OCA Area Detail - Windows OS

Back to Reports

Windows OS

Windows workstations and servers

Minor Concern

6.2%

Combined Weighted Score

Score Breakdown

27 / 424

CAT I Open / Total

6.4% open rate (weight: 10)

344 / 5275

CAT II Open / Total

6.5% open rate (weight: 4)

11 / 324

CAT III Open / Total

3.4% open rate (weight: 1)

Percentages are open-rate values (`Open / Total`). Closed/compliance rate is `100% - open rate`.

Checklist Files Contributing to This Area (60)

These hostname + STIG combinations are mapped to this assessment area

Checklist File	Hostname	STIG Benchmark	Version	Actions
MONT-SW-89134_Win10_V3R5_20251217-201218.ckl	MONT-SW-89134	Microsoft Windows 10 Security Technical Implementation Guide	V3R6	Edit
MONT-SW-89134_Win10_V3R5_20251217-201218.ckl	MONT-SW-89134	Microsoft Windows 10 Security Technical Implementation Guide	V3R4 Outdated: Latest V3R6	Edit
MONT-SW-89134_MSOffice365_V3R4_20251217-201101.ckl	MONT-SW-89134	Microsoft Office 365 ProPlus Security Technical Implementation Guide	V3R5	Edit
MONT-SW-89134_MSOffice365_V3R4_20251217-201101.ckl	MONT-SW-89134	Microsoft Office 365 ProPlus Security Technical Implementation Guide	V3R4 Outdated: Latest V3R5	Edit
MONT-SW-89134_MSEdge_V2R3_20251217-201011.ckl	MONT-SW-89134	Microsoft Edge Security Technical Implementation Guide	V2R5	Edit
MONT-SW-89134_IE11_V2R5_20251217-201035.ckl	MONT-SW-89134	Microsoft Internet Explorer 11 Security Technical Implementation Guide	V2R5	Edit
MONT-SW-89134_Firefox_V6R6_20251217-201244.ckl	MONT-SW-89134	Mozilla Firefox Security Technical Implementation Guide	V6R7	Edit
MONT-SW-89134_DotNET4_V2R7_20251217-201000.ckl	MONT-SW-89134	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-SW-89134_Chrome_V2R11_20251217-200930.ckl	MONT-SW-89134	Google Chrome Current Windows Security Technical Implementation Guide	V2R11	Edit
MONT-SW-89134_AdobeReaderDCContinuous_V2R1_20251217-200921.ckl	MONT-SW-89134	Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide	V2R1	Edit
MONT-SW-89108_Win10_V3R5_20251217-203019.ckl	MONT-SW-89108	Microsoft Windows 10 Security Technical Implementation Guide	V3R6	Edit
MONT-SW-89108_Win10_V3R5_20251217-203019.ckl	MONT-SW-89108	Microsoft Windows 10 Security Technical Implementation Guide	V3R4 Outdated: Latest V3R6	Edit
MONT-SW-89108_MSOffice365_V3R4_20251217-202911.ckl	MONT-SW-89108	Microsoft Office 365 ProPlus Security Technical Implementation Guide	V3R5	Edit
MONT-SW-89108_MSOffice365_V3R4_20251217-202911.ckl	MONT-SW-89108	Microsoft Office 365 ProPlus Security Technical Implementation Guide	V3R4 Outdated: Latest V3R5	Edit
MONT-SW-89108_MSEdge_V2R3_20251217-202829.ckl	MONT-SW-89108	Microsoft Edge Security Technical Implementation Guide	V2R5	Edit
MONT-SW-89108_IE11_V2R5_20251217-202849.ckl	MONT-SW-89108	Microsoft Internet Explorer 11 Security Technical Implementation Guide	V2R5	Edit
MONT-SW-89108_Firefox_V6R6_20251217-203042.ckl	MONT-SW-89108	Mozilla Firefox Security Technical Implementation Guide	V6R7	Edit
MONT-SW-89108_DotNET4_V2R7_20251217-202821.ckl	MONT-SW-89108	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-SW-89108_Chrome_V2R11_20251217-202759.ckl	MONT-SW-89108	Google Chrome Current Windows Security Technical Implementation Guide	V2R11	Edit
MONT-SW-89108_AdobeReaderDCContinuous_V2R1_20251217-202743.ckl	MONT-SW-89108	Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide	V2R1	Edit
MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl	MONT-AP-002	Microsoft Windows Server 2016 Security Technical Implementation Guide	V2R10	Edit
MONT-AP-002_IE11_V2R5_20251023-144037.ckl	MONT-AP-002	Microsoft Internet Explorer 11 Security Technical Implementation Guide	V2R5	Edit
MONT-AP-002_DotNET4_V2R7_20251023-144010.ckl	MONT-AP-002	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl	MONT-BE-002	Microsoft Windows Server 2016 Security Technical Implementation Guide	V2R10	Edit
MONT-BE-002_IE11_V2R5_20251023-143812.ckl	MONT-BE-002	Microsoft Internet Explorer 11 Security Technical Implementation Guide	V2R5	Edit
MONT-BE-002_DotNET4_V2R7_20251023-143746.ckl	MONT-BE-002	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl	MONT-DB-002	Microsoft Windows Server 2016 Security Technical Implementation Guide	V2R10	Edit
MONT-DB-002_IE11_V2R5_20251023-143958.ckl	MONT-DB-002	Microsoft Internet Explorer 11 Security Technical Implementation Guide	V2R5	Edit
MONT-DB-002_DotNET4_V2R7_20251023-143930.ckl	MONT-DB-002	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl	MONT-DC-003	Microsoft Windows Server 2016 Security Technical Implementation Guide	V2R10	Edit
MONT-DC-003_IE11_V2R5_20251023-172012.ckl	MONT-DC-003	Microsoft Internet Explorer 11 Security Technical Implementation Guide	V2R5	Edit
MONT-DC-003_DotNET4_V2R7_20251023-171946.ckl	MONT-DC-003	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl	MONT-DP-001	Microsoft Windows Server 2016 Security Technical Implementation Guide	V2R10	Edit
MONT-DP-001_IE11_V2R5_20251023-143936.ckl	MONT-DP-001	Microsoft Internet Explorer 11 Security Technical Implementation Guide	V2R5	Edit
MONT-DP-001_DotNET4_V2R7_20251023-143731.ckl	MONT-DP-001	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl	MONT-MB-002	Microsoft Windows Server 2016 Security Technical Implementation Guide	V2R10	Edit
MONT-MB-002_IE11_V2R5_20251023-152627.ckl	MONT-MB-002	Microsoft Internet Explorer 11 Security Technical Implementation Guide	V2R5	Edit
MONT-MB-002_DotNET4_V2R7_20251023-152339.ckl	MONT-MB-002	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl	MONT-VSF-003	Microsoft Windows Server 2016 Security Technical Implementation Guide	V2R10	Edit
MONT-VSF-003_IE11_V2R5_20251023-143759.ckl	MONT-VSF-003	Microsoft Internet Explorer 11 Security Technical Implementation Guide	V2R5	Edit
MONT-VSF-003_DotNET4_V2R7_20251023-143732.ckl	MONT-VSF-003	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl	MONT-VSF-004	Microsoft Windows Server 2016 Security Technical Implementation Guide	V2R10	Edit
MONT-VSF-004_IE11_V2R5_20251023-143737.ckl	MONT-VSF-004	Microsoft Internet Explorer 11 Security Technical Implementation Guide	V2R5	Edit
MONT-VSF-004_DotNET4_V2R7_20251023-143711.ckl	MONT-VSF-004	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-WS-92010_Win10_V3R4_20251023-141133.ckl	MONT-WS-92010	Microsoft Windows 10 Security Technical Implementation Guide	V3R6	Edit
MONT-WS-92010_Win10_V3R4_20251023-141133.ckl	MONT-WS-92010	Microsoft Windows 10 Security Technical Implementation Guide	V3R4 Outdated: Latest V3R6	Edit
MONT-WS-92010_MSOffice365_V3R3_20251023-141031.ckl	MONT-WS-92010	Microsoft Office 365 ProPlus Security Technical Implementation Guide	V3R5	Edit
MONT-WS-92010_MSEdge_V2R3_20251023-141013.ckl	MONT-WS-92010	Microsoft Edge Security Technical Implementation Guide	V2R5	Edit
MONT-WS-92010_Firefox_V6R6_20251023-141154.ckl	MONT-WS-92010	Mozilla Firefox Security Technical Implementation Guide	V6R7	Edit
MONT-WS-92010_DotNET4_V2R7_20251023-141005.ckl	MONT-WS-92010	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-WS-92010_Chrome_V2R11_20251023-140804.ckl	MONT-WS-92010	Google Chrome Current Windows Security Technical Implementation Guide	V2R11	Edit
MONT-WS-92010_AdobeAcrobatProDCContinuous_V2R1_20251023-140757.ckl	MONT-WS-92010	Adobe Acrobat Professional DC Continuous Track Security Technical Implementation Guide	V2R1	Edit
MONT-WS-92040_Win10_V3R4_20251023-142421.ckl	MONT-WS-92040	Microsoft Windows 10 Security Technical Implementation Guide	V3R6	Edit
MONT-WS-92040_Win10_V3R4_20251023-142421.ckl	MONT-WS-92040	Microsoft Windows 10 Security Technical Implementation Guide	V3R4 Outdated: Latest V3R6	Edit
MONT-WS-92040_MSOffice365_V3R3_20251023-142330.ckl	MONT-WS-92040	Microsoft Office 365 ProPlus Security Technical Implementation Guide	V3R5	Edit
MONT-WS-92040_MSEdge_V2R3_20251023-142313.ckl	MONT-WS-92040	Microsoft Edge Security Technical Implementation Guide	V2R5	Edit
MONT-WS-92040_Firefox_V6R6_20251023-142444.ckl	MONT-WS-92040	Mozilla Firefox Security Technical Implementation Guide	V6R7	Edit
MONT-WS-92040_DotNET4_V2R7_20251023-142306.ckl	MONT-WS-92040	Microsoft DotNet Framework 4.0 Security Technical Implementation Guide	V2R8	Edit
MONT-WS-92040_Chrome_V2R11_20251023-142120.ckl	MONT-WS-92040	Google Chrome Current Windows Security Technical Implementation Guide	V2R11	Edit
MONT-WS-92040_AdobeReaderDCContinuous_V2R1_20251023-142113.ckl	MONT-WS-92040	Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide	V2R1	Edit

Open Findings (382)

Findings that remain open and contribute to the score

MONT-AP-002

Microsoft Windows Server 2016 Security Technical Implementation Guide MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl

Edit 17 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-224819	Users with Administrative privileges must have separate accounts for administrat...	Open (Open)
CAT I	V-224821	Administrative accounts must not be used with applications that access the Inter...	Open (Open)
CAT II	V-224820	Passwords for the built-in Administrator account must be changed at least every ...	Open (Open)
CAT II	V-224825	Shared user accounts must not be permitted on the system.	Open (Open)
CAT II	V-224826	Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow ...	Open (Open)
CAT II	V-224837	Outdated or unused accounts must be removed from the system or disabled.	Open (Open)
CAT II	V-224840	System files must be monitored for unauthorized changes.	Open (Open)
CAT II	V-224841	Non-system-created file shares on a system must limit access to groups that requ...	Open (Open)
CAT II	V-224842	Software certificate installation files must be removed from Windows Server 2016...	Open (Open)
CAT II	V-224845	The roles and features required by the system must be documented.	Open (Open)
CAT II	V-224875	Audit records must be backed up to a different system or media than the system b...	Open (Open)
CAT II	V-224876	Windows Server 2016 must, at a minimum, offload audit records of interconnected ...	Open (Open)
CAT II	V-225015	The "Deny access to this computer from the network" user right on member servers...	Open (Open)
CAT II	V-225017	The "Deny log on as a service" user right on member servers must be configured t...	Open (Open)
CAT II	V-225018	The "Deny log on locally" user right on member servers must be configured to pre...	Open (Open)
CAT II	V-225019	The "Deny log on through Remote Desktop Services" user right on member servers m...	Open (Open)
CAT II	V-257502	Windows Server 2016 must have PowerShell Transcription enabled.	Open (Open)

MONT-BE-002

Microsoft Windows Server 2016 Security Technical Implementation Guide MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl

Edit 17 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-224819	Users with Administrative privileges must have separate accounts for administrat...	Open (Open)
CAT I	V-224821	Administrative accounts must not be used with applications that access the Inter...	Open (Open)
CAT II	V-224820	Passwords for the built-in Administrator account must be changed at least every ...	Open (Open)
CAT II	V-224824	Manually managed application account passwords must be changed at least annually...	Open (Open)
CAT II	V-224825	Shared user accounts must not be permitted on the system.	Open (Open)
CAT II	V-224826	Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow ...	Open (Open)
CAT II	V-224837	Outdated or unused accounts must be removed from the system or disabled.	Open (Open)
CAT II	V-224840	System files must be monitored for unauthorized changes.	Open (Open)
CAT II	V-224845	The roles and features required by the system must be documented.	Open (Open)
CAT II	V-224863	Orphaned security identifiers (SIDs) must be removed from user rights on Windows...	Open (Open)
CAT II	V-224875	Audit records must be backed up to a different system or media than the system b...	Open (Open)
CAT II	V-224876	Windows Server 2016 must, at a minimum, offload audit records of interconnected ...	Open (Open)
CAT II	V-225015	The "Deny access to this computer from the network" user right on member servers...	Open (Open)
CAT II	V-225017	The "Deny log on as a service" user right on member servers must be configured t...	Open (Open)
CAT II	V-225018	The "Deny log on locally" user right on member servers must be configured to pre...	Open (Open)
CAT II	V-225019	The "Deny log on through Remote Desktop Services" user right on member servers m...	Open (Open)
CAT II	V-257502	Windows Server 2016 must have PowerShell Transcription enabled.	Open (Open)

MONT-DB-002

Microsoft Windows Server 2016 Security Technical Implementation Guide MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl

Edit 16 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-224819	Users with Administrative privileges must have separate accounts for administrat...	Open (Open)
CAT I	V-224821	Administrative accounts must not be used with applications that access the Inter...	Open (Open)
CAT II	V-224820	Passwords for the built-in Administrator account must be changed at least every ...	Open (Open)
CAT II	V-224825	Shared user accounts must not be permitted on the system.	Open (Open)
CAT II	V-224826	Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow ...	Open (Open)
CAT II	V-224837	Outdated or unused accounts must be removed from the system or disabled.	Open (Open)
CAT II	V-224840	System files must be monitored for unauthorized changes.	Open (Open)
CAT II	V-224842	Software certificate installation files must be removed from Windows Server 2016...	Open (Open)
CAT II	V-224845	The roles and features required by the system must be documented.	Open (Open)
CAT II	V-224875	Audit records must be backed up to a different system or media than the system b...	Open (Open)
CAT II	V-224876	Windows Server 2016 must, at a minimum, offload audit records of interconnected ...	Open (Open)
CAT II	V-225015	The "Deny access to this computer from the network" user right on member servers...	Open (Open)
CAT II	V-225017	The "Deny log on as a service" user right on member servers must be configured t...	Open (Open)
CAT II	V-225018	The "Deny log on locally" user right on member servers must be configured to pre...	Open (Open)
CAT II	V-225019	The "Deny log on through Remote Desktop Services" user right on member servers m...	Open (Open)
CAT II	V-257502	Windows Server 2016 must have PowerShell Transcription enabled.	Open (Open)

MONT-DC-003

Microsoft Windows Server 2016 Security Technical Implementation Guide MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl

Edit 34 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-224821	Administrative accounts must not be used with applications that access the Inter...	Open (Open)
CAT I	V-224993	PKI certificates associated with user accounts must be issued by the DoD PKI or ...	Open (Open)
CAT I	V-271430	Windows Server 2016 must be configured for name-based strong mappings for certif...	Open (Open)
CAT II	V-224820	Passwords for the built-in Administrator account must be changed at least every ...	Open (Open)
CAT II	V-224824	Manually managed application account passwords must be changed at least annually...	Open (Open)
CAT II	V-224825	Shared user accounts must not be permitted on the system.	Open (Open)
CAT II	V-224826	Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow ...	Open (Open)
CAT II	V-224837	Outdated or unused accounts must be removed from the system or disabled.	Open (Open)
CAT II	V-224839	Passwords must be configured to expire.	Open (Open)
CAT II	V-224840	System files must be monitored for unauthorized changes.	Open (Open)
CAT II	V-224842	Software certificate installation files must be removed from Windows Server 2016...	Open (Open)
CAT II	V-224863	Orphaned security identifiers (SIDs) must be removed from user rights on Windows...	Open (Open)
CAT II	V-224875	Audit records must be backed up to a different system or media than the system b...	Open (Open)
CAT II	V-224876	Windows Server 2016 must, at a minimum, offload audit records of interconnected ...	Open (Open)
CAT II	V-224940	Windows Server 2016 Windows SmartScreen must be enabled.	Open (Open)
CAT II	V-224976	Domain controllers must run on a machine dedicated to that function.	Open (Open)
CAT II	V-224981	The Active Directory Domain object must be configured with proper audit settings...	Open (Open)
CAT II	V-224982	The Active Directory Infrastructure object must be configured with proper audit ...	Open (Open)
CAT II	V-224983	The Active Directory Domain Controllers Organizational Unit (OU) object must be ...	Open (Open)
CAT II	V-224984	The Active Directory AdminSDHolder object must be configured with proper audit s...	Open (Open)
CAT II	V-224985	The Active Directory RID Manager$ object must be configured with proper audit se...	Open (Open)
CAT II	V-224994	Active Directory user accounts, including administrators, must be configured to ...	Open (Open)
CAT II	V-224995	Domain controllers must require LDAP access signing.	Open (Open)
CAT II	V-224997	The Access this computer from the network user right must only be assigned to th...	Open (Open)
CAT II	V-224998	The Add workstations to domain user right must only be assigned to the Administr...	Open (Open)
CAT II	V-225072	The Allow log on locally user right must only be assigned to the Administrators ...	Open (Open)
CAT II	V-225073	The Back up files and directories user right must only be assigned to the Admini...	Open (Open)
CAT II	V-225080	The Force shutdown from a remote system user right must only be assigned to the ...	Open (Open)
CAT II	V-225084	The Load and unload device drivers user right must only be assigned to the Admin...	Open (Open)
CAT II	V-225086	The Manage auditing and security log user right must only be assigned to the Adm...	Open (Open)
CAT II	V-225092	The Restore files and directories user right must only be assigned to the Admini...	Open (Open)
CAT II	V-257502	Windows Server 2016 must have PowerShell Transcription enabled.	Open (Open)
CAT III	V-224862	The time service must synchronize with an appropriate DoD time source.	Open (Open)
CAT III	V-224979	The directory service must be configured to terminate LDAP-based network connect...	Open (Open)

MONT-DP-001

Microsoft Windows Server 2016 Security Technical Implementation Guide MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl

Edit 16 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-224819	Users with Administrative privileges must have separate accounts for administrat...	Open (Open)
CAT I	V-224821	Administrative accounts must not be used with applications that access the Inter...	Open (Open)
CAT II	V-224820	Passwords for the built-in Administrator account must be changed at least every ...	Open (Open)
CAT II	V-224824	Manually managed application account passwords must be changed at least annually...	Open (Open)
CAT II	V-224825	Shared user accounts must not be permitted on the system.	Open (Open)
CAT II	V-224826	Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow ...	Open (Open)
CAT II	V-224837	Outdated or unused accounts must be removed from the system or disabled.	Open (Open)
CAT II	V-224840	System files must be monitored for unauthorized changes.	Open (Open)
CAT II	V-224845	The roles and features required by the system must be documented.	Open (Open)
CAT II	V-224875	Audit records must be backed up to a different system or media than the system b...	Open (Open)
CAT II	V-224876	Windows Server 2016 must, at a minimum, offload audit records of interconnected ...	Open (Open)
CAT II	V-225015	The "Deny access to this computer from the network" user right on member servers...	Open (Open)
CAT II	V-225017	The "Deny log on as a service" user right on member servers must be configured t...	Open (Open)
CAT II	V-225018	The "Deny log on locally" user right on member servers must be configured to pre...	Open (Open)
CAT II	V-225019	The "Deny log on through Remote Desktop Services" user right on member servers m...	Open (Open)
CAT II	V-257502	Windows Server 2016 must have PowerShell Transcription enabled.	Open (Open)

MONT-MB-002

Microsoft Windows Server 2016 Security Technical Implementation Guide MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl

Edit 22 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-224819	Users with Administrative privileges must have separate accounts for administrat...	Open (Open)
CAT I	V-224821	Administrative accounts must not be used with applications that access the Inter...	Open (Open)
CAT I	V-225007	Only administrators responsible for the member server or standalone or nondomain...	Open (Open)
CAT I	V-225012	Windows Server 2016 must be running Credential Guard on domain-joined member ser...	Open (Open)
CAT II	V-224820	Passwords for the built-in Administrator account must be changed at least every ...	Open (Open)
CAT II	V-224824	Manually managed application account passwords must be changed at least annually...	Open (Open)
CAT II	V-224825	Shared user accounts must not be permitted on the system.	Open (Open)
CAT II	V-224826	Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow ...	Open (Open)
CAT II	V-224837	Outdated or unused accounts must be removed from the system or disabled.	Open (Open)
CAT II	V-224840	System files must be monitored for unauthorized changes.	Open (Open)
CAT II	V-224841	Non-system-created file shares on a system must limit access to groups that requ...	Open (Open)
CAT II	V-224845	The roles and features required by the system must be documented.	Open (Open)
CAT II	V-224875	Audit records must be backed up to a different system or media than the system b...	Open (Open)
CAT II	V-224876	Windows Server 2016 must, at a minimum, offload audit records of interconnected ...	Open (Open)
CAT II	V-224923	Windows Server 2016 virtualization-based security must be enabled with the platf...	Open (Open)
CAT II	V-225015	The "Deny access to this computer from the network" user right on member servers...	Open (Open)
CAT II	V-225016	The "Deny log on as a batch job" user right on member servers must be configured...	Open (Open)
CAT II	V-225017	The "Deny log on as a service" user right on member servers must be configured t...	Open (Open)
CAT II	V-225018	The "Deny log on locally" user right on member servers must be configured to pre...	Open (Open)
CAT II	V-225019	The "Deny log on through Remote Desktop Services" user right on member servers m...	Open (Open)
CAT II	V-225082	The Impersonate a client after authentication user right must only be assigned t...	Open (Open)
CAT II	V-257502	Windows Server 2016 must have PowerShell Transcription enabled.	Open (Open)

MONT-VSF-003

Microsoft Windows Server 2016 Security Technical Implementation Guide MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl

Edit 17 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-224819	Users with Administrative privileges must have separate accounts for administrat...	Open (Open)
CAT I	V-224821	Administrative accounts must not be used with applications that access the Inter...	Open (Open)
CAT I	V-225007	Only administrators responsible for the member server or standalone or nondomain...	Open (Open)
CAT II	V-224820	Passwords for the built-in Administrator account must be changed at least every ...	Open (Open)
CAT II	V-224825	Shared user accounts must not be permitted on the system.	Open (Open)
CAT II	V-224826	Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow ...	Open (Open)
CAT II	V-224838	Windows Server 2016 accounts must require passwords.	Open (Open)
CAT II	V-224839	Passwords must be configured to expire.	Open (Open)
CAT II	V-224840	System files must be monitored for unauthorized changes.	Open (Open)
CAT II	V-224845	The roles and features required by the system must be documented.	Open (Open)
CAT II	V-224875	Audit records must be backed up to a different system or media than the system b...	Open (Open)
CAT II	V-224876	Windows Server 2016 must, at a minimum, offload audit records of interconnected ...	Open (Open)
CAT II	V-225015	The "Deny access to this computer from the network" user right on member servers...	Open (Open)
CAT II	V-225017	The "Deny log on as a service" user right on member servers must be configured t...	Open (Open)
CAT II	V-225018	The "Deny log on locally" user right on member servers must be configured to pre...	Open (Open)
CAT II	V-225019	The "Deny log on through Remote Desktop Services" user right on member servers m...	Open (Open)
CAT II	V-257502	Windows Server 2016 must have PowerShell Transcription enabled.	Open (Open)

MONT-VSF-004

Microsoft Windows Server 2016 Security Technical Implementation Guide MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl

Edit 17 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-224819	Users with Administrative privileges must have separate accounts for administrat...	Open (Open)
CAT I	V-224821	Administrative accounts must not be used with applications that access the Inter...	Open (Open)
CAT I	V-225007	Only administrators responsible for the member server or standalone or nondomain...	Open (Open)
CAT II	V-224820	Passwords for the built-in Administrator account must be changed at least every ...	Open (Open)
CAT II	V-224825	Shared user accounts must not be permitted on the system.	Open (Open)
CAT II	V-224826	Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow ...	Open (Open)
CAT II	V-224838	Windows Server 2016 accounts must require passwords.	Open (Open)
CAT II	V-224839	Passwords must be configured to expire.	Open (Open)
CAT II	V-224840	System files must be monitored for unauthorized changes.	Open (Open)
CAT II	V-224845	The roles and features required by the system must be documented.	Open (Open)
CAT II	V-224875	Audit records must be backed up to a different system or media than the system b...	Open (Open)
CAT II	V-224876	Windows Server 2016 must, at a minimum, offload audit records of interconnected ...	Open (Open)
CAT II	V-225015	The "Deny access to this computer from the network" user right on member servers...	Open (Open)
CAT II	V-225017	The "Deny log on as a service" user right on member servers must be configured t...	Open (Open)
CAT II	V-225018	The "Deny log on locally" user right on member servers must be configured to pre...	Open (Open)
CAT II	V-225019	The "Deny log on through Remote Desktop Services" user right on member servers m...	Open (Open)
CAT II	V-257502	Windows Server 2016 must have PowerShell Transcription enabled.	Open (Open)

