DISA_STIG_Windows_Server_2016_v2r3.audit from DISA Microsoft Windows Server 2016 v2r3 STIG

WN16-00-000010 - Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.

CAT|I

CCI|CCI-000366

Rule-ID|SV-224819r569186_rule

STIG-ID|WN16-00-000010

STIG-Legacy|SV-87869

STIG-Legacy|V-73217

Vuln-ID|V-224819

WN16-00-000030 - Passwords for the built-in Administrator account must be changed at least every 60 days.

800-53|IA-5(1)

CAT|II

CCI|CCI-000199

Rule-ID|SV-224820r793230_rule

STIG-ID|WN16-00-000030

STIG-Legacy|SV-87875

STIG-Legacy|V-73223

Vuln-ID|V-224820

WN16-00-000040 - Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.

Rule-ID|SV-224821r569186_rule

STIG-ID|WN16-00-000040

STIG-Legacy|SV-87877

STIG-Legacy|V-73225

Vuln-ID|V-224821

WN16-00-000050 - Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.

800-53|AC-5

Rule-ID|SV-224822r569186_rule

STIG-ID|WN16-00-000050

STIG-Legacy|SV-87879

STIG-Legacy|V-73227

Vuln-ID|V-224822

WN16-00-000060 - Manually managed application account passwords must be at least 15 characters in length.

CCI|CCI-000205

Rule-ID|SV-224823r569186_rule

STIG-ID|WN16-00-000060

STIG-Legacy|SV-87881

STIG-Legacy|V-73229

Vuln-ID|V-224823

WN16-00-000070 - Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.

800-53|IA-5

Rule-ID|SV-224824r569186_rule

STIG-ID|WN16-00-000070

STIG-Legacy|SV-87883

STIG-Legacy|V-73231

Vuln-ID|V-224824

WN16-00-000080 - Shared user accounts must not be permitted on the system.

800-53|AC-2(9)

CCI|CCI-000764

Rule-ID|SV-224825r569186_rule

STIG-ID|WN16-00-000080

STIG-Legacy|SV-87885

STIG-Legacy|V-73233

Vuln-ID|V-224825

WN16-00-000090 - Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

800-53|CM-7(5)

CCI|CCI-001774

Rule-ID|SV-224826r569186_rule

STIG-ID|WN16-00-000090

STIG-Legacy|SV-87887

STIG-Legacy|V-73235

Vuln-ID|V-224826

WN16-00-000100 - Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use - TPM enabled and ready for use.

Rule-ID|SV-224827r569186_rule

STIG-ID|WN16-00-000100

STIG-Legacy|SV-87889

STIG-Legacy|V-73237

Vuln-ID|V-224827

WN16-00-000110 - Systems must be maintained at a supported servicing level.

800-53|CM-8(1)

Rule-ID|SV-224828r569186_rule

STIG-ID|WN16-00-000110

STIG-Legacy|SV-87891

STIG-Legacy|V-73239

Vuln-ID|V-224828

WN16-00-000120 - The Windows Server 2016 system must use an anti-virus program.

800-53|SI-3

Rule-ID|SV-224829r569237_rule

STIG-ID|WN16-00-000120

STIG-Legacy|SV-87893

STIG-Legacy|V-73241

Vuln-ID|V-224829

WN16-00-000140 - Servers must have a host-based intrusion detection or prevention system.

Rule-ID|SV-224830r793223_rule

STIG-ID|WN16-00-000140

STIG-Legacy|SV-87897

STIG-Legacy|V-73245

Vuln-ID|V-224830

WN16-00-000150 - Local volumes must use a format that supports NTFS attributes.

800-53|CM-6

CCI|CCI-000213

Rule-ID|SV-224831r569186_rule

STIG-ID|WN16-00-000150

STIG-Legacy|SV-87899

STIG-Legacy|V-73247

Vuln-ID|V-224831

WN16-00-000160 - Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.

800-53|AC-6(7)

CCI|CCI-002165

CSCv6|3.1

Rule-ID|SV-224832r569186_rule

STIG-ID|WN16-00-000160

STIG-Legacy|SV-87901

STIG-Legacy|V-73249

Vuln-ID|V-224832

WN16-00-000170 - Permissions for program file directories must conform to minimum requirements - Program Files

Rule-ID|SV-224833r569186_rule

STIG-ID|WN16-00-000170

STIG-Legacy|SV-87903

STIG-Legacy|V-73251

Vuln-ID|V-224833

WN16-00-000170 - Permissions for program file directories must conform to minimum requirements - Program Files (x86)

WN16-00-000180 - Permissions for the Windows installation directory must conform to minimum requirements.

Rule-ID|SV-224834r569186_rule

STIG-ID|WN16-00-000180

STIG-Legacy|SV-87905

STIG-Legacy|V-73253

Vuln-ID|V-224834

WN16-00-000190 - Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained - HKEY_LOCAL_MACHINE\SECURITY

CCI|CCI-002235

Rule-ID|SV-224835r793228_rule

STIG-ID|WN16-00-000190

STIG-Legacy|SV-87907

STIG-Legacy|V-73255

Vuln-ID|V-224835

WN16-00-000190 - Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained - HKEY_LOCAL_MACHINE\SOFTWARE

WN16-00-000190 - Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained - HKEY_LOCAL_MACHINE\SYSTEM

WN16-00-000200 - Non-administrative accounts or groups must only have print permissions on printer shares.

CAT|III

Rule-ID|SV-224836r569186_rule

STIG-ID|WN16-00-000200

STIG-Legacy|SV-87909

STIG-Legacy|V-73257

Vuln-ID|V-224836

WN16-00-000210 - Outdated or unused accounts must be removed from the system or disabled.

800-53|AC-2(3)

CCI|CCI-000795

CSCv6|16.1

CSCv6|16.6

Rule-ID|SV-224837r569186_rule

STIG-ID|WN16-00-000210

STIG-Legacy|SV-87911

STIG-Legacy|V-73259

Vuln-ID|V-224837

WN16-00-000220 - Windows Server 2016 accounts must require passwords.

Rule-ID|SV-224838r569186_rule

STIG-ID|WN16-00-000220

STIG-Legacy|SV-87913

STIG-Legacy|V-73261

Vuln-ID|V-224838

WN16-00-000230 - Passwords must be configured to expire.

Rule-ID|SV-224839r569186_rule

STIG-ID|WN16-00-000230

STIG-Legacy|SV-87915

STIG-Legacy|V-73263

Vuln-ID|V-224839

WN16-00-000240 - System files must be monitored for unauthorized changes.

CCI|CCI-001744

Rule-ID|SV-224840r804011_rule

STIG-ID|WN16-00-000240

STIG-Legacy|SV-87917

STIG-Legacy|V-73265

Vuln-ID|V-224840

WN16-00-000250 - Non-system-created file shares on a system must limit access to groups that require it.

CCI|CCI-001090

Rule-ID|SV-224841r569186_rule

STIG-ID|WN16-00-000250

STIG-Legacy|SV-87919

STIG-Legacy|V-73267

Vuln-ID|V-224841

WN16-00-000270 - Software certificate installation files must be removed from Windows Server 2016.

800-53|SC-12

Rule-ID|SV-224842r569186_rule

STIG-ID|WN16-00-000270

STIG-Legacy|SV-87923

STIG-Legacy|V-73271

Vuln-ID|V-224842

WN16-00-000280 - Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

CCI|CCI-001199

CCI|CCI-002475

CCI|CCI-002476

Rule-ID|SV-224843r569186_rule

STIG-ID|WN16-00-000280

STIG-Legacy|SV-87925

STIG-Legacy|V-73273

Vuln-ID|V-224843

WN16-00-000290 - Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.

CCI|CCI-002420

CCI|CCI-002422

Rule-ID|SV-224844r790513_rule

STIG-ID|WN16-00-000290

STIG-Legacy|SV-87927

STIG-Legacy|V-73275

Vuln-ID|V-224844

WN16-00-000300 - The roles and features required by the system must be documented.

800-53|CM-8

CCI|CCI-000381

Rule-ID|SV-224845r569186_rule

STIG-ID|WN16-00-000300

STIG-Legacy|SV-87929

STIG-Legacy|V-73277

Vuln-ID|V-224845

Detections

Analytics

DISA Windows Server 2016 STIG v2r3

Warning! Audit Deprecated

Audit Details

Audit Changelog

Revision 1.5

Miscellaneous

Revision 1.4

Miscellaneous

Revision 1.3

Functional Update

Revision 1.2

Miscellaneous

Revision 1.1

Functional Update


Revision 1.5 Jun 22, 2022 Miscellaneous Audit deprecated. Metadata updated. References updated.
Revision 1.4 May 5, 2022 Miscellaneous Metadata updated.
Revision 1.3 May 3, 2022 Functional Update WN16-00-000220 - Windows Server 2016 accounts must require passwords.
Revision 1.2 Apr 25, 2022 Miscellaneous References updated.
Revision 1.1 Mar 18, 2022 Functional Update WN16-MS-000380 - The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems. WN16-MS-000390 - The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right. WN16-MS-000400 - The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems. WN16-MS-000410 - The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.