III - Administrative Public
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000480-GPOS-00227
Group -
The password for the krbtgt account on a domain must be reset at least every 180 days.
The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domain is created and the password is typically not...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's mach...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
Windows Server 2019 must be running Credential Guard on domain-joined member servers.
Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Sec...Rule High Severity -
SRG-OS-000480-GPOS-00227
Group -
Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a sys...Rule High Severity -
SRG-OS-000480-GPOS-00227
Group -
Windows Server 2019 built-in administrator account must be renamed.
The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
Windows Server 2019 built-in guest account must be renamed.
The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized us...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, en...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
Windows Server 2019 must not allow anonymous SID/Name translation.
Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.Rule High Severity -
SRG-OS-000480-GPOS-00227
Group -
Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.