MONT-WS-92010

Microsoft Windows 10 Security Technical Implementation Guide MONT-WS-92010_Win10_V3R4_20251023-141133.ckl

Edit 14 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-220703	Windows 10 systems must use a BitLocker PIN for pre-boot authentication.	Open (Open)
CAT I	V-220737	Administrative accounts must not be used with applications that access the Inter...	Open (Open)
CAT II	V-220705	The operating system must employ a deny-all, permit-by-exception policy to allow...	Open (Open)
CAT II	V-220716	Accounts must be configured to require password expiration.	Open (Open)
CAT II	V-220836	The Windows Defender SmartScreen for Explorer must be enabled.	Open (Open)
CAT II	V-220952	Passwords for enabled local Administrator accounts must be changed at least ever...	Open (Open)
CAT II	V-220957	The Access this computer from the network user right must only be assigned to th...	Open (Open)
CAT II	V-220968	The Deny access to this computer from the network user right on workstations mus...	Open (Open)
CAT II	V-220970	The Deny log on as a service user right on Windows 10 domain-joined workstations...	Open (Open)
CAT II	V-220971	The Deny log on locally user right on workstations must be configured to prevent...	Open (Open)
CAT II	V-220972	The Deny log on through Remote Desktop Services user right on Windows 10 worksta...	Open (Open)
CAT II	V-257589	Windows 10 must have command line process auditing events enabled for failures.	Open (Open)
CAT II	V-268315	Copilot must be disabled for Windows 10.	Open (Open)
CAT III	V-252903	Virtualization-based protection of code integrity must be enabled.	Open (Open)

MONT-WS-92010 Outdated: V3R6

Microsoft Windows 10 Security Technical Implementation Guide MONT-WS-92010_Win10_V3R4_20251023-141133.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-220726	Data Execution Prevention (DEP) must be configured to at least OptOut.	Open (Open)

MONT-WS-92040

Microsoft Windows 10 Security Technical Implementation Guide MONT-WS-92040_Win10_V3R4_20251023-142421.ckl

Edit 14 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-220703	Windows 10 systems must use a BitLocker PIN for pre-boot authentication.	Open (Open)
CAT I	V-220737	Administrative accounts must not be used with applications that access the Inter...	Open (Open)
CAT II	V-220705	The operating system must employ a deny-all, permit-by-exception policy to allow...	Open (Open)
CAT II	V-220716	Accounts must be configured to require password expiration.	Open (Open)
CAT II	V-220836	The Windows Defender SmartScreen for Explorer must be enabled.	Open (Open)
CAT II	V-220952	Passwords for enabled local Administrator accounts must be changed at least ever...	Open (Open)
CAT II	V-220957	The Access this computer from the network user right must only be assigned to th...	Open (Open)
CAT II	V-220968	The Deny access to this computer from the network user right on workstations mus...	Open (Open)
CAT II	V-220970	The Deny log on as a service user right on Windows 10 domain-joined workstations...	Open (Open)
CAT II	V-220971	The Deny log on locally user right on workstations must be configured to prevent...	Open (Open)
CAT II	V-220972	The Deny log on through Remote Desktop Services user right on Windows 10 worksta...	Open (Open)
CAT II	V-257589	Windows 10 must have command line process auditing events enabled for failures.	Open (Open)
CAT II	V-268315	Copilot must be disabled for Windows 10.	Open (Open)
CAT III	V-252903	Virtualization-based protection of code integrity must be enabled.	Open (Open)

MONT-WS-92040 Outdated: V3R6

Microsoft Windows 10 Security Technical Implementation Guide MONT-WS-92040_Win10_V3R4_20251023-142421.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT I	V-220726	Data Execution Prevention (DEP) must be configured to at least OptOut.	Open (Open)

MONT-AP-002

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-AP-002_DotNET4_V2R7_20251023-144010.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225238	Update and configure the .NET Framework to support TLS.	Open (Open)

MONT-BE-002

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-BE-002_DotNET4_V2R7_20251023-143746.ckl

Edit 3 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225236	Software utilizing .Net 4.0 must be identified and relevant access controls conf...	Open (Open)
CAT II	V-225238	Update and configure the .NET Framework to support TLS.	Open (Open)
CAT III	V-225234	.NET default proxy settings must be reviewed and approved.	Open (Open)

MONT-DB-002

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-DB-002_DotNET4_V2R7_20251023-143930.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225238	Update and configure the .NET Framework to support TLS.	Open (Open)

MONT-DC-003

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-DC-003_DotNET4_V2R7_20251023-171946.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225238	Update and configure the .NET Framework to support TLS.	Open (Open)

MONT-DP-001

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-DP-001_DotNET4_V2R7_20251023-143731.ckl

Edit 2 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225238	Update and configure the .NET Framework to support TLS.	Open (Open)
CAT III	V-225234	.NET default proxy settings must be reviewed and approved.	Open (Open)

MONT-MB-002

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-MB-002_DotNET4_V2R7_20251023-152339.ckl

Edit 2 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225224	The Trust Providers Software Publishing State must be set to 0x23C00.	Open (Open)
CAT II	V-225233	Trust must be established prior to enabling the loading of remote code in .Net 4...	Open (Open)

MONT-SW-89108

Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide MONT-SW-89108_AdobeReaderDCContinuous_V2R1_20251217-202743.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-213193	Adobe Reader DC must enable FIPS mode.	Open (Open)

MONT-SW-89108

Microsoft Windows 10 Security Technical Implementation Guide MONT-SW-89108_Win10_V3R5_20251217-203019.ckl

Edit 8 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-220716	Accounts must be configured to require password expiration.	Open (Open)
CAT II	V-220952	Passwords for enabled local Administrator accounts must be changed at least ever...	Open (Open)
CAT II	V-278918	Windows 10 must be configured to audit file system failures.	Open (Open)
CAT II	V-278919	Windows 10 must be configured to audit file system successes.	Open (Open)
CAT II	V-278920	Windows 10 must be configured to audit handle manipulation failures.	Open (Open)
CAT II	V-278921	Windows 10 must be configured to audit handle manipulation successes.	Open (Open)
CAT II	V-278922	Windows 10 must be configured to audit registry successes.	Open (Open)
CAT II	V-278923	Windows 10 must be configured to audit registry failures.	Open (Open)

MONT-SW-89108

Microsoft Office 365 ProPlus Security Technical Implementation Guide MONT-SW-89108_MSOffice365_V3R4_20251217-202911.ckl

