DISA Windows 11 STIG v1r5

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA Windows 11 STIG v1r5

Updated: 6/17/2024

Authority: DISA STIG

Plugin: Windows

Revision: 1.5

Estimated Item Count: 261

Audit Items

DescriptionCategories
DISA_STIG_Windows_11_v1r5.audit from DISA Microsoft Windows 11 v1r5 STIG
WN11-00-000005 - Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version - 64-bit
WN11-00-000005 - Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.
WN11-00-000010 - Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.
WN11-00-000015 - Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN11-00-000020 - Secure Boot must be enabled on Windows 11 systems.
WN11-00-000025 - Windows 11 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
WN11-00-000030 - Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
WN11-00-000031 - Windows 11 systems must use a BitLocker PIN for pre-boot authentication
WN11-00-000032 - Windows 11 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.
WN11-00-000035 - The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
WN11-00-000040 - Windows 11 systems must be maintained at a supported servicing level.
WN11-00-000045 - The Windows 11 system must use an antivirus program.
WN11-00-000050 - Local volumes must be formatted using NTFS.
WN11-00-000055 - Alternate operating systems must not be permitted on the same system.
WN11-00-000060 - Non-system-created file shares on a system must limit access to groups that require it.
WN11-00-000065 - Unused accounts must be disabled or removed from the system after 35 days of inactivity.
WN11-00-000070 - Only accounts responsible for the administration of a system must have Administrator rights on the system.
WN11-00-000075 - Only accounts responsible for the backup operations must be members of the Backup Operators group.
WN11-00-000080 - Only authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems.
WN11-00-000085 - Standard local user accounts must not exist on a system in a domain.
WN11-00-000090 - Accounts must be configured to require password expiration.
WN11-00-000095 - Permissions for system files and directories must conform to minimum requirements
WN11-00-000100 - Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
WN11-00-000105 - Simple Network Management Protocol (SNMP) must not be installed on the system.
WN11-00-000110 - Simple TCP/IP Services must not be installed on the system.
WN11-00-000115 - The Telnet Client must not be installed on the system.
WN11-00-000120 - The TFTP Client must not be installed on the system.
WN11-00-000130 - Software certificate installation files must be removed from Windows 11.
WN11-00-000135 - A host-based firewall must be installed and enabled on the system.
WN11-00-000140 - Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts.
WN11-00-000145 - Data Execution Prevention (DEP) must be configured to at least OptOut.
WN11-00-000150 - Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.
WN11-00-000155 - The Windows PowerShell 2.0 feature must be disabled on the system.
WN11-00-000160 - The Server Message Block (SMB) v1 protocol must be disabled on the system.
WN11-00-000165 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
WN11-00-000170 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
WN11-00-000175 - The Secondary Logon service must be disabled on Windows 11.
WN11-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11.
WN11-00-000210 - Bluetooth must be turned off unless approved by the organization.
WN11-00-000220 - Bluetooth must be turned off when not in use.
WN11-00-000230 - The system must notify the user when a Bluetooth device attempts to connect.
WN11-00-000240 - Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
WN11-00-000250 - Windows 11 nonpersistent VM sessions must not exceed 24 hours.
WN11-00-000260 - The Windows 11 time service must synchronize with an appropriate DOD time source.
WN11-00-000395 - Windows 11 must not have portproxy enabled or in use.
WN11-AC-000005 - Windows 11 account lockout duration must be configured to 15 minutes or greater.
WN11-AC-000010 - The number of allowed bad logon attempts must be configured to three or less.
WN11-AC-000015 - The period of time before the bad logon counter is reset must be configured to 15 minutes.
WN11-AC-000020 - The password history must be configured to 24 passwords remembered.