| 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.2.5 (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only) | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.6 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.12 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.13 (L1) Ensure 'Create a pagefile' is set to 'Administrators' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.39 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.41 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.45 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.1.5 (L1) Configure 'Accounts: Rename guest account' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.5.3 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 2.3.7.5 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only) | CIS Microsoft Windows Server 2008 Member Server Level 2 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.7.6 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.7.8 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.4.2 (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.5.2 (L1) Ensure 'Audit Logoff' is set to include 'Success' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.5.5 (L1) Ensure 'Audit Special Logon' is set to include 'Success' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 18.4.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.4.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | CIS Microsoft Windows Server 2008 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.5.4.1 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.8.22.1.4 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.8.34.6.1 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 18.8.48.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.8.53.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only) | CIS Microsoft Windows Server 2008 Member Server Level 2 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 18.9.8.2 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | MEDIA PROTECTION |
| 18.9.47.4.1 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.47.15 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.65.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.65.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.65.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' | CIS Microsoft Windows Server 2008 Member Server Level 2 v3.3.1 | Windows | ACCESS CONTROL |
| 18.9.86.2.1 (L1) Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.90.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 18.9.102.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.103.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 19.7.43.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
