CIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server

Audit Details

Name: CIS Microsoft Windows Server 2022 v3.0.0 L1 Member Server

Updated: 6/17/2024

Authority: CIS

Plugin: Windows

Revision: 1.1

Estimated Item Count: 324

File Details

Filename: CIS_Microsoft_Windows_Server_2022_v3.0.0_L1_Member_Server.audit

Size: 891 kB

MD5: 28528accf93e7707f24b1b49bde5abcf
SHA256: bc9cc8775d78d4e49a5dfb7eed77c5802cec626e3b97a8df4fa15c1214d30f1c

Audit Items

DescriptionCategories
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'

IDENTIFICATION AND AUTHENTICATION

1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'

IDENTIFICATION AND AUTHENTICATION

1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'

IDENTIFICATION AND AUTHENTICATION

1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'

IDENTIFICATION AND AUTHENTICATION

1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION

1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION

1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'

ACCESS CONTROL

1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'

ACCESS CONTROL

1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled' (MS only)

ACCESS CONTROL

1.2.4 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

ACCESS CONTROL

2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.3 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.4 (L1) Ensure 'Act as part of the operating system' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.6 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.8 (L1) Ensure 'Allow log on locally' is set to 'Administrators' (MS only)

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.10 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.11 (L1) Ensure 'Back up files and directories' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.12 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.13 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.14 (L1) Ensure 'Create a pagefile' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.15 (L1) Ensure 'Create a token object' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.16 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.17 (L1) Ensure 'Create permanent shared objects' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.19 (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.20 (L1) Ensure 'Debug programs' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.22 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.23 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.24 (L1) Ensure 'Deny log on as a service' to include 'Guests'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.25 (L1) Ensure 'Deny log on locally' to include 'Guests'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.27 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.29 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.30 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.31 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.33 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.34 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.35 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.36 (L1) Ensure 'Lock pages in memory' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.39 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.40 (L1) Ensure 'Modify an object label' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.41 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.42 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.43 (L1) Ensure 'Profile single process' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.44 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.45 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.46 (L1) Ensure 'Restore files and directories' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.47 (L1) Ensure 'Shut down the system' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.49 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'

ACCESS CONTROL

2.3.1.2 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)

IDENTIFICATION AND AUTHENTICATION