Skip to content

III - Administrative Public

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000002-GPOS-00002

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.

    &lt;VulnDiscussion&gt;If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain...
    Rule Medium Severity
  • SRG-OS-000004-GPOS-00004

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must be configured to audit Account Management - Security Group Management successes.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000004-GPOS-00004

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must be configured to audit Account Management - User Account Management successes.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000004-GPOS-00004

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must be configured to audit Account Management - User Account Management failures.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000004-GPOS-00004

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000021-GPOS-00005

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less.

    &lt;VulnDiscussion&gt;The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the...
    Rule Medium Severity
  • SRG-OS-000021-GPOS-00005

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.

    &lt;VulnDiscussion&gt;The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the ...
    Rule Medium Severity
  • SRG-OS-000023-GPOS-00006

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 required legal notice must be configured to display before console logon.

    &lt;VulnDiscussion&gt;Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access...
    Rule Medium Severity
  • SRG-OS-000023-GPOS-00006

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text.

    &lt;VulnDiscussion&gt;Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access...
    Rule Low Severity
  • SRG-OS-000028-GPOS-00009

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.

    &lt;VulnDiscussion&gt;Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set a...
    Rule Medium Severity
  • SRG-OS-000032-GPOS-00013

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must be configured to audit logon successes.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000032-GPOS-00013

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must be configured to audit logon failures.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000033-GPOS-00014

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.

    &lt;VulnDiscussion&gt;Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the...
    Rule Medium Severity
  • SRG-OS-000033-GPOS-00014

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.

    &lt;VulnDiscussion&gt;Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will en...
    Rule Medium Severity
  • SRG-OS-000042-GPOS-00020

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 command line data must be included in process creation events.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000042-GPOS-00020

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 PowerShell script block logging must be enabled.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000057-GPOS-00027

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000057-GPOS-00027

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000057-GPOS-00027

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000057-GPOS-00027

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.

    &lt;VulnDiscussion&gt;Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with t...
    Rule Medium Severity
  • SRG-OS-000062-GPOS-00031

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings.

    &lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, ...
    Rule Medium Severity
  • SRG-OS-000066-GPOS-00034

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 domain controllers must have a PKI server certificate.

    &lt;VulnDiscussion&gt;Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authentic...
    Rule Medium Severity
  • SRG-OS-000066-GPOS-00034

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).

    &lt;VulnDiscussion&gt;A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is s...
    Rule High Severity
  • SRG-OS-000066-GPOS-00034

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).

    &lt;VulnDiscussion&gt;A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is s...
    Rule High Severity
  • SRG-OS-000066-GPOS-00034

    <GroupDescription></GroupDescription>
    Group
  • Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.

    &lt;VulnDiscussion&gt;To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD roo...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules