| Vulnerability ID | Severity | Description |
|---|---|---|
| V-220745 | Medium | Passwords must, at a minimum, be 14 characters |
| V-218793 | Medium | The IIS 10.0 web server must only contain functions necessary for operation |
| V-218808 | Medium | Directory Browsing on the IIS 10.0 web server must be disabled |
| V-218795 | High | All IIS 10.0 web server sample code, example applications, and tutorials must be removed from a p... |
| V-218809 | Medium | The IIS 10.0 web server Indexing must only index web content |
| V-218822 | Medium | The IIS 10.0 web server must maintain the confidentiality of controlled information during transm... |
| V-218824 | Medium | Unspecified file extensions on a production IIS 10.0 web server must be removed |
| V-241789 | Low | ASP.NET version must be removed from the HTTP Response Header information |
| V-268325 | Medium | The Request Smuggling filter must be enabled |
| V-218817 | Medium | The IIS 10.0 web server must not be running on a system providing any other role |
| V-218818 | Medium | The Internet Printing Protocol (IPP) must be disabled on the IIS 10.0 web server |
| V-218820 | Medium | IIS 10.0 web server session IDs must be sent to the client using TLS |
| V-218826 | Medium | The IIS 10.0 websites MaxConnections setting must be configured to limit the number of allowed si... |
| V-218806 | Medium | The IIS 10.0 web server must augment re-creation to a stable and known baseline |
| V-218810 | Medium | Warning and error messages displayed to clients must be modified to minimize the identity of the ... |
| V-228572 | Medium | An IIS Server configured to be a SMTP relay must require authentication |
| V-218796 | Medium | The accounts created by uninstalled features (i.e., tools, utilities, specific, etc.) must be del... |
| V-218799 | Medium | The IIS 10.0 web server must have Web Distributed Authoring and Versioning (WebDAV) disabled |
| V-218803 | Medium | The IIS 10.0 web server must separate the hosted applications from hosted web server management f... |
| V-218807 | Medium | The production IIS 10.0 web server must utilize SHA2 encryption for the Machine Key |
| V-218827 | Low | The IIS 10.0 web server must enable HTTP Strict Transport Security (HSTS) |
| V-218786 | Medium | Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled |
| V-218791 | Medium | The log data and records from the IIS 10.0 web server must be backed up onto a different system o... |
| V-218797 | Medium | The IIS 10.0 web server must be reviewed on a regular basis to remove any Operating System featur... |
| V-218801 | Medium | Java software installed on a production IIS 10.0 web server must be limited to .class files and t... |
| V-218825 | Medium | The IIS 10.0 web server must have a global authorization rule configured to restrict access |
| V-218790 | Medium | The log information from the IIS 10.0 web server must be protected from unauthorized modification... |
| V-218792 | Medium | The IIS 10.0 web server must not perform user management for hosted applications |
| V-218794 | Medium | The IIS 10.0 web server must not be both a website server and a proxy server |
| V-218814 | Medium | IIS 10.0 web server system files must conform to minimum file permission requirements |
| V-253278 | Medium | The Telnet Client must not be installed on the system |
| V-220721 | Medium | The Telnet Client must not be installed on the system |
| V-253279 | Medium | The TFTP Client must not be installed on the system |
| V-220722 | Medium | The TFTP Client must not be installed on the system |
| V-268531 | Medium | The macOS system must disable Remote Management |
| V-268572 | Medium | The macOS system must disable Genmoji |
| V-277139 | Medium | The macOS system must disable Remote Management |
| V-277182 | Medium | The macOS system must disable Genmoji AI Creation |
| V-254372 | Medium | Windows Server 2022 must prevent Indexing of encrypted files |
| V-253409 | Medium | Indexing of encrypted files must be turned off |
| V-220855 | Medium | Indexing of encrypted files must be turned off |
| V-253407 | Medium | Attachments must be prevented from being downloaded from RSS feeds |
| V-220853 | Medium | Attachments must be prevented from being downloaded from RSS feeds |
| V-253360 | Medium | Insecure logons to an SMB server must be disabled |
| V-253416 | High | The Windows Remote Management (WinRM) client must not use Basic authentication |
| V-220862 | High | The Windows Remote Management (WinRM) client must not use Basic authentication |
| V-268481 | Medium | The macOS system must disable Bonjour multicast |
| V-268529 | Medium | The macOS system must disable Dictation |
| V-268530 | Medium | The macOS system must disable Printer Sharing |
| V-268539 | Medium | The macOS system must disable password hints |
| V-268573 | Medium | The macOS system must disable Apple Intelligence Image Generation |
| V-268574 | Medium | The macOS system must disable Apple Intelligence Writing Tools |
| V-277088 | Medium | The macOS system must disable Bonjour multicast |
| V-277138 | Medium | The macOS system must disable Printer Sharing |
| V-277148 | Medium | The macOS system must disable password hints |
| V-277183 | Medium | The macOS system must disable Apple Intelligence Image Playground |
| V-218798 | Medium | The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS she... |
| V-218802 | High | IIS 10.0 Web server accounts accessing the directory tree, the shell, or other operating system f... |
| V-218812 | Medium | The IIS 10.0 web server must restrict inbound connections from non-secure zones |
| V-218816 | Medium | Access to web administration tools must be restricted to the web manager and the web managers des... |
| V-218819 | Medium | The IIS 10.0 web server must be tuned to handle the operational requirements of the hosted applic... |
| V-218823 | High | All accounts installed with the IIS 10.0 web server software and tools must have passwords assign... |
| V-205694 | Medium | Windows Server 2019 must prevent Indexing of encrypted files |
| V-253281 | Medium | A host-based firewall must be installed and enabled on the system |
| V-220724 | Medium | A host-based firewall must be installed and enabled on the system |
| V-214936 | Medium | Windows Server 2019 must have a host-based firewall installed and enabled |
| V-253378 | Medium | The network selection user interface (UI) must not be displayed on the logon screen |
| V-220819 | Medium | The network selection user interface (UI) must not be displayed on the logon screen |
| V-254370 | Medium | Windows Server 2022 must prevent attachments from being downloaded from RSS feeds |
| V-205873 | Medium | Windows Server 2019 must prevent attachments from being downloaded from RSS feeds |
| V-254339 | Medium | Windows Server 2022 insecure logons to an SMB server must be disabled |
| V-205861 | Medium | Windows Server 2019 insecure logons to an SMB server must be disabled |
| V-254471 | Medium | Windows Server 2022 must prevent NTLM from falling back to a Null session |
| V-205917 | Medium | Windows Server 2019 must prevent NTLM from falling back to a Null session |
| V-253458 | Medium | NTLM must be prevented from falling back to a Null session |
| V-220934 | Medium | NTLM must be prevented from falling back to a Null session |
| V-253277 | Medium | Simple TCP/IP Services must not be installed on the system |
| V-220720 | Medium | Simple TCP/IP Services must not be installed on the system |
| V-253273 | Medium | Accounts must be configured to require password expiration |
| V-220716 | Medium | Accounts must be configured to require password expiration |
| V-253383 | Medium | Unauthenticated RPC clients must be restricted from connecting to the RPC server |
| V-220824 | Medium | Unauthenticated RPC clients must be restricted from connecting to the RPC server |
| V-253417 | Medium | The Windows Remote Management (WinRM) client must not allow unencrypted traffic |
| V-253421 | Medium | The Windows Remote Management (WinRM) client must not use Digest authentication |
| V-220868 | Medium | The Windows Remote Management (WinRM) client must not use Digest authentication |
| V-254381 | High | Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication |
| V-205713 | High | Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication |
| V-254373 | Medium | Windows Server 2022 must prevent users from changing installation options |
| V-205801 | Medium | Windows Server 2019 must prevent users from changing installation options |
| V-253410 | Medium | Users must be prevented from changing installation options |
| V-220856 | Medium | Users must be prevented from changing installation options |
| V-253419 | Medium | The Windows Remote Management (WinRM) service must not allow unencrypted traffic |
| V-263623 | Medium | The DNS server implementation must disable accounts when the accounts have expired. |
| V-268493 | Medium | The macOS system must disable Siri |
| V-268528 | Medium | The macOS system must enforce On Device Dictation |
| V-268532 | Medium | The macOS system must disable the Bluetooth System Settings pane |
| V-268533 | Medium | The macOS system must disable the iCloud Freeform services |
| V-268564 | Medium | The macOS system must disable Erase Content and Settings |
| V-278086 | Medium | Windows Server 2025 insecure logons to an SMB server must be disabled |
| V-278117 | Medium | Windows Server 2025 must prevent attachments from being downloaded from RSS feeds |
| V-278119 | Medium | Windows Server 2025 must prevent Indexing of encrypted files |
| V-278120 | Medium | Windows Server 2025 must prevent users from changing installation options |
| V-278221 | Medium | Windows Server 2025 must prevent NTLM from falling back to a Null session |
| V-277137 | Medium | The macOS system must disable Dictation |
| V-277184 | Medium | The macOS system must disable Apple Intelligence Writing Tools |
| V-254247 | Medium | Windows Server 2022 must be maintained at a supported servicing level |
| V-205849 | High | Windows Server 2019 must be maintained at a supported servicing level |
| V-253265 | High | Local volumes must be formatted using NTFS |
| V-220708 | High | Local volumes must be formatted using NTFS |
| V-253387 | High | The default autorun behavior must be configured to prevent autorun commands |
| V-220828 | Medium | The default autorun behavior must be configured to prevent autorun commands |
| V-254265 | Medium | Windows Server 2022 must have a host-based firewall installed and enabled |
| V-254348 | Medium | Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen |
| V-205690 | Medium | Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen |
| V-253453 | High | Anonymous enumeration of SAM accounts must not be allowed |
| V-220929 | High | Anonymous enumeration of SAM accounts must not be allowed |
| V-253454 | High | Anonymous enumeration of shares must be restricted |
| V-220930 | High | Anonymous enumeration of shares must be restricted |
| V-220802 | Medium | Insecure logons to an SMB server must be disabled |
| V-220863 | Medium | The Windows Remote Management (WinRM) client must not allow unencrypted traffic |
| V-254380 | Medium | Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication |
| V-205712 | Medium | Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication |
| V-253411 | High | The Windows Installer feature "Always install with elevated privileges" must be disabled |
| V-220857 | High | The Windows Installer Always install with elevated privileges must be disabled |
| V-253420 | Medium | The Windows Remote Management (WinRM) service must not store RunAs credentials |
| V-220867 | Medium | The Windows Remote Management (WinRM) service must not store RunAs credentials |
| V-263627 | Medium | The DNS server implementation must automatically generate audit records of the enforcement actions. |
| V-268421 | Medium | The macOS system must enforce screen saver password |
| V-268483 | Medium | The macOS system must disable Internet Sharing |
| V-268485 | Medium | The macOS system must disable AirDrop |
| V-268488 | Medium | The macOS system must disable iCloud Reminders |
| V-268490 | Medium | The macOS system must disable iCloud Mail |
| V-268491 | Medium | The macOS system must disable iCloud Notes |
| V-268510 | Medium | The macOS system must disable the guest account |
| V-268521 | Medium | The macOS system must disable Content Caching service |
| V-268524 | Medium | The macOS system must disable iCloud Private Relay |
| V-268526 | Medium | The macOS system must disable Personalized Advertising |
| V-253459 | Medium | PKU2U authentication using online identities must be prevented |
| V-220935 | Medium | PKU2U authentication using online identities must be prevented |
| V-278012 | Medium | Windows Server 2025 must have a host-based firewall installed and enabled |
| V-278095 | Medium | Windows Server 2025 network selection user interface (UI) must not be displayed on the logon screen |
| V-278125 | High | Windows Server 2025 Windows Remote Management (WinRM) client must not use Basic authentication |
| V-278128 | High | Windows Server 2025 Windows Remote Management (WinRM) service must not use Basic authentication |
| V-277092 | Medium | The macOS system must disable AirDrop |
| V-277100 | Medium | The macOS system must disable Siri |
| V-277119 | Medium | The macOS system must disable the guest account |
| V-277134 | Medium | The macOS system must disable Personalized Advertising |
| V-277136 | Medium | The macOS system must enforce On Device Dictation |
| V-277140 | Medium | The macOS system must disable the Bluetooth System Settings pane |
| V-277141 | Medium | The macOS system must disable the iCloud Freeform services |
| V-277174 | Medium | The macOS system must disable Erase Content and Settings |
| V-218789 | Medium | The IIS 10.0 web server must produce log records containing sufficient information to establish t... |
| V-218804 | Medium | The IIS 10.0 web server must use cookies to track session state |
| V-218805 | Medium | The IIS 10.0 web server must accept only system-generated session identifiers |
| V-218815 | Medium | The IIS 10.0 web server must use a logging mechanism configured to allocate log record storage ca... |
| V-218821 | High | An IIS 10.0 web server must maintain the confidentiality of controlled information during transmi... |
| V-253391 | Medium | Windows 11 administrator accounts must not be enumerated during elevation |
| V-220832 | Medium | Windows 10 administrator accounts must not be enumerated during elevation |
| V-253435 | Medium | The built-in administrator account must be renamed |
| V-220911 | Medium | The built-in administrator account must be renamed |
| V-253474 | Medium | User Account Control must run all administrators in Admin Approval Mode, enabling UAC |
| V-220950 | Medium | User Account Control must run all administrators in Admin Approval Mode, enabling UAC |
| V-253380 | Medium | Users must be prompted for a password on resume from sleep (on battery) |
| V-220821 | Medium | Users must be prompted for a password on resume from sleep (on battery) |
| V-253381 | Medium | The user must be prompted for a password on resume from sleep (plugged in) |
| V-220822 | Medium | The user must be prompted for a password on resume from sleep (plugged in) |
| V-254353 | High | Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands |
| V-205805 | High | Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands |
| V-253463 | Medium | The system must be configured to the required LDAP client signing level |
| V-220939 | Medium | The system must be configured to the required LDAP client signing level |
| V-253382 | High | Solicited Remote Assistance must not be allowed |
| V-220823 | High | Solicited Remote Assistance must not be allowed |
| V-254333 | Medium | Windows Server 2022 must prevent the display of slide shows on the lock screen |
| V-205686 | Medium | Windows Server 2019 must prevent the display of slide shows on the lock screen |
| V-254466 | High | Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts |
| V-205914 | High | Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts |
| V-254467 | High | Windows Server 2022 must not allow anonymous enumeration of shares |
| V-205724 | High | Windows Server 2019 must not allow anonymous enumeration of shares |
| V-253406 | Medium | Remote Desktop Services must be configured with the client connection encryption set to the requi... |
| V-260570 | High | Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords |
| V-254366 | Medium | Windows Server 2022 Remote Desktop Services must prevent drive redirection |
| V-205722 | Medium | Windows Server 2019 Remote Desktop Services must prevent drive redirection |
| V-254379 | Medium | Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic |
| V-205816 | Medium | Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic |
| V-254374 | High | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges op... |
| V-205802 | High | Windows Server 2019 must disable the Windows Installer Always install with elevated privileges op... |
| V-253257 | Medium | Secure Boot must be enabled on Windows 11 systems |
| V-254382 | Medium | Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic |
| V-205817 | Medium | Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic |
| V-254238 | Medium | Windows Server 2022 users with Administrative privileges must have separate accounts for administ... |
| V-205844 | High | Windows Server 2019 users with Administrative privileges must have separate accounts for administ... |
| V-263624 | Medium | The DNS server implementation must disable accounts when the accounts are no longer associated to... |
| V-205183 | Medium | The DNS implementation must protect the authenticity of communications sessions for dynamic updates. |
| V-268479 | Medium | The macOS system must disable Network File System (NFS) service |
| V-268487 | Medium | The macOS system must disable the iCloud Calendar services |
| V-268489 | Medium | The macOS system must disable iCloud Address Book |
| V-268501 | Medium | The macOS system must disable iCloud Keychain Sync |
| V-268503 | Medium | The macOS system must disable iCloud Bookmarks |
| V-268504 | Medium | The macOS system must disable iCloud Photo Library |
| V-272477 | Medium | The macOS system must disable iPhone Mirroring |
| V-268557 | Medium | The macOS system must enable macOS Application Firewall |
| V-268560 | Medium | The macOS system must disable the Screen Time prompt during Setup Assistant |
| V-268562 | Medium | The macOS system must disable Handoff |
| V-268563 | Medium | The macOS system must disable proximity-based password sharing requests |
| V-254472 | Medium | Windows Server 2022 must prevent PKU2U authentication using online identities |
| V-205918 | Medium | Windows Server 2019 must prevent PKU2U authentication using online identities |
| V-271426 | Medium | Windows Server 2022 must be configured for certificate-based authentication for domain controllers |
| V-271428 | Medium | Windows Server 2019 must be configured for certificate-based authentication for domain controllers |
| V-254465 | High | Windows Server 2022 must not allow anonymous SID/Name translation |
| V-205913 | High | Windows Server 2019 must not allow anonymous SID/Name translation |
| V-253452 | High | Anonymous SID/Name translation must not be allowed |
| V-220928 | High | Anonymous SID/Name translation must not be allowed |
| V-277985 | Medium | Windows Server 2025 users with administrative privileges must have separate accounts for administ... |
| V-278041 | Medium | Windows Server 2025 audit records must be backed up to a different system or media than the syste... |
| V-278080 | Medium | Windows Server 2025 must prevent the display of slide shows on the lock screen |
| V-278100 | High | Windows Server 2025 default AutoRun behavior must be configured to prevent AutoRun commands |
| V-278113 | Medium | Windows Server 2025 Remote Desktop Services must prevent drive redirection |
| V-278121 | High | Windows Server 2025 must disable the Windows Installer Always install with elevated privileges op... |
| V-278127 | Medium | Windows Server 2025 Windows Remote Management (WinRM) client must not use Digest authentication |
| V-278215 | High | Windows Server 2025 must not allow anonymous SID/Name translation |
| V-278216 | High | Windows Server 2025 must not allow anonymous enumeration of Security Account Manager (SAM) accounts |
| V-278217 | High | Windows Server 2025 must not allow anonymous enumeration of shares |
| V-278222 | Medium | Windows Server 2025 must prevent PKU2U authentication using online identities |
| V-277029 | Medium | The macOS system must enforce screen saver password |
| V-277035 | Medium | The macOS system must enforce time synchronization |
| V-277090 | Medium | The macOS system must disable Internet Sharing |
| V-277094 | Medium | The macOS system must disable the iCloud Calendar services |
| V-277095 | Medium | The macOS system must disable iCloud Reminders |
| V-277096 | Medium | The macOS system must disable iCloud Address Book |
| V-277097 | Medium | The macOS system must disable iCloud Mail |
| V-277098 | Medium | The macOS system must disable iCloud Notes |
| V-277112 | Medium | The macOS system must disable iCloud Bookmarks |
| V-277113 | Medium | The macOS system must disable iCloud Photo Library |
| V-277129 | Medium | The macOS system must disable Content Caching service |
| V-277132 | Medium | The macOS system must disable iCloud Private Relay |
| V-277142 | Medium | The macOS system must disable iPhone Mirroring |
| V-277167 | Medium | The macOS system must enable macOS Application Firewall |
| V-277172 | Medium | The macOS system must disable Handoff |
| V-277173 | Medium | The macOS system must disable proximity-based password sharing requests |
| V-254355 | Medium | Windows Server 2022 administrator accounts must not be enumerated during elevation |
| V-205714 | Medium | Windows Server 2019 administrator accounts must not be enumerated during elevation |
| V-253303 | Medium | Passwords must, at a minimum, be 14 characters |
| V-253302 | Medium | The minimum password age must be configured to at least 1 day |
| V-220744 | Medium | The minimum password age must be configured to at least 1 day |
| V-253432 | Medium | The built-in administrator account must be disabled. |
| V-220908 | Medium | The built-in administrator account must be disabled |
| V-253305 | High | Reversible password encryption must be disabled |
| V-220747 | High | Reversible password encryption must be disabled |
| V-253468 | Medium | User Account Control approval mode for the built-in Administrator must be enabled |
| V-220944 | Medium | User Account Control approval mode for the built-in Administrator must be enabled |
| V-253472 | Medium | User Account Control must be configured to detect application installations and prompt for elevation |
| V-220948 | Medium | User Account Control must be configured to detect application installations and prompt for elevation |
| V-254430 | Medium | Windows Server 2022 local users on domain-joined member servers must not be enumerated |
| V-254476 | Medium | Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing |
| V-205920 | Medium | Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing |
| V-253460 | Medium | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites |
| V-220936 | Medium | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites |
| V-254468 | Medium | Windows Server 2022 must be configured to prevent anonymous users from having the same permission... |
| V-205915 | Medium | Windows Server 2019 must be configured to prevent anonymous users from having the same permission... |
| V-253455 | Medium | The system must be configured to prevent anonymous users from having the same rights as the Every... |
| V-254470 | Medium | Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authent... |
| V-205916 | Medium | Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authent... |
| V-253404 | Medium | Remote Desktop Services must always prompt a client for passwords upon connection |
| V-220850 | Medium | Remote Desktop Services must always prompt a client for passwords upon connection |
| V-220852 | Medium | Remote Desktop Services must be configured with the client connection encryption set to the requi... |
| V-260564 | Medium | Ubuntu 22.04 LTS must prevent the use of dictionary words for passwords |
| V-260571 | High | Ubuntu 22.04 LTS must not have accounts configured with blank or null passwords |
| V-253402 | Medium | Passwords must not be saved in the Remote Desktop Client |
| V-220848 | Medium | Passwords must not be saved in the Remote Desktop Client |
| V-254284 | Medium | Windows Server 2022 must have Secure Boot enabled |
| V-254383 | Medium | Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials |
| V-205810 | Medium | Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials |
| V-263629 | Medium | The DNS server implementation must require users to be individually authenticated before granting... |
| V-263625 | Medium | The DNS server implementation must implement the capability to centrally review and analyze audit... |
| V-205182 | Medium | The DNS implementation must protect the authenticity of communications sessions for zone transfers. |
| V-268441 | Medium | The macOS system must enforce screen saver timeout |
| V-268451 | Medium | The macOS system must configure sudo to log events |
| V-268478 | Medium | The macOS system must disable Server Message Block (SMB) sharing |
| V-268480 | Medium | The macOS system must disable Location Services |
| V-268484 | Medium | The macOS system must disable the built-in web server |
| V-269566 | Medium | The macOS system must disable sending search data from Spotlight to Apple |
| V-268498 | Medium | The macOS system must disable iCloud storage setup during Setup Assistant |
| V-268502 | Medium | The macOS system must disable iCloud Document Sync |
| V-268511 | High | The macOS system must enable gatekeeper |
| V-268515 | Medium | The macOS system must disable Airplay Receiver |
| V-268523 | Medium | The macOS system must disable iCloud Game Center |
| V-268541 | Medium | The macOS system must remove password hints from user accounts |
| V-268559 | Medium | The macOS system must disable the TouchID prompt during Setup Assistant |
| V-268561 | Medium | The macOS system must disable Unlock with Apple Watch during Setup Assistant |
| V-253443 | Medium | The system must be configured to require a strong session key |
| V-220919 | Medium | The system must be configured to require a strong session key |
| V-278032 | Medium | Windows Server 2025 must have Secure Boot enabled |
| V-278102 | Medium | Windows Server 2025 administrator accounts must not be enumerated during elevation |
| V-278126 | Medium | Windows Server 2025 Windows Remote Management (WinRM) client must not allow unencrypted traffic |
| V-278129 | Medium | Windows Server 2025 Windows Remote Management (WinRM) service must not allow unencrypted traffic |
| V-278130 | Medium | Windows Server 2025 Windows Remote Management (WinRM) service must not store RunAs credentials |
| V-278172 | Medium | Windows Server 2025 must be configured for certificate-based authentication for domain controllers |
| V-278220 | Medium | Windows Server 2025 services using Local System that use Negotiate when reverting to NTLM authent... |
| V-278226 | Medium | Windows Server 2025 must be configured to at least negotiate signing for LDAP client signing |
| V-277059 | Medium | The macOS system must configure sudo to log events |
| V-277104 | Medium | The macOS system must disable sending search data from Spotlight to Apple |
| V-277110 | Medium | The macOS system must disable iCloud Keychain Sync |
| V-277111 | Medium | The macOS system must disable iCloud Document Sync |
| V-277124 | Medium | The macOS system must disable Airplay Receiver |
| V-277131 | Medium | The macOS system must disable iCloud Game Center |
| V-277170 | Medium | The macOS system must disable the Screen Time prompt during Setup Assistant |
| V-279329 | Medium | The macOS system must disable Apple Intelligence during Setup Assistant |
| V-253385 | Low | The Application Compatibility Program Inventory must be prevented from collecting data and sendin... |
| V-220826 | Low | The Application Compatibility Program Inventory must be prevented from collecting data and sendin... |
| V-253433 | Medium | The built-in guest account must be disabled |
| V-220909 | Medium | The built-in guest account must be disabled |
| V-254250 | High | Windows Server 2022 local volumes must use a format that supports NTFS attributes |
| V-205663 | High | Windows Server 2019 local volumes must use a format that supports NTFS attributes |
| V-254342 | Medium | Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable c... |
| V-253368 | Medium | Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials |
| V-254453 | Medium | Windows Server 2022 computer account password must not be prevented from being reset |
| V-205815 | Medium | Windows Server 2019 computer account password must not be prevented from being reset |
| V-253441 | Low | The computer account password must not be prevented from being reset |
| V-220917 | Low | The computer account password must not be prevented from being reset |
| V-253475 | Medium | User Account Control must virtualize file and registry write failures to per-user locations |
| V-220951 | Medium | User Account Control must virtualize file and registry write failures to per-user locations |
| V-253469 | Medium | User Account Control must prompt administrators for consent on the secure desktop |
| V-254349 | Medium | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on b... |
| V-205867 | Medium | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on b... |
| V-254350 | Medium | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plug... |
| V-205868 | Medium | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plug... |
| V-254352 | High | Windows Server 2022 Autoplay must be turned off for nonvolume devices |
| V-205804 | High | Windows Server 2019 Autoplay must be turned off for non-volume devices |
| V-253386 | High | Autoplay must be turned off for non-volume devices |
| V-220827 | High | Autoplay must be turned off for non-volume devices |
| V-205876 | Medium | Windows Server 2019 domain controllers must be configured to allow reset of machine account passw... |
| V-254451 | Medium | Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) ... |
| V-205822 | Medium | Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) ... |
| V-254452 | Medium | Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) mus... |
| V-205823 | Medium | Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) mus... |
| V-205696 | Medium | Windows Server 2019 local users on domain-joined member servers must not be enumerated |
| V-253379 | Medium | Local users on domain-joined computers must not be enumerated |
| V-220820 | Medium | Local users on domain-joined computers must not be enumerated |
| V-254346 | Medium | Windows Server 2022 downloading print driver packages over HTTP must be turned off |
| V-205688 | Medium | Windows Server 2019 downloading print driver packages over HTTP must be turned off |
| V-253374 | Medium | Downloading print driver packages over HTTP must be prevented |
| V-220815 | Medium | Downloading print driver packages over HTTP must be prevented |
| V-253376 | Medium | Printing over HTTP must be prevented |
| V-220817 | Medium | Printing over HTTP must be prevented |
| V-253408 | Medium | Basic authentication for RSS feeds over HTTP must not be used |
| V-220844 | Medium | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled |
| V-220937 | High | The system must be configured to prevent the storage of the LAN Manager hash of passwords |
| V-254469 | High | Windows Server 2022 must restrict anonymous access to Named Pipes and Shares |
| V-205725 | High | Windows Server 2019 must restrict anonymous access to Named Pipes and Shares |
| V-253456 | High | Anonymous access to Named Pipes and Shares must be restricted |
| V-220932 | High | Anonymous access to Named Pipes and Shares must be restricted |
| V-254477 | Medium | Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTL... |
| V-205921 | Medium | Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTL... |
| V-254478 | Medium | Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTL... |
|
|
V-205922
|
Medium
|
Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTL...
|
|
V-253450
|
Medium
|
Unencrypted passwords must not be sent to third-party SMB Servers
|
|
V-220926
|
Medium
|
Unencrypted passwords must not be sent to third-party SMB Servers
|
|
V-253353
|
Medium
|
IPv6 source routing must be configured to highest protection
|
|
V-220795
|
Medium
|
IPv6 source routing must be configured to highest protection
|
|
V-254272
|
Medium
|
Windows Server 2022 must not have Simple TCP/IP Services installed
|
|
V-205680
|
Medium
|
Windows Server 2019 must not have Simple TCP/IP Services installed
|
|
V-254474
|
High
|
Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords
|
|
V-205654
|
High
|
Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords
|
|
V-253461
|
High
|
The system must be configured to prevent the storage of the LAN Manager hash of passwords
|
|
V-254367
|
Medium
|
Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connec...
|
|
V-205809
|
Medium
|
Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connec...
|
|
V-254369
|
Medium
|
Windows Server 2022 Remote Desktop Services must be configured with the client connection encrypt...
|
|
V-205637
|
Medium
|
Windows Server 2019 Remote Desktop Services must be configured with the client connection encrypt...
|
|
V-260478
|
Medium
|
Ubuntu 22.04 LTS must have the "libpam-pwquality" package installed
|
|
V-260481
|
Low
|
Ubuntu 22.04 LTS must not have the "ntp" package installed
|
|
V-260516
|
Medium
|
Ubuntu 22.04 LTS must have an application firewall enabled
|
|
V-260521
|
Low
|
Ubuntu 22.04 LTS must record time stamps for audit records that can be mapped to Coordinated Univ...
|
|
V-260558
|
Medium
|
Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing r...
|
|
V-260572
|
Medium
|
Ubuntu 22.04 LTS must encrypt all stored passwords with a FIPS 140-3-approved cryptographic hashi...
|
|
V-254365
|
Medium
|
Windows Server 2022 must not save passwords in the Remote Desktop Client
|
|
V-205808
|
Medium
|
Windows Server 2019 must not save passwords in the Remote Desktop Client
|
|
V-254431
|
Medium
|
Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connec...
|
|
V-205814
|
Medium
|
Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connec...
|
|
V-254269
|
Medium
|
Windows Server 2022 must not have the Fax Server role installed
|
|
V-205678
|
Medium
|
Windows Server 2019 must not have the Fax Server role installed
|
|
V-254271
|
Medium
|
Windows Server 2022 must not have the Peer Name Resolution Protocol installed
|
|
V-205679
|
Medium
|
Windows Server 2019 must not have the Peer Name Resolution Protocol installed
|
|
V-254273
|
Medium
|
Windows Server 2022 must not have the Telnet Client installed
|
|
V-205698
|
Medium
|
Windows Server 2019 must not have the Telnet Client installed
|
|
V-254274
|
Medium
|
Windows Server 2022 must not have the TFTP Client installed
|
|
V-205681
|
Medium
|
Windows Server 2019 must not have the TFTP Client installed
|
|
V-254242
|
Medium
|
Windows Server 2022 manually managed application account passwords must be at least 14 characters...
|
|
V-205661
|
Medium
|
Windows Server 2019 manually managed application account passwords must be at least 14 characters...
|
|
V-263646
|
Medium
|
The DNS server implementation must compare the internal system clocks on an organization-defined ...
|
|
V-263644
|
Medium
|
The DNS server implementation must provide protected storage for cryptographic keys with organiza...
|
|
V-205226
|
Medium
|
The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signature...
|
|
V-205219
|
Medium
|
The DNS server implementation must maintain the integrity of information during reception
|
|
V-253256
|
Medium
|
Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configu...
|
|
V-254283
|
Medium
|
Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and b...
|
|
V-220699
|
Medium
|
Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configu...
|
|
V-268450
|
Medium
|
The macOS system must enable the time synchronization daemon
|
|
V-268467
|
Low
|
The macOS system must configure audit retention to seven days
|
|
V-269096
|
Medium
|
The macOS system must disable sending audio recordings and transcripts to Apple
|
|
V-268496
|
Medium
|
The macOS system must disable Apple ID setup during Setup Assistant
|
|
V-268497
|
Medium
|
The macOS system must disable Privacy Setup services during Setup Assistant
|
|
V-268500
|
Medium
|
The macOS system must disable Siri Setup during Setup Assistant
|
|
V-268507
|
Medium
|
The macOS system must disable the system settings pane for Siri
|
|
V-268509
|
High
|
The macOS system must disable Bluetooth when no approved device is connected
|
|
V-268522
|
Medium
|
The macOS system must disable iCloud Desktop and Document folder sync
|
|
V-268527
|
Medium
|
The macOS system must disable sending Siri and Dictation information to Apple
|
|
V-268556
|
High
|
The macOS system must enforce FileVault
|
|
V-268567
|
Medium
|
The macOS system must authorize USB devices before allowing connection
|
|
V-253478
|
Medium
|
Zone information must be preserved when saving attachments
|
|
V-254417
|
Medium
|
Windows Server 2022 domain controllers must be configured to allow reset of machine account passw...
