| Vulnerability ID | Severity | Description |
|---|---|---|
| V-254247 | Medium | Windows Server 2022 must be maintained at a supported servicing level |
| V-253263 | High | Windows 11 systems must be maintained at a supported servicing level |
| V-220911 | Medium | The built-in administrator account must be renamed |
| V-254448 | Medium | Windows Server 2022 built-in guest account must be renamed |
| V-205910 | Medium | Windows Server 2019 built-in guest account must be renamed |
| V-220912 | Medium | The built-in guest account must be renamed |
| V-253436 | Medium | The built-in guest account must be renamed |
| V-205908 | High | Windows Server 2019 must prevent local accounts with blank passwords from being used from the net... |
| V-254446 | High | Windows Server 2022 must prevent local accounts with blank passwords from being used from the net... |
| V-220910 | Medium | Local accounts with blank passwords must be restricted to prevent access from the network |
| V-253434 | Medium | Local accounts with blank passwords must be restricted to prevent access from the network |
| V-254342 | Medium | Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable c... |
| V-205863 | Medium | Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable ... |
| V-253368 | Medium | Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials |
| V-220810 | Medium | Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials |
| V-254376 | Medium | Windows Server 2022 must disable automatically signing in the last interactive user after a syste... |
| V-205925 | Medium | Windows Server 2019 must disable automatically signing in the last interactive user after a syste... |
| V-253413 | Medium | Automatically signing in the last interactive user after a system-initiated restart must be disabled |
| V-220859 | Medium | Automatically signing in the last interactive user after a system-initiated restart must be disabled |
| V-260469 | High | Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence |
| V-253441 | Low | The computer account password must not be prevented from being reset |
| V-220917 | Low | The computer account password must not be prevented from being reset |
| V-254349 | Medium | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on b... |
| V-205867 | Medium | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on b... |
| V-254350 | Medium | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plug... |
| V-205868 | Medium | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plug... |
| V-205876 | Medium | Windows Server 2019 domain controllers must be configured to allow reset of machine account passw... |
| V-254427 | Medium | The password for the krbtgt account on a domain must be reset at least every 180 days |
| V-205877 | Medium | The password for the krbtgt account on a domain must be reset at least every 180 days |
| V-254441 | High | Windows Server 2022 must be running Credential Guard on domain-joined member servers |
| V-205907 | High | Windows Server 2019 must be running Credential Guard on domain-joined member servers |
| V-253370 | High | Credential Guard must be running on Windows 11 domain-joined systems |
| V-220812 | High | Credential Guard must be running on Windows 10 domain-joined systems |
| V-253447 | Low | Caching of logon credentials must be limited |
| V-220923 | Low | Caching of logon credentials must be limited |
| V-254432 | Medium | Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined ... |
| V-205906 | Medium | Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined ... |
| V-254345 | Medium | Windows Server 2022 group policy objects must be reprocessed even if they have not changed |
| V-205866 | Medium | Windows Server 2019 group policy objects must be reprocessed even if they have not changed |
| V-253373 | Medium | Group Policy objects must be reprocessed even if they have not changed |
| V-220814 | Medium | Group Policy objects must be reprocessed even if they have not changed |
| V-254340 | Medium | Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require m... |
| V-205862 | Medium | Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require m... |
| V-253362 | Medium | Hardened UNC Paths must be defined to require mutual authentication and integrity for at least th... |
| V-250319 | Medium | Hardened UNC paths must be defined to require mutual authentication and integrity for at least th... |
| V-254454 | Medium | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less |
| V-205911 | Medium | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less |
| V-253442 | Low | The maximum age for machine account passwords must be configured to 30 days or less |
| V-220918 | Low | The maximum age for machine account passwords must be configured to 30 days or less |
| V-254476 | Medium | Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing |
| V-205920 | Medium | Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing |
| V-253463 | Medium | The system must be configured to the required LDAP client signing level |
| V-220939 | Medium | The system must be configured to the required LDAP client signing level |
| V-254364 | Medium | Windows Server 2022 File Explorer shell protocol must run in protected mode |
| V-205872 | Medium | Windows Server 2019 File Explorer shell protocol must run in protected mode |
| V-253398 | Medium | File Explorer shell protocol must run in protected mode |
| V-220839 | Medium | File Explorer shell protocol must run in protected mode |
| V-254248 | Medium | Windows Server 2022 must use an antivirus program |
| V-205850 | High | Windows Server 2019 must use an anti-virus program |
| V-253264 | High | The Windows 11 system must use an antivirus program |
| V-220707 | High | The Windows 10 system must use an anti-virus program |
| V-254344 | Medium | Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must preven... |
| V-205865 | Medium | Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must preven... |
| V-253372 | Medium | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers |
| V-220813 | Medium | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers |
| V-253281 | Medium | A host-based firewall must be installed and enabled on the system |
| V-220724 | Medium | A host-based firewall must be installed and enabled on the system |
| V-254370 | Medium | Windows Server 2022 must prevent attachments from being downloaded from RSS feeds |
| V-205873 | Medium | Windows Server 2019 must prevent attachments from being downloaded from RSS feeds |
| V-253407 | Medium | Attachments must be prevented from being downloaded from RSS feeds |
| V-220853 | Medium | Attachments must be prevented from being downloaded from RSS feeds |
| V-220844 | Medium | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled |
| V-220841 | Medium | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified f... |
| V-220840 | Medium | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious we... |
| V-254466 | High | Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts |
| V-205914 | High | Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts |
| V-253453 | High | Anonymous enumeration of SAM accounts must not be allowed |
| V-220929 | High | Anonymous enumeration of SAM accounts must not be allowed |
| V-254339 | Medium | Windows Server 2022 insecure logons to an SMB server must be disabled |
| V-205861 | Medium | Windows Server 2019 insecure logons to an SMB server must be disabled |
| V-253360 | Medium | Insecure logons to an SMB server must be disabled |
| V-220802 | Medium | Insecure logons to an SMB server must be disabled |
| V-254475 | High | Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response o... |
| V-205919 | High | Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response o... |
| V-253462 | High | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM |
| V-220938 | High | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM |
| V-254468 | Medium | Windows Server 2022 must be configured to prevent anonymous users from having the same permission... |
| V-205915 | Medium | Windows Server 2019 must be configured to prevent anonymous users from having the same permission... |
| V-253455 | Medium | The system must be configured to prevent anonymous users from having the same rights as the Every... |
| V-254471 | Medium | Windows Server 2022 must prevent NTLM from falling back to a Null session |
| V-205917 | Medium | Windows Server 2019 must prevent NTLM from falling back to a Null session |
| V-253458 | Medium | NTLM must be prevented from falling back to a Null session |
| V-220934 | Medium | NTLM must be prevented from falling back to a Null session |
| V-254470 | Medium | Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authent... |
| V-205916 | Medium | Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authent... |
| V-254477 | Medium | Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTL... |
| V-205921 | Medium | Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTL... |
| V-254478 | Medium | Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTL... |
| V-205922 | Medium | Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTL... |
| V-254335 | Low | Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the h... |
| V-205858 | Low | Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the h... |
| V-253353 | Medium | IPv6 source routing must be configured to highest protection |
