CUI

Scan: _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl

Scan Information

Hull Number: T-ESD-1
Scan Date: 2026-01-14
Source File: MONT-DB-002 WinServer2016 20251023-144132
Source Tool: Evaluate-STIG
Imported: 2026-01-14 17:57
STIG Benchmark: Microsoft Windows Server 2016 Security Technical Implementation Guide
Version: V2R10
Score: 94.1%
Total: 273
Open: 16

OCA Technology Area


Hostname: MONT-DB-002
STIG Benchmark: Microsoft Windows Server 2016 Security Technical Implementation Guide
Current Area: Windows OS

STIG Rule Mapping

Mapped to STIG: 273
Unmapped: 0
Total Findings: 273
All findings mapped to STIG rules.

Checklist Scoring

Severity | Not a Finding | Not Applicable | Open | Not Reviewed | Total
CAT I | 23 | 10 | 2 | 0 | 35
CAT II | 170 | 41 | 14 | 0 | 225
CAT III | 11 | 2 | 0 | 0 | 13
Total | 204 | 53 | 16 | 0 | 273

Comparison with Previous Scan

New: 0
Resolved: 0
Changed: 70
Unchanged: 190
NA to NF: 10

Warning: 10 finding(s) changed from Not Applicable to Not a Finding

This may indicate a regression or improper status change. Please review these findings.

Status transitions:
NotAFinding → Open: 1
Open → Not_Applicable: 14
Open → NotAFinding: 10
Not_Reviewed → Open: 1
NotAFinding → Not_Applicable: 26
Not_Reviewed → Not_Applicable: 4
Not_Applicable → NotAFinding: 10
Not_Applicable → Open: 4

Vuln IDs (273)

