Microsoft Windows Server 2019 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop Services" user right defines the accounts that ...Rule Medium Severity -
Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions.
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or dest...Rule High Severity -
Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the in...Rule High Severity -
Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credentials.Rule Medium Severity -
Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Create a token object" user right allows a process to create an access token. This...Rule High Severity -
Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create symbolic links" user right can create pointers to other objec...Rule Medium Severity -
Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Generate security audits" user right specifies users and processes that can genera...Rule Medium Severity -
Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Perform volume maintenance tasks" user right can manage volume and d...Rule Medium Severity -
Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Restore files and directories" user right can circumvent file and di...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.