| Vulnerability ID |
Severity |
Description |
|
V-254247
|
Medium
|
Windows Server 2022 must be maintained at a supported servicing level
|
|
V-254355
|
Medium
|
Windows Server 2022 administrator accounts must not be enumerated during elevation
|
|
V-205714
|
Medium
|
Windows Server 2019 administrator accounts must not be enumerated during elevation
|
|
V-253391
|
Medium
|
Windows 11 administrator accounts must not be enumerated during elevation
|
|
V-220832
|
Medium
|
Windows 10 administrator accounts must not be enumerated during elevation
|
|
V-205751
|
Medium
|
Windows Server 2019 back up files and directories user right must only be assigned to the Adminis...
|
|
V-254289
|
Medium
|
Windows Server 2022 maximum password age must be configured to 60 days or less
|
|
V-205659
|
Medium
|
Windows Server 2019 maximum password age must be configured to 60 days or less
|
|
V-253301
|
Medium
|
The maximum password age must be configured to 60 days or less
|
|
V-220743
|
Medium
|
The maximum password age must be configured to 60 days or less.
|
|
V-254447
|
Medium
|
Windows Server 2022 built-in administrator account must be renamed
|
|
V-205909
|
Medium
|
Windows Server 2019 built-in administrator account must be renamed
|
|
V-253435
|
Medium
|
The built-in administrator account must be renamed
|
|
V-220911
|
Medium
|
The built-in administrator account must be renamed
|
|
V-254291
|
Medium
|
Windows Server 2022 minimum password length must be configured to 14 characters
|
|
V-205662
|
Medium
|
Windows Server 2019 minimum password length must be configured to 14 characters
|
|
V-253303
|
Medium
|
Passwords must, at a minimum, be 14 characters
|
|
V-220745
|
Medium
|
Passwords must, at a minimum, be 14 characters
|
|
V-254290
|
Medium
|
Windows Server 2022 minimum password age must be configured to at least one day
|
|
V-205656
|
Medium
|
Windows Server 2019 minimum password age must be configured to at least one day.
|
|
V-253302
|
Medium
|
The minimum password age must be configured to at least 1 day
|
|
V-220744
|
Medium
|
The minimum password age must be configured to at least 1 day
|
|
V-254448
|
Medium
|
Windows Server 2022 built-in guest account must be renamed
|
|
V-205910
|
Medium
|
Windows Server 2019 built-in guest account must be renamed
|
|
V-220912
|
Medium
|
The built-in guest account must be renamed
|
|
V-253436
|
Medium
|
The built-in guest account must be renamed
|
|
V-254424
|
Medium
|
Windows Server 2022 Deny log on locally user right on domain controllers must be configured to pr...
|
|
V-254438
|
Medium
|
Windows Server 2022 Deny log on locally user right on domain-joined member servers must be config...
|
|
V-205670
|
Medium
|
Windows Server 2019 Deny log on locally user right on domain controllers must be configured to pr...
|
|
V-205675
|
Medium
|
Windows Server 2019 Deny log on locally user right on domain-joined member servers must be config...
|
|
V-220971
|
Medium
|
The Deny log on locally user right on workstations must be configured to prevent access from high...
|
|
V-253494
|
Medium
|
The "Deny log on locally" user right on workstations must be configured to prevent access from hi...
|
|
V-254440
|
Medium
|
Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right mus...
|
|
V-205748
|
Medium
|
Windows Server 2019 "Enable computer and user accounts to be trusted for delegation" user right m...
|
|
V-220973
|
Medium
|
The Enable computer and user accounts to be trusted for delegation user right must not be assigne...
|
|
V-253496
|
Medium
|
The "Enable computer and user accounts to be trusted for delegation" user right must not be assig...
|
|
V-254426
|
Medium
|
Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right mus...
|
|
V-205745
|
Medium
|
Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right mus...
|
|
V-220910
|
Medium
|
Local accounts with blank passwords must be restricted to prevent access from the network
|
|
V-253434
|
Medium
|
Local accounts with blank passwords must be restricted to prevent access from the network
|
|
V-254429
|
Medium
|
Windows Server 2022 local administrator accounts must have their privileged token filtered to pre...
|
|
V-205715
|
Medium
|
Windows Server 2019 local administrator accounts must have their privileged token filtered to pre...
|
|
V-253357
|
Medium
|
Local administrator accounts must have their privileged token filtered to prevent elevated privil...
|
|
V-220799
|
Medium
|
Local administrator accounts must have their privileged token filtered to prevent elevated privil...
|
|
V-253432
|
Medium
|
The built-in administrator account must be disabled.
|
|
V-220908
|
Medium
|
The built-in administrator account must be disabled
|
|
V-254445
|
Medium
|
Windows Server 2022 must have the built-in guest account disabled
|
|
V-205709
|
Medium
|
Windows Server 2019 must have the built-in guest account disabled
|
|
V-253433
|
Medium
|
The built-in guest account must be disabled
|
|
V-220909
|
Medium
|
The built-in guest account must be disabled
|
|
V-254372
|
Medium
|
Windows Server 2022 must prevent Indexing of encrypted files
|
|
V-205694
|
Medium
|
Windows Server 2019 must prevent Indexing of encrypted files
|
|
V-253409
|
Medium
|
Indexing of encrypted files must be turned off
|
|
V-220855
|
Medium
|
Indexing of encrypted files must be turned off
|
|
V-254494
|
Medium
|
Windows Server 2022 back up files and directories user right must only be assigned to the Adminis...
|
|
V-253483
|
Medium
|
The "Back up files and directories" user right must only be assigned to the Administrators group
|
|
V-220960
|
Medium
|
The Back up files and directories user right must only be assigned to the Administrators group
|
|
V-254317
|
Medium
|
Windows Server 2022 must be configured to audit Object Access - Removable Storage successes
|
|
V-205840
|
Medium
|
Windows Server 2019 must be configured to audit Object Access - Removable Storage successes
|
|
V-253324
|
Medium
|
The system must be configured to audit Object Access - Removable Storage successes
|
|
V-220766
|
Medium
|
The system must be configured to audit Object Access - Removable Storage successes
|
|
V-254285
|
Medium
|
Windows Server 2022 account lockout duration must be configured to 15 minutes or greater
|
|
V-205795
|
Medium
|
Windows Server 2019 account lockout duration must be configured to 15 minutes or greater
|
|
V-253297
|
Medium
|
Windows 11 account lockout duration must be configured to 15 minutes or greater
|
|
V-220739
|
Medium
|
Windows 10 account lockout duration must be configured to 15 minutes or greater
|
|
V-254342
|
Medium
|
Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable c...
|
|
V-205863
|
Medium
|
Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable ...
|
|
V-253368
|
Medium
|
Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials
|
|
V-220810
|
Medium
|
Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials
|
|
V-254376
|
Medium
|
Windows Server 2022 must disable automatically signing in the last interactive user after a syste...
|
|
V-205925
|
Medium
|
Windows Server 2019 must disable automatically signing in the last interactive user after a syste...
|
|
V-253413
|
Medium
|
Automatically signing in the last interactive user after a system-initiated restart must be disabled
|
|
V-220859
|
Medium
|
Automatically signing in the last interactive user after a system-initiated restart must be disabled
|
|
V-254292
|
Medium
|
Windows Server 2022 must have the built-in Windows password complexity policy enabled
|
|
V-205652
|
Medium
|
Windows Server 2019 must have the built-in Windows password complexity policy enabled
|
|
V-253304
|
Medium
|
The built-in Microsoft password complexity filter must be enabled
|
|
V-220746
|
Medium
|
The built-in Microsoft password complexity filter must be enabled
|
|
V-254287
|
Medium
|
Windows Server 2022 must have the period of time before the bad logon counter is reset configured...
|
|
V-205630
|
Medium
|
Windows Server 2019 must have the period of time before the bad logon counter is reset configured...
|
|
V-253299
|
Medium
|
The period of time before the bad logon counter is reset must be configured to 15 minutes
|
|
V-220741
|
Medium
|
The period of time before the bad logon counter is reset must be configured to 15 minutes
|
|
V-254257
|
Medium
|
Windows Server 2022 accounts must require passwords
|
|
V-205700
|
Medium
|
Windows Server 2019 accounts must require passwords
|
|
V-254453
|
Medium
|
Windows Server 2022 computer account password must not be prevented from being reset
|
|
V-205815
|
Medium
|
Windows Server 2019 computer account password must not be prevented from being reset
|
|
V-254286
|
Medium
|
Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less
|
|
V-205629
|
Medium
|
Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less
|
|
V-253298
|
Medium
|
The number of allowed bad logon attempts must be configured to three or less
|
|
V-220740
|
Medium
|
The number of allowed bad logon attempts must be configured to 3 or less
|
|
V-254483
|
Medium
|
Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without usi...
|
|
V-205716
|
Medium
|
Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without usi...
|
|
V-254482
|
Medium
|
Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must ...
|
|
V-205811
|
Medium
|
Windows Server 2019 User Account Control approval mode for the built-in Administrator must be ena...
|
|
V-253468
|
Medium
|
User Account Control approval mode for the built-in Administrator must be enabled
|
|
V-220944
|
Medium
|
User Account Control approval mode for the built-in Administrator must be enabled
|
|
V-254485
|
Medium
|
Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for...
|
|
V-205812
|
Medium
|
Windows Server 2019 User Account Control must automatically deny standard user requests for eleva...
|
|
V-253471
|
Medium
|
User Account Control must automatically deny elevation requests for standard users
|
|
V-220947
|
Medium
|
User Account Control must automatically deny elevation requests for standard users
|
|
V-254488
|
Medium
|
Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode...
|
|
V-205813
|
Medium
|
Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enab...
|
|
V-253474
|
Medium
|
User Account Control must run all administrators in Admin Approval Mode, enabling UAC
|
|
V-220950
|
Medium
|
User Account Control must run all administrators in Admin Approval Mode, enabling UAC
|
|
V-254486
|
Medium
|
Windows Server 2022 User Account Control (UAC) must be configured to detect application installat...
|
|
V-205718
|
Medium
|
Windows Server 2019 User Account Control must be configured to detect application installations a...
