| Vulnerability ID | Severity | Description |
|---|---|---|
| V-224819 | High | Users with Administrative privileges must have separate accounts for administrative duties and no... |
| V-224820 | Medium | Passwords for the built-in Administrator account must be changed at least every 60 days |
| V-224821 | High | Administrative accounts must not be used with applications that access the Internet, such as web ... |
| V-224822 | Medium | Members of the Backup Operators group must have separate accounts for backup duties and normal op... |
| V-224823 | Medium | Manually managed application account passwords must be at least 14 characters in length |
| V-224824 | Medium | Manually managed application account passwords must be changed at least annually or when a system... |
| V-224825 | Medium | Shared user accounts must not be permitted on the system |
| V-224826 | Medium | Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of ... |
| V-224827 | Medium | Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and r... |
| V-224828 | High | Systems must be maintained at a supported servicing level |
| V-224829 | High | The Windows Server 2016 system must use an anti-virus program |
| V-224830 | Medium | Servers must have a host-based intrusion detection or prevention system |
| V-224831 | High | Local volumes must use a format that supports NTFS attributes |
| V-224832 | Medium | Permissions for the system drive root directory (usually C:\) must conform to minimum requirements |
| V-224833 | Medium | Permissions for program file directories must conform to minimum requirements |
| V-224834 | Medium | Permissions for the Windows installation directory must conform to minimum requirements |
| V-224835 | Medium | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained |
| V-224836 | Low | Non-administrative accounts or groups must only have print permissions on printer shares |
| V-224837 | Medium | Outdated or unused accounts must be removed from the system or disabled |
| V-224838 | Medium | Windows Server 2016 accounts must require passwords |
| V-224839 | Medium | Passwords must be configured to expire |
| V-224840 | Medium | System files must be monitored for unauthorized changes |
| V-224841 | Medium | Non-system-created file shares on a system must limit access to groups that require it |
| V-224842 | Medium | Software certificate installation files must be removed from Windows Server 2016 |
| V-224843 | High | Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauth... |
| V-224844 | Medium | Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner ha... |
| V-224845 | Medium | The roles and features required by the system must be documented |
| V-224846 | Medium | A host-based firewall must be installed and enabled on the system |
| V-224847 | Medium | Windows Server 2016 must employ automated mechanisms to determine the state of system components ... |
| V-224848 | Medium | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours |
| V-224849 | Medium | Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is r... |
| V-224850 | Medium | The Fax Server role must not be installed |
| V-224851 | Medium | The Microsoft FTP service must not be installed unless required |
| V-224852 | Medium | The Peer Name Resolution Protocol must not be installed |
| V-224853 | Medium | Simple TCP/IP Services must not be installed |
| V-224854 | Medium | The Telnet Client must not be installed |
| V-224855 | Medium | The TFTP Client must not be installed |
| V-224856 | Medium | The Server Message Block (SMB) v1 protocol must be uninstalled |
| V-224857 | Medium | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server |
| V-224858 | Medium | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client |
| V-224859 | Medium | Windows PowerShell 2.0 must not be installed |
| V-224860 | Medium | FTP servers must be configured to prevent anonymous logons |
| V-224861 | Medium | FTP servers must be configured to prevent access to the system drive |
| V-224862 | Low | The time service must synchronize with an appropriate DoD time source |
| V-224863 | Medium | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016 |
| V-224864 | Low | Secure Boot must be enabled on Windows Server 2016 systems |
| V-224865 | Low | Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be confi... |
| V-224866 | Medium | Windows 2016 account lockout duration must be configured to 15 minutes or greater |
| V-224867 | Medium | Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less |
| V-224868 | Medium | Windows Server 2016 must have the period of time before the bad logon counter is reset configured... |
| V-224869 | Medium | Windows Server 2016 password history must be configured to 24 passwords remembered |
| V-224870 | Medium | Windows Server 2016 maximum password age must be configured to 60 days or less |
| V-224871 | Medium | Windows Server 2016 minimum password age must be configured to at least one day |
| V-224872 | Medium | Windows Server 2016 minimum password length must be configured to 14 characters |
| V-224873 | Medium | Windows Server 2016 must have the built-in Windows password complexity policy enabled |
| V-224874 | High | Windows Server 2016 reversible password encryption must be disabled |
| V-224875 | Medium | Audit records must be backed up to a different system or media than the system being audited |
| V-224876 | Medium | Windows Server 2016 must, at a minimum, offload audit records of interconnected systems in real t... |
| V-224877 | Medium | Permissions for the Application event log must prevent access by non-privileged accounts |
| V-224878 | Medium | Permissions for the Security event log must prevent access by non-privileged accounts |
| V-224879 | Medium | Permissions for the System event log must prevent access by non-privileged accounts |
| V-224880 | Medium | Event Viewer must be protected from unauthorized modification and deletion |
| V-224881 | Medium | Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes |
| V-224882 | Medium | Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures |
| V-224883 | Medium | Windows Server 2016 must be configured to audit Account Management - Other Account Management Eve... |
| V-224884 | Medium | Windows Server 2016 must be configured to audit Account Management - Security Group Management su... |
| V-224885 | Medium | Windows Server 2016 must be configured to audit Account Management - User Account Management succ... |
| V-224886 | Medium | Windows Server 2016 must be configured to audit Account Management - User Account Management fail... |
| V-224887 | Medium | Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes |
| V-224888 | Medium | Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes |
| V-224890 | Medium | Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures |
| V-224891 | Medium | Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes |
| V-224892 | Medium | Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes |
| V-224893 | Medium | Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes |
| V-224894 | Medium | Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures |
| V-224895 | Medium | Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes |
| V-224896 | Medium | Windows 2016 must be configured to audit Object Access - Other Object Access Events successes |
| V-224897 | Medium | Windows 2016 must be configured to audit Object Access - Other Object Access Events failures |
| V-224898 | Medium | Windows Server 2016 must be configured to audit Object Access - Removable Storage successes |
| V-224899 | Medium | Windows Server 2016 must be configured to audit Object Access - Removable Storage failures |
| V-224900 | Medium | Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes |
| V-224901 | Medium | Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures |
| V-224902 | Medium | Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change succ... |
| V-224903 | Medium | Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change succe... |
| V-224904 | Medium | Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes |
| V-224905 | Medium | Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures |
| V-224906 | Medium | Windows Server 2016 must be configured to audit System - IPsec Driver successes |
| V-224907 | Medium | Windows Server 2016 must be configured to audit System - IPsec Driver failures |
| V-224908 | Medium | Windows Server 2016 must be configured to audit System - Other System Events successes |
| V-224909 | Medium | Windows Server 2016 must be configured to audit System - Other System Events failures |
| V-224910 | Medium | Windows Server 2016 must be configured to audit System - Security State Change successes |
| V-224911 | Medium | Windows Server 2016 must be configured to audit System - Security System Extension successes |
| V-224912 | Medium | Windows Server 2016 must be configured to audit System - System Integrity successes |
| V-224913 | Medium | Windows Server 2016 must be configured to audit System - System Integrity failures |
| V-224914 | Medium | The display of slide shows on the lock screen must be disabled |
| V-224915 | Medium | WDigest Authentication must be disabled on Windows Server 2016 |
| V-224916 | Low | Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection le... |
| V-224917 | Low | Source routing must be configured to the highest protection level to prevent Internet Protocol (I... |
| V-224918 | Low | Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redire... |
| V-224919 | Low | Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS s... |
| V-224920 | Medium | Insecure logons to an SMB server must be disabled |
| V-224921 | Medium | Hardened UNC paths must be defined to require mutual authentication and integrity for at least th... |
| V-224922 | Medium | Command line data must be included in process creation events |
| V-224923 | Medium | Windows Server 2016 virtualization-based security must be enabled with the platform security leve... |
| V-224924 | Medium | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers ident... |
| V-224925 | Medium | Group Policy objects must be reprocessed even if they have not changed |
| V-224926 | Medium | Downloading print driver packages over HTTP must be prevented |
| V-224927 | Medium | Printing over HTTP must be prevented |
| V-224928 | Medium | The network selection user interface (UI) must not be displayed on the logon screen |
| V-224929 | Medium | Users must be prompted to authenticate when the system wakes from sleep (on battery) |
| V-224930 | Medium | Users must be prompted to authenticate when the system wakes from sleep (plugged in) |
| V-224931 | Low | The Application Compatibility Program Inventory must be prevented from collecting data and sendin... |
| V-224932 | High | AutoPlay must be turned off for non-volume devices |
| V-224933 | High | The default AutoRun behavior must be configured to prevent AutoRun commands |
| V-224934 | High | AutoPlay must be disabled for all drives |
| V-224935 | Medium | Administrator accounts must not be enumerated during elevation |
| V-224936 | Medium | Windows Telemetry must be configured to Security or Basic |
| V-224937 | Medium | The Application event log size must be configured to 32768 KB or greater |
| V-224938 | Medium | The Security event log size must be configured to 196608 KB or greater |
