DISA Windows Server 2022 STIG v2r2

Audit Details

Name: DISA Windows Server 2022 STIG v2r2

Updated: 11/15/2024

Authority: DISA STIG

Plugin: Windows

Revision: 1.0

Estimated Item Count: 274

File Details

Filename: DISA_STIG_Microsoft_Windows_Server_2022_v2r2.audit

Size: 720 kB

MD5: edf867a228c656ba100c3660b3a4133c
SHA256: d099bd4c2751d21a568c0a92dbf542d5f48cb9ddc52484bd4083fd841bb20ff4

Audit Items

DescriptionCategories
DISA_STIG_Microsoft_Windows_Server_2022_v2r2.audit from DISA Microsoft Windows Server 2022 v2r2 STIG
WN22-00-000010 - Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.

CONFIGURATION MANAGEMENT

WN22-00-000020 - Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days.

IDENTIFICATION AND AUTHENTICATION

WN22-00-000030 - Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

WN22-00-000040 - Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.

CONFIGURATION MANAGEMENT

WN22-00-000050 - Windows Server 2022 manually managed application account passwords must be at least 14 characters in length.

IDENTIFICATION AND AUTHENTICATION

WN22-00-000060 - Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.

CONFIGURATION MANAGEMENT

WN22-00-000070 - Windows Server 2022 shared user accounts must not be permitted.

IDENTIFICATION AND AUTHENTICATION

WN22-00-000080 - Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

CONFIGURATION MANAGEMENT

WN22-00-000090 - Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.

CONFIGURATION MANAGEMENT

WN22-00-000100 - Windows Server 2022 must be maintained at a supported servicing level.

CONFIGURATION MANAGEMENT

WN22-00-000110 - Windows Server 2022 must use an antivirus program.

CONFIGURATION MANAGEMENT

WN22-00-000120 - Windows Server 2022 must have a host-based intrusion detection or prevention system.

CONFIGURATION MANAGEMENT

WN22-00-000130 - Windows Server 2022 local volumes must use a format that supports NTFS attributes.

ACCESS CONTROL

WN22-00-000140 - Windows Server 2022 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.

ACCESS CONTROL

WN22-00-000150 - Windows Server 2022 permissions for program file directories must conform to minimum requirements.

ACCESS CONTROL

WN22-00-000160 - Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements.

ACCESS CONTROL

WN22-00-000170 - Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.

ACCESS CONTROL

WN22-00-000180 - Windows Server 2022 nonadministrative accounts or groups must only have print permissions on printer shares.

ACCESS CONTROL

WN22-00-000190 - Windows Server 2022 outdated or unused accounts must be removed or disabled.

IDENTIFICATION AND AUTHENTICATION

WN22-00-000200 - Windows Server 2022 accounts must require passwords.

IDENTIFICATION AND AUTHENTICATION

WN22-00-000210 - Windows Server 2022 passwords must be configured to expire.

IDENTIFICATION AND AUTHENTICATION

WN22-00-000220 - Windows Server 2022 system files must be monitored for unauthorized changes.

CONFIGURATION MANAGEMENT

WN22-00-000230 - Windows Server 2022 nonsystem-created file shares must limit access to groups that require it.

SYSTEM AND COMMUNICATIONS PROTECTION

WN22-00-000240 - Windows Server 2022 must have software certificate installation files removed.

CONFIGURATION MANAGEMENT

WN22-00-000250 - Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

SYSTEM AND COMMUNICATIONS PROTECTION

WN22-00-000260 - Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.

SYSTEM AND COMMUNICATIONS PROTECTION

WN22-00-000270 - Windows Server 2022 must have the roles and features required by the system documented.

CONFIGURATION MANAGEMENT

WN22-00-000280 - Windows Server 2022 must have a host-based firewall installed and enabled.

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT

WN22-00-000290 - Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).

CONFIGURATION MANAGEMENT

WN22-00-000300 - Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours.

ACCESS CONTROL

WN22-00-000310 - Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.

ACCESS CONTROL

WN22-00-000320 - Windows Server 2022 must not have the Fax Server role installed.

CONFIGURATION MANAGEMENT

WN22-00-000330 - Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization.

CONFIGURATION MANAGEMENT

WN22-00-000340 - Windows Server 2022 must not have the Peer Name Resolution Protocol installed.

CONFIGURATION MANAGEMENT

WN22-00-000350 - Windows Server 2022 must not have Simple TCP/IP Services installed.

CONFIGURATION MANAGEMENT

WN22-00-000360 - Windows Server 2022 must not have the Telnet Client installed.

CONFIGURATION MANAGEMENT

WN22-00-000370 - Windows Server 2022 must not have the TFTP Client installed.

CONFIGURATION MANAGEMENT

WN22-00-000380 - Windows Server 2022 must not the Server Message Block (SMB) v1 protocol installed.

CONFIGURATION MANAGEMENT

WN22-00-000390 - Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.

CONFIGURATION MANAGEMENT

WN22-00-000400 - Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.

CONFIGURATION MANAGEMENT

WN22-00-000410 - Windows Server 2022 must not have Windows PowerShell 2.0 installed.

CONFIGURATION MANAGEMENT

WN22-00-000420 - Windows Server 2022 FTP servers must be configured to prevent anonymous logons.

CONFIGURATION MANAGEMENT

WN22-00-000430 - Windows Server 2022 FTP servers must be configured to prevent access to the system drive.

CONFIGURATION MANAGEMENT

WN22-00-000440 - The Windows Server 2022 time service must synchronize with an appropriate DOD time source.

AUDIT AND ACCOUNTABILITY

WN22-00-000450 - Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights.

CONFIGURATION MANAGEMENT

WN22-00-000460 - Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.

CONFIGURATION MANAGEMENT

WN22-00-000470 - Windows Server 2022 must have Secure Boot enabled.

CONFIGURATION MANAGEMENT

WN22-AC-000010 - Windows Server 2022 account lockout duration must be configured to 15 minutes or greater.

ACCESS CONTROL

WN22-AC-000020 - Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less.

ACCESS CONTROL