Edit 16 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-223280	Macros must be blocked from running in Access files from the Internet.	Open (Open)
CAT II	V-223297	Consistent MIME handling must be enabled for all Office 365 ProPlus programs.	Open (Open)
CAT II	V-223299	The Information Bar must be enabled in all Office programs.	Open (Open)
CAT II	V-223300	The Local Machine Zone Lockdown Security must be enabled in all Office programs.	Open (Open)
CAT II	V-223301	The MIME Sniffing safety feature must be enabled in all Office programs.	Open (Open)
CAT II	V-223303	Object Caching Protection must be enabled in all Office programs.	Open (Open)
CAT II	V-223311	VBA Macros not digitally signed must be blocked in Excel.	Open (Open)
CAT II	V-223323	Open/save of Excel 95 workbooks must be blocked.	Open (Open)
CAT II	V-223324	Open/save of Excel 95-97 workbooks and templates must be blocked.	Open (Open)
CAT II	V-223377	VBA Macros not digitally signed must be blocked in PowerPoint.	Open (Open)
CAT II	V-223408	Open/Save of Word 2000 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223412	Open/Save of Word 95 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223413	Open/Save of Word 97 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223414	Open/Save of Word XP binary documents and templates must be blocked.	Open (Open)
CAT II	V-223417	VBA Macros not digitally signed must be blocked in Word.	Open (Open)
CAT II	V-278355	Sending of diagnostic data to Microsoft must be disabled.	Open (Open)

MONT-SW-89108

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-SW-89108_DotNET4_V2R7_20251217-202821.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225238	Update and configure the .NET Framework to support TLS.	Open (Open)

MONT-SW-89108

Google Chrome Current Windows Security Technical Implementation Guide MONT-SW-89108_Chrome_V2R11_20251217-202759.ckl

Edit 6 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-275780	Create Themes with AI must be disabled.	Open (Open)
CAT II	V-275781	DevTools Generative AI features must be disabled.	Open (Open)
CAT II	V-275782	GenAI local foundational model must be disabled.	Open (Open)
CAT II	V-275783	Help Me Write must be disabled.	Open (Open)
CAT II	V-275784	AI-powered History Search must be disabled.	Open (Open)
CAT II	V-275785	Tab Compare Settings must be disabled.	Open (Open)

MONT-SW-89108 Outdated: V3R5

Microsoft Office 365 ProPlus Security Technical Implementation Guide MONT-SW-89108_MSOffice365_V3R4_20251217-202911.ckl

Edit 4 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-278356	Connected experiences that analyze content must be disabled.	Open (Open)
CAT II	V-278357	Connected experiences that download online content must be disabled.	Open (Open)
CAT II	V-278358	Additional optional connected experiences must be disabled.	Open (Open)
CAT II	V-278359	Connected experiences must be disabled.	Open (Open)

MONT-SW-89134

Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide MONT-SW-89134_AdobeReaderDCContinuous_V2R1_20251217-200921.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-213193	Adobe Reader DC must enable FIPS mode.	Open (Open)

MONT-SW-89134

Microsoft Windows 10 Security Technical Implementation Guide MONT-SW-89134_Win10_V3R5_20251217-201218.ckl

Edit 11 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-220705	The operating system must employ a deny-all, permit-by-exception policy to allow...	Open (Open)
CAT II	V-220716	Accounts must be configured to require password expiration.	Open (Open)
CAT II	V-220903	The DoD Root CA certificates must be installed in the Trusted Root Store.	Open (Open)
CAT II	V-220952	Passwords for enabled local Administrator accounts must be changed at least ever...	Open (Open)
CAT II	V-278918	Windows 10 must be configured to audit file system failures.	Open (Open)
CAT II	V-278919	Windows 10 must be configured to audit file system successes.	Open (Open)
CAT II	V-278920	Windows 10 must be configured to audit handle manipulation failures.	Open (Open)
CAT II	V-278921	Windows 10 must be configured to audit handle manipulation successes.	Open (Open)
CAT II	V-278922	Windows 10 must be configured to audit registry successes.	Open (Open)
CAT II	V-278923	Windows 10 must be configured to audit registry failures.	Open (Open)
CAT III	V-220711	Unused accounts must be disabled or removed from the system after 35 days of ina...	Open (Open)

MONT-SW-89134

Microsoft Office 365 ProPlus Security Technical Implementation Guide MONT-SW-89134_MSOffice365_V3R4_20251217-201101.ckl

Edit 16 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-223280	Macros must be blocked from running in Access files from the Internet.	Open (Open)
CAT II	V-223297	Consistent MIME handling must be enabled for all Office 365 ProPlus programs.	Open (Open)
CAT II	V-223299	The Information Bar must be enabled in all Office programs.	Open (Open)
CAT II	V-223300	The Local Machine Zone Lockdown Security must be enabled in all Office programs.	Open (Open)
CAT II	V-223301	The MIME Sniffing safety feature must be enabled in all Office programs.	Open (Open)
CAT II	V-223303	Object Caching Protection must be enabled in all Office programs.	Open (Open)
CAT II	V-223311	VBA Macros not digitally signed must be blocked in Excel.	Open (Open)
CAT II	V-223323	Open/save of Excel 95 workbooks must be blocked.	Open (Open)
CAT II	V-223324	Open/save of Excel 95-97 workbooks and templates must be blocked.	Open (Open)
CAT II	V-223377	VBA Macros not digitally signed must be blocked in PowerPoint.	Open (Open)
CAT II	V-223408	Open/Save of Word 2000 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223412	Open/Save of Word 95 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223413	Open/Save of Word 97 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223414	Open/Save of Word XP binary documents and templates must be blocked.	Open (Open)
CAT II	V-223417	VBA Macros not digitally signed must be blocked in Word.	Open (Open)
CAT II	V-278355	Sending of diagnostic data to Microsoft must be disabled.	Open (Open)

MONT-SW-89134

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-SW-89134_DotNET4_V2R7_20251217-201000.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225238	Update and configure the .NET Framework to support TLS.	Open (Open)

MONT-SW-89134

Google Chrome Current Windows Security Technical Implementation Guide MONT-SW-89134_Chrome_V2R11_20251217-200930.ckl

Edit 6 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-275780	Create Themes with AI must be disabled.	Open (Open)
CAT II	V-275781	DevTools Generative AI features must be disabled.	Open (Open)
CAT II	V-275782	GenAI local foundational model must be disabled.	Open (Open)
CAT II	V-275783	Help Me Write must be disabled.	Open (Open)
CAT II	V-275784	AI-powered History Search must be disabled.	Open (Open)
CAT II	V-275785	Tab Compare Settings must be disabled.	Open (Open)