| V-224939 | Medium | The System event log size must be configured to 32768 KB or greater |
| V-224940 | Medium | Windows Server 2016 Windows SmartScreen must be enabled |
| V-224941 | Medium | Explorer Data Execution Prevention must be enabled |
| V-224942 | Low | Turning off File Explorer heap termination on corruption must be disabled |
| V-224943 | Medium | File Explorer shell protocol must run in protected mode |
| V-224944 | Medium | Passwords must not be saved in the Remote Desktop Client |
| V-224945 | Medium | Local drives must be prevented from sharing with Remote Desktop Session Hosts |
| V-224946 | Medium | Remote Desktop Services must always prompt a client for passwords upon connection |
| V-224947 | Medium | The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications |
| V-224948 | Medium | Remote Desktop Services must be configured with the client connection encryption set to High Level |
| V-224949 | Medium | Attachments must be prevented from being downloaded from RSS feeds |
| V-236000 | Medium | The Windows Explorer Preview pane must be disabled for Windows Server 2016 |
| V-224951 | Medium | Basic authentication for RSS feeds over HTTP must not be used |
| V-224952 | Medium | Indexing of encrypted files must be turned off |
| V-224953 | Medium | Users must be prevented from changing installation options |
| V-224954 | High | The Windows Installer Always install with elevated privileges option must be disabled |
| V-224955 | Medium | Users must be notified if a web-based program attempts to install software |
| V-224956 | Medium | Automatically signing in the last interactive user after a system-initiated restart must be disabled |
| V-224957 | Medium | PowerShell script block logging must be enabled |
| V-224958 | High | The Windows Remote Management (WinRM) client must not use Basic authentication |
| V-224959 | Medium | The Windows Remote Management (WinRM) client must not allow unencrypted traffic |
| V-224960 | Medium | The Windows Remote Management (WinRM) client must not use Digest authentication |
| V-224961 | High | The Windows Remote Management (WinRM) service must not use Basic authentication |
| V-224962 | Medium | The Windows Remote Management (WinRM) service must not allow unencrypted traffic |
| V-224963 | Medium | The Windows Remote Management (WinRM) service must not store RunAs credentials |
| V-257502 | Medium | Windows Server 2016 must have PowerShell Transcription enabled |
| V-224964 | High | Only administrators responsible for the domain controller must have Administrator rights on the s... |
| V-224965 | Medium | Kerberos user logon restrictions must be enforced |
| V-224966 | Medium | The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less |
| V-224967 | Medium | The Kerberos user ticket lifetime must be limited to 10 hours or less |
| V-224968 | Medium | The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less |
| V-224969 | Medium | The computer clock synchronization tolerance must be limited to 5 minutes or less |
| V-224970 | High | Permissions on the Active Directory data files must only allow System and Administrators access |
| V-224971 | High | The Active Directory SYSVOL directory must have the proper access control permissions |
| V-224972 | High | Active Directory Group Policy objects must have proper access control permissions |
| V-224973 | High | The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper acce... |
| V-224974 | High | Domain-created Active Directory Organizational Unit (OU) objects must have proper access control ... |
| V-224975 | Medium | Data files owned by users must be on a different logical partition from the directory server data... |
| V-224976 | Medium | Domain controllers must run on a machine dedicated to that function |
| V-224977 | Medium | Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transi... |
| V-224978 | High | Directory data (outside the root DSE) of a non-public directory must be configured to prevent ano... |
| V-224979 | Low | The directory service must be configured to terminate LDAP-based network connections to the direc... |
| V-224980 | Medium | Active Directory Group Policy objects must be configured with proper audit settings |
| V-224981 | Medium | The Active Directory Domain object must be configured with proper audit settings |
| V-224982 | Medium | The Active Directory Infrastructure object must be configured with proper audit settings |
| V-224983 | Medium | The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with p... |
| V-224984 | Medium | The Active Directory AdminSDHolder object must be configured with proper audit settings |
| V-224985 | Medium | The Active Directory RID Manager$ object must be configured with proper audit settings |
| V-224986 | Medium | Windows Server 2016 must be configured to audit Account Management - Computer Account Management ... |
| V-224987 | Medium | Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes |
| V-224988 | Medium | Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures |
| V-224989 | Medium | Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes |
| V-224991 | Medium | Domain controllers must have a PKI server certificate |
| V-224992 | High | Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certific... |
| V-224993 | High | PKI certificates associated with user accounts must be issued by the DoD PKI or an approved Exter... |
| V-224994 | Medium | Active Directory user accounts, including administrators, must be configured to require the use o... |
| V-224995 | Medium | Domain controllers must require LDAP access signing |
| V-224996 | Medium | Domain controllers must be configured to allow reset of machine account passwords |
