I - Mission Critical Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000138-GPOS-00069
Group -
Windows Server 2019 must not allow anonymous enumeration of shares.
Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.Rule High Severity -
SRG-OS-000138-GPOS-00069
Group -
Windows Server 2019 must restrict anonymous access to Named Pipes and Shares.
Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in "Network access: Named Pipes that can be ...Rule High Severity -
SRG-OS-000163-GPOS-00072
Group -
Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.
The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker ...Rule Low Severity -
SRG-OS-000185-GPOS-00079
Group -
Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidential...Rule High Severity -
SRG-OS-000191-GPOS-00080
Group -
Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits prese...Rule Medium Severity -
SRG-OS-000240-GPOS-00090
Group -
Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...Rule Medium Severity -
SRG-OS-000257-GPOS-00098
Group -
Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operatio...Rule Medium Severity -
SRG-OS-000297-GPOS-00115
Group -
Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop Services" user right defines the accounts that ...Rule Medium Severity -
SRG-OS-000297-GPOS-00115
Group -
Windows Server 2019 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop Services" user right defines the accounts that ...Rule Medium Severity -
SRG-OS-000312-GPOS-00122
Group -
Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. The default permissions a...Rule Medium Severity -
SRG-OS-000312-GPOS-00122
Group -
Windows Server 2019 permissions for program file directories must conform to minimum requirements.
Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. The default permissions a...Rule Medium Severity -
SRG-OS-000312-GPOS-00122
Group -
Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.
Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. The default permissions a...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and mak...Rule High Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails.Rule High Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. The SYSVOL directory contains public files (to the domain) such as po...Rule High Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions.
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or dest...Rule High Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the in...Rule High Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or dest...Rule High Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Add workstations to domain" right may add computers to a domain. Thi...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts to be trusted for delegation" user right allows ...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.
An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and mak...Rule High Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credentials.Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts to be trusted for delegation" user right allows ...Rule Medium Severity -
SRG-OS-000324-GPOS-00125
Group -
Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access Credential Manager as a trusted caller" user right may be abl...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.