Microsoft Windows Server 2019 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Windows Server 2019 system files must be monitored for unauthorized changes.
<VulnDiscussion>Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malici...Rule Medium Severity -
SRG-OS-000368-GPOS-00154
<GroupDescription></GroupDescription>Group -
SRG-OS-000125-GPOS-00065
<GroupDescription></GroupDescription>Group -
SRG-OS-000134-GPOS-00068
<GroupDescription></GroupDescription>Group -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
SRG-OS-000004-GPOS-00004
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must be configured to audit Account Management - Security Group Management successes.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must be configured to audit Account Management - User Account Management successes.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
<GroupDescription></GroupDescription>Group -
SRG-OS-000028-GPOS-00009
<GroupDescription></GroupDescription>Group -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
SRG-OS-000095-GPOS-00049
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must be configured to audit Account Management - User Account Management failures.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less.
<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the ...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
<GroupDescription></GroupDescription>Group -
Windows Server 2019 required legal notice must be configured to display before console logon.
<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
<GroupDescription></GroupDescription>Group -
Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text.
<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access...Rule Low Severity -
Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
<VulnDiscussion>Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set a...Rule Medium Severity -
SRG-OS-000032-GPOS-00013
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must be configured to audit logon successes.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000032-GPOS-00013
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must be configured to audit logon failures.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000033-GPOS-00014
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
<VulnDiscussion>Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the...Rule Medium Severity -
SRG-OS-000033-GPOS-00014
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
<VulnDiscussion>Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will en...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
<GroupDescription></GroupDescription>Group -
Windows Server 2019 command line data must be included in process creation events.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
<GroupDescription></GroupDescription>Group -
Windows Server 2019 PowerShell script block logging must be enabled.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000057-GPOS-00027
<GroupDescription></GroupDescription>Group -
Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000057-GPOS-00027
<GroupDescription></GroupDescription>Group -
Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000057-GPOS-00027
<GroupDescription></GroupDescription>Group -
Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000057-GPOS-00027
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must not have the Peer Name Resolution Protocol installed.
<VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authe...Rule Medium Severity -
Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.
<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with t...Rule Medium Severity -
SRG-OS-000062-GPOS-00031
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings.
<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...Rule Medium Severity -
SRG-OS-000066-GPOS-00034
<GroupDescription></GroupDescription>Group -
Windows Server 2019 domain controllers must have a PKI server certificate.
<VulnDiscussion>Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authentic...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.