|
|
V-253472
|
Medium
|
User Account Control must be configured to detect application installations and prompt for elevation
|
|
V-220948
|
Medium
|
User Account Control must be configured to detect application installations and prompt for elevation
|
|
V-254489
|
Medium
|
Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures t...
|
|
V-205720
|
Medium
|
Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures t...
|
|
V-253475
|
Medium
|
User Account Control must virtualize file and registry write failures to per-user locations
|
|
V-220951
|
Medium
|
User Account Control must virtualize file and registry write failures to per-user locations
|
|
V-254484
|
Medium
|
Windows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for cons...
|
|
V-205717
|
Medium
|
Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on...
|
|
V-253469
|
Medium
|
User Account Control must prompt administrators for consent on the secure desktop
|
|
V-220945
|
Medium
|
User Account Control must, at minimum, prompt administrators for consent on the secure desktop
|
|
V-254487
|
Medium
|
Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are i...
|
|
V-205719
|
Medium
|
Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are i...
|
|
V-253473
|
Medium
|
User Account Control must only elevate UIAccess applications that are installed in secure locations
|
|
V-220949
|
Medium
|
User Account Control must only elevate UIAccess applications that are installed in secure locations
|
|
V-254349
|
Medium
|
Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on b...
|
|
V-205867
|
Medium
|
Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on b...
|
|
V-253380
|
Medium
|
Users must be prompted for a password on resume from sleep (on battery)
|
|
V-220821
|
Medium
|
Users must be prompted for a password on resume from sleep (on battery)
|
|
V-254350
|
Medium
|
Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plug...
|
|
V-205868
|
Medium
|
Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plug...
|
|
V-253381
|
Medium
|
The user must be prompted for a password on resume from sleep (plugged in)
|
|
V-220822
|
Medium
|
The user must be prompted for a password on resume from sleep (plugged in)
|
|
V-254479
|
Medium
|
Windows Server 2022 users must be required to enter a password to access private keys stored on t...
|
|
V-205651
|
Medium
|
Windows Server 2019 users must be required to enter a password to access private keys stored on t...
|
|
V-254341
|
Medium
|
Windows Server 2022 command line data must be included in process creation events
|
|
V-205638
|
Medium
|
Windows Server 2019 command line data must be included in process creation events
|
|
V-220809
|
Medium
|
Command line data must be included in process creation events
|
|
V-253367
|
Medium
|
Command line data must be included in process creation events
|
|
V-254299
|
Medium
|
Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion
|
|
V-205731
|
Medium
|
Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion
|
|
V-254358
|
Medium
|
Windows Server 2022 Application event log size must be configured to 32768 KB or greater
|
|
V-205796
|
Medium
|
Windows Server 2019 Application event log size must be configured to 32768 KB or greater
|
|
V-253337
|
Medium
|
The Application event log size must be configured to 32768 KB or greater
|
|
V-220779
|
Medium
|
The Application event log size must be configured to 32768 KB or greater
|
|
V-254359
|
Medium
|
Windows Server 2022 Security event log size must be configured to 196608 KB or greater
|
|
V-205797
|
Medium
|
Windows Server 2019 Security event log size must be configured to 196608 KB or greater
|
|
V-253338
|
Medium
|
The Security event log size must be configured to 1024000 KB or greater
|
|
V-220780
|
Medium
|
The Security event log size must be configured to 1024000 KB or greater
|
|
V-254360
|
Medium
|
Windows Server 2022 System event log size must be configured to 32768 KB or greater
|
|
V-205798
|
Medium
|
Windows Server 2019 System event log size must be configured to 32768 KB or greater
|
|
V-253339
|
Medium
|
The System event log size must be configured to 32768 KB or greater
|
|
V-220781
|
Medium
|
The System event log size must be configured to 32768 KB or greater
|
|
V-254449
|
Medium
|
Windows Server 2022 must force audit policy subcategory settings to override audit policy categor...
|
|
V-205644
|
Medium
|
Windows Server 2019 must force audit policy subcategory settings to override audit policy categor...
|
|
V-253437
|
Medium
|
Audit policy using subcategories must be enabled
|
|
V-220913
|
Medium
|
Audit policy using subcategories must be enabled
|
|
V-254297
|
Medium
|
Windows Server 2022 permissions for the Security event log must prevent access by nonprivileged a...
|
|
V-205641
|
Medium
|
Windows Server 2019 permissions for the Security event log must prevent access by non-privileged ...
|
|
V-253341
|
Medium
|
Windows 11 permissions for the Security event log must prevent access by non-privileged accounts
|
|
V-220783
|
Medium
|
Windows 10 permissions for the Security event log must prevent access by non-privileged accounts
|
|
V-254298
|
Medium
|
Windows Server 2022 permissions for the System event log must prevent access by nonprivileged acc...
|
|
V-205642
|
Medium
|
Windows Server 2019 permissions for the System event log must prevent access by non-privileged ac...
|
|
V-253342
|
Medium
|
Windows 11 permissions for the System event log must prevent access by non-privileged accounts
|
|
V-220784
|
Medium
|
Windows 10 permissions for the System event log must prevent access by non-privileged accounts
|
|
V-220828
|
Medium
|
The default autorun behavior must be configured to prevent autorun commands
|
|
V-205624
|
Medium
|
Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours
|
|
V-254334
|
Medium
|
Windows Server 2022 must have WDigest Authentication disabled
|
|
V-205687
|
Medium
|
Windows Server 2019 must have WDigest Authentication disabled
|
|
V-253358
|
Medium
|
WDigest Authentication must be disabled
|
|
V-220800
|
Medium
|
WDigest Authentication must be disabled
|
|
V-254417
|
Medium
|
Windows Server 2022 domain controllers must be configured to allow reset of machine account passw...
|
|
V-205876
|
Medium
|
Windows Server 2019 domain controllers must be configured to allow reset of machine account passw...
|
|
V-254416
|
Medium
|
Windows Server 2022 domain controllers must require LDAP access signing
|
|
V-205820
|
Medium
|
Windows Server 2019 domain controllers must require LDAP access signing
|
|
V-254427
|
Medium
|
The password for the krbtgt account on a domain must be reset at least every 180 days
|
|
V-205877
|
Medium
|
The password for the krbtgt account on a domain must be reset at least every 180 days
|
|
V-254432
|
Medium
|
Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined ...
|
|
V-205906
|
Medium
|
Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined ...
|
|
V-254450
|
Medium
|
Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always)...
|
|
V-205821
|
Medium
|
Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always)...
|
|
V-254451
|
Medium
|
Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) ...
|
|
V-205822
|
Medium
|
Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) ...
|
|
V-254452
|
Medium
|
Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) mus...
|
|
V-205823
|
Medium
|
Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) mus...
|
|
V-254345
|
Medium
|
Windows Server 2022 group policy objects must be reprocessed even if they have not changed
|
|
V-205866
|
Medium
|
Windows Server 2019 group policy objects must be reprocessed even if they have not changed
|
|
V-253373
|
Medium
|
Group Policy objects must be reprocessed even if they have not changed
|
|
V-220814
|
Medium
|
Group Policy objects must be reprocessed even if they have not changed
|
|
V-254340
|
Medium
|
Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require m...
|
|
V-205862
|
Medium
|
Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require m...
|
|
V-253362
|
Medium
|
Hardened UNC Paths must be defined to require mutual authentication and integrity for at least th...
|
|
V-250319
|
Medium
|
Hardened UNC paths must be defined to require mutual authentication and integrity for at least th...
|
|
V-254430
|
Medium
|
Windows Server 2022 local users on domain-joined member servers must not be enumerated
|
|
V-205696
|
Medium
|
Windows Server 2019 local users on domain-joined member servers must not be enumerated
|
|
V-253379
|
Medium
|
Local users on domain-joined computers must not be enumerated
|
|
V-220820
|
Medium
|
Local users on domain-joined computers must not be enumerated
|
|
V-254454
|
Medium
|
Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less
|
|
V-205911
|
Medium
|
Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less
|
|
V-254476
|
Medium
|
Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing
|
|
V-205920
|
Medium
|
Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing
|
|
V-253463
|
Medium
|
The system must be configured to the required LDAP client signing level
|
|
V-220939
|
Medium
|
The system must be configured to the required LDAP client signing level
|
|
V-254364
|
Medium
|
Windows Server 2022 File Explorer shell protocol must run in protected mode
|
|
V-205872
|
Medium
|
Windows Server 2019 File Explorer shell protocol must run in protected mode
|
|
V-253398
|
Medium
|
File Explorer shell protocol must run in protected mode
|
|
V-220839
|
Medium
|
File Explorer shell protocol must run in protected mode
|
|
V-254248
|
Medium
|
Windows Server 2022 must use an antivirus program
|
|
V-254346
|
Medium
|
Windows Server 2022 downloading print driver packages over HTTP must be turned off
|
|
V-205688
|
Medium
|
Windows Server 2019 downloading print driver packages over HTTP must be turned off
|
|
V-253374
|
Medium
|
Downloading print driver packages over HTTP must be prevented
|
|
V-220815
|
Medium
|
Downloading print driver packages over HTTP must be prevented
|
|
V-254344
|
Medium
|
Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must preven...
|
|
V-205865
|
Medium
|
Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must preven...
|
|
V-253372
|
Medium
|
Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers
|
|
V-220813
|
Medium
|
Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers
|
|
V-254456
|
Medium
|
Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the syste...
|
|
V-205633
|
Medium
|
Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the syste...
|
|
V-253444
|
Medium
|
The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver
|
|
V-220920
|
Medium
|
The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver
|
|
V-254347
|
Medium
|
Windows Server 2022 printing over HTTP must be turned off
|
|
V-205689
|
Medium
|
Windows Server 2019 printing over HTTP must be turned off
|
|
V-253376
|
Medium
|
Printing over HTTP must be prevented
|
|
V-220817
|
Medium
|
Printing over HTTP must be prevented
|
|
V-253395
|
Medium
|
The Microsoft Defender SmartScreen for Explorer must be enabled
|
|
V-220836
|
Medium
|
The Windows Defender SmartScreen for Explorer must be enabled
|
|
V-254361
|
Medium
|
Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled
|
|
V-205692
|
Medium
|
Windows Server 2019 Windows Defender SmartScreen must be enabled
|
|
V-254333
|
Medium
|
Windows Server 2022 must prevent the display of slide shows on the lock screen
|
|
V-205686
|
Medium
|
Windows Server 2019 must prevent the display of slide shows on the lock screen
|
|
V-254265
|
Medium
|
Windows Server 2022 must have a host-based firewall installed and enabled
|
|
V-253281
|
Medium
|
A host-based firewall must be installed and enabled on the system
|
|
V-220724
|
Medium
|
A host-based firewall must be installed and enabled on the system
|
|
V-214936
|
Medium
|
Windows Server 2019 must have a host-based firewall installed and enabled
|
|
V-254371
|
Medium
|
Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP
|
|
V-205693
|
Medium
|
Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP
|
|
V-253408
|
Medium
|
Basic authentication for RSS feeds over HTTP must not be used
|
|
V-220854
|
Medium
|
Basic authentication for RSS feeds over HTTP must not be used
|
|
V-223079
|
Medium
|
Checking for signatures on downloaded programs must be enforced
|
|
V-223077
|
Medium
|
Software must be disallowed to run or install with invalid signatures
|
|
V-254348
|
Medium
|
Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen
|
|
V-205690
|
Medium
|
Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen
|
|
V-253378
|
Medium
|
The network selection user interface (UI) must not be displayed on the logon screen
|
|
V-220819
|
Medium
|
The network selection user interface (UI) must not be displayed on the logon screen
|
|
V-254370
|
Medium
|
Windows Server 2022 must prevent attachments from being downloaded from RSS feeds
|
|
V-205873
|
Medium
|
Windows Server 2019 must prevent attachments from being downloaded from RSS feeds
|
|
V-253407
|
Medium
|
Attachments must be prevented from being downloaded from RSS feeds
|
|
V-220853
|
Medium
|
Attachments must be prevented from being downloaded from RSS feeds
|
|
V-254457
|
Medium
|
Windows Server 2022 required legal notice must be configured to display before console logon
|
|
V-253445
|
Medium
|
The required legal notice must be configured to display before console logon
|
|
V-205631
|
Medium
|
Windows Server 2019 required legal notice must be configured to display before console logon
|
|
V-220921
|
Medium
|
The required legal notice must be configured to display before console logon
|
|
V-220844
|
Medium
|
The Windows Defender SmartScreen filter for Microsoft Edge must be enabled
|
|
V-220841
|
Medium
|
Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified f...
|
|
V-220840
|
Medium
|
Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious we...
|
|
V-254339
|
Medium
|
Windows Server 2022 insecure logons to an SMB server must be disabled
|
|
V-205861
|
Medium
|
Windows Server 2019 insecure logons to an SMB server must be disabled
|
|
V-253360
|
Medium
|
Insecure logons to an SMB server must be disabled
|
|
V-220802
|
Medium
|
Insecure logons to an SMB server must be disabled
|
|
V-254473
|
Medium
|
Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC...
|
|
V-205708
|
Medium
|
Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC...
|
|
V-253460
|
Medium
|
Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites
|
|
V-220936
|
Medium
|
Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites
|
|
V-254460
|
Medium
|
Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must...
|
|
V-205825
|
Medium
|
Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must...
|
|
V-254461
|
Medium
|
Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server ag...
|
|
V-205826
|
Medium
|
Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server ag...
|
|
V-254463
|
Medium
|
Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must...
|
|
V-205827
|
Medium
|
Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must...
|
|
V-254464
|
Medium
|
Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client ag...
|
|
V-205828
|
Medium
|
Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client ag...
|
|
V-254468
|
Medium
|
Windows Server 2022 must be configured to prevent anonymous users from having the same permission...
|
|
V-205915
|
Medium
|
Windows Server 2019 must be configured to prevent anonymous users from having the same permission...
|
|
V-253455
|
Medium
|
The system must be configured to prevent anonymous users from having the same rights as the Every...
|
|
V-254277
|
Medium
|
Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client
|
|
V-205684
|
Medium
|
Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client
|
|
V-253288
|
Medium
|
The Server Message Block (SMB) v1 protocol must be disabled on the SMB client
|
|
V-220731
|
Medium
|
The Server Message Block (SMB) v1 protocol must be disabled on the SMB client
|
|
V-254276
|
Medium
|
Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
|
|
V-205683
|
Medium
|
Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
|
|
V-253287
|
Medium
|
The Server Message Block (SMB) v1 protocol must be disabled on the SMB server
|
|
V-220730
|
Medium
|
The Server Message Block (SMB) v1 protocol must be disabled on the SMB server
|
|
V-254471
|
Medium
|
Windows Server 2022 must prevent NTLM from falling back to a Null session
|
|
V-205917
|
Medium
|
Windows Server 2019 must prevent NTLM from falling back to a Null session
|
|
V-253458
|
Medium
|
NTLM must be prevented from falling back to a Null session
|
|
V-220934
|
Medium
|
NTLM must be prevented from falling back to a Null session
|
|
V-254433
|
Medium
|
Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administr...
|
|
V-205747
|
Medium
|
Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administr...
|
|
V-253457
|
Medium
|
Remote calls to the Security Account Manager (SAM) must be restricted to Administrators
|
|
V-220933
|
Medium
|
Remote calls to the Security Account Manager (SAM) must be restricted to Administrators
|
|
V-254470
|
Medium
|
Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authent...
|
|
V-205916
|
Medium
|
Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authent...
|
|
V-254477
|
Medium
|
Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTL...
|
|
V-205921
|
Medium
|
Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTL...
|
|
V-254478
|
Medium
|
Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTL...
|
|
V-205922
|
Medium
|
Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTL...
|
|
V-254462
|
Medium
|
Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (S...
|
|
V-205655
|
Medium
|
Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (S...
|
|
V-253450
|
Medium
|
Unencrypted passwords must not be sent to third-party SMB Servers
|
|
V-220926
|
Medium
|
Unencrypted passwords must not be sent to third-party SMB Servers
|
|
V-254275
|
Medium
|
Windows Server 2022 must not the Server Message Block (SMB) v1 protocol installed
|
|
V-205682
|
Medium
|
Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed
|
|
V-253353
|
Medium
|
IPv6 source routing must be configured to highest protection
|
|
V-220795
|
Medium
|
IPv6 source routing must be configured to highest protection
|
|
V-254272
|
Medium
|
Windows Server 2022 must not have Simple TCP/IP Services installed
|
|
V-205680
|
Medium
|
Windows Server 2019 must not have Simple TCP/IP Services installed
|
|
V-253277
|
Medium
|
Simple TCP/IP Services must not be installed on the system
|
|
V-220720
|
Medium
|
Simple TCP/IP Services must not be installed on the system
|
|
V-254288
|
Medium
|
Windows Server 2022 password history must be configured to 24 passwords remembered
|
|
V-205660
|
Medium
|
Windows Server 2019 password history must be configured to 24 passwords remembered
|
|
V-253300
|
Medium
|
The password history must be configured to 24 passwords remembered
|
|
V-220742
|
Medium
|
The password history must be configured to 24 passwords remembered
|
|
V-254258
|
Medium
|
Windows Server 2022 passwords must be configured to expire
|
|
V-205658
|
Medium
|
Windows Server 2019 passwords must be configured to expire
|
|
V-253273
|
Medium
|
Accounts must be configured to require password expiration
|
|
V-220716
|
Medium
|
Accounts must be configured to require password expiration
|
|
V-254377
|
Medium
|
Windows Server 2022 PowerShell script block logging must be enabled
|
|
V-205639
|
Medium
|
Windows Server 2019 PowerShell script block logging must be enabled
|
|
V-253414
|
Medium
|
PowerShell script block logging must be enabled on Windows 11
|
|
V-220860
|
Medium
|
PowerShell script block logging must be enabled on Windows 10
|
|
V-254278
|
Medium
|
Windows Server 2022 must not have Windows PowerShell 2.0 installed
|
|
V-205685
|
Medium
|
Windows Server 2019 must not have Windows PowerShell 2.0 installed
|
|
V-253285
|
Medium
|
The Windows PowerShell 2.0 feature must be disabled on the system
|
|
V-220728
|
Medium
|
The Windows PowerShell 2.0 feature must be disabled on the system
|
|
V-205869
|
Medium
|
Windows Server 2019 Telemetry must be configured to Security or Basic
|
|
V-253393
|
Medium
|
Windows Telemetry must not be configured to Full
|
|
V-220834
|
Medium
|
Windows Telemetry must not be configured to Full
|
|
V-254367
|
Medium
|
Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connec...
|
|
V-205809
|
Medium
|
Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connec...
|
|
V-253404
|
Medium
|
Remote Desktop Services must always prompt a client for passwords upon connection
|
|
V-220850
|
Medium
|
Remote Desktop Services must always prompt a client for passwords upon connection
|
|
V-254369
|
Medium
|
Windows Server 2022 Remote Desktop Services must be configured with the client connection encrypt...
|
|
V-205637
|
Medium
|
Windows Server 2019 Remote Desktop Services must be configured with the client connection encrypt...
|
|
V-253406
|
Medium
|
Remote Desktop Services must be configured with the client connection encryption set to the requi...
|
|
V-220852
|
Medium
|
Remote Desktop Services must be configured with the client connection encryption set to the requi...
|
|
V-260471
|
Medium
|
Ubuntu 22.04 LTS must initiate session audits at system startup
|
|
V-260473
|
Medium
|
Ubuntu 22.04 LTS must disable kernel core dumps so that it can fail to a secure state if system i...
|
|
V-260474
|
Medium
|
Ubuntu 22.04 LTS must implement address space layout randomization to protect its memory from una...
|
|
V-260475
|
Medium
|
Ubuntu 22.04 LTS must implement nonexecutable data to protect its memory from unauthorized code e...
|
|
V-260477
|
Medium
|
Ubuntu 22.04 LTS must be configured so that the Advance Package Tool (APT) removes all software c...
|
|
V-260478
|
Medium
|
Ubuntu 22.04 LTS must have the "libpam-pwquality" package installed
|
|
V-260484
|
Medium
|
Ubuntu 22.04 LTS must implement cryptographic mechanisms to prevent unauthorized disclosure and m...
|
|
V-260485
|
Medium
|
Ubuntu 22.04 LTS must have directories that contain system commands set to a mode of "755" or les...
