CUI

Browse STIG Rules

| Vuln ID | Title | Severity | Status | Benchmark |
|---|---|---|---|---|
| V-202017 | The network device must be configured to assign appropriate user roles or access levels to authenticated users. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202049 | The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202064 | The network device must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash for password-based authentication. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202065 | The network device must transmit only encrypted representations of passwords. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202071 | The network device must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202072 | The network device must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202074 | The network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202078 | The network device must only allow authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive). | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202093 | The network device must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202117 | The network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202118 | The network device must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-202132 | The network device must be configured to use at least one authentication server for the purpose of authenticating users prior to granting administrative access. For boundary devices, two authentication servers are required. | CAT I | Active | Network Device Management Security Requirements Guide |
| V-203603 | The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203629 | The operating system must store only encrypted representations of passwords. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203630 | The operating system must transmit only encrypted representations of passwords. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203653 | The operating system must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203669 | The operating system must implement cryptography to protect the integrity of remote access sessions. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203682 | The operating system must use cryptographic mechanisms to protect the integrity of audit tools. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203695 | The operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203720 | The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203736 | The operating system must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203737 | The operating system must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203739 | The operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203745 | The operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203746 | The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all operating system components. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203748 | The operating system must protect the confidentiality and integrity of transmitted information. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203749 | The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS). | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203776 | The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-203782 | The operating system must not allow an unattended or automatic logon to the system. | CAT I | Active | General Purpose Operating System Security Requirements Guide |
| V-204657 | AAA Services must be configured to use secure protocols when connecting to directory services. | CAT I | Active | AAA Services Security Requirements Guide |
| V-204658 | AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments. | CAT I | Active | AAA Services Security Requirements Guide |
| V-204660 | AAA Services must be configured to uniquely identify and authenticate organizational users. | CAT I | Active | AAA Services Security Requirements Guide |
| V-204671 | For password-based authentication, AAA Services must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash. | CAT I | Active | AAA Services Security Requirements Guide |
| V-204672 | AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module. | CAT I | Active | AAA Services Security Requirements Guide |
| V-204675 | AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication. | CAT I | Active | AAA Services Security Requirements Guide |
| V-204676 | AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication. | CAT I | Active | AAA Services Security Requirements Guide |
| V-204679 | AAA Services must be configured to protect the confidentiality and integrity of all information at rest. | CAT I | Active | AAA Services Security Requirements Guide |
| V-204746 | The application server must use multifactor authentication for network access to privileged accounts. | CAT I | Active | Application Server Security Requirements Guide |
| V-204747 | The application server must use multifactor authentication for local access to privileged accounts. | CAT I | Active | Application Server Security Requirements Guide |
| V-204758 | The application server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes. | CAT I | Active | Application Server Security Requirements Guide |
| V-204766 | The application server must generate a unique session identifier using a FIPS 140-2 approved random number generator. | CAT I | Active | Application Server Security Requirements Guide |
| V-204800 | The application server must accept Personal Identity Verification (PIV) credentials to access the management interface. | CAT I | Active | Application Server Security Requirements Guide |
| V-204801 | The application server must electronically verify Personal Identity Verification (PIV) credentials for access to the management interface. | CAT I | Active | Application Server Security Requirements Guide |
| V-204812 | The application server must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. | CAT I | Active | Application Server Security Requirements Guide |
| V-204813 | The application must implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components. | CAT I | Active | Application Server Security Requirements Guide |
| V-204816 | The application server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. | CAT I | Active | Application Server Security Requirements Guide |
| V-204817 | The application server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | CAT I | Active | Application Server Security Requirements Guide |
| V-205584 | The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized modification of all information not cleared for public release at rest on system components outside of organization facilities. | CAT I | Active | Mainframe Product Security Requirements Guide |
| V-205585 | The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized disclosure of all information not cleared for public release at rest on system components outside of organization facilities. | CAT I | Active | Mainframe Product Security Requirements Guide |
| V-205646 | Windows Server 2019 domain controller PKI certificates must be issued by the DOD PKI or an approved External Certificate Authority (ECA). | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205647 | Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205653 | Windows Server 2019 reversible password encryption must be disabled. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205654 | Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205663 | Windows Server 2019 local volumes must use a format that supports NTFS attributes. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205711 | Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205713 | Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205724 | Windows Server 2019 must not allow anonymous enumeration of shares. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205725 | Windows Server 2019 must restrict anonymous access to Named Pipes and Shares. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205727 | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205738 | Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205739 | Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205740 | Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205741 | Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205742 | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205743 | Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205746 | Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205750 | Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205753 | Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205757 | Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205802 | Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205804 | Windows Server 2019 Autoplay must be turned off for non-volume devices. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205805 | Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205806 | Windows Server 2019 AutoPlay must be disabled for all drives. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205844 | Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205845 | Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205849 | Windows Server 2019 must be maintained at a supported servicing level. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205850 | Windows Server 2019 must use an anti-virus program. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205875 | Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205907 | Windows Server 2019 must be running Credential Guard on domain-joined member servers. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205908 | Windows Server 2019 must prevent local accounts with blank passwords from being used from the network. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205913 | Windows Server 2019 must not allow anonymous SID/Name translation. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205914 | Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-205919 | Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. | CAT I | Active | Microsoft Windows Server 2019 Security Technical Implementation Guide |
| V-206390 | The web server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data. | CAT I | Active | Web Server Security Requirements Guide |
| V-206399 | The web server must generate a unique session identifier for each session using a FIPS 140-2 approved random number generator. | CAT I | Active | Web Server Security Requirements Guide |
| V-206431 | The web server must encrypt user identifiers and passwords. | CAT I | Active | Web Server Security Requirements Guide |
| V-206434 | The web server must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. | CAT I | Active | Web Server Security Requirements Guide |
| V-206447 | The Central Log Server must be configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | CAT I | Active | Central Log Server Security Requirements Guide |
| V-206460 | The Central Log Server must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | CAT I | Active | Central Log Server Security Requirements Guide |
| V-206474 | For accounts using password authentication, the Central Log Server must be configured to store only cryptographic representations of passwords. | CAT I | Active | Central Log Server Security Requirements Guide |
| V-206475 | For accounts using password authentication, the Central Log Server must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process. | CAT I | Active | Central Log Server Security Requirements Guide |
| V-206478 | The Central Log Server, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | CAT I | Active | Central Log Server Security Requirements Guide |
| V-206479 | The Central Log Server, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | CAT I | Active | Central Log Server Security Requirements Guide |
| V-206481 | The Central Log Server must obfuscate authentication information during the authentication process so that the authentication is not visible. | CAT I | Active | Central Log Server Security Requirements Guide |
| V-206482 | The Central Log Server must use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only). | CAT I | Active | Central Log Server Security Requirements Guide |
| V-206509 | The Central Log Server must be configured to protect the confidentiality and integrity of transmitted information. | CAT I | Active | Central Log Server Security Requirements Guide |
| V-206510 | The Central Log Server must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection. | CAT I | Active | Central Log Server Security Requirements Guide |
| V-206520 | The DBMS must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | CAT I | Active | Database Security Requirements Guide |
| V-206521 | The DBMS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | CAT I | Active | Database Security Requirements Guide |
| V-206545 | The DBMS software installation account must be restricted to authorized users. | CAT I | Active | Database Security Requirements Guide |