|
|
V-253397
|
Low
|
File Explorer heap termination on corruption must be disabled
|
|
V-253486
|
High
|
The "Create a token object" user right must not be assigned to any groups or accounts
|
|
V-220963
|
High
|
The Create a token object user right must not be assigned to any groups or accounts
|
|
V-277983
|
Medium
|
Windows Server 2025 must prohibit the use or connection of unauthorized hardware components
|
|
V-277989
|
Medium
|
Windows Server 2025 manually managed application account passwords must be at least 15 characters...
|
|
V-277997
|
High
|
Windows Server 2025 local volumes must use a format that supports New Technology File System (NTF...
|
|
V-278017
|
Medium
|
Windows Server 2025 must not have Wi-Fi enabled unless required by the organization
|
|
V-278027
|
Medium
|
Windows Server 2025 FTP servers must be configured to prevent anonymous logons
|
|
V-278031
|
Medium
|
Windows Server 2025 systems must have Unified Extensible Firmware Interface (UEFI) firmware and b...
|
|
V-278042
|
Medium
|
Windows Server 2025 must, at a minimum, off-load audit records of interconnected systems in real ...
|
|
V-278089
|
Medium
|
Windows Server 2025 must be configured to enable Remote host allows delegation of nonexportable c...
|
|
V-278093
|
Medium
|
Windows Server 2025 downloading print driver packages over HTTP must be turned off
|
|
V-278096
|
Medium
|
Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (on b...
|
|
V-278097
|
Medium
|
Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (plug...
|
|
V-278099
|
High
|
Windows Server 2025 AutoPlay must be turned off for nonvolume devices
|
|
V-278112
|
Medium
|
Windows Server 2025 must not save passwords in the Remote Desktop Client
|
|
V-278116
|
Medium
|
Windows Server 2025 Remote Desktop Services must be configured with the client connection encrypt...
|
|
V-278164
|
Medium
|
Windows Server 2025 domain controllers must be configured to allow reset of machine account passw...
|
|
V-278179
|
Medium
|
Windows Server 2025 local users on domain-joined member servers must not be enumerated
|
|
V-278201
|
Medium
|
Windows Server 2025 setting Domain member: Digitally encrypt secure channel data (when possible) ...
|
|
V-278202
|
Medium
|
The Windows Server 2025 setting Domain member: Digitally sign secure channel data (when possible)...
|
|
V-278203
|
Medium
|
Windows Server 2025 computer account password must not be prevented from being reset
|
|
V-278218
|
Medium
|
Windows Server 2025 must be configured to prevent anonymous users from having the same permission...
|
|
V-278219
|
High
|
Windows Server 2025 must restrict anonymous access to Named Pipes and Shares
|
|
V-253482
|
Medium
|
The "Allow log on locally" user right must only be assigned to the Administrators and Users groups
|
|
V-220959
|
Medium
|
The Allow log on locally user right must only be assigned to the Administrators and Users groups
|
|
V-253485
|
Medium
|
The "Create a pagefile" user right must only be assigned to the Administrators group
|
|
V-220962
|
Medium
|
The Create a pagefile user right must only be assigned to the Administrators group
|
|
V-253488
|
Medium
|
The "Create permanent shared objects" user right must not be assigned to any groups or accounts
|
|
V-220965
|
Medium
|
The Create permanent shared objects user right must not be assigned to any groups or accounts
|
|
V-253502
|
Medium
|
The "Modify firmware environment values" user right must only be assigned to the Administrators g...
|
|
V-220979
|
Medium
|
The Modify firmware environment values user right must only be assigned to the Administrators group
|
|
V-253503
|
Medium
|
The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group
|
|
V-220980
|
Medium
|
The Perform volume maintenance tasks user right must only be assigned to the Administrators group
|
|
V-253504
|
Medium
|
The "Profile single process" user right must only be assigned to the Administrators group
|
|
V-220981
|
Medium
|
The Profile single process user right must only be assigned to the Administrators group
|
|
V-243470
|
High
|
Delegation of privileged accounts must be prohibited
|
|
V-277049
|
Medium
|
The macOS system must enforce screen saver timeout
|
|
V-277058
|
Medium
|
The macOS system must enable the time synchronization daemon
|
|
V-277085
|
Medium
|
The macOS system must disable Server Message Block (SMB) sharing
|
|
V-277086
|
Medium
|
The macOS system must disable Network File System (NFS) service
|
|
V-277087
|
Medium
|
The macOS system must disable Location Services
|
|
V-277103
|
Medium
|
The macOS system must disable sending audio recordings and transcripts to Apple
|
|
V-277105
|
Medium
|
The macOS system must disable Apple ID setup during Setup Assistant
|
|
V-277107
|
Medium
|
The macOS system must disable iCloud storage setup during Setup Assistant
|
|
V-277109
|
Medium
|
The macOS system must disable Siri Setup during Setup Assistant
|
|
V-277116
|
Medium
|
The macOS system must disable the system settings pane for Siri
|
|
V-277118
|
High
|
The macOS system must disable Bluetooth when no approved device is connected
|
|
V-277120
|
High
|
The macOS system must enable gatekeeper
|
|
V-277130
|
Medium
|
The macOS system must disable iCloud Desktop and Document folder sync
|
|
V-277135
|
Medium
|
The macOS system must disable sending Siri and Dictation information to Apple
|
|
V-277149
|
Medium
|
The macOS system must remove password hints from user accounts
|
|
V-277166
|
High
|
The macOS system must enforce FileVault
|
|
V-277169
|
Medium
|
The macOS system must disable the TouchID prompt during Setup Assistant
|
|
V-277171
|
Medium
|
The macOS system must disable Unlock with Apple Watch during Setup Assistant
|
|
V-277177
|
Medium
|
The macOS system must authorize USB devices before allowing connection
|
|
V-218788
|
Medium
|
The IIS 10.0 web server must produce log records that contain sufficient information to establish...
|
|
V-218813
|
Medium
|
The IIS 10.0 web server must provide the capability to immediately disconnect or disable remote a...
|
|
V-253301
|
Medium
|
The maximum password age must be configured to 60 days or less
|
|
V-220743
|
Medium
|
The maximum password age must be configured to 60 days or less
|
|
V-254447
|
Medium
|
Windows Server 2022 built-in administrator account must be renamed
|
|
V-205909
|
Medium
|
Windows Server 2019 built-in administrator account must be renamed
|
|
V-254291
|
Medium
|
Windows Server 2022 minimum password length must be configured to 14 characters
|
|
V-205662
|
Medium
|
Windows Server 2019 minimum password length must be configured to 14 characters
|
|
V-254351
|
Low
|
Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting...
|
|
V-205691
|
Low
|
Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting...
|
|
V-220912
|
Medium
|
The built-in guest account must be renamed
|
|
V-253436
|
Medium
|
The built-in guest account must be renamed
|
|
V-205908
|
High
|
Windows Server 2019 must prevent local accounts with blank passwords from being used from the net...
|
|
V-220910
|
Medium
|
Local accounts with blank passwords must be restricted to prevent access from the network
|
|
V-253434
|
Medium
|
Local accounts with blank passwords must be restricted to prevent access from the network
|
|
V-253483
|
Medium
|
The "Back up files and directories" user right must only be assigned to the Administrators group
|
|
V-220960
|
Medium
|
The Back up files and directories user right must only be assigned to the Administrators group
|
|
V-205863
|
Medium
|
Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable ...
|
|
V-220810
|
Medium
|
Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials
|
|
V-254376
|
Medium
|
Windows Server 2022 must disable automatically signing in the last interactive user after a syste...
|
|
V-205925
|
Medium
|
Windows Server 2019 must disable automatically signing in the last interactive user after a syste...
|
|
V-253413
|
Medium
|
Automatically signing in the last interactive user after a system-initiated restart must be disabled
|
|
V-220859
|
Medium
|
Automatically signing in the last interactive user after a system-initiated restart must be disabled
|
|
V-254293
|
High
|
Windows Server 2022 reversible password encryption must be disabled
|
|
V-205653
|
High
|
Windows Server 2019 reversible password encryption must be disabled
|
|
V-254483
|
Medium
|
Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without usi...
|
|
V-253471
|
Medium
|
User Account Control must automatically deny elevation requests for standard users
|
|
V-220947
|
Medium
|
User Account Control must automatically deny elevation requests for standard users
|
|
V-254488
|
Medium
|
Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode...
|
|
V-205813
|
Medium
|
Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enab...
|
|
V-254486
|
Medium
|
Windows Server 2022 User Account Control (UAC) must be configured to detect application installat...
|
|
V-205718
|
Medium
|
Windows Server 2019 User Account Control must be configured to detect application installations a...
|
|
V-220945
|
Medium
|
User Account Control must, at minimum, prompt administrators for consent on the secure desktop
|
|
V-253473
|
Medium
|
User Account Control must only elevate UIAccess applications that are installed in secure locations
|
|
V-220949
|
Medium
|
User Account Control must only elevate UIAccess applications that are installed in secure locations
|
|
V-254358
|
Medium
|
Windows Server 2022 Application event log size must be configured to 32768 KB or greater
|
|
V-205796
|
Medium
|
Windows Server 2019 Application event log size must be configured to 32768 KB or greater
|
|
V-254359
|
Medium
|
Windows Server 2022 Security event log size must be configured to 196608 KB or greater
|
|
V-205797
|
Medium
|
Windows Server 2019 Security event log size must be configured to 196608 KB or greater
|
|
V-254360
|
Medium
|
Windows Server 2022 System event log size must be configured to 32768 KB or greater
|
|
V-205798
|
Medium
|
Windows Server 2019 System event log size must be configured to 32768 KB or greater
|
|
V-254354
|
High
|
Windows Server 2022 AutoPlay must be disabled for all drives
|
|
V-205806
|
High
|
Windows Server 2019 AutoPlay must be disabled for all drives
|
|
V-254334
|
Medium
|
Windows Server 2022 must have WDigest Authentication disabled
|
|
V-205687
|
Medium
|
Windows Server 2019 must have WDigest Authentication disabled
|
|
V-253490
|
High
|
The "Debug programs" user right must only be assigned to the Administrators group
|
|
V-220967
|
High
|
The Debug programs user right must only be assigned to the Administrators group
|
|
V-254450
|
Medium
|
Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always)...
|
|
V-205821
|
Medium
|
Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always)...
|
|
V-253373
|
Medium
|
Group Policy objects must be reprocessed even if they have not changed
|
|
V-220814
|
Medium
|
Group Policy objects must be reprocessed even if they have not changed
|
|
V-253284
|
High
|
Structured Exception Handling Overwrite Protection (SEHOP) must be enabled
|
|
V-253398
|
Medium
|
File Explorer shell protocol must run in protected mode
|
|
V-220920
|
Medium
|
The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver
|
|
V-254347
|
Medium
|
Windows Server 2022 printing over HTTP must be turned off
|
|
V-205689
|
Medium
|
Windows Server 2019 printing over HTTP must be turned off
|
|
V-254361
|
Medium
|
Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled
|
|
V-205692
|
Medium
|
Windows Server 2019 Windows Defender SmartScreen must be enabled
|
|
V-254460
|
Medium
|
Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must...
|
|
V-205825
|
Medium
|
Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must...