V-224819 Users with Administrative privileges must have sep...
V-224820 Passwords for the built-in Administrator account m...
V-224821 Administrative accounts must not be used with appl...
V-224822 Members of the Backup Operators group must have se...
V-224823 Manually managed application account passwords mus...
V-224824 Manually managed application account passwords mus...
V-224825 Shared user accounts must not be permitted on the ...
V-224826 Windows Server 2016 must employ a deny-all, permit...
V-224827 Windows Server 2016 domain-joined systems must hav...
V-224828 Systems must be maintained at a supported servicin...
V-224829 The Windows Server 2016 system must use an anti-vi...
V-224830 Servers must have a host-based intrusion detection...
V-224831 Local volumes must use a format that supports NTFS...
V-224832 Permissions for the system drive root directory (u...
V-224833 Permissions for program file directories must conf...
V-224834 Permissions for the Windows installation directory...
V-224835 Default permissions for the HKEY_LOCAL_MACHINE reg...
V-224836 Non-administrative accounts or groups must only ha...
V-224837 Outdated or unused accounts must be removed from t...
V-224838 Windows Server 2016 accounts must require password...
V-224839 Passwords must be configured to expire.
V-224840 System files must be monitored for unauthorized ch...
V-224841 Non-system-created file shares on a system must li...
V-224842 Software certificate installation files must be re...
V-224843 Systems requiring data at rest protections must em...
V-224844 Protection methods such as TLS, encrypted VPNs, or...
V-224845 The roles and features required by the system must...
V-224846 A host-based firewall must be installed and enable...
V-224847 Windows Server 2016 must employ automated mechani...
V-224848 Windows Server 2016 must automatically remove or d...
V-224849 Windows Server 2016 must automatically remove or d...
V-224850 The Fax Server role must not be installed.
V-224851 The Microsoft FTP service must not be installed un...
V-224852 The Peer Name Resolution Protocol must not be inst...
V-224853 Simple TCP/IP Services must not be installed.
V-224854 The Telnet Client must not be installed.
V-224855 The TFTP Client must not be installed.
V-224856 The Server Message Block (SMB) v1 protocol must be...
V-224857 The Server Message Block (SMB) v1 protocol must be...
V-224858 The Server Message Block (SMB) v1 protocol must be...
V-224859 Windows PowerShell 2.0 must not be installed.
V-224860 FTP servers must be configured to prevent anonymou...
V-224861 FTP servers must be configured to prevent access t...
V-224862 The time service must synchronize with an appropri...
V-224863 Orphaned security identifiers (SIDs) must be remov...
V-224864 Secure Boot must be enabled on Windows Server 2016...
V-224865 Windows 2016 systems must have Unified Extensible ...
V-224866 Windows 2016 account lockout duration must be conf...
V-224867 Windows Server 2016 must have the number of allowe...
V-224868 Windows Server 2016 must have the period of time b...
V-224869 Windows Server 2016 password history must be confi...
V-224870 Windows Server 2016 maximum password age must be c...
V-224871 Windows Server 2016 minimum password age must be c...
V-224872 Windows Server 2016 minimum password length must b...
V-224873 Windows Server 2016 must have the built-in Windows...
V-224874 Windows Server 2016 reversible password encryption...
V-224875 Audit records must be backed up to a different sys...
V-224876 Windows Server 2016 must, at a minimum, offload au...
V-224877 Permissions for the Application event log must pre...
V-224878 Permissions for the Security event log must preven...
V-224879 Permissions for the System event log must prevent ...
V-224880 Event Viewer must be protected from unauthorized m...
V-224881 Windows Server 2016 must be configured to audit Ac...
V-224882 Windows Server 2016 must be configured to audit Ac...
V-224883 Windows Server 2016 must be configured to audit Ac...
V-224884 Windows Server 2016 must be configured to audit Ac...
V-224885 Windows Server 2016 must be configured to audit Ac...
V-224886 Windows Server 2016 must be configured to audit Ac...
V-224887 Windows Server 2016 must be configured to audit De...
V-224888 Windows Server 2016 must be configured to audit De...
V-224890 Windows Server 2016 must be configured to audit Lo...
V-224891 Windows Server 2016 must be configured to audit Lo...
V-224892 Windows Server 2016 must be configured to audit Lo...
V-224893 Windows Server 2016 must be configured to audit Lo...
V-224894 Windows Server 2016 must be configured to audit Lo...
V-224895 Windows Server 2016 must be configured to audit Lo...
V-224896 Windows 2016 must be configured to audit Object Ac...
V-224897 Windows 2016 must be configured to audit Object Ac...
V-224898 Windows Server 2016 must be configured to audit Ob...
V-224899 Windows Server 2016 must be configured to audit Ob...
V-224900 Windows Server 2016 must be configured to audit Po...
V-224901 Windows Server 2016 must be configured to audit Po...
V-224902 Windows Server 2016 must be configured to audit Po...
V-224903 Windows Server 2016 must be configured to audit Po...
V-224904 Windows Server 2016 must be configured to audit Pr...
V-224905 Windows Server 2016 must be configured to audit Pr...
V-224906 Windows Server 2016 must be configured to audit Sy...
V-224907 Windows Server 2016 must be configured to audit Sy...
V-224908 Windows Server 2016 must be configured to audit Sy...
V-224909 Windows Server 2016 must be configured to audit Sy...
V-224910 Windows Server 2016 must be configured to audit Sy...
