| 2.3.9.5 Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 18.9.11.3.3 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 | Windows | CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.9.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' or higher | CIS Microsoft Windows 11 Enterprise v3.0.0 L2 + BitLocker | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.9.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' or higher | CIS Microsoft Windows 11 Enterprise v3.0.0 L1 + BL | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.9.1.9 (L1) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.9.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' | CIS Microsoft Windows 10 Stand-alone v3.0.0 L2 BL NG | Windows | MEDIA PROTECTION |
| 18.10.9.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' | CIS Microsoft Windows 11 Enterprise v3.0.0 BL | Windows | MEDIA PROTECTION |
| 18.10.9.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' | CIS Microsoft Windows 11 Stand-alone v3.0.0 BL | Windows | MEDIA PROTECTION |
| 18.10.9.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | CIS Microsoft Windows 10 Stand-alone v3.0.0 L2 BL NG | Windows | MEDIA PROTECTION |
| 18.10.9.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | CIS Microsoft Windows 11 Enterprise v3.0.0 BL | Windows | MEDIA PROTECTION |
| 18.10.9.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | CIS Microsoft Windows 10 Enterprise v3.0.0 BL | Windows | MEDIA PROTECTION |
| 18.10.9.3.9 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' | CIS Microsoft Windows 11 Enterprise v3.0.0 BL | Windows | MEDIA PROTECTION |
| 18.10.9.3.9 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' | CIS Microsoft Windows 11 Enterprise v3.0.0 L1 + BL | Windows | MEDIA PROTECTION |
| 18.10.9.3.9 (L1) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | MEDIA PROTECTION |
| AllowLLTDIOOndomain | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| AllowRspndrOndomain | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| C:\Program Files (x86) | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| DisableWPDRegistrar | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| EnableLLTDIO | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| If V-6831 is set, this can be NA | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| Root CA 4 | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| WN12-00-000006 - Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-00-000009-01 - Members of the Backup Operators group must be documented. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-00-000014 - System-level information must be backed up in accordance with local recovery time and recovery point objectives. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-AC-000003 - The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL |
| WN12-AC-000004 - The password history must be configured to 24 passwords remembered. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN12-AU-000023 - The system must be configured to audit Detailed Tracking - Process Creation successes. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN12-AU-000053 - The system must be configured to audit Logon/Logoff - Special Logon successes. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN12-AU-000101 - The system must be configured to audit Privilege Use - Sensitive Privilege Use successes. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| WN12-AU-000203-01 - Audit records must be backed up onto a different system or media than the system being audited. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN12-AU-000206 - Permissions for the System event log must prevent access by nonprivileged accounts. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN12-CC-000012 - The configuration of wireless devices using Windows Connect Now must be disabled | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000013 - The Windows Connect Now wizards must be disabled. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000018 - Optional component installation and component repair must be prevented from using Windows Update. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000026 - Users must not be prompted to search Windows Update for device drivers. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000054 - Users must be prompted to authenticate on resume from sleep (on battery). | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN12-CC-000055 - The user must be prompted to authenticate on resume from sleep (plugged in). | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN12-CC-000058 - The system must be configured to prevent unsolicited remote assistance offers. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WN12-CC-000062 - Remote Assistance log files must be generated. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000067 - Access to Windows Online Troubleshooting Service (WOTS) must be prevented. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000070 - Trusted app installation must be enabled to allow for signed enterprise line of business apps. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000096 - Passwords must not be saved in the Remote Desktop Client. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN12-CC-000100 - Remote Desktop Services must be configured with the client connection encryption set to the required level. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL, MAINTENANCE |
| WN12-CC-000105 - Attachments must be prevented from being downloaded from RSS feeds. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000117 - Users must be notified if a web-based program attempts to install software. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000121 - Users must not be presented with Privacy and Installation options on first use of Windows Media Player. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000122 - Windows Media Player must be configured to prevent automatic checking for updates. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000123 - The Windows Remote Management (WinRM) client must not use Basic authentication. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | MAINTENANCE |
| WN12-CC-000126 - The Windows Remote Management (WinRM) service must not use Basic authentication. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | MAINTENANCE |
