Microsoft Windows Server 2019 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Take ownership of files or other objects" user right can take owners...Rule Medium Severity -
Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured to audit System - Other System Events failures.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured to audit System - System Integrity successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings.
When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact...Rule Medium Severity -
Windows Server 2019 Active Directory Domain object must be configured with proper audit settings.
When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact...Rule Medium Severity -
Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact...Rule Medium Severity -
Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings.
When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact...Rule Medium Severity -
Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings.
When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact...Rule Medium Severity -
Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 account lockout duration must be configured to 15 minutes or greater.
The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified nu...Rule Medium Severity -
The Windows Server 2019 time service must synchronize with an appropriate DOD time source.
The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Windows Time Service is used, it must synchronize...Rule Low Severity -
Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
Using an allowlist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential v...Rule Medium Severity -
Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. Satisfies: SRG-OS-00037...Rule Medium Severity -
Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. Satisfies: SRG-OS-000393-GPOS-0017...Rule Medium Severity -
Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.
Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server...Rule Low Severity -
Windows Server 2019 domain controllers must require LDAP access signing.
Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In...Rule Medium Severity -
Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB ...Rule Medium Severity -
Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB ...Rule Medium Severity -
Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured to audit Object Access - Removable Storage failures.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running...Rule High Severity -
Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are use...Rule Medium Severity -
Windows Server 2019 must be maintained at a supported servicing level.
Systems at unsupported servicing levels will not receive security updates for new vulnerabilities, which leave them subject to exploitation. Systems must be maintained at a servicing level supporte...Rule High Severity -
Windows Server 2019 must have a host-based intrusion detection or prevention system.
A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical servers...Rule Medium Severity -
Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows, including Virtualizatio...Rule Low Severity -
Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
An exportable version of credentials is provided to remote hosts when using credential delegation which exposes them to theft on the remote host. Restricted Admin mode or Remote Credential Guard a...Rule Medium Severity -
Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. This setting ensures...Rule Medium Severity -
Windows Server 2019 Telemetry must be configured to Security or Basic.
Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information ...Rule Medium Severity -
Windows Server 2019 users must be notified if a web-based program attempts to install software.
Web-based programs may attempt to install malicious software on a system. Ensuring users are notified if a web-based program attempts to install software allows them to refuse the installation.Rule Medium Severity -
The password for the krbtgt account on a domain must be reset at least every 180 days.
The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domain is created and the password is typically not...Rule Medium Severity -
Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a sys...Rule High Severity -
Windows Server 2019 built-in administrator account must be renamed.
The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.Rule Medium Severity -
Windows Server 2019 built-in guest account must be renamed.
The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized us...Rule Medium Severity -
Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, en...Rule Medium Severity -
Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.Rule Medium Severity -
Windows Server 2019 must prevent PKU2U authentication using online identities.
PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user acc...Rule Medium Severity -
Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compa...Rule High Severity -
Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
This setting controls the signing requirements for LDAP clients. This must be set to "Negotiate signing" or "Require signing", depending on the environment and type of LDAP server in use.Rule Medium Severity -
Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.Rule Medium Severity -
Windows Server 2019 default permissions of global system objects must be strengthened.
Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default Discretionary Access Control List ...Rule Low Severity -
Windows Server 2019 must have PowerShell Transcription enabled.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 must be configured for named-based strong mappings for certificates.
Weak mappings give rise to security vulnerabilities and demand hardening measures. Certificate names must be correctly mapped to the intended user account in Active Directory. A lack of strong name...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.