonate a client after authentication" user right must only be assigned to Administrator...
|
|
V-253499
|
Medium
|
The "Load and unload device drivers" user right must only be assigned to the Administrators group
|
|
V-220976
|
Medium
|
The Load and unload device drivers user right must only be assigned to the Administrators group
|
|
V-253505
|
Medium
|
The "Restore files and directories" user right must only be assigned to the Administrators group
|
|
V-220982
|
Medium
|
The Restore files and directories user right must only be assigned to the Administrators group
|
|
V-253506
|
Medium
|
The "Take ownership of files or other objects" user right must only be assigned to the Administra...
|
|
V-220983
|
Medium
|
The Take ownership of files or other objects user right must only be assigned to the Administrato...
|
|
V-205851
|
Medium
|
Windows Server 2019 must have a host-based intrusion detection and prevention service installed
|
|
V-254249
|
Medium
|
Windows Server 2022 must have a host-based intrusion detection and prevention service installed
|
|
V-243478
|
Medium
|
Domain-joined systems (excluding domain controllers) must not be configured for unconstrained del...
|
|
V-277030
|
Medium
|
The macOS system must enforce session lock no more than five seconds after screen saver is started
|
|
V-277032
|
Medium
|
The macOS system must disable hot corners
|
|
V-277051
|
Medium
|
The macOS system must disable root login
|
|
V-277056
|
Medium
|
The macOS system must enforce auto logout after 86400 seconds of inactivity
|
|
V-277057
|
Medium
|
The macOS system must be configured to use an authorized time server
|
|
V-277074
|
Low
|
The macOS system must configure audit retention to seven days
|
|
V-277080
|
Medium
|
The macOS system must configure audit_control group to wheel
|
|
V-277081
|
Medium
|
The macOS system must configure audit_control owner to root
|
|
V-277101
|
Medium
|
The macOS system must disable sending diagnostic and usage data to Apple
|
|
V-277102
|
Medium
|
The macOS system must disable Remote Apple Events
|
|
V-277106
|
Medium
|
The macOS system must disable Privacy Setup services during Setup Assistant
|
|
V-277115
|
Medium
|
The macOS system must disable the System Settings pane for Wallet and Apple Pay
|
|
V-277121
|
High
|
The macOS system must disable unattended or automatic login to the system
|
|
V-277125
|
Medium
|
The macOS system must disable TouchID for unlocking the device
|
|
V-277143
|
Medium
|
The macOS system must issue or obtain public key certificates from an approved service provider
|
|
V-277168
|
Medium
|
The macOS system must configure the login window to prompt for username and password
|
|
V-277175
|
Medium
|
The macOS system must enable Authenticated Root
|
|
V-277179
|
Medium
|
The macOS system must enforce enrollment in Mobile Device Management (MDM)
|
|
V-277180
|
Medium
|
The macOS system must enable Recovery Lock
|
|
V-282964
|
High
|
The macOS system must be a version supported by the vendor
|
|
V-253495
|
Medium
|
The "Deny log on through Remote Desktop Services" user right on Windows 11 workstations must be c...
|
|
V-220972
|
Medium
|
The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a m...
|
|
V-220973
|
Medium
|
The Enable computer and user accounts to be trusted for delegation user right must not be assigne...
|
|
V-253496
|
Medium
|
The "Enable computer and user accounts to be trusted for delegation" user right must not be assig...
|
|
V-254445
|
Medium
|
Windows Server 2022 must have the built-in guest account disabled
|
|
V-205709
|
Medium
|
Windows Server 2019 must have the built-in guest account disabled
|
|
V-253297
|
Medium
|
Windows 11 account lockout duration must be configured to 15 minutes or greater
|
|
V-220739
|
Medium
|
Windows 10 account lockout duration must be configured to 15 minutes or greater
|
|
V-260469
|
High
|
Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence
|
|
V-253299
|
Medium
|
The period of time before the bad logon counter is reset must be configured to 15 minutes
|
|
V-205716
|
Medium
|
Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without usi...
|
|
V-254482
|
Medium
|
Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must ...
|
|
V-205811
|
Medium
|
Windows Server 2019 User Account Control approval mode for the built-in Administrator must be ena...
|
|
V-254485
|
Medium
|
Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for...
|
|
V-205812
|
Medium
|
Windows Server 2019 User Account Control must automatically deny standard user requests for eleva...
|
|
V-254489
|
Medium
|
Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures t...
|
|
V-205720
|
Medium
|
Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures t...
|
|
V-254487
|
Medium
|
Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are i...
|
|
V-205719
|
Medium
|
Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are i...
|