| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. If it does not, this is a finding. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.
Fix Text
Establish a policy, at minimum, to prohibit administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Ensure the policy is enforced. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.
Fix Text
Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 6275DCDEF057117A4E22688BC519EA5B675A222E ~~~~~ The following SSL flags are missing: Ssl SslRequireCert Ssl128 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Exchange Back End ResultHash: 20F984A5D3F505EAE457B229ADD97C44EF33D3DC ~~~~~ The following SSL flags are missing: SslRequireCert Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 20F984A5D3F505EAE457B229ADD97C44EF33D3DC ~~~~~ The following SSL flags are missing: SslRequireCert Comments |
|||||
Check Text
Notes: - If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. In this case, this requirement is not applicable. - If this is a public-facing web server, this requirement is not applicable. - If this server is hosting WSUS, this requirement is not applicable. - If the server being reviewed is hosting SharePoint, this is not applicable. - If the server being reviewed is hosting Simple Certificate Enrollment Services (SCEP), this is not applicable. - If the server being reviewed is hosting Network Device Enrollment Services (NDES), this is not applicable. - If the server is providing OCSP, and not otherwise hosting any content, this requirement is not applicable. - If the server is providing CRL, and not otherwise hosting any content, this requirement is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon under the "IIS" section. Verify "Require SSL" is checked. Verify "Client Certificates Required" is selected. Click the site under review. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.webServer/security/access". The value for "sslFlags" set must include "ssl128". If the "Require SSL" is not selected, this is a finding. If the "Client Certificates Required" is not selected, this is a finding. Note: "Client Certificates Required" can be considered Not Applicable in a Single Sign On (SSO) scenario where client certificates are no longer processed locally. If the "sslFlags" is not set to "ssl128", this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon under the "IIS" section. Select the "Require SSL" setting. Select the "Client Certificates Required" setting. Click "Apply" in the "Actions" pane. Click the site under review. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.webServer/security/access". Click on the drop-down list for "sslFlags". Select the "Ssl128" check box. Click "Apply" in the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DC46B573621F6ECBBEBFC3EAC3FFB498356150AF ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONT-AP-002\DOD_Admin objectClass: User objectSID: S-1-5-21-3515710802-3801378020-2101878990-1000 Name: MONT-AP-002\X_Admin objectClass: User objectSID: S-1-5-21-3515710802-3801378020-2101878990-500 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 04D272EFF579CBFBB029CA64C75D595999410214 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONT-BE-002\DOD_Admin objectClass: User objectSID: S-1-5-21-2559903909-3818771750-2130456036-1000 Name: MONT-BE-002\X_Admin objectClass: User objectSID: S-1-5-21-2559903909-3818771750-2130456036-500 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 3079F2CB216B05B092D336E25D350B864AFC05D2 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONT-DB-002\DOD_Admin objectClass: User objectSID: S-1-5-21-3489894170-526094123-3548415114-1000 Name: MONT-DB-002\X_Admin objectClass: User objectSID: S-1-5-21-3489894170-526094123-3548415114-500 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 26130FDD7AA4586B373FC80745ACC1E59F170514 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONT-DP-001\DOD_Admin objectClass: User objectSID: S-1-5-21-388225469-2825430915-2362864043-1000 Name: MONT-DP-001\X_Admin objectClass: User objectSID: S-1-5-21-388225469-2825430915-2362864043-500 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 195D3A4C9E0C1244F68BAB51B457A6CB3424C6A3 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONTFORD-POINT\Domain Admins objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-512 Name: MONTFORD-POINT\Exchange Trusted Subsystem objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1134 Name: MONTFORD-POINT\Organization Management objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1119 Name: MONT-MB-002\DOD_Admin objectClass: User objectSID: S-1-5-21-3803552116-1809661109-1744339665-1000 Name: MONT-MB-002\SHB_Admin objectClass: User objectSID: S-1-5-21-3803552116-1809661109-1744339665-500 Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: E6DF78787BB4DA1415D3FA7445592C5F0EF90842 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONTFORD-POINT\D.Admin objectClass: User objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Name: MONT-VSF-003\dod_admin objectClass: User objectSID: S-1-5-21-4236012249-4164713760-2408648245-1000 Name: MONT-VSF-003\X_Admin objectClass: User objectSID: S-1-5-21-4236012249-4164713760-2408648245-500 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 05C0319BF2208BE823FDDFBAF79265AC39289D00 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONTFORD-POINT\D.Admin objectClass: User objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Name: MONT-VSF-004\dod_admin objectClass: User objectSID: S-1-5-21-2502410760-3344595884-382061215-1000 Name: MONT-VSF-004\X_Admin objectClass: User objectSID: S-1-5-21-2502410760-3344595884-382061215-500 Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Open "Computer Management". Navigate to "Groups" under "Local Users and Groups". Review the local "Administrators" group. Only administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. Standard user accounts must not be members of the local Administrator group. If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding.
