DISA Windows 10 STIG v3r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA Windows 10 STIG v3r1

Updated: 11/15/2024

Authority: DISA STIG

Plugin: Windows

Revision: 1.1

Estimated Item Count: 260

File Details

Filename: DISA_STIG_Windows_10_v3r1.audit

Size: 481 kB

MD5: 21b8c56061e983cb9734ecd86207dfd8
SHA256: 9228ccdb21306a870cd837fe9af32769e97af88895c2791be31376139607aeed

Audit Items

DescriptionCategories
DISA_STIG_Windows_10_v3r1.audit from DISA Microsoft Windows 10 v3r1 STIG
WN10-00-000005 - Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
WN10-00-000010 - Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN10-00-000015 - Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN10-00-000020 - Secure Boot must be enabled on Windows 10 systems.
WN10-00-000025 - Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: Continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
WN10-00-000030 - Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
WN10-00-000031 - Windows 10 systems must use a BitLocker PIN for pre-boot authentication.
WN10-00-000032 - Windows 10 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.
WN10-00-000035 - The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
WN10-00-000040 - Windows 10 systems must be maintained at a supported servicing level.
WN10-00-000045 - The Windows 10 system must use an anti-virus program.
WN10-00-000050 - Local volumes must be formatted using NTFS.
WN10-00-000055 - Alternate operating systems must not be permitted on the same system.
WN10-00-000060 - Non system-created file shares on a system must limit access to groups that require it.
WN10-00-000065 - Unused accounts must be disabled or removed from the system after 35 days of inactivity.
WN10-00-000070 - Only accounts responsible for the administration of a system must have Administrator rights on the system.
WN10-00-000075 - Only accounts responsible for the backup operations must be members of the Backup Operators group.
WN10-00-000080 - Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.
WN10-00-000085 - Standard local user accounts must not exist on a system in a domain.
WN10-00-000090 - Accounts must be configured to require password expiration.
WN10-00-000095 - Permissions for system files and directories must conform to minimum requirements.
WN10-00-000100 - Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
WN10-00-000105 - Simple Network Management Protocol (SNMP) must not be installed on the system.
WN10-00-000110 - Simple TCP/IP Services must not be installed on the system.
WN10-00-000115 - The Telnet Client must not be installed on the system.
WN10-00-000120 - The TFTP Client must not be installed on the system.
WN10-00-000130 - Software certificate installation files must be removed from Windows 10.
WN10-00-000135 - A host-based firewall must be installed and enabled on the system.
WN10-00-000140 - Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.
WN10-00-000145 - Data Execution Prevention (DEP) must be configured to at least OptOut.
WN10-00-000150 - Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.
WN10-00-000155 - The Windows PowerShell 2.0 feature must be disabled on the system.
WN10-00-000160 - The Server Message Block (SMB) v1 protocol must be disabled on the system.
WN10-00-000165 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
WN10-00-000170 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
WN10-00-000175 - The Secondary Logon service must be disabled on Windows 10.
WN10-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.
WN10-00-000210 - Bluetooth must be turned off unless approved by the organization.
WN10-00-000220 - Bluetooth must be turned off when not in use.
WN10-00-000230 - The system must notify the user when a Bluetooth device attempts to connect.
WN10-00-000240 - Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN10-00-000250 - Windows 10 nonpersistent VM sessions must not exceed 24 hours.
WN10-00-000395 - Windows 10 must not have portproxy enabled or in use.
WN10-AC-000005 - Windows 10 account lockout duration must be configured to 15 minutes or greater.
WN10-AC-000010 - The number of allowed bad logon attempts must be configured to 3 or less.
WN10-AC-000015 - The period of time before the bad logon counter is reset must be configured to 15 minutes.
WN10-AC-000020 - The password history must be configured to 24 passwords remembered.
WN10-AC-000025 - The maximum password age must be configured to 60 days or less.
WN10-AC-000030 - The minimum password age must be configured to at least 1 day.