DISA Windows 10 STIG v2r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA Windows 10 STIG v2r2

Updated: 3/3/2022

Authority: DISA STIG

Plugin: Windows

Revision: 1.7

Estimated Item Count: 310

Audit Items

DescriptionCategories
DISA_STIG_Windows_10_v2r2.audit from DISA Windows 10 v2r2 STIG
WN10-00-000005 - Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version - 64-bit

CONFIGURATION MANAGEMENT

WN10-00-000005 - Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.

CONFIGURATION MANAGEMENT

WN10-00-000010 - Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use - TPM enabled and ready for use.

CONFIGURATION MANAGEMENT

WN10-00-000015 - Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.

CONFIGURATION MANAGEMENT

WN10-00-000020 - Secure Boot must be enabled on Windows 10 systems.

CONFIGURATION MANAGEMENT

WN10-00-000025 - Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).

SYSTEM AND INFORMATION INTEGRITY

WN10-00-000030 - Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.

SYSTEM AND COMMUNICATIONS PROTECTION

WN10-00-000031 - Windows 10 systems must use a BitLocker PIN for pre-boot authentication - UseAdvancedStartup

SYSTEM AND COMMUNICATIONS PROTECTION

WN10-00-000031 - Windows 10 systems must use a BitLocker PIN for pre-boot authentication - UseTPMPin / UseTPMKeyPin

SYSTEM AND COMMUNICATIONS PROTECTION

WN10-00-000032 - Windows 10 systems must use a BitLocker PIN with a minimum length of 6 digits for pre-boot authentication.

SYSTEM AND COMMUNICATIONS PROTECTION

WN10-00-000035 - The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

CONFIGURATION MANAGEMENT

WN10-00-000040 - Windows 10 systems must be maintained at a supported servicing level.

CONFIGURATION MANAGEMENT

WN10-00-000045 - The Windows 10 system must use an anti-virus program.

CONFIGURATION MANAGEMENT

WN10-00-000050 - Local volumes must be formatted using NTFS.

ACCESS CONTROL

WN10-00-000055 - Alternate operating systems must not be permitted on the same system.

CONFIGURATION MANAGEMENT

WN10-00-000060 - Non system-created file shares on a system must limit access to groups that require it.

SYSTEM AND COMMUNICATIONS PROTECTION

WN10-00-000065 - Unused accounts must be disabled or removed from the system after 35 days of inactivity.

IDENTIFICATION AND AUTHENTICATION

WN10-00-000070 - Only accounts responsible for the administration of a system must have Administrator rights on the system.

ACCESS CONTROL

WN10-00-000075 - Only accounts responsible for the backup operations must be members of the Backup Operators group.

CONFIGURATION MANAGEMENT

WN10-00-000080 - Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.

CONFIGURATION MANAGEMENT

WN10-00-000085 - Standard local user accounts must not exist on a system in a domain.

CONFIGURATION MANAGEMENT

WN10-00-000090 - Accounts must be configured to require password expiration.

IDENTIFICATION AND AUTHENTICATION

WN10-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\

ACCESS CONTROL

WN10-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\Program Files

ACCESS CONTROL

WN10-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\Windows

ACCESS CONTROL

WN10-00-000100 - Internet Information System (IIS) or its subcomponents must not be installed on a workstation.

CONFIGURATION MANAGEMENT

WN10-00-000105 - Simple Network Management Protocol (SNMP) must not be installed on the system.

CONFIGURATION MANAGEMENT

WN10-00-000110 - Simple TCP/IP Services must not be installed on the system.

CONFIGURATION MANAGEMENT

WN10-00-000115 - The Telnet Client must not be installed on the system.

CONFIGURATION MANAGEMENT

WN10-00-000120 - The TFTP Client must not be installed on the system.

CONFIGURATION MANAGEMENT

WN10-00-000130 - Software certificate installation files must be removed from Windows 10.

CONFIGURATION MANAGEMENT

WN10-00-000135 - A host-based firewall must be installed and enabled on the system.

CONFIGURATION MANAGEMENT

WN10-00-000140 - Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.

CONFIGURATION MANAGEMENT

WN10-00-000145 - Data Execution Prevention (DEP) must be configured to at least OptOut.

SYSTEM AND INFORMATION INTEGRITY

WN10-00-000150 - Structured Exception Handling Overwrite Protection (SEHOP) must be enabled - SEHOP must be turned on.

SYSTEM AND INFORMATION INTEGRITY

WN10-00-000155 - The Windows PowerShell 2.0 feature must be disabled on the system.

CONFIGURATION MANAGEMENT

WN10-00-000160 - The Server Message Block (SMB) v1 protocol must be disabled on the system.

CONFIGURATION MANAGEMENT

WN10-00-000165 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.

CONFIGURATION MANAGEMENT

WN10-00-000170 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.

CONFIGURATION MANAGEMENT

WN10-00-000175 - The Secondary Logon service must be disabled on Windows 10.

CONFIGURATION MANAGEMENT

WN10-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.

CONFIGURATION MANAGEMENT

WN10-00-000210 - Bluetooth must be turned off unless approved by the organization.

CONFIGURATION MANAGEMENT

WN10-00-000220 - Bluetooth must be turned off when not in use.

CONFIGURATION MANAGEMENT

WN10-00-000230 - The system must notify the user when a Bluetooth device attempts to connect.

CONFIGURATION MANAGEMENT

WN10-00-000240 - Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.

CONFIGURATION MANAGEMENT

WN10-00-000250 - Windows 10 non-persistent VM sessions should not exceed 24 hours.

SYSTEM AND COMMUNICATIONS PROTECTION

WN10-AC-000005 - Windows 10 account lockout duration must be configured to 15 minutes or greater.

ACCESS CONTROL

WN10-AC-000010 - The number of allowed bad logon attempts must be configured to 3 or less.

ACCESS CONTROL

WN10-AC-000015 - The period of time before the bad logon counter is reset must be configured to 15 minutes.

ACCESS CONTROL