|
|
V-253462
|
High
|
The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM
|
|
V-220938
|
High
|
The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM
|
|
V-254461
|
Medium
|
Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server ag...
|
|
V-205826
|
Medium
|
Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server ag...
|
|
V-254463
|
Medium
|
Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must...
|
|
V-205827
|
Medium
|
Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must...
|
|
V-254464
|
Medium
|
Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client ag...
|
|
V-205828
|
Medium
|
Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client ag...
|
|
V-254462
|
Medium
|
Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (S...
|
|
V-205655
|
Medium
|
Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (S...
|
|
V-254335
|
Low
|
Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the h...
|
|
V-205858
|
Low
|
Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the h...
|
|
V-254336
|
Low
|
Windows Server 2022 source routing must be configured to the highest protection level to prevent ...
|
|
V-205859
|
Low
|
Windows Server 2019 source routing must be configured to the highest protection level to prevent ...
|
|
V-253300
|
Medium
|
The password history must be configured to 24 passwords remembered
|
|
V-220742
|
Medium
|
The password history must be configured to 24 passwords remembered
|
|
V-254278
|
Medium
|
Windows Server 2022 must not have Windows PowerShell 2.0 installed
|
|
V-205685
|
Medium
|
Windows Server 2019 must not have Windows PowerShell 2.0 installed
|
|
V-260479
|
Low
|
Ubuntu 22.04 LTS must have the "chrony" package installed
|
|
V-260480
|
Low
|
Ubuntu 22.04 LTS must not have the "systemd-timesyncd" package installed
|
|
V-260546
|
Medium
|
Ubuntu 22.04 LTS must enforce a 60-day maximum password lifetime restriction. Passwords for new u...
|
|
V-260550
|
Low
|
Ubuntu 22.04 LTS must enforce a delay of at least four seconds between logon prompts following a ...
|
|
V-260574
|
Medium
|
Ubuntu 22.04 LTS must accept personal identity verification (PIV) credentials
|
|
V-260587
|
Low
|
Ubuntu 22.04 LTS must have a crontab script running weekly to offload audit events of standalone ...
|
|
V-253426
|
Medium
|
Windows 11 Kernel (Direct Memory Access) DMA Protection must be enabled
|
|
V-220902
|
Medium
|
Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled
|
|
V-253396
|
Medium
|
Explorer Data Execution Prevention must be enabled
|
|
V-220700
|
Low
|
Secure Boot must be enabled on Windows 10 systems
|
|
V-253270
|
Medium
|
Only accounts responsible for the backup operations must be members of the Backup Operators group
|
|
V-220713
|
Medium
|
Only accounts responsible for the backup operations must be members of the Backup Operators group
|
|
V-263642
|
Medium
|
The DNS server implementation must protect nonlocal maintenance sessions by separating the mainte...
|
|
V-205218
|
Medium
|
The DNS server implementation must maintain the integrity of information during preparation for t...
|
|
V-205166
|
Medium
|
The DNS server implementation must generate audit records containing information that establishes...
|
|
V-268420
|
Medium
|
The macOS system must prevent Apple Watch from terminating a session lock
|
|
V-268434
|
Medium
|
The macOS system must disable FileVault automatic login
|
|
V-268443
|
Medium
|
The macOS system must disable root login
|
|
V-268448
|
Medium
|
The macOS system must enforce auto logout after 86400 seconds of inactivity
|
|
V-268449
|
Medium
|
The macOS system must be configured to use an authorized time server
|
|
V-268455
|
Medium
|
The macOS system must be configured to shut down upon audit failure
|
|
V-268473
|
Medium
|
The macOS system must configure audit_control group to wheel
|
|
V-268474
|
Medium
|
The macOS system must configure audit_control owner to root
|
|
V-268482
|
Medium
|
The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service
|
|
V-268494
|
Medium
|
The macOS system must disable sending diagnostic and usage data to Apple
|
|
V-268495
|
Medium
|
The macOS system must disable Remote Apple Events
|
|
V-268499
|
High
|
The macOS system must disable Trivial File Transfer Protocol (TFTP) service
|
|
V-268505
|
Medium
|
The macOS system must disable Screen Sharing and Apple Remote Desktop
|
|
V-268506
|
Medium
|
The macOS system must disable the System Settings pane for Wallet and Apple Pay
|
|
V-268512
|
High
|
The macOS system must disable unattended or automatic login to the system
|
|
V-268516
|
Medium
|
The macOS system must disable TouchID for unlocking the device
|
|
V-268534
|
Medium
|
The macOS system must issue or obtain public key certificates from an approved service provider
|
|
V-268558
|
Medium
|
The macOS system must configure the login window to prompt for username and password
|
|
V-268565
|
Medium
|
The macOS system must enable Authenticated Root
|
|
V-268569
|
Medium
|
The macOS system must enforce enrollment in Mobile Device Management (MDM)
|
|
V-268570
|
Medium
|
The macOS system must enable Recovery Lock
|
|
V-268571
|
Medium
|
The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automati...
|
|
V-253466
|
Medium
|
The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing
|
|
V-254337
|
Low
|
Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redire...
|
|
V-205860
|
Low
|
Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redire...
|
|
V-220797
|
Low
|
The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from ...
|
|
V-254481
|
Low
|
Windows Server 2022 default permissions of global system objects must be strengthened
|
|
V-205923
|
Low
|
Windows Server 2019 default permissions of global system objects must be strengthened
|
|
V-253467
|
Low
|
The default permissions of global system objects must be increased
|
|
V-220943
|
Low
|
The default permissions of global system objects must be increased
|
|
V-277996
|
Medium
|
Windows Server 2025 must have a host-based intrusion detection and prevention service (IDPS) inst...
|
|
V-278006
|
Medium
|
Windows Server 2025 system files must be monitored for unauthorized changes
|
|
V-278008
|
Medium
|
Windows Server 2025 must have software certificate installation files removed
|
|
V-278011
|
Medium
|
Windows Server 2025 must have the roles and features required by the system documented
|
|
V-278015
|
Medium
|
Windows Server 2025 must not have the Fax Server role installed
|
|
V-278018
|
Medium
|
Windows Server 2025 must not have Bluetooth enabled unless required by the organization
|
|
V-278019
|
Medium
|
Windows Server 2025 must not have the Peer Name Resolution Protocol installed
|
|
V-278020
|
Medium
|
Windows Server 2025 must not have Simple TCP/IP Services installed
|
|
V-278021
|
Medium
|
Windows Server 2025 must not have the Telnet Client installed
|
|
V-278022
|
Medium
|
Windows Server 2025 must not have the TFTP Client installed
|
|
V-278040
|
High
|
Windows Server 2025 reversible password encryption must be disabled
|
|
V-278082
|
Low
|
Windows Server 2025 Internet Protocol version 6 (IPv6) source routing must be configured to the h...
|
|
V-278083
|
Low
|
Windows Server 2025 source routing must be configured to the highest protection level to prevent ...
|
|
V-278084
|
Low
|
Windows Server 2025 must be configured to prevent Internet Control Message Protocol (ICMP) redire...
|
|
V-278094
|
Medium
|
Windows Server 2025 printing over HTTP must be turned off
|
|
V-278098
|
Low
|
Windows Server 2025 Application Compatibility Program Inventory must be prevented from collecting...
|
|
V-278101
|
High
|
Windows Server 2025 AutoPlay must be disabled for all drives
|
|
V-278105
|
Medium
|
Windows Server 2025 Application event log size must be configured to 32768 KB or greater
|
|
V-278106
|
Medium
|
Windows Server 2025 Security event log size must be configured to 196608 KB or greater
|
|
V-278107
|
Medium
|
Windows Server 2025 System event log size must be configured to 32768 KB or greater
|
|
V-278108
|
Medium
|
Windows Server 2025 Microsoft Defender antivirus SmartScreen must be enabled
|
|
V-278114
|
Medium
|
Windows Server 2025 Remote Desktop Services must always prompt a client for passwords upon connec...
|
|
V-278123
|
Medium
|
Windows Server 2025 must disable automatically signing in the last interactive user after a syste...
|
|
V-278180
|
Medium
|
Windows Server 2025 must restrict unauthenticated Remote Procedure Call (RPC) clients from connec...
|
|
V-278196
|
High
|
Windows Server 2025 must prevent local accounts with blank passwords from being used from the net...
|
|
V-278200
|
Medium
|
The Windows Server 2025 setting Domain member: Digitally encrypt or sign secure channel data (alw...
|
|
V-278210
|
Medium
|
The Windows Server 2025 setting Microsoft network client: Digitally sign communications (always) ...
|
|
V-278211
|
Medium
|
The Windows Server 2025 setting Microsoft network client: Digitally sign communications (if serve...
|
|
V-278212
|
Medium
|
Windows Server 2025 unencrypted passwords must not be sent to third-party Server Message Block (S...
|
|
V-278213
|
Medium
|
The Windows Server 2025 setting Microsoft network server: Digitally sign communications (always) ...
|
|
V-278214
|
Medium
|
The Windows Server 2025 setting Microsoft network server: Digitally sign communications (if clien...
|
|
V-278227
|
Medium
|
Windows Server 2025 session security for NTLM SSP-based clients must be configured to require NTL...
|
|
V-278228
|
Medium
|
Windows Server 2025 session security for NTLM SSP-based servers must be configured to require NTL...
|
|
V-278236
|
Medium
|
Windows Server 2025 User Account Control (UAC) must be configured to detect application installat...
|
|
V-278238
|
Medium
|
Windows Server 2025 User Account Control (UAC) must run all administrators in Admin Approval Mode...
|
|
V-253479
|
Medium
|
The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups...
|
|
V-220956
|
Medium
|
The Access Credential Manager as a trusted caller user right must not be assigned to any groups o...
|
|
V-253487
|
Medium
|
The "Create global objects" user right must only be assigned to Administrators, Service, Local Se...
|
|
V-220964
|
Medium
|
The Create global objects user right must only be assigned to Administrators, Service, Local Serv...
|
|
V-220974
|
Medium
|
The Force shutdown from a remote system user right must only be assigned to the Administrators group
|
|
V-220975
|
Medium
|
The "Impersonate a client after authentication" user right must only be assigned to Administrator...
|
|
V-253499
|
Medium
|
The "Load and unload device drivers" user right must only be assigned to the Administrators group
|
|
V-220976
|
Medium
|
The Load and unload device drivers user right must only be assigned to the Administrators group
|
|
V-253505
|
Medium
|
The "Restore files and directories" user right must only be assigned to the Administrators group
|
|
V-220982
|
Medium
|
The Restore files and directories user right must only be assigned to the Administrators group
|
|
V-253506
|
Medium
|
The "Take ownership of files or other objects" user right must only be assigned to the Administra...
|
|
V-220983
|
Medium
|
The Take ownership of files or other objects user right must only be assigned to the Administrato...
|
|
V-205851
|
Medium
|
Windows Server 2019 must have a host-based intrusion detection and prevention service installed
|
|
V-254249
|
Medium
|
Windows Server 2022 must have a host-based intrusion detection and prevention service installed
|
|
V-243478
|
Medium
|
Domain-joined systems (excluding domain controllers) must not be configured for unconstrained del...
