Microsoft Windows Server 2016 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Non-administrative accounts or groups must only have print permissions on printer shares.
Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration can permit access to devices and data beyond a...Rule Low Severity -
Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidential...Rule High Severity -
Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of al...Rule Medium Severity -
Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activatio...Rule Medium Severity -
The TFTP Client must not be installed.
Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.Rule Medium Severity -
The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.Rule Medium Severity -
Windows PowerShell 2.0 must not be installed.
Windows PowerShell 5.0 added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade a...Rule Medium Severity -
FTP servers must be configured to prevent access to the system drive.
The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, especially if the user can gain access to the roo...Rule Medium Severity -
Secure Boot must be enabled on Windows Server 2016 systems.
Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows Server 2016, including Virtualizat...Rule Low Severity -
Windows Server 2016 maximum password age must be configured to 60 days or less.
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.