DISA Windows Server 2016 STIG v2r3

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA Windows Server 2016 STIG v2r3

Updated: 6/22/2022

Authority: Operating Systems and Applications

Plugin: Windows

Revision: 1.5

Estimated Item Count: 285

Audit Items

Description / Categories
DISA_STIG_Windows_Server_2016_v2r3.audit from DISA Microsoft Windows Server 2016 v2r3 STIG
WN16-00-000010 - Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN16-00-000030 - Passwords for the built-in Administrator account must be changed at least every 60 days.

IDENTIFICATION AND AUTHENTICATION

WN16-00-000040 - Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN16-00-000050 - Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.

ACCESS CONTROL

WN16-00-000060 - Manually managed application account passwords must be at least 15 characters in length.
WN16-00-000070 - Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.

IDENTIFICATION AND AUTHENTICATION

WN16-00-000080 - Shared user accounts must not be permitted on the system.

ACCESS CONTROL

WN16-00-000090 - Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

CONFIGURATION MANAGEMENT

WN16-00-000100 - Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use - TPM enabled and ready for use.
WN16-00-000110 - Systems must be maintained at a supported servicing level.

CONFIGURATION MANAGEMENT

WN16-00-000120 - The Windows Server 2016 system must use an anti-virus program.

SYSTEM AND INFORMATION INTEGRITY

WN16-00-000140 - Servers must have a host-based intrusion detection or prevention system.
WN16-00-000150 - Local volumes must use a format that supports NTFS attributes.

CONFIGURATION MANAGEMENT

WN16-00-000160 - Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WN16-00-000170 - Permissions for program file directories must conform to minimum requirements - Program Files

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WN16-00-000170 - Permissions for program file directories must conform to minimum requirements - Program Files (x86)

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WN16-00-000180 - Permissions for the Windows installation directory must conform to minimum requirements.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WN16-00-000190 - Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained - HKEY_LOCAL_MACHINE\SECURITY

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WN16-00-000190 - Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained - HKEY_LOCAL_MACHINE\SOFTWARE

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WN16-00-000190 - Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained - HKEY_LOCAL_MACHINE\SYSTEM

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WN16-00-000200 - Non-administrative accounts or groups must only have print permissions on printer shares.
WN16-00-000210 - Outdated or unused accounts must be removed from the system or disabled.

ACCESS CONTROL

WN16-00-000220 - Windows Server 2016 accounts must require passwords.

IDENTIFICATION AND AUTHENTICATION

WN16-00-000230 - Passwords must be configured to expire.

IDENTIFICATION AND AUTHENTICATION

WN16-00-000240 - System files must be monitored for unauthorized changes.
WN16-00-000250 - Non-system-created file shares on a system must limit access to groups that require it.

CONFIGURATION MANAGEMENT

WN16-00-000270 - Software certificate installation files must be removed from Windows Server 2016.

SYSTEM AND COMMUNICATIONS PROTECTION

WN16-00-000280 - Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
WN16-00-000290 - Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
WN16-00-000300 - The roles and features required by the system must be documented.

CONFIGURATION MANAGEMENT

WN16-00-000310 - A host-based firewall must be installed and enabled on the system.

SYSTEM AND COMMUNICATIONS PROTECTION

WN16-00-000320 - Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP) - CNDSP.
WN16-00-000330 - Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.
WN16-00-000340 - Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
WN16-00-000350 - The Fax Server role must not be installed.

CONFIGURATION MANAGEMENT

WN16-00-000360 - The Microsoft FTP service must not be installed unless required.

CONFIGURATION MANAGEMENT

WN16-00-000370 - The Peer Name Resolution Protocol must not be installed.

CONFIGURATION MANAGEMENT

WN16-00-000380 - Simple TCP/IP Services must not be installed.

CONFIGURATION MANAGEMENT

WN16-00-000390 - The Telnet Client must not be installed.

CONFIGURATION MANAGEMENT

WN16-00-000400 - The TFTP Client must not be installed.

CONFIGURATION MANAGEMENT

WN16-00-000410 - The Server Message Block (SMB) v1 protocol must be uninstalled.

CONFIGURATION MANAGEMENT

WN16-00-000411 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.

CONFIGURATION MANAGEMENT

WN16-00-000412 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.

CONFIGURATION MANAGEMENT

WN16-00-000420 - Windows PowerShell 2.0 must not be installed.

CONFIGURATION MANAGEMENT

WN16-00-000430 - FTP servers must be configured to prevent anonymous logons.
WN16-00-000440 - FTP servers must be configured to prevent access to the system drive.
WN16-00-000450 - The time service must synchronize with an appropriate DoD time source.

AUDIT AND ACCOUNTABILITY

WN16-00-000460 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.

CONFIGURATION MANAGEMENT

WN16-00-000470 - Secure Boot must be enabled on Windows Server 2016 systems.

CONFIGURATION MANAGEMENT