Skip to content
Log In

III - Administrative Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Windows Server 2019 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a service" user right defines accounts that are denied logon as a s...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Windows Server 2019 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on locally" user right defines accounts that are prevented from logging o...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.

    Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Allow log on locally" user right can log on interactively to a system.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must have the roles and features required by the system documented.

    Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (pre...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must not have the Fax Server role installed.

    Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must not have the Peer Name Resolution Protocol installed.

    Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must not have Simple TCP/IP Services installed.

    Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must not have the TFTP Client installed.

    Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed.

    SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.

    SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.

    SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must not have Windows PowerShell 2.0 installed.

    Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade a...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must prevent the display of slide shows on the lock screen.

    Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must have WDigest Authentication disabled.

    When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by defaul...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 downloading print driver packages over HTTP must be turned off.

    Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive informati...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 printing over HTTP must be turned off.

    Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive informati...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.

    Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.

    Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive informati...
    Rule Low Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 Windows Defender SmartScreen must be enabled.

    Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen can block potentially malicious programs or warn users.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.

    Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 must prevent Indexing of encrypted files.

    Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 domain controllers must run on a machine dedicated to that function.

    Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the...
    Rule Medium Severity
    Show

  • SRG-OS-000095-GPOS-00049

    Group
    Show

  • Windows Server 2019 local users on domain-joined member servers must not be enumerated.

    The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.
    Rule Medium Severity
    Show

  • SRG-OS-000096-GPOS-00050

    Group
    Show

  • Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.

    Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.
    Rule Medium Severity
    Show

  • SRG-OS-000096-GPOS-00050

    Group
    Show

  • Windows Server 2019 must not have the Telnet Client installed.

    Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules