Skip to content
Log In

Microsoft Windows Server 2022 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions.

    Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. The SYSVOL directory contains public files (to the domain) such as po...
    Rule High Severity
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.

    When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or dest...
    Rule High Severity
    Show

  • SRG-OS-000138-GPOS-00069

    Group
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2022 domain controllers must run on a machine dedicated to that function.

    Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the...
    Rule Medium Severity
    Show

  • SRG-OS-000396-GPOS-00176

    Group
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • SRG-OS-000163-GPOS-00072

    Group
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.

    When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact...
    Rule Medium Severity
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings.

    When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact...
    Rule Medium Severity
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • SRG-OS-000004-GPOS-00004

    Group
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • SRG-OS-000327-GPOS-00127

    Group
    Show

  • Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
    Rule Medium Severity
    Show

  • SRG-OS-000066-GPOS-00034

    Group
    Show

  • Windows Server 2022 domain controllers must have a PKI server certificate.

    Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers must...
    Rule Medium Severity
    Show

  • SRG-OS-000066-GPOS-00034

    Group
    Show

  • SRG-OS-000066-GPOS-00034

    Group
    Show

  • Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).

    A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have li...
    Rule High Severity
    Show

  • SRG-OS-000105-GPOS-00052

    Group
    Show

  • SRG-OS-000423-GPOS-00187

    Group
    Show

  • Windows Server 2022 domain controllers must require LDAP access signing.

    Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access this computer from the network" right may access resources on...
    Rule Medium Severity
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Allow log on through Remote Desktop Services" user right can access ...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny access to this computer from the network" user right defines the accounts tha...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a batch job" user right defines accounts that are prevented from lo...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a service" user right defines accounts that are denied logon as a s...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on locally" user right defines accounts that are prevented from logging o...
    Rule Medium Severity
    Show

  • SRG-OS-000297-GPOS-00115

    Group
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts to be trusted for delegation" user right allows ...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules