Microsoft Windows Server 2019 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000066-GPOS-00034
Group -
SRG-OS-000066-GPOS-00034
Group -
Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD root certificates will ensure that the trust chain is established for serve...Rule Medium Severity -
SRG-OS-000066-GPOS-00034
Group -
SRG-OS-000066-GPOS-00034
Group -
Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB In...Rule Medium Severity -
SRG-OS-000067-GPOS-00035
Group -
SRG-OS-000069-GPOS-00037
Group -
Windows Server 2019 must have the built-in Windows password complexity policy enabled.
The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (n...Rule Medium Severity -
SRG-OS-000073-GPOS-00041
Group -
SRG-OS-000073-GPOS-00041
Group -
Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.
The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the...Rule High Severity -
SRG-OS-000074-GPOS-00042
Group -
SRG-OS-000075-GPOS-00043
Group -
Windows Server 2019 minimum password age must be configured to at least one day.
Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose o...Rule Medium Severity -
SRG-OS-000076-GPOS-00044
Group -
Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password mi...Rule Medium Severity -
SRG-OS-000076-GPOS-00044
Group -
Windows Server 2019 passwords must be configured to expire.
Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.Rule Medium Severity -
SRG-OS-000076-GPOS-00044
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.