V-224911 Windows Server 2016 must be configured to audit Sy...
V-224912 Windows Server 2016 must be configured to audit Sy...
V-224913 Windows Server 2016 must be configured to audit Sy...
V-224914 The display of slide shows on the lock screen must...
V-224915 WDigest Authentication must be disabled on Windows...
V-224916 Internet Protocol version 6 (IPv6) source routing ...
V-224917 Source routing must be configured to the highest p...
V-224918 Windows Server 2016 must be configured to prevent ...
V-224919 Windows Server 2016 must be configured to ignore N...
V-224920 Insecure logons to an SMB server must be disabled.
V-224921 Hardened UNC paths must be defined to require mutu...
V-224922 Command line data must be included in process crea...
V-224923 Windows Server 2016 virtualization-based security ...
V-224924 Early Launch Antimalware, Boot-Start Driver Initia...
V-224925 Group Policy objects must be reprocessed even if t...
V-224926 Downloading print driver packages over HTTP must b...
V-224927 Printing over HTTP must be prevented.
V-224928 The network selection user interface (UI) must not...
V-224929 Users must be prompted to authenticate when the sy...
V-224930 Users must be prompted to authenticate when the sy...
V-224931 The Application Compatibility Program Inventory mu...
V-224932 AutoPlay must be turned off for non-volume devices...
V-224933 The default AutoRun behavior must be configured to...
V-224934 AutoPlay must be disabled for all drives.
V-224935 Administrator accounts must not be enumerated duri...
V-224936 Windows Telemetry must be configured to Security o...
V-224937 The Application event log size must be configured ...
V-224938 The Security event log size must be configured to ...
V-224939 The System event log size must be configured to 32...
V-224940 Windows Server 2016 Windows SmartScreen must be en...
V-224941 Explorer Data Execution Prevention must be enabled...
V-224942 Turning off File Explorer heap termination on corr...
V-224943 File Explorer shell protocol must run in protected...
V-224944 Passwords must not be saved in the Remote Desktop ...
V-224945 Local drives must be prevented from sharing with R...
V-224946 Remote Desktop Services must always prompt a clien...
V-224947 The Remote Desktop Session Host must require secur...
V-224948 Remote Desktop Services must be configured with th...
V-224949 Attachments must be prevented from being downloade...
V-224951 Basic authentication for RSS feeds over HTTP must ...
V-224952 Indexing of encrypted files must be turned off.
V-224953 Users must be prevented from changing installation...
V-224954 The Windows Installer Always install with elevated...
V-224955 Users must be notified if a web-based program atte...
V-224956 Automatically signing in the last interactive user...
V-224957 PowerShell script block logging must be enabled.
V-224958 The Windows Remote Management (WinRM) client must ...
V-224959 The Windows Remote Management (WinRM) client must ...
V-224960 The Windows Remote Management (WinRM) client must ...
V-224961 The Windows Remote Management (WinRM) service must...
V-224962 The Windows Remote Management (WinRM) service must...
V-224963 The Windows Remote Management (WinRM) service must...
V-224964 Only administrators responsible for the domain con...
V-224965 Kerberos user logon restrictions must be enforced.
V-224966 The Kerberos service ticket maximum lifetime must ...
V-224967 The Kerberos user ticket lifetime must be limited ...
V-224968 The Kerberos policy user ticket renewal maximum li...
V-224969 The computer clock synchronization tolerance must ...
V-224970 Permissions on the Active Directory data files mus...
V-224971 The Active Directory SYSVOL directory must have th...
V-224972 Active Directory Group Policy objects must have pr...
V-224973 The Active Directory Domain Controllers Organizati...
V-224974 Domain-created Active Directory Organizational Uni...
V-224975 Data files owned by users must be on a different l...
V-224976 Domain controllers must run on a machine dedicated...
V-224977 Separate, NSA-approved (Type 1) cryptography must ...
V-224978 Directory data (outside the root DSE) of a non-pub...
V-224979 The directory service must be configured to termin...
V-224980 Active Directory Group Policy objects must be conf...
V-224981 The Active Directory Domain object must be configu...
V-224982 The Active Directory Infrastructure object must be...
V-224983 The Active Directory Domain Controllers Organizati...
V-224984 The Active Directory AdminSDHolder object must be ...
V-224985 The Active Directory RID Manager$ object must be c...
V-224986 Windows Server 2016 must be configured to audit Ac...
V-224987 Windows Server 2016 must be configured to audit DS...
V-224988 Windows Server 2016 must be configured to audit DS...
V-224989 Windows Server 2016 must be configured to audit DS...
V-224991 Domain controllers must have a PKI server certific...
V-224992 Domain Controller PKI certificates must be issued ...
V-224993 PKI certificates associated with user accounts mus...
V-224994 Active Directory user accounts, including administ...
V-224995 Domain controllers must require LDAP access signin...
V-224996 Domain controllers must be configured to allow res...
V-224997 The Access this computer from the network user rig...
V-224998 The Add workstations to domain user right must onl...
V-224999 The Allow log on through Remote Desktop Services u...
V-225000 The Deny access to this computer from the network ...
V-225001 The Deny log on as a batch job user right on domai...
V-225002 The Deny log on as a service user right must be co...
V-225003 The Deny log on locally user right on domain contr...
