DISA Windows Server 2019 STIG v2r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA Windows Server 2019 STIG v2r2

Updated: 2/22/2022

Authority: DISA STIG

Plugin: Windows

Revision: 1.9

Estimated Item Count: 319

Audit Changelog

Revision 1.9

Feb 22, 2022

Functional Update
  • WN19-MS-000080 - Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
  • WN19-MS-000090 - Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000110 - Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000120 - Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.8

Dec 17, 2021

Functional Update
  • WN19-00-000060 - Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
  • WN19-MS-000080 - Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
  • WN19-MS-000090 - Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000110 - Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000120 - Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Revision 1.7

Nov 23, 2021

Functional Update
  • WN19-MS-000080 - Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
  • WN19-MS-000090 - Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000110 - Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000120 - Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Added
  • WN19-00-000020 - Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.
Removed
  • WN19-00-000020 - Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.
Revision 1.6

Sep 21, 2021

Functional Update
  • WN19-00-000070 - Windows Server 2019 shared user accounts must not be permitted.
  • WN19-00-000080 - Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • WN19-MS-000080 - Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
  • WN19-MS-000090 - Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000110 - Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000120 - Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Revision 1.5

Sep 10, 2021

Functional Update
  • WN19-MS-000080 - Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
  • WN19-MS-000090 - Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000110 - Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000120 - Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Revision 1.4

Aug 11, 2021

Functional Update
  • WN19-00-000240 - Windows Server 2019 must have software certificate installation files removed.
  • WN19-EP-000060 - Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe.
  • WN19-EP-000070 - Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe.
  • WN19-EP-000080 - Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe.
  • WN19-EP-000090 - Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE.
  • WN19-EP-000100 - Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe.
  • WN19-EP-000110 - Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE.
  • WN19-EP-000120 - Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE.
  • WN19-EP-000130 - Windows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe.
  • WN19-EP-000140 - Windows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE.
  • WN19-EP-000150 - Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe - java
  • WN19-EP-000150 - Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe - javaw
  • WN19-EP-000150 - Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe - javaws
  • WN19-EP-000160 - Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe.
  • WN19-EP-000170 - Windows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE.
  • WN19-EP-000180 - Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE.
  • WN19-EP-000190 - Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE.
  • WN19-EP-000200 - Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe.
  • WN19-EP-000210 - Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE.
  • WN19-EP-000220 - Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe.
  • WN19-EP-000230 - Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE.
  • WN19-EP-000240 - Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE.
  • WN19-EP-000250 - Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE.
  • WN19-EP-000260 - Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE.
  • WN19-EP-000270 - Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE.
  • WN19-EP-000280 - Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe.
  • WN19-EP-000290 - Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe.
  • WN19-MS-000080 - Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
  • WN19-MS-000090 - Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000110 - Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000120 - Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Informational Update
  • WN19-00-000240 - Windows Server 2019 must have software certificate installation files removed.
Revision 1.3

Jul 30, 2021

Functional Update
  • WN19-MS-000080 - Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
  • WN19-MS-000090 - Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000110 - Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000120 - Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.2

Jun 22, 2021

Functional Update
  • WN19-DC-000080 - Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.
  • WN19-MS-000080 - Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
  • WN19-MS-000090 - Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000110 - Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000120 - Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Miscellaneous
  • Variables updated.
Revision 1.1

Jun 17, 2021

Functional Update
  • WN19-MS-000080 - Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
  • WN19-MS-000090 - Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000110 - Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
  • WN19-MS-000120 - Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Miscellaneous
  • Metadata updated.
  • References updated.