|
|
V-260486
|
Medium
|
Ubuntu 22.04 LTS must have system commands set to a mode of "755" or less permissive
|
|
V-260487
|
Medium
|
Ubuntu 22.04 LTS library files must have mode "755" or less permissive
|
|
V-260488
|
Medium
|
Ubuntu 22.04 LTS must configure the "/var/log" directory to have mode "755" or less permissive
|
|
V-260489
|
Medium
|
Ubuntu 22.04 LTS must generate error messages that provide information necessary for corrective a...
|
|
V-260490
|
Medium
|
Ubuntu 22.04 LTS must generate system journal entries without revealing information that could be...
|
|
V-260491
|
Medium
|
Ubuntu 22.04 LTS must configure "/var/log/syslog" file with mode "640" or less permissive
|
|
V-260492
|
Medium
|
Ubuntu 22.04 LTS must configure audit tools with a mode of "755" or less permissive
|
|
V-260493
|
Medium
|
Ubuntu 22.04 LTS must have directories that contain system commands owned by "root"
|
|
V-260494
|
Medium
|
Ubuntu 22.04 LTS must have directories that contain system commands group-owned by "root"
|
|
V-260495
|
Medium
|
Ubuntu 22.04 LTS must have system commands owned by "root" or a system account
|
|
V-260496
|
Medium
|
Ubuntu 22.04 LTS must have system commands group-owned by "root" or a system account
|
|
V-260497
|
Medium
|
Ubuntu 22.04 LTS library directories must be owned by "root"
|
|
V-260498
|
Medium
|
Ubuntu 22.04 LTS library directories must be group-owned by "root"
|
|
V-260499
|
Medium
|
Ubuntu 22.04 LTS library files must be owned by "root"
|
|
V-260500
|
Medium
|
Ubuntu 22.04 LTS library files must be group-owned by "root"
|
|
V-260501
|
Medium
|
Ubuntu 22.04 LTS must configure the directories used by the system journal to be owned by "root"
|
|
V-260502
|
Medium
|
Ubuntu 22.04 LTS must configure the directories used by the system journal to be group-owned by "...
|
|
V-260503
|
Medium
|
Ubuntu 22.04 LTS must configure the files used by the system journal to be owned by "root"
|
|
V-260504
|
Medium
|
Ubuntu 22.04 LTS must configure the files used by the system journal to be group-owned by "system...
|
|
V-260505
|
Medium
|
Ubuntu 22.04 LTS must be configured so that the "journalctl" command is owned by "root"
|
|
V-260506
|
Medium
|
Ubuntu 22.04 LTS must be configured so that the "journalctl" command is group-owned by "root"
|
|
V-260507
|
Medium
|
Ubuntu 22.04 LTS must configure audit tools to be owned by "root"
|
|
V-260508
|
Medium
|
Ubuntu 22.04 LTS must configure the "/var/log" directory to be owned by "root"
|
|
V-260509
|
Medium
|
Ubuntu 22.04 LTS must configure the "/var/log" directory to be group-owned by "syslog"
|
|
V-260510
|
Medium
|
Ubuntu 22.04 LTS must configure "/var/log/syslog" file to be owned by "syslog"
|
|
V-260511
|
Medium
|
Ubuntu 22.04 LTS must configure the "/var/log/syslog" file to be group-owned by "adm"
|
|
V-260512
|
Medium
|
Ubuntu 22.04 LTS must be configured so that the "journalctl" command is not accessible by unautho...
|
|
V-260513
|
Medium
|
Ubuntu 22.04 LTS must set a sticky bit on all public directories to prevent unauthorized and unin...
|
|
V-260514
|
Medium
|
Ubuntu 22.04 LTS must have an application firewall installed in order to control remote access me...
|
|
V-260515
|
Medium
|
Ubuntu 22.04 LTS must enable and run the Uncomplicated Firewall (ufw)
|
|
V-260516
|
Medium
|
Ubuntu 22.04 LTS must have an application firewall enabled
|
|
V-260517
|
Medium
|
Ubuntu 22.04 LTS must configure the Uncomplicated Firewall (ufw) to rate-limit impacted network i...
|
|
V-260518
|
Medium
|
Ubuntu 22.04 LTS must be configured to prohibit or restrict the use of functions, ports, protocol...
|
|
V-260522
|
Medium
|
Ubuntu 22.04 LTS must be configured to use TCP syncookies
|
|
V-260533
|
Medium
|
Ubuntu 22.04 LTS SSH server must be configured to use only FIPS-validated key exchange algorithms
|
|
V-260534
|
Medium
|
Ubuntu 22.04 LTS must use strong authenticators in establishing nonlocal maintenance and diagnost...
|
|
V-260537
|
Medium
|
Ubuntu 22.04 LTS must retain a user's session lock until that user reestablishes access using est...
|
|
V-260538
|
Medium
|
Ubuntu 22.04 LTS must initiate a graphical session lock after 15 minutes of inactivity
|
|
V-260540
|
Medium
|
Ubuntu 22.04 LTS must disable automatic mounting of Universal Serial Bus (USB) mass storage driver
|
|
V-260541
|
Medium
|
Ubuntu 22.04 LTS must disable all wireless network adapters
|
|
V-260542
|
Medium
|
Ubuntu 22.04 LTS must prevent direct login into the root account
|
|
V-260543
|
Medium
|
Ubuntu 22.04 LTS must uniquely identify interactive users
|
|
V-260545
|
Medium
|
Ubuntu 22.04 LTS must enforce 24 hours/one day as the minimum password lifetime. Passwords for ne...
|
|
V-260546
|
Medium
|
Ubuntu 22.04 LTS must enforce a 60-day maximum password lifetime restriction. Passwords for new u...
|
|
V-260547
|
Medium
|
Ubuntu 22.04 LTS must disable account identifiers (individuals, groups, roles, and devices) after...
|
|
V-260535
|
Medium
|
Ubuntu 22.04 LTS must enable the graphical user logon banner to display the Standard Mandatory DO...
|
|
V-260548
|
Medium
|
Ubuntu 22.04 LTS must automatically expire temporary accounts within 72 hours
|
|
V-260553
|
Medium
|
Ubuntu 22.04 LTS must allow users to directly initiate a session lock for all connection types
|
|
V-260554
|
Medium
|
Ubuntu 22.04 LTS must automatically exit interactive command shell user sessions after 15 minutes...
|
|
V-260535
|
Medium
|
Ubuntu 22.04 LTS must enable the graphical user logon banner to display the Standard Mandatory DO...
|
|
V-260536
|
Medium
|
Ubuntu 22.04 LTS must display the Standard Mandatory DOD Notice and Consent Banner before grantin...
|
|
V-260555
|
Medium
|
Ubuntu 22.04 LTS default filesystem permissions must be defined in such a way that all authentica...
|
|
V-260556
|
Medium
|
Ubuntu 22.04 LTS must have the "apparmor" package installed
|
|
V-260557
|
Medium
|
Ubuntu 22.04 LTS must be configured to use AppArmor
|
|
V-260558
|
Medium
|
Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing r...
|
|
V-260560
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring at least one uppercase character b...
|
|
V-260561
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring at least one lowercase character b...
|
|
V-260562
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring that at least one numeric characte...
|
|
V-260563
|
Medium
|
Ubuntu 22.04 LTS must enforce password complexity by requiring that at least one special characte...
|
|
V-260564
|
Medium
|
Ubuntu 22.04 LTS must prevent the use of dictionary words for passwords
|
|
V-260565
|
Medium
|
Ubuntu 22.04 LTS must enforce a minimum 15-character password length
|
|
V-260566
|
Medium
|
Ubuntu 22.04 LTS must require the change of at least eight characters when passwords are changed
|
|
V-260567
|
Medium
|
Ubuntu 22.04 LTS must be configured so that when passwords are changed or new passwords are estab...
|
|
V-260569
|
Medium
|
Ubuntu 22.04 LTS must store only encrypted representations of passwords
|
|
V-260572
|
Medium
|
Ubuntu 22.04 LTS must encrypt all stored passwords with a FIPS 140-3-approved cryptographic hashi...
|
|
V-260573
|
Medium
|
Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accoun...
|
|
V-260574
|
Medium
|
Ubuntu 22.04 LTS must accept personal identity verification (PIV) credentials
|
|
V-260575
|
Medium
|
Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and ne...
|
|
V-260576
|
Medium
|
Ubuntu 22.04 LTS must electronically verify personal identity verification (PIV) credentials
|
|
V-260577
|
Medium
|
Ubuntu 22.04 LTS, for PKI-based authentication, must validate certificates by constructing a cert...
|
|
V-260578
|
Medium
|
Ubuntu 22.04 LTS for PKI-based authentication, must implement a local cache of revocation data in...
|
|
V-260580
|
Medium
|
Ubuntu 22.04 LTS must use DOD PKI-established certificate authorities for verification of the est...
|
|
V-260582
|
Medium
|
Ubuntu 22.04 LTS must use a file integrity tool to verify correct operation of all security funct...
|
|
V-260583
|
Medium
|
Ubuntu 22.04 LTS must configure AIDE to perform file integrity checking on the file system
|
|
V-260584
|
Medium
|
Ubuntu 22.04 LTS must notify designated personnel if baseline configurations are changed in an un...
|
|
V-260585
|
Medium
|
Ubuntu 22.04 LTS must be configured so that the script that runs each 30 days or less to check fi...
|
|
V-260586
|
Medium
|
Ubuntu 22.04 LTS must use cryptographic mechanisms to protect the integrity of audit tools
|
|
V-260588
|
Medium
|
Ubuntu 22.04 LTS must be configured to preserve log records from failure events
|
|
V-260589
|
Medium
|
Ubuntu 22.04 LTS must monitor remote access methods
|
|
V-260590
|
Medium
|
Ubuntu 22.04 LTS must have the "auditd" package installed
|
|
V-260591
|
Medium
|
Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when,...
|
|
V-260594
|
Medium
|
Ubuntu 22.04 LTS must shut down by default upon audit failure
|
|
V-260597
|
Medium
|
Ubuntu 22.04 LTS must be configured so that audit log files are not read- or write-accessible by ...
|
|
V-260598
|
Medium
|
Ubuntu 22.04 LTS must be configured to permit only authorized users ownership of the audit log files
|
|
V-260599
|
Medium
|
Ubuntu 22.04 LTS must permit only authorized groups ownership of the audit log files
|
|
V-260600
|
Medium
|
Ubuntu 22.04 LTS must be configured so that the audit log directory is not write-accessible by un...
|
|
V-260601
|
Medium
|
Ubuntu 22.04 LTS must be configured so that audit configuration files are not write-accessible by...
|
|
V-260602
|
Medium
|
Ubuntu 22.04 LTS must permit only authorized accounts to own the audit configuration files
|
|
V-260603
|
Medium
|
Ubuntu 22.04 LTS must permit only authorized groups to own the audit configuration files
|
|
V-260604
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the apparmor_par...
|
|
V-260605
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chacl command
|
|
V-260606
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chage command
|
|
V-260607
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chcon command
|
|
V-260608
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chfn command
|
|
V-260609
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chsh command
|
|
V-260610
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the crontab command
|
|
V-260611
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful attempts to use the fdis...
|
|
V-260612
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the gpasswd command
|
|
V-260613
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful attempts to use the kmod...
|
|
V-260613
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful attempts to use the kmod...
|
|
V-260614
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful attempts to use modprobe...
|
|
V-260615
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the mount command
|
|
V-260616
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the newgrp command
|
|
V-260617
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the pam_timestam...
|
|
V-260618
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the passwd command
|
|
V-260619
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the setfacl command
|
|
V-260620
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the ssh-agent co...
|
|
V-260621
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the ssh-keysign ...
|
|
V-260622
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the su command
|
|
V-260623
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the sudo command
|
|
V-260624
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the sudoedit com...
|
|
V-260625
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the umount command
|
|
V-260626
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the unix_update ...
|
|
V-260627
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the usermod command
|
|
V-260628
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling,...
|
|
V-260629
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling,...
|
|
V-260630
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling,...
|
|
V-260631
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling,...
|
|
V-260632
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all account creations, modifications, disabling,...
|
|
V-260633
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chmod, fchmo...
|
|
V-260634
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the chown, fchow...
|
|
V-260635
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the creat, open,...
|
|
V-260636
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the delete_modul...
|
|
V-260637
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful uses of the init_module ...
|
|
V-260638
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for any use of the setxattr, fsetxattr, lsetxattr, r...
|
|
V-260639
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for any successful/unsuccessful use of unlink, unlin...
|
|
V-260640
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for all events that affect the systemd journal files
|
|
V-260641
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for the /var/log/btmp file
|
|
V-260642
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for the /var/log/wtmp file
|
|
V-260643
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for the /var/run/utmp file
|
|
V-260644
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for the use and modification of faillog file
|
|
V-260645
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for the use and modification of the lastlog file
|
|
V-260646
|
Medium
|
Ubuntu 22.04 LTS must generate audit records when successful/unsuccessful attempts to modify the ...
|
|
V-260647
|
Medium
|
Ubuntu 22.04 LTS must generate audit records when successful/unsuccessful attempts to modify the ...
|
|
V-260648
|
Medium
|
Ubuntu 22.04 LTS must prevent all software from executing at higher privilege levels than users e...
|
|
V-260649
|
Medium
|
Ubuntu 22.04 LTS must generate audit records for privileged activities, nonlocal maintenance, dia...
|
|
V-254365
|
Medium
|
Windows Server 2022 must not save passwords in the Remote Desktop Client
|
|
V-205808
|
Medium
|
Windows Server 2019 must not save passwords in the Remote Desktop Client
|
|
V-253402
|
Medium
|
Passwords must not be saved in the Remote Desktop Client
|
|
V-220848
|
Medium
|
Passwords must not be saved in the Remote Desktop Client
|
|
V-254366
|
Medium
|
Windows Server 2022 Remote Desktop Services must prevent drive redirection
|
|
V-205722
|
Medium
|
Windows Server 2019 Remote Desktop Services must prevent drive redirection
|
|
V-224820
|
Medium
|
Passwords for the built-in Administrator account must be changed at least every 60 days
|
|
V-224822
|
Medium
|
Members of the Backup Operators group must have separate accounts for backup duties and normal op...
|
|
V-224823
|
Medium
|
Manually managed application account passwords must be at least 14 characters in length
|
|
V-224824
|
Medium
|
Manually managed application account passwords must be changed at least annually or when a system...
|
|
V-224825
|
Medium
|
Shared user accounts must not be permitted on the system
|
|
V-224826
|
Medium
|
Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of ...
|
|
V-224827
|
Medium
|
Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and r...
|
|
V-224830
|
Medium
|
Servers must have a host-based intrusion detection or prevention system
|
|
V-224832
|
Medium
|
Permissions for the system drive root directory (usually C:\) must conform to minimum requirements
|
|
V-224833
|
Medium
|
Permissions for program file directories must conform to minimum requirements
|
|
V-224834
|
Medium
|
Permissions for the Windows installation directory must conform to minimum requirements
|
|
V-224835
|
Medium
|
Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained
|
|
V-224837
|
Medium
|
Outdated or unused accounts must be removed from the system or disabled
|
|
V-224838
|
Medium
|
Windows Server 2016 accounts must require passwords
|
|
V-224839
|
Medium
|
Passwords must be configured to expire
|
|
V-224840
|
Medium
|
System files must be monitored for unauthorized changes
|
|
V-224841
|
Medium
|
Non-system-created file shares on a system must limit access to groups that require it
|
|
V-254368
|
Medium
|
Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) commu...
|
|
V-205636
|
Medium
|
Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) commu...
|
|
V-254431
|
Medium
|
Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connec...
|
|
V-205814
|
Medium
|
Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connec...
|
|
V-253383
|
Medium
|
Unauthenticated RPC clients must be restricted from connecting to the RPC server
|
|
V-220824
|
Medium
|
Unauthenticated RPC clients must be restricted from connecting to the RPC server
|
|
V-254379
|
Medium
|
Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-205816
|
Medium
|
Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-253417
|
Medium
|
The Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-220863
|
Medium
|
The Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-224842
|
Medium
|
Software certificate installation files must be removed from Windows Server 2016
|
|
V-224844
|
Medium
|
Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner ha...
|
|
V-224845
|
Medium
|
The roles and features required by the system must be documented
|
|
V-224846
|
Medium
|
A host-based firewall must be installed and enabled on the system
|
|
V-224847
|
Medium
|
Windows Server 2016 must employ automated mechanisms to determine the state of system components ...
|
|
V-224848
|
Medium
|
Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours
|
|
V-224849
|
Medium
|
Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is r...
|
|
V-224850
|
Medium
|
The Fax Server role must not be installed
|
|
V-224851
|
Medium
|
The Microsoft FTP service must not be installed unless required
|
|
V-224852
|
Medium
|
The Peer Name Resolution Protocol must not be installed
|
|
V-224853
|
Medium
|
Simple TCP/IP Services must not be installed
|
|
V-224854
|
Medium
|
The Telnet Client must not be installed
|
|
V-224855
|
Medium
|
The TFTP Client must not be installed
|
|
V-224856
|
Medium
|
The Server Message Block (SMB) v1 protocol must be uninstalled
|
|
V-224857
|
Medium
|
The Server Message Block (SMB) v1 protocol must be disabled on the SMB server
|
|
V-224858
|
Medium
|
The Server Message Block (SMB) v1 protocol must be disabled on the SMB client
|
|
V-224859
|
Medium
|
Windows PowerShell 2.0 must not be installed
|
|
V-224860
|
Medium
|
FTP servers must be configured to prevent anonymous logons
|
|
V-224861
|
Medium
|
FTP servers must be configured to prevent access to the system drive
|
|
V-224863
|
Medium
|
Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016
|
|
V-224866
|
Medium
|
Windows 2016 account lockout duration must be configured to 15 minutes or greater
|
|
V-254380
|
Medium
|
Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-205712
|
Medium
|
Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-253421
|
Medium
|
The Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-220868
|
Medium
|
The Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-253426
|
Medium
|
Windows 11 Kernel (Direct Memory Access) DMA Protection must be enabled
|
|
V-220902
|
Medium
|
Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled
|
|
V-224867
|
Medium
|
Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less
|
|
V-224868
|
Medium
|
Windows Server 2016 must have the period of time before the bad logon counter is reset configured...
|
|
V-224869
|
Medium
|
Windows Server 2016 password history must be configured to 24 passwords remembered
|
|
V-224870
|
Medium
|
Windows Server 2016 maximum password age must be configured to 60 days or less
|
|
V-224871
|
Medium
|
Windows Server 2016 minimum password age must be configured to at least one day
|
|
V-224872
|
Medium
|
Windows Server 2016 minimum password length must be configured to 14 characters
|
|
V-224873
|
Medium
|
Windows Server 2016 must have the built-in Windows password complexity policy enabled
|
|
V-224875
|
Medium
|
Audit records must be backed up to a different system or media than the system being audited
|
|
V-224876
|
Medium
|
Windows Server 2016 must, at a minimum, offload audit records of interconnected systems in real t...
|
|
V-224877
|
Medium
|
Permissions for the Application event log must prevent access by non-privileged accounts
|
|
V-224878
|
Medium
|
Permissions for the Security event log must prevent access by non-privileged accounts
|
|
V-224879
|
Medium
|
Permissions for the System event log must prevent access by non-privileged accounts
|
|
V-218822
|
Medium
|
The IIS 10.0 web server must maintain the confidentiality of controlled information during transm...
|
|
V-218821
|
Medium
|
An IIS 10.0 web server must maintain the confidentiality of controlled information during transmi...
|
|
V-254263
|
Medium
|
Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if th...
|
|
V-205829
|
Medium
|
Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if th...
|
|
V-254343
|
Medium
|
Windows Server 2022 virtualization-based security must be enabled with the platform security leve...
|
|
V-205864
|
Medium
|
Windows Server 2019 virtualization-based security must be enabled with the platform security leve...
|
|
V-253369
|
Medium
|
Virtualization-based Security must be enabled on Windows 11 with the platform security level conf...