| V-224997 | Medium | The Access this computer from the network user right must only be assigned to the Administrators,... |
| V-224998 | Medium | The Add workstations to domain user right must only be assigned to the Administrators group |
| V-224999 | Medium | The Allow log on through Remote Desktop Services user right must only be assigned to the Administ... |
| V-225000 | Medium | The Deny access to this computer from the network user right on domain controllers must be config... |
| V-225001 | Medium | The Deny log on as a batch job user right on domain controllers must be configured to prevent una... |
| V-225002 | Medium | The Deny log on as a service user right must be configured to include no accounts or groups (blan... |
| V-225003 | Medium | The Deny log on locally user right on domain controllers must be configured to prevent unauthenti... |
| V-271430 | High | Windows Server 2016 must be configured for name-based strong mappings for certificates |
| V-225004 | Medium | The Deny log on through Remote Desktop Services user right on domain controllers must be configur... |
| V-225005 | Medium | The Enable computer and user accounts to be trusted for delegation user right must only be assign... |
| V-225006 | Medium | The password for the krbtgt account on a domain must be reset at least every 180 days |
| V-225007 | High | Only administrators responsible for the member server or standalone or nondomain-joined system mu... |
| V-225008 | Medium | Local administrator accounts must have their privileged token filtered to prevent elevated privil... |
| V-225009 | Medium | Local users on domain-joined computers must not be enumerated |
| V-225010 | Medium | Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC... |
| V-225011 | Medium | Caching of logon credentials must be limited |
| V-225012 | High | Windows Server 2016 must be running Credential Guard on domain-joined member servers |
| V-225013 | Medium | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators |
| V-225014 | Medium | The "Access this computer from the network" user right must only be assigned to the Administrator... |
| V-225015 | Medium | The "Deny access to this computer from the network" user right on member servers must be configur... |
| V-225016 | Medium | The "Deny log on as a batch job" user right on member servers must be configured to prevent acces... |
| V-225017 | Medium | The "Deny log on as a service" user right on member servers must be configured to prevent access ... |
| V-225018 | Medium | The "Deny log on locally" user right on member servers must be configured to prevent access from ... |
| V-225019 | Medium | The "Deny log on through Remote Desktop Services" user right on member servers must be configured... |
| V-225020 | Medium | The "Enable computer and user accounts to be trusted for delegation" user right must not be assig... |
| V-225021 | Medium | The DoD Root CA certificates must be installed in the Trusted Root Store |
| V-225022 | Medium | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificat... |
| V-225023 | Medium | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Ce... |
| V-225024 | Medium | Windows Server 2016 built-in guest account must be disabled |
| V-225025 | High | Local accounts with blank passwords must be restricted to prevent access from the network |
| V-225026 | Medium | Windows Server 2016 built-in administrator account must be renamed |
| V-225027 | Medium | Windows Server 2016 built-in guest account must be renamed |
| V-225028 | Medium | Audit policy using subcategories must be enabled |
| V-225029 | Medium | The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configu... |
| V-225030 | Medium | The setting Domain member: Digitally encrypt secure channel data (when possible) must be configur... |
| V-225031 | Medium | The setting Domain member: Digitally sign secure channel data (when possible) must be configured ... |
| V-225032 | Medium | The computer account password must not be prevented from being reset |
| V-225033 | Medium | The maximum age for machine account passwords must be configured to 30 days or less |
| V-225034 | Medium | Windows Server 2016 must be configured to require a strong session key |
| V-225035 | Medium | The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver |
| V-225036 | Medium | The required legal notice must be configured to display before console logon |
| V-225037 | Low | The Windows dialog box title for the legal banner must be configured with the appropriate text |
| V-225038 | Medium | The Smart Card removal option must be configured to Force Logoff or Lock Workstation |
| V-225039 | Medium | The setting Microsoft network client: Digitally sign communications (always) must be configured t... |
| V-225040 | Medium | The setting Microsoft network client: Digitally sign communications (if server agrees) must be co... |
| V-225041 | Medium | Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers |
| V-225042 | Medium | The setting Microsoft network server: Digitally sign communications (always) must be configured t... |
| V-225043 | Medium | The setting Microsoft network server: Digitally sign communications (if client agrees) must be co... |
| V-225044 | High | Anonymous SID/Name translation must not be allowed |
| V-225045 | High | Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed |
| V-225046 | High | Anonymous enumeration of shares must not be allowed |
| V-225047 | Medium | Windows Server 2016 must be configured to prevent anonymous users from having the same permission... |
| V-225048 | High | Anonymous access to Named Pipes and Shares must be restricted |
| V-225093 | Medium | The Take ownership of files or other objects user right must only be assigned to the Administrato... |