
Microsoft Windows Server 2016 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000134-GPOS-00068

    Group
  • SRG-OS-000373-GPOS-00157

    Group
  • User Account Control must run all administrators in Admin Approval Mode, enabling UAC.

    User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. Satisfies: SRG-OS-00037...
    Rule Medium Severity
  • SRG-OS-000134-GPOS-00068

    Group
  • User Account Control must virtualize file and registry write failures to per-user locations.

    User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applicat...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • Zone information must be preserved when saving attachments.

    Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access Credential Manager as a trusted caller" user right may be abl...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • SRG-OS-000080-GPOS-00048

    Group
  • The Allow log on locally user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Allow log on locally" user right can log on interactively to a system.
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • The Create a pagefile user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create a pagefile" user right can change the size of a pagefile, whi...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • SRG-OS-000324-GPOS-00125

    Group
  • The Create permanent shared objects user right must not be assigned to any groups or accounts.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create permanent shared objects" user right could expose sensitive d...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • The Create symbolic links user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create symbolic links" user right can create pointers to other objec...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • The Debug programs user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Debug programs" user right can attach a debugger to any process or t...
    Rule High Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • SRG-OS-000324-GPOS-00125

    Group
  • The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Impersonate a client after authentication" user right allows a program to imperson...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • The Increase scheduling priority user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Increase scheduling priority" user right can change a scheduling pri...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • The Load and unload device drivers user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Load and unload device drivers" user right allows a user to load device drivers dy...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • The Lock pages in memory user right must not be assigned to any groups or accounts.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Lock pages in memory" user right allows physical memory to be assigned to processe...
    Rule Medium Severity
  • SRG-OS-000057-GPOS-00027

    Group
  • SRG-OS-000324-GPOS-00125

    Group
  • SRG-OS-000324-GPOS-00125

    Group
  • The Perform volume maintenance tasks user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Perform volume maintenance tasks" user right can manage volume and d...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • SRG-OS-000324-GPOS-00125

    Group
  • The Create a token object user right must not be assigned to any groups or accounts.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Create a token object" user right allows a process to create an access token. This...
    Rule High Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • The Restore files and directories user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Restore files and directories" user right can circumvent file and di...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • The Windows Explorer Preview pane must be disabled for Windows Server 2016.

    A known vulnerability in Windows could allow the execution of malicious code by either opening a compromised document or viewing it in the Windows Preview pane. Organizations must disable the Wind...
    Rule Medium Severity
  • SRG-OS-000041-GPOS-00019

    Group
  • Windows Server 2016 must have PowerShell Transcription enabled.

    Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
    Rule Medium Severity
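Several of the rules above (UAC Admin Approval Mode, UAC file/registry virtualization, preserving zone information, disabling the Explorer preview pane, PowerShell transcription) are backed by a single registry value set through Group Policy. The following PowerShell script is an added example written for this page; it is not DISA's check or fix content. The registry paths and expected values are the ones the STIG check procedures use, which this listing does not reproduce, so confirm them against the full rule text before relying on them. The `-Fix` switch and the `Rule` labels are this example's own additions.

```powershell
# Added example (not part of the STIG): check the registry-backed rules listed above.
# Run from an elevated PowerShell on Windows Server 2016 (PowerShell 5.1).
param([switch]$Fix)   # -Fix writes the expected value; only meaningful on a standalone host

$checks = @(
    @{ Rule = 'UAC: run all administrators in Admin Approval Mode'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';            Expected = 1 }
    @{ Rule = 'UAC: virtualize file and registry write failures'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableVirtualization'; Expected = 1 }
    @{ Rule = 'Preserve zone information when saving attachments'
       # 2 = the "Do not preserve zone information" policy is Disabled, i.e. zone info is kept
       Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'
       Name = 'SaveZoneInformation';  Expected = 2 }
    @{ Rule = 'Explorer preview pane disabled'
       Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoPreviewPane';        Expected = 1 }
    @{ Rule = 'Explorer reading (details) pane disabled'
       Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoReadingPane';        Expected = 1 }
    @{ Rule = 'PowerShell transcription enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
       Name = 'EnableTranscripting';  Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing key or value reads as $null, which is a finding for every rule above.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
    $pass   = ($actual -eq $c.Expected)

    if (-not $pass -and $Fix) {
        # Direct registry remediation. On a domain-joined host set the matching Group Policy
        # instead; the next policy refresh would otherwise overwrite this.
        New-Item -Path $c.Path -Force | Out-Null
        New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord `
                         -Value $c.Expected -Force | Out-Null
    }

    [pscustomobject]@{
        Status   = if ($pass) { 'PASS' } else { 'FAIL' }
        Rule     = $c.Rule
        Actual   = if ($null -eq $actual) { '(missing)' } else { $actual }
        Expected = $c.Expected
    }
}

$results | Format-Table -AutoSize
```

Two caveats a reviewer would want: the HKCU checks describe only the user running the script, so an audit has to be run as (or against the hive of) each interactive user that matters; and a change to EnableLUA takes effect only after a reboot, so a PASS immediately after `-Fix` does not yet mean UAC is enforcing Admin Approval Mode. The transcription check covers only the enable flag; the full rule also cares where the transcripts are written and how that location is protected.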
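The "zone information" the attachment rule preserves is concrete: on NTFS, Windows records the zone of origin in a `Zone.Identifier` alternate data stream on the file, and Explorer and SmartScreen read it before letting the file run. The snippet below is an added example, not part of the STIG; it fabricates a sample file and writes the stream by hand so it runs offline with no download, and it requires a `$env:TEMP` on an NTFS volume.

```powershell
# Added example (not part of the STIG): what preserved zone information looks like.
$file = Join-Path $env:TEMP 'zone-demo.txt'
Set-Content -Path $file -Value 'constructed sample content'

# Simulate what a browser or mail client writes for an Internet-origin file.
# ZoneId=3 is the Internet zone (0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted).
Set-Content -Path $file -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# The file now carries two streams: the default :$DATA plus Zone.Identifier.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read the mark back; this is what the "preserve zone information" rule keeps attached.
Get-Content -Path $file -Stream 'Zone.Identifier'

# Unblock-File deletes the stream, after which the file is treated as local-origin.
# A client configured NOT to preserve zone information never writes the stream at all.
Unblock-File -Path $file
Get-Item -Path $file -Stream * | Select-Object Stream   # only :$DATA remains

Remove-Item -Path $file
```

Copying the file to a FAT/exFAT volume or through a transport that does not carry alternate data streams silently drops the mark, which is why the rule only makes the downstream checks possible rather than guaranteeing them.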
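Thirteen of the rules above are user-rights assignments. They can be audited in one pass by exporting the local security policy with `secedit` and comparing the `[Privilege Rights]` section against the groups each rule allows. The script below is an added example written for this page, not DISA's check content; the constant names are the Windows privilege constants behind each rule title, and the expected members are expressed as well-known SIDs. It implements the member-server values as listed above; the full STIG has separate domain-controller variants and documented exceptions (for example, Hyper-V hosts and the "Create symbolic links" right), which are not encoded here.

```powershell
# Added example (not part of the STIG): audit the user-rights rules listed above against
# a secedit export. Run from an elevated PowerShell; secedit reads the local policy database.
# Well-known SIDs: S-1-5-32-544 Administrators, S-1-5-6 Service,
#                  S-1-5-19 Local Service,      S-1-5-20 Network Service
$expected = @{
    'SeTrustedCredManAccessPrivilege' = @()                        # Access Credential Manager as a trusted caller
    'SeInteractiveLogonRight'         = @('S-1-5-32-544')          # Allow log on locally
    'SeCreatePagefilePrivilege'       = @('S-1-5-32-544')          # Create a pagefile
    'SeCreatePermanentPrivilege'      = @()                        # Create permanent shared objects
    'SeCreateSymbolicLinkPrivilege'   = @('S-1-5-32-544')          # Create symbolic links
    'SeDebugPrivilege'                = @('S-1-5-32-544')          # Debug programs
    'SeImpersonatePrivilege'          = @('S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20')
    'SeIncreaseBasePriorityPrivilege' = @('S-1-5-32-544')          # Increase scheduling priority
    'SeLoadDriverPrivilege'           = @('S-1-5-32-544')          # Load and unload device drivers
    'SeLockMemoryPrivilege'           = @()                        # Lock pages in memory
    'SeManageVolumePrivilege'         = @('S-1-5-32-544')          # Perform volume maintenance tasks
    'SeCreateTokenPrivilege'          = @()                        # Create a token object
    'SeRestorePrivilege'              = @('S-1-5-32-544')          # Restore files and directories
}

$inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# secedit writes lines such as "SeDebugPrivilege = *S-1-5-32-544,*S-1-5-..." (UTF-16) and
# omits rights that are assigned to nobody, so absence from the section means "not assigned".
$assigned  = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^\s*(\S+)\s*=\s*(.*)$') { continue }
    $assigned[$Matches[1]] = @($Matches[2] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}
Remove-Item -Path $inf -Force

function Resolve-Sid([string]$Sid) {
    # Best-effort name for the report; an unresolvable SID (or a plain account name) is shown as-is.
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

foreach ($right in ($expected.Keys | Sort-Object)) {
    $have  = if ($assigned.ContainsKey($right)) { $assigned[$right] } else { @() }
    # Every rule above is phrased as "only"/"not assigned", so any member outside the
    # allowed set is the finding; an allowed group being absent is not.
    $extra = @($have | Where-Object { $expected[$right] -notcontains $_ })
    $state = if ($extra.Count -gt 0) { 'FAIL' } else { 'PASS' }
    $names = ($have | ForEach-Object { Resolve-Sid $_ }) -join ', '
    '{0,-4} {1,-32} {2}' -f $state, $right, $(if ($names) { $names } else { '(not assigned)' })
}
```

Because the export reflects the effective local policy, rights pushed by Group Policy show up here too, which makes this a useful spot check after a GPO change. A FAIL for `SeImpersonatePrivilege` is common on hosts running IIS or SQL Server, whose service accounts are granted it at install time; those are the cases to document rather than silently strip.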