MONT-SW-89134 Outdated: V3R5

Microsoft Office 365 ProPlus Security Technical Implementation Guide MONT-SW-89134_MSOffice365_V3R4_20251217-201101.ckl

Edit 4 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-278356	Connected experiences that analyze content must be disabled.	Open (Open)
CAT II	V-278357	Connected experiences that download online content must be disabled.	Open (Open)
CAT II	V-278358	Additional optional connected experiences must be disabled.	Open (Open)
CAT II	V-278359	Connected experiences must be disabled.	Open (Open)

MONT-VSF-003

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-VSF-003_DotNET4_V2R7_20251023-143732.ckl

Edit 2 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225238	Update and configure the .NET Framework to support TLS.	Open (Open)
CAT III	V-225234	.NET default proxy settings must be reviewed and approved.	Open (Open)

MONT-VSF-004

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-VSF-004_DotNET4_V2R7_20251023-143711.ckl

Edit 2 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225238	Update and configure the .NET Framework to support TLS.	Open (Open)
CAT III	V-225234	.NET default proxy settings must be reviewed and approved.	Open (Open)

MONT-WS-92010

Microsoft Office 365 ProPlus Security Technical Implementation Guide MONT-WS-92010_MSOffice365_V3R3_20251023-141031.ckl

Edit 37 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-223284	The Macro Runtime Scan Scope must be enabled for all documents.	Open (Open)
CAT II	V-223286	The Office client must be prevented from polling the SharePoint Server for publi...	Open (Open)
CAT II	V-223287	Custom user interface (UI) code must be blocked from loading in all Office appli...	Open (Open)
CAT II	V-223297	Consistent MIME handling must be enabled for all Office 365 ProPlus programs.	Open (Open)
CAT II	V-223299	The Information Bar must be enabled in all Office programs.	Open (Open)
CAT II	V-223300	The Local Machine Zone Lockdown Security must be enabled in all Office programs.	Open (Open)
CAT II	V-223301	The MIME Sniffing safety feature must be enabled in all Office programs.	Open (Open)
CAT II	V-223303	Object Caching Protection must be enabled in all Office programs.	Open (Open)
CAT II	V-223309	Flash player activation must be disabled in all Office programs.	Open (Open)
CAT II	V-223311	VBA Macros not digitally signed must be blocked in Excel.	Open (Open)
CAT II	V-223312	Dynamic Data Exchange (DDE) server launch in Excel must be blocked.	Open (Open)
CAT II	V-223313	Dynamic Data Exchange (DDE) server lookup in Excel must be blocked.	Open (Open)
CAT II	V-223323	Open/save of Excel 95 workbooks must be blocked.	Open (Open)
CAT II	V-223324	Open/save of Excel 95-97 workbooks and templates must be blocked.	Open (Open)
CAT II	V-223328	Updating of links in Excel must be prompted and not automatic.	Open (Open)
CAT II	V-223329	Loading of pictures from Web pages not created in Excel must be disabled.	Open (Open)
CAT II	V-223330	AutoRepublish in Excel must be disabled.	Open (Open)
CAT II	V-223331	AutoRepublish warning alert in Excel must be enabled.	Open (Open)
CAT II	V-223332	File extensions must be enabled to match file types in Excel.	Open (Open)
CAT II	V-223338	Untrusted Microsoft Query files must be blocked from opening in Excel.	Open (Open)
CAT II	V-223339	Untrusted database files must be opened in Excel in Protected View mode.	Open (Open)
CAT II	V-223350	Files dragged from an Outlook e-mail to the file system must be created in ANSI ...	Open (Open)
CAT II	V-223351	The junk email protection level must be set to No Automatic Filtering.	Open (Open)
CAT II	V-223355	The Publish to Global Address List (GAL) button must be disabled in Outlook.	Open (Open)
CAT II	V-223357	The warning about invalid digital signatures must be enabled to warn Outlook use...	Open (Open)
CAT II	V-223360	The ability to demote attachments from Level 2 to Level 1 must be disabled.	Open (Open)
CAT II	V-223377	VBA Macros not digitally signed must be blocked in PowerPoint.	Open (Open)
CAT II	V-223379	Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in file...	Open (Open)
CAT II	V-223385	Files downloaded from the Internet must be opened in Protected view in PowerPoin...	Open (Open)
CAT II	V-223387	Files in unsafe locations must be opened in Protected view in PowerPoint.	Open (Open)
CAT II	V-223408	Open/Save of Word 2000 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223409	Open/Save of Word 2003 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223410	Open/Save of Word 2007 and later binary documents and templates must be blocked.	Open (Open)
CAT II	V-223412	Open/Save of Word 95 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223413	Open/Save of Word 97 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223414	Open/Save of Word XP binary documents and templates must be blocked.	Open (Open)
CAT II	V-223417	VBA Macros not digitally signed must be blocked in Word.	Open (Open)

MONT-WS-92010

Microsoft DotNet Framework 4.0 Security Technical Implementation Guide MONT-WS-92010_DotNET4_V2R7_20251023-141005.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-225238	Update and configure the .NET Framework to support TLS.	Open (Open)

MONT-WS-92010

Google Chrome Current Windows Security Technical Implementation Guide MONT-WS-92010_Chrome_V2R11_20251023-140804.ckl

Edit 7 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-245539	Session only based cookies must be enabled.	Open (Open)
CAT II	V-275780	Create Themes with AI must be disabled.	Open (Open)
CAT II	V-275781	DevTools Generative AI features must be disabled.	Open (Open)
CAT II	V-275782	GenAI local foundational model must be disabled.	Open (Open)
CAT II	V-275783	Help Me Write must be disabled.	Open (Open)
CAT II	V-275784	AI-powered History Search must be disabled.	Open (Open)
CAT II	V-275785	Tab Compare Settings must be disabled.	Open (Open)

MONT-WS-92010

Adobe Acrobat Professional DC Continuous Track Security Technical Implementation Guide MONT-WS-92010_AdobeAcrobatProDCContinuous_V2R1_20251023-140757.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-245874	Adobe Acrobat Pro DC Continuous FIPS mode must be enabled.	Open (Open)

MONT-WS-92010

Mozilla Firefox Security Technical Implementation Guide MONT-WS-92010_Firefox_V6R6_20251023-141154.ckl

Edit 3 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-251553	Firefox must be configured to block pop-up windows.	Open (Open)
CAT II	V-252908	Pocket must be disabled.	Open (Open)
CAT II	V-252909	Firefox Studies must be disabled.	Open (Open)

MONT-WS-92010

Microsoft Edge Security Technical Implementation Guide MONT-WS-92010_MSEdge_V2R3_20251023-141013.ckl

Edit 4 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-260465	Visual Search must be disabled.	Open (Open)
CAT II	V-260466	Copilot must be disabled.	Open (Open)
CAT II	V-260467	Session only-based cookies must be enabled.	Open (Open)
CAT II	V-266981	FriendlyURLs must be disabled.	Open (Open)

MONT-WS-92040

Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide MONT-WS-92040_AdobeReaderDCContinuous_V2R1_20251023-142113.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-213193	Adobe Reader DC must enable FIPS mode.	Open (Open)

MONT-WS-92040

Microsoft Office 365 ProPlus Security Technical Implementation Guide MONT-WS-92040_MSOffice365_V3R3_20251023-142330.ckl

Edit 37 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-223284	The Macro Runtime Scan Scope must be enabled for all documents.	Open (Open)
CAT II	V-223286	The Office client must be prevented from polling the SharePoint Server for publi...	Open (Open)
CAT II	V-223287	Custom user interface (UI) code must be blocked from loading in all Office appli...	Open (Open)
CAT II	V-223297	Consistent MIME handling must be enabled for all Office 365 ProPlus programs.	Open (Open)
CAT II	V-223299	The Information Bar must be enabled in all Office programs.	Open (Open)
CAT II	V-223300	The Local Machine Zone Lockdown Security must be enabled in all Office programs.	Open (Open)
CAT II	V-223301	The MIME Sniffing safety feature must be enabled in all Office programs.	Open (Open)
CAT II	V-223303	Object Caching Protection must be enabled in all Office programs.	Open (Open)
CAT II	V-223309	Flash player activation must be disabled in all Office programs.	Open (Open)
CAT II	V-223311	VBA Macros not digitally signed must be blocked in Excel.	Open (Open)
CAT II	V-223312	Dynamic Data Exchange (DDE) server launch in Excel must be blocked.	Open (Open)
CAT II	V-223313	Dynamic Data Exchange (DDE) server lookup in Excel must be blocked.	Open (Open)
CAT II	V-223323	Open/save of Excel 95 workbooks must be blocked.	Open (Open)
CAT II	V-223324	Open/save of Excel 95-97 workbooks and templates must be blocked.	Open (Open)
CAT II	V-223328	Updating of links in Excel must be prompted and not automatic.	Open (Open)
CAT II	V-223329	Loading of pictures from Web pages not created in Excel must be disabled.	Open (Open)
CAT II	V-223330	AutoRepublish in Excel must be disabled.	Open (Open)
CAT II	V-223331	AutoRepublish warning alert in Excel must be enabled.	Open (Open)
CAT II	V-223332	File extensions must be enabled to match file types in Excel.	Open (Open)
CAT II	V-223338	Untrusted Microsoft Query files must be blocked from opening in Excel.	Open (Open)
CAT II	V-223339	Untrusted database files must be opened in Excel in Protected View mode.	Open (Open)
CAT II	V-223350	Files dragged from an Outlook e-mail to the file system must be created in ANSI ...	Open (Open)
CAT II	V-223351	The junk email protection level must be set to No Automatic Filtering.	Open (Open)
CAT II	V-223355	The Publish to Global Address List (GAL) button must be disabled in Outlook.	Open (Open)
CAT II	V-223357	The warning about invalid digital signatures must be enabled to warn Outlook use...	Open (Open)
CAT II	V-223360	The ability to demote attachments from Level 2 to Level 1 must be disabled.	Open (Open)
CAT II	V-223377	VBA Macros not digitally signed must be blocked in PowerPoint.	Open (Open)
CAT II	V-223379	Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in file...	Open (Open)
CAT II	V-223385	Files downloaded from the Internet must be opened in Protected view in PowerPoin...	Open (Open)
CAT II	V-223387	Files in unsafe locations must be opened in Protected view in PowerPoint.	Open (Open)
CAT II	V-223408	Open/Save of Word 2000 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223409	Open/Save of Word 2003 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223410	Open/Save of Word 2007 and later binary documents and templates must be blocked.	Open (Open)
CAT II	V-223412	Open/Save of Word 95 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223413	Open/Save of Word 97 binary documents and templates must be blocked.	Open (Open)
CAT II	V-223414	Open/Save of Word XP binary documents and templates must be blocked.	Open (Open)
CAT II	V-223417	VBA Macros not digitally signed must be blocked in Word.	Open (Open)

MONT-WS-92040

Google Chrome Current Windows Security Technical Implementation Guide MONT-WS-92040_Chrome_V2R11_20251023-142120.ckl

Edit 7 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-245539	Session only based cookies must be enabled.	Open (Open)
CAT II	V-275780	Create Themes with AI must be disabled.	Open (Open)
CAT II	V-275781	DevTools Generative AI features must be disabled.	Open (Open)
CAT II	V-275782	GenAI local foundational model must be disabled.	Open (Open)
CAT II	V-275783	Help Me Write must be disabled.	Open (Open)
CAT II	V-275784	AI-powered History Search must be disabled.	Open (Open)
CAT II	V-275785	Tab Compare Settings must be disabled.	Open (Open)

MONT-WS-92040

Mozilla Firefox Security Technical Implementation Guide MONT-WS-92040_Firefox_V6R6_20251023-142444.ckl

Edit 3 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-251553	Firefox must be configured to block pop-up windows.	Open (Open)
CAT II	V-252908	Pocket must be disabled.	Open (Open)
CAT II	V-252909	Firefox Studies must be disabled.	Open (Open)

MONT-WS-92040

Microsoft Edge Security Technical Implementation Guide MONT-WS-92040_MSEdge_V2R3_20251023-142313.ckl

Edit 4 open

Severity	Vuln ID	Rule Title	Status
CAT II	V-260465	Visual Search must be disabled.	Open (Open)
CAT II	V-260466	Copilot must be disabled.	Open (Open)
CAT II	V-260467	Session only-based cookies must be enabled.	Open (Open)
CAT II	V-266981	FriendlyURLs must be disabled.	Open (Open)

MONT-SW-89108

Microsoft Edge Security Technical Implementation Guide MONT-SW-89108_MSEdge_V2R3_20251217-202829.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT III	V-235719	User control of proxy settings must be disabled.	Open (Open)

MONT-SW-89134

Microsoft Edge Security Technical Implementation Guide MONT-SW-89134_MSEdge_V2R3_20251217-201011.ckl

Edit 1 open

Severity	Vuln ID	Rule Title	Status
CAT III	V-235719	User control of proxy settings must be disabled.	Open (Open)

6023

Total Findings

382

Open

5641

Closed/Remediated