Skip to content

Microsoft Windows Server 2019 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.

    &lt;VulnDiscussion&gt;Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log o...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.

    &lt;VulnDiscussion&gt;Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log o...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.

    &lt;VulnDiscussion&gt;Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with t...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must have the roles and features required by the system documented.

    &lt;VulnDiscussion&gt;Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must not have the Fax Server role installed.

    &lt;VulnDiscussion&gt;Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authe...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must not have the Peer Name Resolution Protocol installed.

    &lt;VulnDiscussion&gt;Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authe...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must not have Simple TCP/IP Services installed.

    &lt;VulnDiscussion&gt;Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authe...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must not have the TFTP Client installed.

    &lt;VulnDiscussion&gt;Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authe...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed.

    &lt;VulnDiscussion&gt;SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks s...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.

    &lt;VulnDiscussion&gt;SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks s...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.

    &lt;VulnDiscussion&gt;SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks s...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must not have Windows PowerShell 2.0 installed.

    &lt;VulnDiscussion&gt;Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a syst...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must prevent the display of slide shows on the lock screen.

    &lt;VulnDiscussion&gt;Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off ...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must have WDigest Authentication disabled.

    &lt;VulnDiscussion&gt;When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsyste...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 downloading print driver packages over HTTP must be turned off.

    &lt;VulnDiscussion&gt;Some features may communicate with the vendor, sending system information or downloading data or components for the feature. ...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 printing over HTTP must be turned off.

    &lt;VulnDiscussion&gt;Some features may communicate with the vendor, sending system information or downloading data or components for the feature. ...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.

    &lt;VulnDiscussion&gt;Enabling interaction with the network selection UI allows users to change connections to available networks without signing i...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.

    &lt;VulnDiscussion&gt;Some features may communicate with the vendor, sending system information or downloading data or components for the feature. ...
    Rule Low Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 Windows Defender SmartScreen must be enabled.

    &lt;VulnDiscussion&gt;Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.

    &lt;VulnDiscussion&gt;Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must prevent Indexing of encrypted files.

    &lt;VulnDiscussion&gt;Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.&lt;/VulnDisc...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 domain controllers must run on a machine dedicated to that function.

    &lt;VulnDiscussion&gt;Executing application servers on the same host machine with a directory server may substantially weaken the security of the d...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 local users on domain-joined member servers must not be enumerated.

    &lt;VulnDiscussion&gt;The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of us...
    Rule Medium Severity
  • SRG-OS-000096-GPOS-00050

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.

    &lt;VulnDiscussion&gt;Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authe...
    Rule Medium Severity
  • SRG-OS-000096-GPOS-00050

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must not have the Telnet Client installed.

    &lt;VulnDiscussion&gt;Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authe...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules