Microsoft Windows Server 2019 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000138-GPOS-00069
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must not allow anonymous enumeration of shares.
<VulnDiscussion>Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can pr...Rule High Severity -
SRG-OS-000138-GPOS-00069
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.
<VulnDiscussion>Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restri...Rule High Severity -
SRG-OS-000163-GPOS-00072
<GroupDescription></GroupDescription>Group -
Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.
<VulnDiscussion>The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The ...Rule Low Severity -
SRG-OS-000185-GPOS-00079
<GroupDescription></GroupDescription>Group -
Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
<VulnDiscussion>This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organiz...Rule Medium Severity -
SRG-OS-000191-GPOS-00080
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
<VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating syste...Rule Medium Severity -
SRG-OS-000240-GPOS-00090
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000257-GPOS-00098
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.
<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefo...Rule Medium Severity -
SRG-OS-000297-GPOS-00115
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log o...Rule Medium Severity -
SRG-OS-000297-GPOS-00115
<GroupDescription></GroupDescription>Group -
Windows Server 2019 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log o...Rule Medium Severity -
SRG-OS-000312-GPOS-00122
<GroupDescription></GroupDescription>Group -
Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the...Rule Medium Severity -
SRG-OS-000312-GPOS-00122
<GroupDescription></GroupDescription>Group -
Windows Server 2019 permissions for program file directories must conform to minimum requirements.
<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the...Rule Medium Severity -
SRG-OS-000312-GPOS-00122
<GroupDescription></GroupDescription>Group -
Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.
<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
<VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permi...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
<VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to...Rule High Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
<VulnDiscussion>Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete direct...Rule High Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.
<VulnDiscussion>Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data...Rule High Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions.
<VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious ...Rule High Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
<VulnDiscussion>When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to c...Rule High Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
<VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious ...Rule High Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with t...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable com...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.
<VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to...Rule High Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
<VulnDiscussion>The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators hel...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable com...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with t...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.