DISA Windows Server 2012 and 2012 R2 DC STIG v3r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA Windows Server 2012 and 2012 R2 DC STIG v3r1

Updated: 11/4/2021

Authority: DISA STIG

Plugin: Windows

Revision: 1.8

Estimated Item Count: 402

Audit Items

Description	Categories
DISA_STIG_Server_2012_and_2012_R2_DC_v3r1.audit from DISA Microsoft Windows Server 2012/2012 R2 Domain Controller v3r1 STIG
WN12-00-000001 - Server systems must be located in a controlled access area, accessible only to authorized personnel.	CONFIGURATION MANAGEMENT
WN12-00-000004 - Users with administrative privilege must be documented.	CONFIGURATION MANAGEMENT
WN12-00-000005 - Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.	CONFIGURATION MANAGEMENT
WN12-00-000006 - Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.	CONFIGURATION MANAGEMENT
WN12-00-000007 - Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.	CONFIGURATION MANAGEMENT
WN12-00-000008 - Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.	CONFIGURATION MANAGEMENT
WN12-00-000009-01 - Members of the Backup Operators group must be documented.	CONFIGURATION MANAGEMENT
WN12-00-000009-02 - Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.	CONFIGURATION MANAGEMENT
WN12-00-000010 - Policy must require application account passwords be at least 15 characters in length.	IDENTIFICATION AND AUTHENTICATION
WN12-00-000011 - Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.	CONFIGURATION MANAGEMENT
WN12-00-000012 - Shared user accounts must not be permitted on the system.	IDENTIFICATION AND AUTHENTICATION
WN12-00-000013 - Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.	CONFIGURATION MANAGEMENT
WN12-00-000014 - System-level information must be backed up in accordance with local recovery time and recovery point objectives.	CONFIGURATION MANAGEMENT
WN12-00-000015 - User-level information must be backed up in accordance with local recovery time and recovery point objectives.	CONFIGURATION MANAGEMENT
WN12-00-000016 - Backups of system-level information must be protected.	CONFIGURATION MANAGEMENT
WN12-00-000017 - System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.	CONFIGURATION MANAGEMENT
WN12-00-000018 - The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.	CONFIGURATION MANAGEMENT
WN12-00-000019 - Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.	SYSTEM AND COMMUNICATIONS PROTECTION
WN12-00-000020 - Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.	SYSTEM AND COMMUNICATIONS PROTECTION
WN12-00-000100 - The Windows 2012 / 2012 R2 system must use an anti-virus program.	CONFIGURATION MANAGEMENT
WN12-00-000160 - The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.	CONFIGURATION MANAGEMENT
WN12-00-000170 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.	CONFIGURATION MANAGEMENT
WN12-00-000180 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client - LanManWorkstation	CONFIGURATION MANAGEMENT
WN12-00-000180 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client - mrxsmb10	CONFIGURATION MANAGEMENT
WN12-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.	CONFIGURATION MANAGEMENT
WN12-00-000200 - Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2.	CONFIGURATION MANAGEMENT
WN12-00-000210 - PowerShell script block logging must be enabled on Windows 2012/2012 R2 - Enabled	AUDIT AND ACCOUNTABILITY
WN12-00-000210 - PowerShell script block logging must be enabled on Windows 2012/2012 R2 - Patch	AUDIT AND ACCOUNTABILITY
WN12-00-000220 - Windows PowerShell 2.0 must not be installed on Windows 2012/2012 R2.	CONFIGURATION MANAGEMENT
WN12-AC-000001 - Windows 2012 account lockout duration must be configured to 15 minutes or greater.	ACCESS CONTROL
WN12-AC-000002 - The number of allowed bad logon attempts must meet minimum requirements.	ACCESS CONTROL
WN12-AC-000003 - The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012.	ACCESS CONTROL
WN12-AC-000004 - The password history must be configured to 24 passwords remembered.	IDENTIFICATION AND AUTHENTICATION
WN12-AC-000005 - The maximum password age must meet requirements.	IDENTIFICATION AND AUTHENTICATION
WN12-AC-000006 - The minimum password age must meet requirements.	IDENTIFICATION AND AUTHENTICATION
WN12-AC-000007 - Passwords must, at a minimum, be 14 characters.	IDENTIFICATION AND AUTHENTICATION
WN12-AC-000008 - The built-in Windows password complexity policy must be enabled.	IDENTIFICATION AND AUTHENTICATION
WN12-AC-000009 - Reversible password encryption must be disabled.	IDENTIFICATION AND AUTHENTICATION
WN12-AC-000010-DC - Kerberos user logon restrictions must be enforced.	CONFIGURATION MANAGEMENT
WN12-AC-000011-DC - The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.	CONFIGURATION MANAGEMENT
WN12-AC-000012-DC - The Kerberos user ticket lifetime must be limited to 10 hours or less.	CONFIGURATION MANAGEMENT
WN12-AC-000013-DC - The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.	CONFIGURATION MANAGEMENT
WN12-AC-000014-DC - The computer clock synchronization tolerance must be limited to 5 minutes or less.	IDENTIFICATION AND AUTHENTICATION
WN12-AD-000001-DC - Active Directory data files must have proper access control permissions.	ACCESS CONTROL
WN12-AD-000002-DC - The Active Directory SYSVOL directory must have the proper access control permissions.	ACCESS CONTROL
WN12-AD-000003-DC - Active Directory Group Policy objects must have proper access control permissions.	ACCESS CONTROL
WN12-AD-000004-DC - The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.	ACCESS CONTROL
WN12-AD-000005-DC - Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.	ACCESS CONTROL
WN12-AD-000006-DC - Data files owned by users must be on a different logical partition from the directory server data files.	SYSTEM AND COMMUNICATIONS PROTECTION

Detections

Analytics

DISA Windows Server 2012 and 2012 R2 DC STIG v3r1

Warning! Audit Deprecated

Audit Details

Audit Items