II - Mission Support Classified

SRG-OS-000138-GPOS-00069

Windows Server 2019 must not allow anonymous enumeration of shares.

SRG-OS-000138-GPOS-00069

Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.

SRG-OS-000163-GPOS-00072

Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.

SRG-OS-000185-GPOS-00079

Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

SRG-OS-000191-GPOS-00080

Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).

SRG-OS-000240-GPOS-00090

Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.

SRG-OS-000257-GPOS-00098

Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.

SRG-OS-000297-GPOS-00115

Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.

SRG-OS-000297-GPOS-00115

Windows Server 2019 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.

SRG-OS-000312-GPOS-00122

Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.