| V-220795 | Medium | IPv6 source routing must be configured to highest protection |
| V-254336 | Low | Windows Server 2022 source routing must be configured to the highest protection level to prevent ... |
| V-205859 | Low | Windows Server 2019 source routing must be configured to the highest protection level to prevent ... |
| V-205869 | Medium | Windows Server 2019 Telemetry must be configured to Security or Basic |
| V-220834 | Medium | Windows Telemetry must not be configured to Full |
| V-260478 | Medium | Ubuntu 22.04 LTS must have the "libpam-pwquality" package installed |
| V-260479 | Low | Ubuntu 22.04 LTS must have the "chrony" package installed |
| V-260480 | Low | Ubuntu 22.04 LTS must not have the "systemd-timesyncd" package installed |
| V-260481 | Low | Ubuntu 22.04 LTS must not have the "ntp" package installed |
| V-260516 | Medium | Ubuntu 22.04 LTS must have an application firewall enabled |
| V-260539 | High | Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface ... |
| V-260550 | Low | Ubuntu 22.04 LTS must enforce a delay of at least four seconds between logon prompts following a ... |
| V-260555 | Medium | Ubuntu 22.04 LTS default filesystem permissions must be defined in such a way that all authentica... |
| V-260564 | Medium | Ubuntu 22.04 LTS must prevent the use of dictionary words for passwords |
| V-260567 | Medium | Ubuntu 22.04 LTS must be configured so that when passwords are changed or new passwords are estab... |
| V-260570 | High | Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords |
| V-260571 | High | Ubuntu 22.04 LTS must not have accounts configured with blank or null passwords |
| V-260640 | Medium | Ubuntu 22.04 LTS must generate audit records for all events that affect the systemd journal files |
| V-224819 | High | Users with Administrative privileges must have separate accounts for administrative duties and no... |
| V-224821 | High | Administrative accounts must not be used with applications that access the Internet, such as web ... |
| V-224822 | Medium | Members of the Backup Operators group must have separate accounts for backup duties and normal op... |
| V-224824 | Medium | Manually managed application account passwords must be changed at least annually or when a system... |
| V-224827 | Medium | Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and r... |
| V-224828 | High | Systems must be maintained at a supported servicing level |
| V-224829 | High | The Windows Server 2016 system must use an anti-virus program |
| V-224830 | Medium | Servers must have a host-based intrusion detection or prevention system |
| V-224842 | Medium | Software certificate installation files must be removed from Windows Server 2016 |
| V-224860 | Medium | FTP servers must be configured to prevent anonymous logons |
| V-224861 | Medium | FTP servers must be configured to prevent access to the system drive |
| V-224863 | Medium | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016 |
| V-224864 | Low | Secure Boot must be enabled on Windows Server 2016 systems |
| V-224865 | Low | Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be confi... |
| V-254343 | Medium | Windows Server 2022 virtualization-based security must be enabled with the platform security leve... |
| V-205864 | Medium | Windows Server 2019 virtualization-based security must be enabled with the platform security leve... |
| V-253369 | Medium | Virtualization-based Security must be enabled on Windows 11 with the platform security level conf... |
| V-220811 | Medium | Virtualization Based Security must be enabled on Windows 10 with the platform security level conf... |
| V-224916 | Low | Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection le... |
| V-224917 | Low | Source routing must be configured to the highest protection level to prevent Internet Protocol (I... |
| V-224918 | Low | Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redire... |
| V-224920 | Medium | Insecure logons to an SMB server must be disabled |
| V-224921 | Medium | Hardened UNC paths must be defined to require mutual authentication and integrity for at least th... |
| V-224923 | Medium | Windows Server 2016 virtualization-based security must be enabled with the platform security leve... |
| V-224924 | Medium | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers ident... |
| V-224925 | Medium | Group Policy objects must be reprocessed even if they have not changed |
| V-224929 | Medium | Users must be prompted to authenticate when the system wakes from sleep (on battery) |
| V-224930 | Medium | Users must be prompted to authenticate when the system wakes from sleep (plugged in) |
| V-224936 | Medium | Windows Telemetry must be configured to Security or Basic |
