II - Mission Support Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The password for the krbtgt account on a domain must be reset at least every 180 days.
<VulnDiscussion>The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and passwor...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
<VulnDiscussion>The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feat...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must be running Credential Guard on domain-joined member servers.
<VulnDiscussion>Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if comprom...Rule High Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
<VulnDiscussion>An account without a password can allow unauthorized access to a system as only the username would be required. Password poli...Rule High Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Windows Server 2019 built-in administrator account must be renamed.
<VulnDiscussion>The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name i...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Windows Server 2019 built-in guest account must be renamed.
<VulnDiscussion>The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
<VulnDiscussion>Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
<VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must not allow anonymous SID/Name translation.
<VulnDiscussion>Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must ...Rule High Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
<VulnDiscussion>Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thu...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.