|
|
V-277030
|
Medium
|
The macOS system must enforce session lock no more than five seconds after screen saver is started
|
|
V-277032
|
Medium
|
The macOS system must disable hot corners
|
|
V-277051
|
Medium
|
The macOS system must disable root login
|
|
V-277056
|
Medium
|
The macOS system must enforce auto logout after 86400 seconds of inactivity
|
|
V-277057
|
Medium
|
The macOS system must be configured to use an authorized time server
|
|
V-277074
|
Low
|
The macOS system must configure audit retention to seven days
|
|
V-277080
|
Medium
|
The macOS system must configure audit_control group to wheel
|
|
V-277081
|
Medium
|
The macOS system must configure audit_control owner to root
|
|
V-277101
|
Medium
|
The macOS system must disable sending diagnostic and usage data to Apple
|
|
V-277102
|
Medium
|
The macOS system must disable Remote Apple Events
|
|
V-277106
|
Medium
|
The macOS system must disable Privacy Setup services during Setup Assistant
|
|
V-277115
|
Medium
|
The macOS system must disable the System Settings pane for Wallet and Apple Pay
|
|
V-277121
|
High
|
The macOS system must disable unattended or automatic login to the system
|
|
V-277125
|
Medium
|
The macOS system must disable TouchID for unlocking the device
|
|
V-277143
|
Medium
|
The macOS system must issue or obtain public key certificates from an approved service provider
|
|
V-277168
|
Medium
|
The macOS system must configure the login window to prompt for username and password
|
|
V-277175
|
Medium
|
The macOS system must enable Authenticated Root
|
|
V-277179
|
Medium
|
The macOS system must enforce enrollment in Mobile Device Management (MDM)
|
|
V-277180
|
Medium
|
The macOS system must enable Recovery Lock
|
|
V-282964
|
High
|
The macOS system must be a version supported by the vendor
|
|
V-254290
|
Medium
|
Windows Server 2022 minimum password age must be configured to at least one day
|
|
V-205656
|
Medium
|
Windows Server 2019 minimum password age must be configured to at least one day.
|
|
V-220973
|
Medium
|
The Enable computer and user accounts to be trusted for delegation user right must not be assigne...
|
|
V-253496
|
Medium
|
The "Enable computer and user accounts to be trusted for delegation" user right must not be assig...
|
|
V-205709
|
Medium
|
Windows Server 2019 must have the built-in guest account disabled
|
|
V-253297
|
Medium
|
Windows 11 account lockout duration must be configured to 15 minutes or greater
|
|
V-220739
|
Medium
|
Windows 10 account lockout duration must be configured to 15 minutes or greater
|
|
V-260469
|
High
|
Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence
|
|
V-253304
|
Medium
|
The built-in Microsoft password complexity filter must be enabled
|
|
V-220746
|
Medium
|
The built-in Microsoft password complexity filter must be enabled
|
|
V-253299
|
Medium
|
The period of time before the bad logon counter is reset must be configured to 15 minutes
|
|
V-220741
|
Medium
|
The period of time before the bad logon counter is reset must be configured to 15 minutes
|
|
V-205716
|
Medium
|
Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without usi...
|
|
V-254482
|
Medium
|
Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must ...
|
|
V-205811
|
Medium
|
Windows Server 2019 User Account Control approval mode for the built-in Administrator must be ena...
|
|
V-254485
|
Medium
|
Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for...
|
|
V-205812
|
Medium
|
Windows Server 2019 User Account Control must automatically deny standard user requests for eleva...
|
|
V-254489
|
Medium
|
Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures t...
|
|
V-205720
|
Medium
|
Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures t...
|
|
V-254487
|
Medium
|
Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are i...
|
|
V-205719
|
Medium
|
Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are i...
|
|
V-253338
|
Medium
|
The Security event log size must be configured to 1024000 KB or greater
|
|
V-220780
|
Medium
|
The Security event log size must be configured to 1024000 KB or greater
|
|
V-254449
|
Medium
|
Windows Server 2022 must force audit policy subcategory settings to override audit policy categor...
|
|
V-205644
|
Medium
|
Windows Server 2019 must force audit policy subcategory settings to override audit policy categor...
|
|
V-253437
|
Medium
|
Audit policy using subcategories must be enabled
|
|
V-220913
|
Medium
|
Audit policy using subcategories must be enabled
|
|
V-253358
|
Medium
|
WDigest Authentication must be disabled
|
|
V-220800
|
Medium
|
WDigest Authentication must be disabled
|
|
V-254454
|
Medium
|
Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less
|
|
V-205911
|
Medium
|
Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less
|
|
V-253442
|
Low
|
The maximum age for machine account passwords must be configured to 30 days or less
|
|
V-220918
|
Low
|
The maximum age for machine account passwords must be configured to 30 days or less
|
|
V-220727
|
High
|
Structured Exception Handling Overwrite Protection (SEHOP) must be enabled
|
|
V-253264
|
High
|
The Windows 11 system must use an antivirus program
|
|
V-253275
|
High
|
Internet Information System (IIS) or its subcomponents must not be installed on a workstation
|
|
V-220718
|
High
|
Internet Information System (IIS) or its subcomponents must not be installed on a workstation
|
|
V-254456
|
Medium
|
Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the syste...
|
|
V-205633
|
Medium
|
Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the syste...
|
|
V-253444
|
Medium
|
The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver
|
|
V-253395
|
Medium
|
The Microsoft Defender SmartScreen for Explorer must be enabled
|
|
V-220854
|
Medium
|
Basic authentication for RSS feeds over HTTP must not be used
|
|
V-220840
|
Medium
|
Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious we...
|
|
V-254475
|
High
|
Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response o...
|
|
V-205919
|
High
|
Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response o...
|
|
V-254377
|
Medium
|
Windows Server 2022 PowerShell script block logging must be enabled
|
|
V-205639
|
Medium
|
Windows Server 2019 PowerShell script block logging must be enabled
|
|
V-253414
|
Medium
|
PowerShell script block logging must be enabled on Windows 11
|
|
V-220860
|
Medium
|
PowerShell script block logging must be enabled on Windows 10
|
|
V-205869
|
Medium
|
Windows Server 2019 Telemetry must be configured to Security or Basic
|
|
V-260483
|
High
|
Ubuntu 22.04 LTS must not have the "telnet" package installed
|
|
V-260505
|
Medium
|
Ubuntu 22.04 LTS must be configured so that the "journalctl" command is owned by "root"
|
|
V-260545
|
Medium
|
Ubuntu 22.04 LTS must enforce 24 hours/one day as the minimum password lifetime. Passwords for ne...
|
|
V-260555
|
Medium
|
Ubuntu 22.04 LTS default filesystem permissions must be defined in such a way that all authentica...
|
|
V-260569
|
Medium
|
Ubuntu 22.04 LTS must store only encrypted representations of passwords
|
|
V-260576
|
Medium
|
Ubuntu 22.04 LTS must electronically verify personal identity verification (PIV) credentials
|
|
V-260579
|
High
|
Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based a...
|
|
V-260599
|
Medium
|
Ubuntu 22.04 LTS must permit only authorized groups ownership of the audit log files
|
|
V-254368
|
Medium
|
Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) commu...
|
|
V-205636
|
Medium
|
Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) commu...
|
|
V-253418
|
High
|
The Windows Remote Management (WinRM) service must not use Basic authentication
|
|
V-220865
|
High
|
The Windows Remote Management (WinRM) service must not use Basic authentication
|
|
V-254270
|
Medium
|
Windows Server 2022 must not have the Microsoft FTP service installed unless required by the orga...
|
|
V-205697
|
Medium
|
Windows Server 2019 must not have the Microsoft FTP service installed unless required by the orga...
|
|
V-205857
|
Low
|
Windows Server 2019 must have Secure Boot enabled
|
|
V-254241
|
Medium
|
Windows Server 2022 members of the Backup Operators group must have separate accounts for backup ...
|
|
V-205846
|
Medium
|
Windows Server 2019 members of the Backup Operators group must have separate accounts for backup ...
|
|
V-205203
|
Medium
|
The DNS server implementation must authenticate the other DNS server before responding to a serve...
|
|
V-205184
|
Medium
|
The DNS implementation must protect the authenticity of communications sessions for queries.
|
|
V-205171
|
Medium
|
The key file must be owned by the account under which the name server software is run.
|
|
V-205856
|
Low
|
Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and b...
|
|
V-268440
|
Medium
|
The macOS system must set account lockout time to 15 minutes
|
|
V-268468
|
Medium
|
The macOS system must configure audit capacity warning
|
|
V-268469
|
Medium
|
The macOS system must configure audit failure notification
|
|
V-268486
|
Medium
|
The macOS system must disable FaceTime.app
|
|
V-268519
|
Medium
|
The macOS system must disable AppleID and internet Account Modification
|
|
V-268525
|
Medium
|
The macOS system must disable Find My service
|
|
V-268537
|
Medium
|
The macOS system must require a minimum password length of 14 characters
|
|
V-268543
|
Medium
|
The macOS system must allow smart card authentication
|
|
V-274881
|
Medium
|
The macOS system must require users to reauthenticate for privilege escalation when using the "su...
|
|
V-274880
|
Medium
|
The macOS system must configure sudoers timestamp type
|
|
V-268568
|
Medium
|
The macOS system must ensure Secure Boot level is set to "full"
|
|
V-254455
|
Medium
|
Windows Server 2022 must be configured to require a strong session key
|
|
V-205824
|
Medium
|
Windows Server 2019 must be configured to require a strong session key
|
|
V-254490
|
Medium
|
Windows Server 2022 must preserve zone information when saving attachments
|
|
V-205924
|
Medium
|
Windows Server 2019 must preserve zone information when saving attachments
|
|
V-220955
|
Medium
|
Zone information must be preserved when saving attachments
|
|
V-254363
|
Low
|
Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled
|
|
V-205871
|
Low
|
Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled
|
|
V-220838
|
Low
|
Turning off File Explorer heap termination on corruption must be disabled
|
|
V-253481
|
High
|
The "Act as part of the operating system" user right must not be assigned to any groups or accounts
|
|
V-220958
|
High
|
The Act as part of the operating system user right must not be assigned to any groups or accounts
|
|
V-277988
|
Medium
|
Windows Server 2025 members of the Backup Operators group must have separate accounts for backup ...
|
|
V-278002
|
Low
|
Windows Server 2025 nonadministrative accounts or groups must only have print permissions on prin...
|
|
V-278026
|
Medium
|
Windows Server 2025 must not have Windows PowerShell 2.0 installed
|
|
V-278028
|
Medium
|
Windows Server 2025 FTP servers must be configured to prevent access to the system drive
|
|
V-278038
|
Medium
|
Windows Server 2025 minimum password age must be configured to at least one day
|
|
V-278115
|
Medium
|
Windows Server 2025 Remote Desktop Services must require secure Remote Procedure Call (RPC) commu...
|
|
V-278195
|
Medium
|
Windows Server 2025 must have the built-in guest account disabled
|
|
V-278199
|
Medium
|
Windows Server 2025 must force audit policy subcategory settings to override audit policy categor...
|
|
V-278205
|
Medium
|
Windows Server 2025 must be configured to require a strong session key
|
|
V-278206
|
Medium
|
Windows Server 2025 machine inactivity limit must be set to 15 minutes or less, locking the syste...
|
|
V-278225
|
High
|
Windows Server 2025 LAN Manager authentication level must be configured to send NTLMv2 response o...
|
|
V-278231
|
Low
|
Windows Server 2025 default permissions of global system objects must be strengthened
|
|
V-278232
|
Medium
|
Windows Server 2025 User Account Control (UAC) approval mode for the built-in Administrator must ...
|
|
V-278233
|
Medium
|
Windows Server 2025 UIAccess applications must not be allowed to prompt for elevation without usi...
|
|
V-278235
|
Medium
|
Windows Server 2025 User Account Control (UAC) must automatically deny standard user requests for...
|
|
V-278237
|
Medium
|
Windows Server 2025 User Account Control (UAC) must only elevate UIAccess applications that are i...
|
|
V-278239
|
Medium
|
Windows Server 2025 User Account Control (UAC) must virtualize file and registry write failures t...
|
|
V-278248
|
Medium
|
The Windows Server 2025 "Create permanent shared objects" user right must not be assigned to any ...
|
|
V-279916
|
Medium
|
Windows Server 2025 must be configured to audit file system failures
|
|
V-279917
|
Medium
|
Windows Server 2025 must be configured to audit file system successes
|
|
V-279918
|
Medium
|
Windows Server 2025 must be configured to audit handle manipulation failures
|
|
V-279919
|
Medium
|
Windows Server 2025 must be configured to audit handle manipulation successes
|
|
V-279920
|
Medium
|
Windows Server 2025 must be configured to audit registry failures
|
|
V-279921
|
Medium
|
Windows Server 2025 must be configured to audit registry successes
|
|
V-279922
|
Medium
|
Windows Server 2025 must be configured to audit sensitive privilege use successes
|
|
V-279923
|
Medium
|
Windows Server 2025 must be configured to audit sensitive privilege use failures
|
|
V-254498
|
Medium
|
Windows Server 2022 create permanent shared objects user right must not be assigned to any groups...
|
|
V-205755
|
Medium
|
Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups...
|
|
V-220978
|
Medium
|
The Manage auditing and security log user right must only be assigned to the Administrators group
|
|
V-243475
|
Medium
|
Domain controllers must be blocked from Internet access
|
|
V-243481
|
Medium
|
Access to need-to-know information must be restricted to an authorized community of interest
|
|
V-277028
|
Medium
|
The macOS system must prevent Apple Watch from terminating a session lock
|
|
V-277033
|
Medium
|
The macOS system must prevent AdminHostInfo from being available at LoginWindow
|
|
V-277036
|
Medium
|
The macOS system must limit consecutive failed login attempts to three
|
|
V-277040
|
Medium
|
The macOS system must configure audit log files to not contain access control lists (ACLs)
|
|
V-277041
|
Medium
|
The macOS system must configure the audit log folder to not contain access control lists (ACLs)
|
|
V-277042
|
Medium
|
The macOS system must disable FileVault automatic login
|
|
V-277048
|
Medium
|
The macOS system must set account lockout time to 15 minutes
|
|
V-277075
|
Medium
|
The macOS system must configure audit capacity warning
|
|
V-277076
|
Medium
|
The macOS system must configure audit failure notification
|
|
V-277082
|
Medium
|
The macOS system must configure audit_control owner to mode 440 or less permissive
|
|
V-277083
|
Medium
|
The macOS system must configure audit_control to not contain access control lists (ACLs)
|
|
V-277091
|
Medium
|
The macOS system must disable the built-in web server
|
|
V-277093
|
Medium
|
The macOS system must disable FaceTime.app
|
|
V-277128
|
Medium
|
The macOS system must disable AppleID and internet Account Modification
|
|
V-277133
|
Medium
|
The macOS system must disable Find My service
|
|
V-277151
|
Medium
|
The macOS system must allow smart card authentication
|
|
V-277160
|
Medium
|
The macOS system must require users to reauthenticate for privilege escalation when using the "su...
|
|
V-277164
|
Medium
|
The macOS system must configure sudoers timestamp type
|
|
V-277178
|
Medium
|
The macOS system must ensure Secure Boot level is set to "full"
|
|
V-277181
|
Medium
|
The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automati...
|
|
V-253263
|
High
|
Windows 11 systems must be maintained at a supported servicing level
|
|
V-254289
|
Medium
|
Windows Server 2022 maximum password age must be configured to 60 days or less
|
|
V-205659
|
Medium
|
Windows Server 2019 maximum password age must be configured to 60 days or less
|
|
V-254448
|
Medium
|
Windows Server 2022 built-in guest account must be renamed
|
|
V-205910
|
Medium
|
Windows Server 2019 built-in guest account must be renamed
|
|
V-253357
|
Medium
|
Local administrator accounts must have their privileged token filtered to prevent elevated privil...
|
|
V-220799
|
Medium
|
Local administrator accounts must have their privileged token filtered to prevent elevated privil...
|
|
V-253298
|
Medium
|
The number of allowed bad logon attempts must be configured to three or less
|
|
V-220740
|
Medium
|
The number of allowed bad logon attempts must be configured to 3 or less
|
|
V-254341
|
Medium
|
Windows Server 2022 command line data must be included in process creation events
|
|
V-205638
|
Medium
|
Windows Server 2019 command line data must be included in process creation events
|
|
V-220809
|
Medium
|
Command line data must be included in process creation events
|
|
V-253367
|
Medium
|
Command line data must be included in process creation events
|
|
V-253337
|
Medium
|
The Application event log size must be configured to 32768 KB or greater
|
|
V-220779
|
Medium
|
The Application event log size must be configured to 32768 KB or greater
|
|
V-253339
|
Medium
|
The System event log size must be configured to 32768 KB or greater
|
|
V-220781
|
Medium
|
The System event log size must be configured to 32768 KB or greater
|
|
V-254345
|
Medium
|
Windows Server 2022 group policy objects must be reprocessed even if they have not changed
|
|
V-205866
|
Medium
|
Windows Server 2019 group policy objects must be reprocessed even if they have not changed
|
|
V-254340
|
Medium
|
Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require m...
|
|
V-205862
|
Medium
|
Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require m...
|
|
V-253362
|
Medium
|
Hardened UNC Paths must be defined to require mutual authentication and integrity for at least th...
|
|
V-250319
|
Medium
|
Hardened UNC paths must be defined to require mutual authentication and integrity for at least th...
|
|
V-220839
|
Medium
|
File Explorer shell protocol must run in protected mode
|
|
V-254371
|
Medium
|
Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP
|
|
V-205693
|
Medium
|
Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP
|
|
V-220841
|
Medium
|
Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified f...
|
|
V-254277
|
Medium
|
Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client
|
|
V-205684
|
Medium
|
Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client
|
|
V-254276
|
Medium
|
Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
|
|
V-205683
|
Medium
|
Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
|
|
V-254288
|
Medium
|
Windows Server 2022 password history must be configured to 24 passwords remembered
|
|
V-205660
|
Medium
|
Windows Server 2019 password history must be configured to 24 passwords remembered
|
|
V-205658
|
Medium
|
Windows Server 2019 passwords must be configured to expire
|
|
V-260471
|
Medium
|
Ubuntu 22.04 LTS must initiate session audits at system startup
|
|
V-260473
|
Medium
|
Ubuntu 22.04 LTS must disable kernel core dumps so that it can fail to a secure state if system i...
|
|
V-260477
|
Medium
|
Ubuntu 22.04 LTS must be configured so that the Advance Package Tool (APT) removes all software c...
|
|
V-260482
|
High
|
Ubuntu 22.04 LTS must not have the "rsh-server" package installed
|
|
V-260506
|
Medium
|
Ubuntu 22.04 LTS must be configured so that the "journalctl" command is group-owned by "root"
|
|
V-260508
|
Medium
|
Ubuntu 22.04 LTS must configure the "/var/log" directory to be owned by "root"
|
|
V-260509
|
Medium
|
Ubuntu 22.04 LTS must configure the "/var/log" directory to be group-owned by "syslog"
|
|
V-260510
|
Medium
|
Ubuntu 22.04 LTS must configure "/var/log/syslog" file to be owned by "syslog"
|
|
V-260560
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring at least one uppercase character b...
|
|
V-260561
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring at least one lowercase character b...
|
|
V-260562
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring that at least one numeric characte...
|
|
V-260565
|
Medium
|
Ubuntu 22.04 LTS must enforce a minimum 15-character password length
|
|
V-260581
|
Low
|
Ubuntu 22.04 LTS must be configured such that Pluggable Authentication Module (PAM) prohibits the...
|
|
V-253412
|
Medium
|
Users must be notified if a web-based program attempts to install software
|
|
V-254362
|
Medium
|
Windows Server 2022 Explorer Data Execution Prevention must be enabled
|
|
V-205830
|
Medium
|
Windows Server 2019 Explorer Data Execution Prevention must be enabled
|
|
V-220837
|
Medium
|
Explorer Data Execution Prevention must be enabled
|
|
V-254244
|
Medium
|
Windows Server 2022 shared user accounts must not be permitted
|
|
V-205699
|
Medium
|
Windows Server 2019 shared user accounts must not be permitted
|
|
V-205214
|
High
|
The DNS server implementation must utilize cryptographic mechanisms to prevent unauthorized modif...
|
|
V-205216
|
High
|
The DNS server implementation must protect the integrity of transmitted information.
|
|
V-263643
|
Medium
|
The DNS server implementation must include only approved trust anchors in trust stores or certifi...
|
|
V-263641
|
Medium
|
The DNS server implementation must, for public key-based authentication, implement a local cache ...
|
|
V-205244
|
Medium
|
The DNS name server software must be at the latest version.
|
|
V-205217
|
Medium
|
The DNS server implementation must implement cryptographic mechanisms to detect changes to inform...
|
|
V-205204
|
Medium
|
The DNS server implementation must authenticate another DNS server before establishing a remote a...
|
|
V-205197
|
Medium
|
The DNS server implementation must provide the means for authorized individuals to determine the ...
|
|
V-205172
|
Medium
|
Read/Write access to the key file must be restricted to the account that runs the name server sof...
|
|
V-254356
|
Medium
|
Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "opt...
|
|
V-253415
|
Medium
|
PowerShell Transcription must be enabled on Windows 11
|
|
V-254384
|
Medium
|
Windows Server 2022 must have PowerShell Transcription enabled
|
|
V-268457
|
Medium
|
The macOS system must configure audit log folders to be owned by root
|
|
V-268475
|
Medium
|
The macOS system must configure audit_control owner to mode 440 or less permissive
|
|
V-269095
|
Medium
|
The macOS system must configure audit_control to not contain access control lists (ACLs)
|
|
V-268517
|
Medium
|
The macOS system must disable Media Sharing
|
|
V-268535
|
Medium
|
The macOS system must require that passwords contain a minimum of one numeric character
|
|
V-268536
|
Medium
|
The macOS system must restrict maximum password lifetime to 60 days
|
|
V-268552
|
Medium
|
The macOS system must configure system log files owned by root and group to wheel
|
|
V-254459
|
Medium
|
Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation
|
|
V-253448
|
Medium
|
The Smart Card removal option must be configured to Force Logoff or Lock Workstation
|
|
V-220924
|
Medium
|
The Smart Card removal option must be configured to Force Logoff or Lock Workstation
|
|
V-254480
|
Medium
|
Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, ...
|
|
V-220942
|
Medium
|
The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing
|
|
V-254338
|
Low
|
Windows Server 2022 must be configured to ignore NetBIOS name release requests except from WINS s...
|
|
V-205819
|
Low
|
Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS s...
|
|
V-253356
|
Low
|
The system must be configured to ignore NetBIOS name release requests except from WINS servers
|
|
V-220798
|
Low
|
The system must be configured to ignore NetBIOS name release requests except from WINS servers
|
|
V-254386
|
Medium
|
Windows Server 2022 Kerberos user logon restrictions must be enforced
|
|
V-205702
|
Medium
|
Windows Server 2019 Kerberos user logon restrictions must be enforced
|
|
V-277982
|
Medium
|
Windows Server 2025 must install security-relevant software updates within 30 days unless the tim...
|
|
V-277991
|
Medium
|
Windows Server 2025 shared user accounts must not be permitted
|
|
V-277995
|
Medium
|
Windows Server 2025 must use an antivirus program
|
|
V-278004
|
Medium
|
Windows Server 2025 accounts must require passwords
|
|
V-278016
|
Medium
|
Windows Server 2025 must not have the Microsoft FTP service installed unless required by the orga...
|
|
V-278024
|
Medium
|
Windows Server 2025 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
|
|
V-278025
|
Medium
|
Windows Server 2025 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client
|
|
V-278035
|
Medium
|
Windows Server 2025 must have the period of time before the bad logon counter is reset configured...
|
|
V-278036
|
Medium
|
Windows Server 2025 password history must be configured to 24 passwords remembered
|
|
V-278037
|
Medium
|
Windows Server 2025 maximum password age must be configured to 60 days or less
|
|
V-278085
|
Low
|
Windows Server 2025 must be configured to ignore NetBIOS name release requests except from WINS s...
|
|
V-278088
|
Medium
|
Windows Server 2025 command line data must be included in process creation events
|
|
V-278092
|
Medium
|
Windows Server 2025 group policy objects must be reprocessed even if they have not changed
|
|
V-278103
|
Medium
|
Windows Server 2025 Telemetry must be configured to limit diagnostic data sent to Microsoft
|
|
V-278109
|
Medium
|
Windows Server 2025 Explorer Data Execution Prevention must be enabled
|
|
V-278110
|
Low
|
Windows Server 2025 Turning off File Explorer heap termination on corruption must be disabled
|
|
V-278111
|
Medium
|
Windows Server 2025 File Explorer shell protocol must run in protected mode
|
|
V-278118
|
Medium
|
Windows Server 2025 must disable Basic authentication for RSS feeds over HTTP
|
|
V-278124
|
Medium
|
Windows Server 2025 PowerShell script block logging must be enabled
|
|
V-278131
|
Medium
|
Windows Server 2025 must have PowerShell Transcription enabled
|
|
V-278133
|
Medium
|
Windows Server 2025 Kerberos user logon restrictions must be enforced
|
|
V-278159
|
Medium
|
Windows Server 2025 domain controllers must have a PKI server certificate
|
|
V-278197
|
Medium
|
The Windows Server 2025 built-in administrator account must be renamed
|
|
V-278204
|
Medium
|
Windows Server 2025 maximum age for machine account passwords must be configured to 30 days or less
|
|
V-278209
|
Medium
|
The Windows Server 2025 Smart Card removal option must be configured to Force Logoff or Lock Work...
|
|
V-278230
|
Medium
|
Windows Server 2025 must be configured to use FIPS-compliant algorithms for encryption, hashing, ...
|
|
V-278240
|
Medium
|
Windows Server 2025 must preserve zone information when saving attachments
|
|
V-278241
|
Medium
|
The Windows Server 2025 "Access Credential Manager as a trusted caller" user right must not be as...
|
|
V-278245
|
Medium
|
The Windows Server 2025 "Create a pagefile" user right must only be assigned to the Administrator...
|
|
V-278260
|
Medium
|
The Windows Server 2025 "Profile single process" user right must only be assigned to the Administ...
|
|
V-254389
|
Medium
|
Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven...
|
|
V-205705
|
Medium
|
Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven...
|
|
V-254491
|
Medium
|
Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned...
|
|
V-205749
|
Medium
|
Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned...
|
|
V-254495
|
Medium
|
Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group
|
|
V-205752
|
Medium
|
Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group
|
|
V-253489
|
Medium
|
The "Create symbolic links" user right must only be assigned to the Administrators group
|
|
V-220966
|
Medium
|
The Create symbolic links user right must only be assigned to the Administrators group
|
|
V-254501
|
Medium
|
Windows Server 2022 force shutdown from a remote system user right must only be assigned to the A...
|
|
V-205758
|
Medium
|
Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the A...
|
| V-253501 | Medium | The "Manage auditing and security log" user right must only be assigned to the Administrators group |
| V-254508 | Medium | Windows Server 2022 modify firmware environment values user right must only be assigned to the Ad... |
| V-205764 | Medium | Windows Server 2019 Modify firmware environment values user right must only be assigned to the Ad... |
| V-254509 | Medium | Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Admi... |
| V-205765 | Medium | Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Admi... |
| V-254510 | Medium | Windows Server 2022 profile single process user right must only be assigned to the Administrators... |
| V-205766 | Medium | Windows Server 2019 Profile single process user right must only be assigned to the Administrators... |
| V-243472 | Medium | Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from s... |
| V-243499 | Low | Active Directory implementation information must be added to the organization contingency plan wh... |
| V-277063 | Medium | The macOS system must configure audit log files to be owned by root |
| V-277064 | Medium | The macOS system must configure audit log folders to be owned by root |
| V-277066 | Medium | The macOS system must configure the audit log folders group to wheel |
| V-277067 | Medium | The macOS system must configure audit log files to mode 440 or less permissive |
| V-277089 | Medium | The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service |
| V-277108 | High | The macOS system must disable Trivial File Transfer Protocol (TFTP) service |
| V-277114 | Medium | The macOS system must disable Screen Sharing and Apple Remote Desktop |
| V-277126 | Medium | The macOS system must disable Media Sharing |
| V-277144 | Medium | The macOS system must require that passwords contain a minimum of one numeric character |
| V-277146 | Medium | The macOS system must require a minimum password length of 14 characters |
| V-277161 | Medium | The macOS system must configure system log files owned by root and group to wheel |
| V-205670 | Medium | Windows Server 2019 Deny log on locally user right on domain controllers must be configured to pr... |
| V-254285 | Medium | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater |
| V-254287 | Medium | Windows Server 2022 must have the period of time before the bad logon counter is reset configured... |
| V-254484 | Medium | Windows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for cons... |
| V-205717 | Medium | Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on... |
| V-253388 | High | Autoplay must be disabled for all drives |
| V-220829 | High | Autoplay must be disabled for all drives |
| V-254391 | High | Windows Server 2022 permissions on the Active Directory data files must only allow System and Adm... |
| V-254432 | Medium | Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined ... |
| V-205906 | Medium | Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined ... |
| V-254364 | Medium | Windows Server 2022 File Explorer shell protocol must run in protected mode |
| V-205872 | Medium | Windows Server 2019 File Explorer shell protocol must run in protected mode |
| V-254248 | Medium | Windows Server 2022 must use an antivirus program |
| V-205850 | High | Windows Server 2019 must use an anti-virus program |
| V-220707 | High | The Windows 10 system must use an anti-virus program |
| V-254473 | Medium | Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC... |
| V-205708 | Medium | Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC... |
| V-254433 | Medium | Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administr... |
| V-205747 | Medium | Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administr... |
| V-253457 | Medium | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators |
| V-254258 | Medium | Windows Server 2022 passwords must be configured to expire |
| V-253285 | Medium | The Windows PowerShell 2.0 feature must be disabled on the system |
| V-220728 | Medium | The Windows PowerShell 2.0 feature must be disabled on the system |
| V-253393 | Medium | Windows Telemetry must not be configured to Full |
| V-260475 | Medium | Ubuntu 22.04 LTS must implement nonexecutable data to protect its memory from unauthorized code e... |
| V-260487 | Medium | Ubuntu 22.04 LTS library files must have mode "755" or less permissive |
| V-260488 | Medium | Ubuntu 22.04 LTS must configure the "/var/log" directory to have mode "755" or less permissive |
| V-260491 | Medium | Ubuntu 22.04 LTS must configure "/var/log/syslog" file with mode "640" or less permissive |
| V-260497 | Medium | Ubuntu 22.04 LTS library directories must be owned by "root" |
| V-260498 | Medium | Ubuntu 22.04 LTS library directories must be group-owned by "root" |
| V-260499 | Medium | Ubuntu 22.04 LTS library files must be owned by "root" |
| V-260511 | Medium | Ubuntu 22.04 LTS must configure the "/var/log/syslog" file to be group-owned by "adm" |
| V-260512 | Medium | Ubuntu 22.04 LTS must be configured so that the "journalctl" command is not accessible by unautho... |
| V-260515 | Medium | Ubuntu 22.04 LTS must enable and run the Uncomplicated Firewall (ufw) |
| V-260547 | Medium | Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after... |
| V-260553 | Medium | Ubuntu 22.04 LTS must allow users to directly initiate a session lock for all connection types |
| V-260554 | Medium | Ubuntu 22.04 LTS must automatically exit interactive command shell user sessions after 15 minutes... |
| V-260563 | Medium | Ubuntu 22.04 LTS must enforce password complexity by requiring that at least one special characte... |
| V-260582 | Medium | Ubuntu 22.04 LTS must use a file integrity tool to verify correct operation of all security funct... |
| V-260588 | Medium | Ubuntu 22.04 LTS must be configured to preserve log records from failure events |
| V-260602 | Medium | Ubuntu 22.04 LTS must permit only authorized accounts to own the audit configuration files |
| V-260603 | Medium | Ubuntu 22.04 LTS must permit only authorized groups to own the audit configuration files |
| V-254357 | Low | Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet |
| V-205870 | Low | Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet |
| V-254246 | Medium | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and r... |
| V-205848 | Medium | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and r... |
| V-263626 | Medium | The DNS server implementation must alert organization-defined personnel or roles upon detection o... |
| V-205224 | Medium | The DNS implementation must generate audit records for the success and failure of start and stop ... |
| V-205198 | Medium | The DNS server implementation must validate the binding of the other DNS servers identity to the ... |
| V-205196 | Medium | The DNS server implementation must strongly bind the identity of the DNS server with the DNS info... |
| V-205186 | Medium | In the event of a system failure, the DNS server implementation must preserve any information nec... |
| V-205169 | Medium | The DNS server implementation must uniquely identify the other DNS server before responding to a ... |
| V-205165 | Medium | The DNS server implementation must produce audit records that contain information to establish th... |
| V-205163 | Medium | The DNS server implementation must produce audit records containing information to establish wher... |
| V-205162 | Medium | The DNS server implementation must produce audit records containing information to establish when... |