Microsoft Windows Server 2022 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop Services" user right defines the accounts that ...Rule Medium Severity -
Windows Server 2022 must be running Credential Guard on domain-joined member servers.
Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Sec...Rule High Severity -
Windows Server 2022 must have the built-in guest account disabled.
A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is ini...Rule Medium Severity -
Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure c...Rule Medium Severity -
Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
Unattended systems are susceptible to unauthorized use and must be locked when unattended. The screen saver must be set at a maximum of 15 minutes and be password protected. This protects critical ...Rule Medium Severity -
Windows Server 2022 required legal notice must be configured to display before console logon.
Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-00002...Rule Medium Severity -
Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB ...Rule Medium Severity -
Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB ...Rule Medium Severity -
Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.