V-225004 The Deny log on through Remote Desktop Services us...
V-225005 The Enable computer and user accounts to be truste...
V-225006 The password for the krbtgt account on a domain mu...
V-225007 Only administrators responsible for the member ser...
V-225008 Local administrator accounts must have their privi...
V-225009 Local users on domain-joined computers must not be...
V-225010 Unauthenticated Remote Procedure Call (RPC) client...
V-225011 Caching of logon credentials must be limited.
V-225012 Windows Server 2016 must be running Credential Gua...
V-225013 Remote calls to the Security Account Manager (SAM)...
V-225014 The "Access this computer from the network" user r...
V-225015 The "Deny access to this computer from the network...
V-225016 The "Deny log on as a batch job" user right on mem...
V-225017 The "Deny log on as a service" user right on membe...
V-225018 The "Deny log on locally" user right on member ser...
V-225019 The "Deny log on through Remote Desktop Services" ...
V-225020 The "Enable computer and user accounts to be trust...
V-225021 The DoD Root CA certificates must be installed in ...
V-225022 The DoD Interoperability Root CA cross-certificate...
V-225023 The US DoD CCEB Interoperability Root CA cross-cer...
V-225024 Windows Server 2016 built-in guest account must be...
V-225025 Local accounts with blank passwords must be restri...
V-225026 Windows Server 2016 built-in administrator account...
V-225027 Windows Server 2016 built-in guest account must be...
V-225028 Audit policy using subcategories must be enabled.
V-225029 The setting Domain member: Digitally encrypt or si...
V-225030 The setting Domain member: Digitally encrypt secur...
V-225031 The setting Domain member: Digitally sign secure c...
V-225032 The computer account password must not be prevente...
V-225033 The maximum age for machine account passwords must...
V-225034 Windows Server 2016 must be configured to require ...
V-225035 The machine inactivity limit must be set to 15 min...
V-225036 The required legal notice must be configured to di...
V-225037 The Windows dialog box title for the legal banner ...
V-225038 The Smart Card removal option must be configured t...
V-225039 The setting Microsoft network client: Digitally si...
V-225040 The setting Microsoft network client: Digitally si...
V-225041 Unencrypted passwords must not be sent to third-pa...
V-225042 The setting Microsoft network server: Digitally si...
V-225043 The setting Microsoft network server: Digitally si...
V-225044 Anonymous SID/Name translation must not be allowed...
V-225045 Anonymous enumeration of Security Account Manager ...
V-225046 Anonymous enumeration of shares must not be allowe...
V-225047 Windows Server 2016 must be configured to prevent ...
V-225048 Anonymous access to Named Pipes and Shares must be...
V-225049 Services using Local System that use Negotiate whe...
V-225050 NTLM must be prevented from falling back to a Null...
V-225051 PKU2U authentication using online identities must ...
V-225052 Kerberos encryption types must be configured to pr...
V-225053 Windows Server 2016 must be configured to prevent ...
V-225054 The LAN Manager authentication level must be set t...
V-225055 Windows Server 2016 must be configured to at least...
V-225056 Session security for NTLM SSP-based clients must b...
V-225057 Session security for NTLM SSP-based servers must b...
V-225058 Users must be required to enter a password to acce...
V-225059 Windows Server 2016 must be configured to use FIPS...
V-225060 The default permissions of global system objects m...
V-225061 User Account Control approval mode for the built-i...
V-225062 UIAccess applications must not be allowed to promp...
V-225063 User Account Control must, at a minimum, prompt ad...
V-225064 User Account Control must automatically deny stand...
V-225065 User Account Control must be configured to detect ...
V-225066 User Account Control must only elevate UIAccess ap...
V-225067 User Account Control must run all administrators i...
V-225068 User Account Control must virtualize file and regi...
V-225069 Zone information must be preserved when saving att...
V-225070 The Access Credential Manager as a trusted caller ...
V-225071 The Act as part of the operating system user right...
V-225072 The Allow log on locally user right must only be a...
V-225073 The Back up files and directories user right must ...
V-225074 The Create a pagefile user right must only be assi...
V-225076 The Create global objects user right must only be ...
V-225077 The Create permanent shared objects user right mus...
V-225078 The Create symbolic links user right must only be ...
V-225079 The Debug programs user right must only be assigne...
V-225080 The Force shutdown from a remote system user right...
V-225081 The Generate security audits user right must only ...
V-225082 The Impersonate a client after authentication user...
V-225083 The Increase scheduling priority user right must o...
V-225084 The Load and unload device drivers user right must...
V-225085 The Lock pages in memory user right must not be as...
V-225086 The Manage auditing and security log user right mu...
V-225087 The Modify firmware environment values user right ...
V-225088 The Perform volume maintenance tasks user right mu...
V-225089 The Profile single process user right must only be...
V-225091 The Create a token object user right must not be a...
V-225092 The Restore files and directories user right must ...
V-225093 The Take ownership of files or other objects user ...
V-236000 The Windows Explorer Preview pane must be disabled...
V-257502 Windows Server 2016 must have PowerShell Transcrip...
V-271430 Windows Server 2016 must be configured for name-ba...
