| 2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) | CIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.9.2.17 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' | CIS Microsoft Windows 11 Stand-alone v3.0.0 BL | Windows | ACCESS CONTROL |
| 18.10.9.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' | CIS Microsoft Windows 11 Enterprise v3.0.0 L2 + BitLocker | Windows | MEDIA PROTECTION |
| 18.10.9.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | CIS Microsoft Windows 10 Stand-alone v3.0.0 BL | Windows | MEDIA PROTECTION |
| Backup Operators Group is empty | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| Check for duration to be greater than 15 | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| Check if server is Standalone or Member Server | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| DisableUPnPRegistrar | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| Firewall Domain Profile Enabled | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| NoReadingPane | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| Program Files | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| ProhibitRspndrOnPrivateNet | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| System is a member of a domain | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| Test the Lockout Threshold | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | |
| WN12-00-000008 - Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-00-000010 - Policy must require application account passwords be at least 15 characters in length. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN12-00-000012 - Shared user accounts must not be permitted on the system. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN12-00-000016 - Backups of system-level information must be protected. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-00-000019 - Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WN12-00-000100 - The Windows 2012 / 2012 R2 system must use an anti-virus program. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-00-000200 - Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-00-000210 - PowerShell script block logging must be enabled on Windows 2012/2012 R2 - Enabled | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN12-AC-000007 - Passwords must, at a minimum, be 14 characters. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN12-AC-000008 - The built-in Windows password complexity policy must be enabled. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN12-AU-000017 - The system must be configured to audit Account Management - Security Group Management successes. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| WN12-AU-000045 - The system must be configured to audit Logon/Logoff - Logoff successes. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| WN12-AU-000059 - The system must be configured to audit Object Access - Central Access Policy Staging successes. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN12-AU-000086 - The system must be configured to audit Policy Change - Audit Policy Change failures. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| WN12-AU-000102 - The system must be configured to audit Privilege Use - Sensitive Privilege Use failures. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| WN12-AU-000103 - The system must be configured to audit System - IPsec Driver successes. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN12-AU-000107 - The system must be configured to audit System - Security State Change successes. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| WN12-AU-000109 - The system must be configured to audit System - Security System Extension successes. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| WN12-AU-000111 - The system must be configured to audit System - System Integrity successes. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| WN12-AU-000203-02 - The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN12-AU-000204 - Permissions for the Application event log must prevent access by nonprivileged accounts. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN12-AU-000213 - Event Viewer must be protected from unauthorized modification and deletion. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN12-CC-000001 - The Mapper I/O network protocol (LLTDIO) driver must be disabled | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000006 - All Direct Access traffic must be routed through the internal network. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000011 - IP stateless autoconfiguration limits state must be enabled. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000021 - A system restore point must be created when a new device driver is installed. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000027 - Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000029 - Group Policies must be refreshed in the background if the user is logged on. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000032 - Downloading print driver packages over HTTP must be prevented. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000048 - Copying of user input methods to the system account for sign-in must be prevented. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000065 - The detection of compatibility issues for applications and drivers must be turned off. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000072 - Autoplay must be turned off for non-volume devices. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000074 - Autoplay must be disabled for all drives. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000103 - Remote Desktop Services must delete temporary folders when a session is terminated. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
| WN12-CC-000118 - Nonadministrators must be prevented from applying vendor-signed updates. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | CONFIGURATION MANAGEMENT |