Compliance
|
|
V-220811
|
Medium
|
Virtualization Based Security must be enabled on Windows 10 with the platform security level conf...
|
|
V-224880
|
Medium
|
Event Viewer must be protected from unauthorized modification and deletion
|
|
V-224881
|
Medium
|
Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes
|
|
V-224882
|
Medium
|
Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures
|
|
V-224883
|
Medium
|
Windows Server 2016 must be configured to audit Account Management - Other Account Management Eve...
|
|
V-224884
|
Medium
|
Windows Server 2016 must be configured to audit Account Management - Security Group Management su...
|
|
V-224885
|
Medium
|
Windows Server 2016 must be configured to audit Account Management - User Account Management succ...
|
|
V-224886
|
Medium
|
Windows Server 2016 must be configured to audit Account Management - User Account Management fail...
|
|
V-224887
|
Medium
|
Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes
|
|
V-224888
|
Medium
|
Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes
|
|
V-224890
|
Medium
|
Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures
|
|
V-224891
|
Medium
|
Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes
|
|
V-224892
|
Medium
|
Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes
|
|
V-224893
|
Medium
|
Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes
|
|
V-224894
|
Medium
|
Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures
|
|
V-224895
|
Medium
|
Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes
|
|
V-224896
|
Medium
|
Windows 2016 must be configured to audit Object Access - Other Object Access Events successes
|
|
V-224897
|
Medium
|
Windows 2016 must be configured to audit Object Access - Other Object Access Events failures
|
|
V-224898
|
Medium
|
Windows Server 2016 must be configured to audit Object Access - Removable Storage successes
|
|
V-224899
|
Medium
|
Windows Server 2016 must be configured to audit Object Access - Removable Storage failures
|
|
V-224900
|
Medium
|
Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes
|
|
V-224901
|
Medium
|
Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures
|
|
V-224902
|
Medium
|
Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change succ...
|
|
V-224903
|
Medium
|
Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change succe...
|
|
V-224904
|
Medium
|
Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes
|
|
V-224905
|
Medium
|
Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures
|
|
V-224906
|
Medium
|
Windows Server 2016 must be configured to audit System - IPsec Driver successes
|
|
V-224907
|
Medium
|
Windows Server 2016 must be configured to audit System - IPsec Driver failures
|
|
V-224908
|
Medium
|
Windows Server 2016 must be configured to audit System - Other System Events successes
|
|
V-224909
|
Medium
|
Windows Server 2016 must be configured to audit System - Other System Events failures
|
|
V-224910
|
Medium
|
Windows Server 2016 must be configured to audit System - Security State Change successes
|
|
V-224911
|
Medium
|
Windows Server 2016 must be configured to audit System - Security System Extension successes
|
|
V-224912
|
Medium
|
Windows Server 2016 must be configured to audit System - System Integrity successes
|
|
V-224913
|
Medium
|
Windows Server 2016 must be configured to audit System - System Integrity failures
|
|
V-224914
|
Medium
|
The display of slide shows on the lock screen must be disabled
|
|
V-224915
|
Medium
|
WDigest Authentication must be disabled on Windows Server 2016
|
|
V-224920
|
Medium
|
Insecure logons to an SMB server must be disabled
|
|
V-224921
|
Medium
|
Hardened UNC paths must be defined to require mutual authentication and integrity for at least th...
|
|
V-224922
|
Medium
|
Command line data must be included in process creation events
|
|
V-224923
|
Medium
|
Windows Server 2016 virtualization-based security must be enabled with the platform security leve...
|
|
V-224924
|
Medium
|
Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers ident...
|
|
V-224925
|
Medium
|
Group Policy objects must be reprocessed even if they have not changed
|
|
V-224926
|
Medium
|
Downloading print driver packages over HTTP must be prevented
|
|
V-224927
|
Medium
|
Printing over HTTP must be prevented
|
|
V-224928
|
Medium
|
The network selection user interface (UI) must not be displayed on the logon screen
|
|
V-224929
|
Medium
|
Users must be prompted to authenticate when the system wakes from sleep (on battery)
|
|
V-224930
|
Medium
|
Users must be prompted to authenticate when the system wakes from sleep (plugged in)
|
|
V-224935
|
Medium
|
Administrator accounts must not be enumerated during elevation
|
|
V-224936
|
Medium
|
Windows Telemetry must be configured to Security or Basic
|
|
V-224937
|
Medium
|
The Application event log size must be configured to 32768 KB or greater
|
|
V-224938
|
Medium
|
The Security event log size must be configured to 196608 KB or greater
|
|
V-224939
|
Medium
|
The System event log size must be configured to 32768 KB or greater
|
|
V-224940
|
Medium
|
Windows Server 2016 Windows SmartScreen must be enabled
|
|
V-224941
|
Medium
|
Explorer Data Execution Prevention must be enabled
|
|
V-224943
|
Medium
|
File Explorer shell protocol must run in protected mode
|
|
V-224944
|
Medium
|
Passwords must not be saved in the Remote Desktop Client
|
|
V-224945
|
Medium
|
Local drives must be prevented from sharing with Remote Desktop Session Hosts
|
|
V-224946
|
Medium
|
Remote Desktop Services must always prompt a client for passwords upon connection
|
|
V-224947
|
Medium
|
The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications
|
|
V-224948
|
Medium
|
Remote Desktop Services must be configured with the client connection encryption set to High Level
|
|
V-224949
|
Medium
|
Attachments must be prevented from being downloaded from RSS feeds
|
|
V-236000
|
Medium
|
The Windows Explorer Preview pane must be disabled for Windows Server 2016
|
|
V-224951
|
Medium
|
Basic authentication for RSS feeds over HTTP must not be used
|
|
V-224952
|
Medium
|
Indexing of encrypted files must be turned off
|
|
V-224953
|
Medium
|
Users must be prevented from changing installation options
|
|
V-224955
|
Medium
|
Users must be notified if a web-based program attempts to install software
|
|
V-224956
|
Medium
|
Automatically signing in the last interactive user after a system-initiated restart must be disabled
|
|
V-224957
|
Medium
|
PowerShell script block logging must be enabled
|
|
V-224959
|
Medium
|
The Windows Remote Management (WinRM) client must not allow unencrypted traffic
|
|
V-224960
|
Medium
|
The Windows Remote Management (WinRM) client must not use Digest authentication
|
|
V-224962
|
Medium
|
The Windows Remote Management (WinRM) service must not allow unencrypted traffic
|
|
V-224963
|
Medium
|
The Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-257502
|
Medium
|
Windows Server 2016 must have PowerShell Transcription enabled
|
|
V-224965
|
Medium
|
Kerberos user logon restrictions must be enforced
|
|
V-224966
|
Medium
|
The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less
|
|
V-224967
|
Medium
|
The Kerberos user ticket lifetime must be limited to 10 hours or less
|
|
V-224968
|
Medium
|
The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less
|
|
V-224969
|
Medium
|
The computer clock synchronization tolerance must be limited to 5 minutes or less
|
|
V-224975
|
Medium
|
Data files owned by users must be on a different logical partition from the directory server data...
|
|
V-224976
|
Medium
|
Domain controllers must run on a machine dedicated to that function
|
|
V-224977
|
Medium
|
Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transi...
|
|
V-224980
|
Medium
|
Active Directory Group Policy objects must be configured with proper audit settings
|
|
V-224981
|
Medium
|
The Active Directory Domain object must be configured with proper audit settings
|
|
V-224982
|
Medium
|
The Active Directory Infrastructure object must be configured with proper audit settings
|
|
V-224983
|
Medium
|
The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with p...
|
|
V-224984
|
Medium
|
The Active Directory AdminSDHolder object must be configured with proper audit settings
|
|
V-224985
|
Medium
|
The Active Directory RID Manager$ object must be configured with proper audit settings
|
|
V-224986
|
Medium
|
Windows Server 2016 must be configured to audit Account Management - Computer Account Management ...
|
|
V-224987
|
Medium
|
Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes
|
|
V-224988
|
Medium
|
Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures
|
|
V-224989
|
Medium
|
Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes
|
|
V-224991
|
Medium
|
Domain controllers must have a PKI server certificate
|
|
V-224994
|
Medium
|
Active Directory user accounts, including administrators, must be configured to require the use o...
|
|
V-254373
|
Medium
|
Windows Server 2022 must prevent users from changing installation options
|
|
V-205801
|
Medium
|
Windows Server 2019 must prevent users from changing installation options
|
|
V-253410
|
Medium
|
Users must be prevented from changing installation options
|
|
V-220856
|
Medium
|
Users must be prevented from changing installation options
|
|
V-254375
|
Medium
|
Windows Server 2022 users must be notified if a web-based program attempts to install software
|
|
V-205874
|
Medium
|
Windows Server 2019 users must be notified if a web-based program attempts to install software
|
|
V-253412
|
Medium
|
Users must be notified if a web-based program attempts to install software
|
|
V-220858
|
Medium
|
Users must be notified if a web-based program attempts to install software
|
|
V-254362
|
Medium
|
Windows Server 2022 Explorer Data Execution Prevention must be enabled
|
|
V-205830
|
Medium
|
Windows Server 2019 Explorer Data Execution Prevention must be enabled
|
|
V-253396
|
Medium
|
Explorer Data Execution Prevention must be enabled
|
|
V-220837
|
Medium
|
Explorer Data Execution Prevention must be enabled
|
|
V-254442
|
Medium
|
Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in t...
|
|
V-205648
|
Medium
|
Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in t...
|
|
V-253427
|
Medium
|
The DoD Root CA certificates must be installed in the Trusted Root Store
|
|
V-220903
|
Medium
|
The DoD Root CA certificates must be installed in the Trusted Root Store
|
|
V-254269
|
Medium
|
Windows Server 2022 must not have the Fax Server role installed
|
|
V-205678
|
Medium
|
Windows Server 2019 must not have the Fax Server role installed
|
|
V-254270
|
Medium
|
Windows Server 2022 must not have the Microsoft FTP service installed unless required by the orga...
|
|
V-205697
|
Medium
|
Windows Server 2019 must not have the Microsoft FTP service installed unless required by the orga...
|
|
V-254271
|
Medium
|
Windows Server 2022 must not have the Peer Name Resolution Protocol installed
|
|
V-205679
|
Medium
|
Windows Server 2019 must not have the Peer Name Resolution Protocol installed
|
|
V-254273
|
Medium
|
Windows Server 2022 must not have the Telnet Client installed
|
|
V-205698
|
Medium
|
Windows Server 2019 must not have the Telnet Client installed
|
|
V-253278
|
Medium
|
The Telnet Client must not be installed on the system
|
|
V-220721
|
Medium
|
The Telnet Client must not be installed on the system
|
|
V-254274
|
Medium
|
Windows Server 2022 must not have the TFTP Client installed
|
|
V-205681
|
Medium
|
Windows Server 2019 must not have the TFTP Client installed
|
|
V-253279
|
Medium
|
The TFTP Client must not be installed on the system
|
|
V-220722
|
Medium
|
The TFTP Client must not be installed on the system
|
|
V-254284
|
Medium
|
Windows Server 2022 must have Secure Boot enabled
|
|
V-253257
|
Medium
|
Secure Boot must be enabled on Windows 11 systems
|
|
V-224995
|
Medium
|
Domain controllers must require LDAP access signing
|
|
V-224996
|
Medium
|
Domain controllers must be configured to allow reset of machine account passwords
|
|
V-224997
|
Medium
|
The Access this computer from the network user right must only be assigned to the Administrators,...
|
|
V-224998
|
Medium
|
The Add workstations to domain user right must only be assigned to the Administrators group
|
|
V-224999
|
Medium
|
The Allow log on through Remote Desktop Services user right must only be assigned to the Administ...
|
|
V-225000
|
Medium
|
The Deny access to this computer from the network user right on domain controllers must be config...
|
|
V-225001
|
Medium
|
The Deny log on as a batch job user right on domain controllers must be configured to prevent una...
|
|
V-225002
|
Medium
|
The Deny log on as a service user right must be configured to include no accounts or groups (blan...
|
|
V-225003
|
Medium
|
The Deny log on locally user right on domain controllers must be configured to prevent unauthenti...
|
|
V-225004
|
Medium
|
The Deny log on through Remote Desktop Services user right on domain controllers must be configur...
|
|
V-225005
|
Medium
|
The Enable computer and user accounts to be trusted for delegation user right must only be assign...
|
|
V-225006
|
Medium
|
The password for the krbtgt account on a domain must be reset at least every 180 days
|
|
V-225008
|
Medium
|
Local administrator accounts must have their privileged token filtered to prevent elevated privil...
|
|
V-225009
|
Medium
|
Local users on domain-joined computers must not be enumerated
|
|
V-225010
|
Medium
|
Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC...
|
|
V-225011
|
Medium
|
Caching of logon credentials must be limited
|
|
V-225013
|
Medium
|
Remote calls to the Security Account Manager (SAM) must be restricted to Administrators
|
|
V-225014
|
Medium
|
The "Access this computer from the network" user right must only be assigned to the Administrator...
|
|
V-225015
|
Medium
|
The "Deny access to this computer from the network" user right on member servers must be configur...
|
|
V-225016
|
Medium
|
The "Deny log on as a batch job" user right on member servers must be configured to prevent acces...
|
|
V-225017
|
Medium
|
The "Deny log on as a service" user right on member servers must be configured to prevent access ...
|
|
V-225018
|
Medium
|
The "Deny log on locally" user right on member servers must be configured to prevent access from ...
|
|
V-225019
|
Medium
|
The "Deny log on through Remote Desktop Services" user right on member servers must be configured...
|
|
V-225020
|
Medium
|
The "Enable computer and user accounts to be trusted for delegation" user right must not be assig...
|
|
V-225021
|
Medium
|
The DoD Root CA certificates must be installed in the Trusted Root Store
|
|
V-225022
|
Medium
|
The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificat...
|
|
V-225023
|
Medium
|
The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Ce...
|
|
V-225024
|
Medium
|
Windows Server 2016 built-in guest account must be disabled
|
|
V-225026
|
Medium
|
Windows Server 2016 built-in administrator account must be renamed
|
|
V-225027
|
Medium
|
Windows Server 2016 built-in guest account must be renamed
|
|
V-225028
|
Medium
|
Audit policy using subcategories must be enabled
|
|
V-225029
|
Medium
|
The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configu...
|
|
V-225030
|
Medium
|
The setting Domain member: Digitally encrypt secure channel data (when possible) must be configur...
|
|
V-225031
|
Medium
|
The setting Domain member: Digitally sign secure channel data (when possible) must be configured ...
|
|
V-225032
|
Medium
|
The computer account password must not be prevented from being reset
|
|
V-225033
|
Medium
|
The maximum age for machine account passwords must be configured to 30 days or less
|
|
V-225034
|
Medium
|
Windows Server 2016 must be configured to require a strong session key
|
|
V-225035
|
Medium
|
The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver
|
|
V-225036
|
Medium
|
The required legal notice must be configured to display before console logon
|
|
V-225038
|
Medium
|
The Smart Card removal option must be configured to Force Logoff or Lock Workstation
|
|
V-225039
|
Medium
|
The setting Microsoft network client: Digitally sign communications (always) must be configured t...
|
|
V-225040
|
Medium
|
The setting Microsoft network client: Digitally sign communications (if server agrees) must be co...
|
|
V-225041
|
Medium
|
Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers
|
|
V-225042
|
Medium
|
The setting Microsoft network server: Digitally sign communications (always) must be configured t...
|
|
V-225043
|
Medium
|
The setting Microsoft network server: Digitally sign communications (if client agrees) must be co...
|
|
V-225047
|
Medium
|
Windows Server 2016 must be configured to prevent anonymous users from having the same permission...
|
|
V-225093
|
Medium
|
The Take ownership of files or other objects user right must only be assigned to the Administrato...
|
|
V-254383
|
Medium
|
Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-205810
|
Medium
|
Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-253420
|
Medium
|
The Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-220867
|
Medium
|
The Windows Remote Management (WinRM) service must not store RunAs credentials
|
|
V-254382
|
Medium
|
Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic
|
|
V-205817
|
Medium
|
Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic
|
|
V-253419
|
Medium
|
The Windows Remote Management (WinRM) service must not allow unencrypted traffic
|
|
V-254238
|
Medium
|
Windows Server 2022 users with Administrative privileges must have separate accounts for administ...
|
|
V-254239
|
Medium
|
Windows Server 2022 passwords for the built-in Administrator account must be changed at least eve...
|
|
V-205657
|
Medium
|
Windows Server 2019 passwords for the built-in Administrator account must be changed at least eve...
|
|
V-253476
|
Medium
|
Passwords for enabled local Administrator accounts must be changed at least every 60 days
|
|
V-220952
|
Medium
|
Passwords for enabled local Administrator accounts must be changed at least every 60 days
|
|
V-254241
|
Medium
|
Windows Server 2022 members of the Backup Operators group must have separate accounts for backup ...
|
|
V-205846
|
Medium
|
Windows Server 2019 members of the Backup Operators group must have separate accounts for backup ...
|
|
V-253270
|
Medium
|
Only accounts responsible for the backup operations must be members of the Backup Operators group
|
|
V-220713
|
Medium
|
Only accounts responsible for the backup operations must be members of the Backup Operators group
|
|
V-254242
|
Medium
|
Windows Server 2022 manually managed application account passwords must be at least 14 characters...
|
|
V-205661
|
Medium
|
Windows Server 2019 manually managed application account passwords must be at least 14 characters...
|
|
V-254243
|
Medium
|
Windows Server 2022 manually managed application account passwords must be changed at least annua...
|
|
V-205847
|
Medium
|
Windows Server 2019 manually managed application account passwords must be changed at least annua...
|
|
V-254244
|
Medium
|
Windows Server 2022 shared user accounts must not be permitted
|
|
V-205699
|
Medium
|
Windows Server 2019 shared user accounts must not be permitted
|
|
V-254245
|
Medium
|
Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of ...
|
|
V-205807
|
Medium
|
Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of ...
|
|
V-253262
|
Medium
|
The operating system must employ a deny-all, permit-by-exception policy to allow the execution of...
|
|
V-220705
|
Medium
|
The operating system must employ a deny-all, permit-by-exception policy to allow the execution of...
|
|
V-254246
|
Medium
|
Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and r...
|
|
V-205848
|
Medium
|
Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and r...
|
|
V-253255
|
Medium
|
Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled
|
|
V-220698
|
Medium
|
Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use
|
|
V-263646
|
Medium
|
The DNS server implementation must compare the internal system clocks on an organization-defined ...
|
|
V-263645
|
Medium
|
The DNS server implementation must synchronize system clocks within and between systems or system...
|
|
V-263644
|
Medium
|
The DNS server implementation must provide protected storage for cryptographic keys with organiza...
|
|
V-263643
|
Medium
|
The DNS server implementation must include only approved trust anchors in trust stores or certifi...
|
|
V-263642
|
Medium
|
The DNS server implementation must protect nonlocal maintenance sessions by separating the mainte...
|
|
V-263641
|
Medium
|
The DNS server implementation must, for public key-based authentication, implement a local cache ...
|
|
V-263640
|
Medium
|
The DNS server implementation must, for password-based authentication, enforce organization-defin...
|
|
V-263639
|
Medium
|
The DNS server implementation must, for password-based authentication, employ automated tools to ...
|
|
V-263638
|
Medium
|
The DNS server implementation must, for password-based authentication, allow user selection of lo...
|
|
V-263637
|
Medium
|
The DNS server implementation must, for password-based authentication, require immediate selectio...
|
|
V-263636
|
Medium
|
The DNS server implementation must, for password-based authentication, store passwords using an a...
|
|
V-263635
|
Medium
|
The DNS server implementation must, for password-based authentication, verify when users create o...
|
|
V-263634
|
Medium
|
The DNS server implementation must, for password-based authentication, update the list of passwor...
|
|
V-263633
|
Medium
|
The DNS server implementation must, for password-based authentication, update the list of passwor...
|
|
V-263632
|
Medium
|
The DNS server implementation must, for password-based authentication, maintain a list of commonl...
|
|
V-263631
|
Medium
|
The DNS server implementation must implement multifactor authentication for local; network; and/o...
|
|
V-263630
|
Medium
|
The DNS server implementation must implement multifactor authentication for local; network; and/o...
|
|
V-263629
|
Medium
|
The DNS server implementation must require users to be individually authenticated before granting...
|
|
V-263628
|
Medium
|
The DNS server implementation must prevent the installation of organization-defined software and ...
|
|
V-263627
|
Medium
|
The DNS server implementation must automatically generate audit records of the enforcement actions.
|
|
V-263626
|
Medium
|
The DNS server implementation must alert organization-defined personnel or roles upon detection o...
