I - Mission Critical Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000104-GPOS-00051
Group -
Windows Server 2019 shared user accounts must not be permitted.
Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation...Rule Medium Severity -
SRG-OS-000104-GPOS-00051
Group -
Windows Server 2019 accounts must require passwords.
The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accoun...Rule Medium Severity -
SRG-OS-000105-GPOS-00052
Group -
Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication. ...Rule Medium Severity -
SRG-OS-000112-GPOS-00057
Group -
Windows Server 2019 Kerberos user logon restrictions must be enforced.
This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is e...Rule Medium Severity -
SRG-OS-000112-GPOS-00057
Group -
Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connectio...Rule Medium Severity -
SRG-OS-000112-GPOS-00057
Group -
Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.
In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limit...Rule Medium Severity -
SRG-OS-000112-GPOS-00057
Group -
Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
This setting determines the period of time (in days) during which a user's TGT may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access...Rule Medium Severity -
SRG-OS-000112-GPOS-00057
Group -
Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two cl...Rule Medium Severity -
SRG-OS-000118-GPOS-00060
Group -
Windows Server 2019 outdated or unused accounts must be removed or disabled.
Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.Rule Medium Severity -
SRG-OS-000120-GPOS-00061
Group -
Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. Note: Organizations with domain controllers running earlier ve...Rule Medium Severity -
SRG-OS-000121-GPOS-00062
Group -
Windows Server 2019 must have the built-in guest account disabled.
A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is ini...Rule Medium Severity -
SRG-OS-000123-GPOS-00064
Group -
Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activatio...Rule Medium Severity -
SRG-OS-000125-GPOS-00065
Group -
Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.
Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.Rule High Severity -
SRG-OS-000125-GPOS-00065
Group -
Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.
Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce this potential.Rule Medium Severity -
SRG-OS-000125-GPOS-00065
Group -
Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.
Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.Rule High Severity -
SRG-OS-000134-GPOS-00068
Group -
Windows Server 2019 administrator accounts must not be enumerated during elevation.
Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a usern...Rule Medium Severity -
SRG-OS-000134-GPOS-00068
Group -
Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabled, filtering the privileged token for local ad...Rule Medium Severity -
SRG-OS-000134-GPOS-00068
Group -
Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface Accessibility...Rule Medium Severity -
SRG-OS-000134-GPOS-00068
Group -
Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements...Rule Medium Severity -
SRG-OS-000134-GPOS-00068
Group -
Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.
User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to applic...Rule Medium Severity -
SRG-OS-000134-GPOS-00068
Group -
Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a...Rule Medium Severity -
SRG-OS-000134-GPOS-00068
Group -
Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtuali...Rule Medium Severity -
SRG-OS-000138-GPOS-00069
Group -
Windows Server 2019 non-system-created file shares must limit access to groups that require it.
Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that requir...Rule Medium Severity -
SRG-OS-000138-GPOS-00069
Group -
Windows Server 2019 Remote Desktop Services must prevent drive redirection.
Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.Rule Medium Severity -
SRG-OS-000138-GPOS-00069
Group -
Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.
When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory serv...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.