| V-224942 | Low | Turning off File Explorer heap termination on corruption must be disabled |
| V-224943 | Medium | File Explorer shell protocol must run in protected mode |
| V-224949 | Medium | Attachments must be prevented from being downloaded from RSS feeds |
| V-236000 | Medium | The Windows Explorer Preview pane must be disabled for Windows Server 2016 |
| V-224955 | Medium | Users must be notified if a web-based program attempts to install software |
| V-224956 | Medium | Automatically signing in the last interactive user after a system-initiated restart must be disabled |
| V-224978 | High | Directory data (outside the root DSE) of a non-public directory must be configured to prevent ano... |
| V-254375 | Medium | Windows Server 2022 users must be notified if a web-based program attempts to install software |
| V-205874 | Medium | Windows Server 2019 users must be notified if a web-based program attempts to install software |
| V-253412 | Medium | Users must be notified if a web-based program attempts to install software |
| V-220858 | Medium | Users must be notified if a web-based program attempts to install software |
| V-254284 | Medium | Windows Server 2022 must have Secure Boot enabled |
| V-205857 | Low | Windows Server 2019 must have Secure Boot enabled |
| V-220700 | Low | Secure Boot must be enabled on Windows 10 systems |
| V-254357 | Low | Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet |
| V-205870 | Low | Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet |
| V-253394 | Low | Windows Update must not obtain updates from other PCs on the internet |
| V-220835 | Low | Windows Update must not obtain updates from other PCs on the internet |
| V-224996 | Medium | Domain controllers must be configured to allow reset of machine account passwords |
| V-225006 | Medium | The password for the krbtgt account on a domain must be reset at least every 180 days |
| V-225011 | Medium | Caching of logon credentials must be limited |
| V-225012 | High | Windows Server 2016 must be running Credential Guard on domain-joined member servers |
| V-225025 | High | Local accounts with blank passwords must be restricted to prevent access from the network |
| V-225026 | Medium | Windows Server 2016 built-in administrator account must be renamed |
| V-225027 | Medium | Windows Server 2016 built-in guest account must be renamed |
| V-225033 | Medium | The maximum age for machine account passwords must be configured to 30 days or less |
| V-225038 | Medium | The Smart Card removal option must be configured to Force Logoff or Lock Workstation |
| V-225044 | High | Anonymous SID/Name translation must not be allowed |
| V-225045 | High | Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed |
| V-225047 | Medium | Windows Server 2016 must be configured to prevent anonymous users from having the same permission... |
| V-254238 | Medium | Windows Server 2022 users with Administrative privileges must have separate accounts for administ... |
| V-205844 | High | Windows Server 2019 users with Administrative privileges must have separate accounts for administ... |
| V-205845 | High | Windows Server 2019 administrative accounts must not be used with applications that access the In... |
| V-253294 | High | Administrative accounts must not be used with applications that access the internet, such as web ... |
| V-220737 | High | Administrative accounts must not be used with applications that access the Internet, such as web ... |
| V-254241 | Medium | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup ... |
| V-205846 | Medium | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup ... |
| V-253270 | Medium | Only accounts responsible for the backup operations must be members of the Backup Operators group |
| V-220713 | Medium | Only accounts responsible for the backup operations must be members of the Backup Operators group |
| V-254243 | Medium | Windows Server 2022 manually managed application account passwords must be changed at least annua... |
| V-205847 | Medium | Windows Server 2019 manually managed application account passwords must be changed at least annua... |
| V-254246 | Medium | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and r... |
| V-205848 | Medium | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and r... |
| V-220698 | Medium | Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use |
| V-254283 | Medium | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and b... |
| V-205856 | Low | Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and b... |
| V-220699 | Medium | Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configu... |
| V-254356 | Medium | Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "opt... |
| V-218823 | High | All accounts installed with the IIS 10.0 web server software and tools must have passwords assign... |
| V-218824 | Medium | Unspecified file extensions on a production IIS 10.0 web server must be removed |
| V-218825 | Medium | The IIS 10.0 web server must have a global authorization rule configured to restrict access |
| V-218827 | Low | The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS) |
| V-268513 | Medium | The macOS system must secure users' home folders |
| V-268540 | Medium | The macOS system must enable firmware password |
| V-268557 | Medium | The macOS system must enable macOS Application Firewall |
| V-268569 | Medium | The macOS system must enforce enrollment in Mobile Device Management (MDM) |
| V-268570 | Medium | The macOS system must enable Recovery Lock |
| V-268571 | Medium | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automati... |
| V-254459 | Medium | Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation |
| V-253448 | Medium | The Smart Card removal option must be configured to Force Logoff or Lock Workstation |
| V-220924 | Medium | The Smart Card removal option must be configured to Force Logoff or Lock Workstation |
| V-254472 | Medium | Windows Server 2022 must prevent PKU2U authentication using online identities |
| V-205918 | Medium | Windows Server 2019 must prevent PKU2U authentication using online identities |
| V-253459 | Medium | PKU2U authentication using online identities must be prevented |
| V-220935 | Medium | PKU2U authentication using online identities must be prevented |
| V-225051 | Medium | PKU2U authentication using online identities must be prevented |
| V-254490 | Medium | Windows Server 2022 must preserve zone information when saving attachments |
| V-205924 | Medium | Windows Server 2019 must preserve zone information when saving attachments |
| V-253478 | Medium | Zone information must be preserved when saving attachments |
| V-220955 | Medium | Zone information must be preserved when saving attachments |
| V-225069 | Medium | Zone information must be preserved when saving attachments |
| V-254417 | Medium | Windows Server 2022 domain controllers must be configured to allow reset of machine account passw... |
| V-254337 | Low | Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redire... |
| V-205860 | Low | Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redire... |
| V-220797 | Low | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from ... |
| V-254481 | Low | Windows Server 2022 default permissions of global system objects must be strengthened |
| V-205923 | Low | Windows Server 2019 default permissions of global system objects must be strengthened |
| V-253467 | Low | The default permissions of global system objects must be increased |
| V-220943 | Low | The default permissions of global system objects must be increased |
| V-225060 | Low | The default permissions of global system objects must be strengthened |
| V-254363 | Low | Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled |
| V-205871 | Low | Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled |
| V-254465 | High | Windows Server 2022 must not allow anonymous SID/Name translation |
| V-205913 | High | Windows Server 2019 must not allow anonymous SID/Name translation |
| V-253452 | High | Anonymous SID/Name translation must not be allowed |
| V-220928 | High | Anonymous SID/Name translation must not be allowed |
| V-225049 | Medium | Services using Local System that use Negotiate when reverting to NTLM authentication must use the... |
| V-225050 | Medium | NTLM must be prevented from falling back to a Null session |
| V-225054 | High | The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM an... |
| V-225055 | Medium | Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing |
| V-225056 | Medium | Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security... |
| V-225057 | Medium | Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security... |
| V-254282 | Medium | Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights |
| V-253290 | Medium | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11 |
| V-220733 | Medium | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10 |
| V-277985 | Medium | Windows Server 2025 users with administrative privileges must have separate accounts for administ... |
| V-277987 | High | Windows Server 2025 administrative accounts must not be used with applications that access the in... |
| V-277988 | Medium | Windows Server 2025 members of the Backup Operators group must have separate accounts for backup ... |
| V-277990 | Medium | Windows Server 2025 manually managed application account passwords must be changed at least annua... |
| V-277995 | Medium | Windows Server 2025 must use an antivirus program |
| V-277996 | Medium | Windows Server 2025 must have a host-based intrusion detection and prevention service (IDPS) inst... |
| V-278008 | Medium | Windows Server 2025 must have software certificate installation files removed |
| V-278027 | Medium | Windows Server 2025 FTP servers must be configured to prevent anonymous logons |
| V-278028 | Medium | Windows Server 2025 FTP servers must be configured to prevent access to the system drive |
| V-278030 | Medium | Windows Server 2025 must have orphaned security identifiers (SIDs) removed from user rights |
| V-278031 | Medium | Windows Server 2025 systems must have Unified Extensible Firmware Interface (UEFI) firmware and b... |
| V-278032 | Medium | Windows Server 2025 must have Secure Boot enabled |
| V-278082 | Low | Windows Server 2025 Internet Protocol version 6 (IPv6) source routing must be configured to the h... |
| V-278083 | Low | Windows Server 2025 source routing must be configured to the highest protection level to prevent ... |
| V-278084 | Low | Windows Server 2025 must be configured to prevent Internet Control Message Protocol (ICMP) redire... |
| V-278086 | Medium | Windows Server 2025 insecure logons to an SMB server must be disabled |
| V-278087 | Medium | Windows Server 2025 hardened Universal Naming Convention (UNC) paths must be defined to require m... |
| V-278089 | Medium | Windows Server 2025 must be configured to enable Remote host allows delegation of nonexportable c... |
| V-278090 | Medium | Windows Server 2025 virtualization-based security must be enabled with the platform security leve... |
| V-278091 | Medium | Windows Server 2025 Early Launch Antimalware, Boot-Start Driver Initialization Policy must preven... |
| V-278092 | Medium | Windows Server 2025 group policy objects must be reprocessed even if they have not changed |
| V-278096 | Medium | Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (on b... |
| V-278097 | Medium | Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (plug... |
| V-278103 | Medium | Windows Server 2025 Telemetry must be configured to limit diagnostic data sent to Microsoft |
| V-278104 | Low | Windows Server 2025 Windows Update must not obtain updates from other PCs on the internet |
| V-278110 | Low | Windows Server 2025 Turning off File Explorer heap termination on corruption must be disabled |
| V-278111 | Medium | Windows Server 2025 File Explorer shell protocol must run in protected mode |
| V-278117 | Medium | Windows Server 2025 must prevent attachments from being downloaded from RSS feeds |
| V-278122 | Medium | Windows Server 2025 users must be notified if a web-based program attempts to install software |
| V-278123 | Medium | Windows Server 2025 must disable automatically signing in the last interactive user after a syste... |
| V-278146 | High | Windows Server 2025 directory data (outside the root DSE) of a nonpublic directory must be config... |
| V-278164 | Medium | Windows Server 2025 domain controllers must be configured to allow reset of machine account passw... |
| V-278176 | Medium | The password for the krbtgt account on a domain must be reset at least every 180 days |
| V-278181 | Medium | Windows Server 2025 must limit the caching of logon credentials to four or less on domain-joined ... |
| V-278190 | High | Windows Server 2025 must be running Credential Guard on domain-joined member servers |
| V-278196 | High | Windows Server 2025 must prevent local accounts with blank passwords from being used from the net... |
| V-278197 | Medium | The Windows Server 2025 built-in administrator account must be renamed |
| V-278198 | Medium | The Windows Server 2025 built-in guest account must be renamed |
| V-278204 | Medium | Windows Server 2025 maximum age for machine account passwords must be configured to 30 days or less |
| V-278209 | Medium | The Windows Server 2025 Smart Card removal option must be configured to Force Logoff or Lock Work... |
| V-278215 | High | Windows Server 2025 must not allow anonymous SID/Name translation |
| V-278216 | High | Windows Server 2025 must not allow anonymous enumeration of Security Account Manager (SAM) accounts |
| V-278218 | Medium | Windows Server 2025 must be configured to prevent anonymous users from having the same permission... |
| V-278220 | Medium | Windows Server 2025 services using Local System that use Negotiate when reverting to NTLM authent... |
| V-278221 | Medium | Windows Server 2025 must prevent NTLM from falling back to a Null session |
| V-278222 | Medium | Windows Server 2025 must prevent PKU2U authentication using online identities |