|
|
V-263625
|
Medium
|
The DNS server implementation must implement the capability to centrally review and analyze audit...
|
|
V-263624
|
Medium
|
The DNS server implementation must disable accounts when the accounts are no longer associated to...
|
|
V-263623
|
Medium
|
The DNS server implementation must disable accounts when the accounts have expired.
|
|
V-220317
|
Medium
|
All authoritative name servers for a zone must be geographically disbursed.
|
|
V-220316
|
Medium
|
A unique TSIG key must be generated for each pair of communicating hosts.
|
|
V-205253
|
Medium
|
The DNS server implementation must be configured in accordance with the security configuration se...
|
|
V-205252
|
Medium
|
CNAME records must not point to a zone with lesser security for more than six months.
|
|
V-205251
|
Medium
|
A zone file must not include resource records that resolve to a fully qualified domain name resid...
|
|
V-205250
|
Medium
|
The private keys corresponding to both the ZSK and the KSK must not be kept on the DNSSEC-aware p...
|
|
V-205249
|
Medium
|
The private key corresponding to the ZSK, stored on name servers accepting dynamic updates, must ...
|
|
V-205248
|
Medium
|
The platform on which the name server software is hosted must be configured to send outgoing DNS ...
|
|
V-205247
|
Medium
|
The platform on which the name server software is hosted must be configured to respond to DNS tra...
|
|
V-205246
|
Medium
|
The IP address for hidden master authoritative name servers must not appear in the name servers s...
|
|
V-205245
|
Medium
|
The DNS Name Server software must run with restricted privileges.
|
|
V-205244
|
Medium
|
The DNS name server software must be at the latest version.
|
|
V-205243
|
Medium
|
The DNS must utilize valid root name servers in the local root zone file.
|
|
V-205242
|
Medium
|
The DNS implementation must implement internal/external role separation.
|
|
V-205241
|
Medium
|
The DNS implementation must enforce a Discretionary Access Control (DAC) policy that limits propa...
|
|
V-205240
|
Medium
|
The DNS implementation must be conformant to the IETF DNS specification.
|
|
V-205239
|
Medium
|
Primary authoritative name servers must be configured to only receive zone transfer requests from...
|
|
V-205238
|
Medium
|
In a split DNS configuration, where separate name servers are used between the external and inter...
|
|
V-205237
|
Medium
|
In a split DNS configuration, where separate name servers are used between the external and inter...
|
|
V-205236
|
Medium
|
For zones split between the external and internal sides of a network, the RRs for the external ho...
|
|
V-205235
|
Medium
|
Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible.
|
|
V-205234
|
Medium
|
An authoritative name server must be configured to enable DNSSEC Resource Records.
|
|
V-205233
|
Medium
|
All authoritative name servers for a zone must have the same version of zone information.
|
|
V-205232
|
Medium
|
All authoritative name servers for a zone must be located on different network segments.
|
|
V-205231
|
Medium
|
The two files generated by the dnssec-keygen program must be made accessible only to the server a...
|
|
V-205230
|
Medium
|
The DNS implementation must ensure each NS record in a zone file points to an active name server ...
|
|
V-205229
|
Medium
|
NSEC3 must be used for all internal DNS zones.
|
|
V-205228
|
Medium
|
The validity period for the RRSIGs covering a zones DNSKEY RRSet must be no less than two days an...
|
|
V-205227
|
Medium
|
The salt value for zones signed using NSEC3 RRs must be changed every time the zone is completely...
|
|
V-205226
|
Medium
|
The DNS server must implement NIST FIPS-validated cryptography for provisioning digital signature...
|
|
V-205225
|
Medium
|
The DNS implementation must generate audit records for the success and failure of all name server...
|
|
V-205224
|
Medium
|
The DNS implementation must generate audit records for the success and failure of start and stop ...
|
|
V-205223
|
Medium
|
The DNS server implementation must log the event and notify the system administrator when anomali...
|
|
V-205222
|
Medium
|
The DNS server implementation must perform verification of the correct operation of security func...
|
|
V-205221
|
Medium
|
The DNS server implementation must follow procedures to re-role a secondary name server as the ma...
|
|
V-205220
|
Medium
|
The DNS server implementation must behave in a predictable and documented manner that reflects or...
|
|
V-205219
|
Medium
|
The DNS server implementation must maintain the integrity of information during reception.
|
|
V-205218
|
Medium
|
The DNS server implementation must maintain the integrity of information during preparation for t...
|
|
V-205217
|
Medium
|
The DNS server implementation must implement cryptographic mechanisms to detect changes to inform...
|
|
V-205213
|
Medium
|
If the DNS server is using SIG(0), the DNS server implementation must only allow the use of DoD P...
|
|
V-205212
|
Medium
|
A DNS server implementation must perform data origin verification authentication on the name/addr...
|
|
V-205211
|
Medium
|
A DNS server implementation must perform data integrity verification on the name/address resoluti...
|
|
V-205210
|
Medium
|
A DNS server implementation must request data integrity verification on the name/address resoluti...
|
|
V-205209
|
Medium
|
A DNS server implementation must request data origin authentication verification on the name/addr...
|
|
V-205208
|
Medium
|
A DNS server implementation must provide additional integrity artifacts along with the authoritat...
|
|
V-205207
|
Medium
|
A DNS server implementation must provide data integrity protection artifacts for internal name/ad...
|
|
V-205206
|
Medium
|
A DNS server implementation must provide data origin artifacts for internal name/address resoluti...
|
|
V-205205
|
Medium
|
The DNS server implementation, for PKI-based authentication, must implement a local cache of revo...
|
|
V-205204
|
Medium
|
The DNS server implementation must authenticate another DNS server before establishing a remote a...
|
|
V-205203
|
Medium
|
The DNS server implementation must authenticate the other DNS server before responding to a serve...
|
|
V-205201
|
Medium
|
The DNS implementation must prohibit recursion on authoritative name servers.
|
|
V-205199
|
Medium
|
In the event of an error when validating the binding of another DNS servers identity to the DNS i...
|
|
V-205198
|
Medium
|
The DNS server implementation must validate the binding of the other DNS servers identity to the ...
|
|
V-205197
|
Medium
|
The DNS server implementation must provide the means for authorized individuals to determine the ...
|
|
V-205196
|
Medium
|
The DNS server implementation must strongly bind the identity of the DNS server with the DNS info...
|
|
V-205193
|
Medium
|
The DNS server implementation must be configured to generate audit records for failed security ve...
|
|
V-205192
|
Medium
|
The DNS server implementation must, when a component failure is detected, activate a notification...
|
|
V-205191
|
Medium
|
The DNS server implementation must check the validity of all data inputs except those specificall...
|
|
V-205190
|
Medium
|
The DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limi...
|
|
V-205189
|
Medium
|
The DNS server implementation must restrict the ability of individuals to use the DNS server to l...
|
|
V-205188
|
Medium
|
The DNS server implementation must prevent unauthorized and unintended information transfer via s...
|
|
V-205187
|
Medium
|
The DNS server implementation must protect the confidentiality and integrity of secret/private cr...
|
|
V-205186
|
Medium
|
In the event of a system failure, the DNS server implementation must preserve any information nec...
|
|
V-205185
|
Medium
|
The DNS server implementation must fail to a secure state if system initialization fails, shutdow...
|
|
V-205184
|
Medium
|
The DNS implementation must protect the authenticity of communications sessions for queries.
|
|
V-205183
|
Medium
|
The DNS implementation must protect the authenticity of communications sessions for dynamic updates.
|
|
V-205182
|
Medium
|
The DNS implementation must protect the authenticity of communications sessions for zone transfers.
|
|
V-205180
|
Medium
|
A DNS server implementation must provide the means to enable verification of a chain of trust amo...
|
|
V-205179
|
Medium
|
The DNS server implementation must enforce approved authorizations for controlling the flow of in...
|
|
V-205178
|
Medium
|
The validity period for the RRSIGs covering the DS RR for a zones delegated children must be no l...
|
|
V-205177
|
Medium
|
A DNS server implementation must provide the means to indicate the security status of child zones.
|
|
V-205176
|
Medium
|
A DNS server implementation must provide additional data origin artifacts along with the authorit...
|
|
V-205175
|
Medium
|
The DNS server implementation must employ strong authenticators in the establishment of nonlocal ...
|
|
V-205174
|
Medium
|
Signature generation using the KSK must be done off-line, using the KSK-private stored off-line.
|
|
V-205173
|
Medium
|
Only the private key corresponding to the ZSK alone must be kept on the name server that does sup...
|
|
V-205172
|
Medium
|
Read/Write access to the key file must be restricted to the account that runs the name server sof...
|
|
V-205171
|
Medium
|
The key file must be owned by the account under which the name server software is run.
|
|
V-205170
|
Medium
|
The DNS server implementation, when using PKI-based authentication, must enforce authorized acces...
|
|
V-205169
|
Medium
|
The DNS server implementation must uniquely identify the other DNS server before responding to a ...
|
|
V-205168
|
Medium
|
The DNS server implementation must be configured to prohibit or restrict unapproved ports and pro...
|
|
V-205167
|
Medium
|
The DNS server implementations audit records must be backed up at least every seven days onto a d...
|
|
V-205166
|
Medium
|
The DNS server implementation must generate audit records containing information that establishes...
|
|
V-205165
|
Medium
|
The DNS server implementation must produce audit records that contain information to establish th...
|
|
V-205164
|
Medium
|
The DNS server implementation must produce audit records containing information to establish the ...
|
|
V-205163
|
Medium
|
The DNS server implementation must produce audit records containing information to establish wher...
|
|
V-205162
|
Medium
|
The DNS server implementation must produce audit records containing information to establish when...
|
|
V-205161
|
Medium
|
The DNS server implementation must produce audit records containing information to establish what...
|
|
V-205160
|
Medium
|
The DNS server implementation must be configured to provide audit record generation capability fo...
|
|
V-205159
|
Medium
|
The DNS server implementation must be configured to provide audit record generation capability fo...
|
|
V-205158
|
Medium
|
The DNS implementation must limit the number of concurrent sessions client connections to the num...
|
|
V-205157
|
Medium
|
The DNS implementation must limit the number of concurrent sessions for zone transfers to the num...
|