| V-278225 | High | Windows Server 2025 LAN Manager authentication level must be configured to send NTLMv2 response o... |
| V-278226 | Medium | Windows Server 2025 must be configured to at least negotiate signing for LDAP client signing |
| V-278227 | Medium | Windows Server 2025 session security for NTLM SSP-based clients must be configured to require NTL... |
| V-278228 | Medium | Windows Server 2025 session security for NTLM SSP-based servers must be configured to require NTL... |
| V-278231 | Low | Windows Server 2025 default permissions of global system objects must be strengthened |
| V-278240 | Medium | Windows Server 2025 must preserve zone information when saving attachments |
| V-205851 | Medium | Windows Server 2019 must have a host-based intrusion detection and prevention service installed |
| V-254249 | Medium | Windows Server 2022 must have a host-based intrusion detection and prevention service installed |
| V-243466 | High | Membership to the Enterprise Admins group must be restricted to accounts used only to manage the ... |
| V-243467 | High | Membership to the Domain Admins group must be restricted to accounts used only to manage the Acti... |
| V-243468 | Medium | Administrators must have separate accounts specifically for managing domain member servers |
| V-243469 | Medium | Administrators must have separate accounts specifically for managing domain workstations |
| V-243470 | High | Delegation of privileged accounts must be prohibited |
| V-243472 | Medium | Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from s... |
| V-243473 | Medium | Separate domain accounts must be used to manage public facing servers from any domain accounts us... |
| V-243475 | Medium | Domain controllers must be blocked from Internet access |
| V-243476 | Medium | All accounts, privileged and unprivileged, that require smart cards must have the underlying NT h... |
| V-243477 | Medium | User accounts with domain level administrative privileges must be members of the Protected Users ... |
| V-243478 | Medium | Domain-joined systems (excluding domain controllers) must not be configured for unconstrained del... |
| V-243479 | Medium | The Directory Service Restore Mode (DSRM) passwords must be changed on each Domain Controller (DC... |
| V-243480 | Medium | The domain functional level must be at a Windows Server version still supported by Microsoft |
| V-243481 | Medium | Access to need-to-know information must be restricted to an authorized community of interest |
| V-243482 | High | Interconnections between DoD directory services of different classification levels must use a cro... |
| V-243483 | High | A controlled interface must have interconnections among DoD information systems operating between... |
| V-243487 | Medium | Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be l... |
| V-243488 | Low | User accounts with delegated authority must be removed from Windows built-in administrative group... |
| V-243489 | Medium | Read-only Domain Controller (RODC) architecture and configuration must comply with directory serv... |
| V-243490 | Medium | Usage of administrative accounts must be monitored for suspicious and anomalous activity |
| V-243491 | Medium | Systems must be monitored for attempts to use local accounts to log on remotely from other systems |
| V-243492 | Medium | Systems must be monitored for remote desktop logons |
| V-243493 | Medium | Active Directory data must be backed up daily for systems with a Risk Management Framework catego... |
| V-243494 | Low | Each cross-directory authentication configuration must be documented |
| V-243496 | Medium | Accounts from outside directories that are not part of the same organization or are not subject t... |
| V-243497 | Medium | Inter-site replication must be enabled and configured to occur at least daily |
| V-243499 | Low | Active Directory implementation information must be added to the organization contingency plan wh... |
| V-243500 | Medium | Active Directory must be supported by multiple domain controllers where the Risk Management Frame... |
| V-243501 | Low | The impact of CPCON changes on the cross-directory authentication configuration must be considere... |
| V-269097 | Medium | Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active ... |
| V-277122 | Medium | The macOS system must secure users' home folders |
| V-277167 | Medium | The macOS system must enable macOS Application Firewall |
| V-277179 | Medium | The macOS system must enforce enrollment in Mobile Device Management (MDM) |
| V-277180 | Medium | The macOS system must enable Recovery Lock |
| V-277181 | Medium | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automati... |