Fix Text
Configure the local "Administrators" group to include only administrator groups or accounts responsible for administration of the system. For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. Remove any standard user accounts.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: AE41F3DF4C82029ED7404BA4BE6A75115B769621 ~~~~~ BitLocker Network Unlock is not in use. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseAdvancedStartup Value: 0x00000001 (1) Value: REG_DWORD TPM Startup PIN Configuration: --------------------------- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMPIN Value: 0x00000001 (1) [Compliant] Value: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: AE41F3DF4C82029ED7404BA4BE6A75115B769621 ~~~~~ BitLocker Network Unlock is not in use. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseAdvancedStartup Value: 0x00000001 (1) Value: REG_DWORD TPM Startup PIN Configuration: --------------------------- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMPIN Value: 0x00000001 (1) [Compliant] Value: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: A0DEB1E83D788131EFCA0954E181AD87591B969A ~~~~~ BitLocker Network Unlock is not in use. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseAdvancedStartup Value: 0x00000001 (1) Value: REG_DWORD TPM Startup PIN Configuration: --------------------------- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMPIN Value: 0x00000002 (2) [Expected '1'] Value: REG_DWORD Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMKeyPIN Value: 0x00000002 (2) [Expected '1'] Value: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: A0DEB1E83D788131EFCA0954E181AD87591B969A ~~~~~ BitLocker Network Unlock is not in use. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseAdvancedStartup Value: 0x00000001 (1) Value: REG_DWORD TPM Startup PIN Configuration: --------------------------- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMPIN Value: 0x00000002 (2) [Expected '1'] Value: REG_DWORD Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMKeyPIN Value: 0x00000002 (2) [Expected '1'] Value: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseAdvancedStartup Type: REG_DWORD Value: 0x00000001 (1) If one of the following registry values does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000001 (1) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000001 (1) When BitLocker network unlock is used: Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000002 (2) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000002 (2) BitLocker network unlock may be used in conjunction with a BitLocker PIN. Refer to the article at the link below for information about network unlock. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Require additional authentication at startup" to "Enabled" with "Configure TPM Startup PIN:" set to "Require startup PIN with TPM" or with "Configure TPM startup key and PIN:" set to "Require startup key and PIN with TPM".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 8BD6B22DCF9582BB99D89D5C035DF8B52BDC2CF8 ~~~~~ Data Execution Prevention is configured to 'OptIn' Windows Boot Loader ------------------- identifier {current} device partition=C: path \windows\system32\winload.efi description Windows 10 locale en-US inherit {bootloadersettings} recoverysequence {e1d40356-fa9e-11ed-a81c-d132769a72eb} displaymessageoverride Recovery recoveryenabled Yes isolatedcontext Yes allowedinmemorysettings 0x15000075 osdevice partition=C: systemroot \windows resumeobject {e1d40354-fa9e-11ed-a81c-d132769a72eb} nx OptIn bootmenupolicy Standard Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 82C3F1B697DB48695C0120630E2A8ED6B8252DF2 ~~~~~ Data Execution Prevention is configured to 'OptIn' Windows Boot Loader ------------------- identifier {current} device partition=C: path \windows\system32\winload.efi description Windows 10 locale en-US inherit {bootloadersettings} recoverysequence {86fa2db6-faa5-11ed-8cb5-f1e0456ab8cf} displaymessageoverride Recovery recoveryenabled Yes isolatedcontext Yes allowedinmemorysettings 0x15000075 osdevice partition=C: systemroot \windows resumeobject {86fa2db4-faa5-11ed-8cb5-f1e0456ab8cf} nx OptIn bootmenupolicy Standard Comments |
|||||
Check Text
Verify the DEP configuration. Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator). Enter "BCDEdit /enum {current}". (If using PowerShell "{current}" must be enclosed in quotes.) If the value for "nx" is not "OptOut", this is a finding. (The more restrictive configuration of "AlwaysOn" would not be a finding.)
Fix Text
Configure DEP to at least OptOut. Note: Suspend BitLocker before making changes to the DEP configuration. Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator). Enter "BCDEDIT /set {current} nx OptOut". (If using PowerShell "{current}" must be enclosed in quotes.) "AlwaysOn", a more restrictive selection, is also valid but does not allow applications that do not function properly to be opted out of DEP. Opted out exceptions can be configured in the "System Properties". Open "System" in Control Panel. Select "Advanced system settings". Click "Settings" in the "Performance" section. Select the "Data Execution Prevention" tab. Applications that are opted out are configured in the window below the selection "Turn on DEP for all programs and services except those I select:".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.
Fix Text
Establish and enforce a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Implement technical measures where feasible such as removal of applications or use of application whitelisting to restrict the use of applications that can access the Internet.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: DD0C8EF05E5C236F6DE0AC78EFCA66F351187ECB ~~~~~ boot network not found ip boot server not found ip bootp server not found ip dns server not found ip identd not found ip finger not found ip http server not found ip rcmd rcp-enable not found ip rcmd rsh-enable not found service config not found service finger not found service tcp-small-servers not found service udp-small-servers not found service pad not found SERVICE CALL-HOME FOUND Comments |
|||||
Check Text
Verify that the router does not have any unnecessary or nonsecure ports, protocols, and services enabled. For example, the following commands should not be in the configuration: boot network ip boot server ip bootp server ip dns server ip identd ip finger ip http server ip rcmd rcp-enable ip rcmd rsh-enable service config service finger service tcp-small-servers service udp-small-servers service pad service call-home Note: Certain legacy devices may require 'service call-home' be enabled to support Smart Licensing as they do not support the newer smart transport configuration. Those devices do not incur a finding for having call-home enabled for Smart Licensing. If any unnecessary or nonsecure ports, protocols, or services are enabled, this is a finding.
Fix Text
Disable the following services if enabled as shown in the example below. R2(config)#no boot network R2(config)#no ip boot server R2(config)#no ip bootp server R2(config)#no ip dns server R2(config)#no ip identd R2(config)#no ip finger R2(config)#no ip http server R2(config)#no ip rcmd rcp-enable R2(config)#no ip rcmd rsh-enable R2(config)#no service config R2(config)#no service finger R2(config)#no service tcp-small-servers R2(config)#no service udp-small-servers R2(config)#no service pad R2(config)#no service call-home R2(config)#end
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: EC2FCBD8253B86CFC2922A92FE8E178EA3988544 ~~~~~ IP HTTP Timeout Settings no ip http server no ip http secure-server http\https servers are disabled, http\https requirements are not applicable line con 0 privilege level 15 logging synchronous login authentication USER_AUTH stopbits 1 line con 0 exec-timeout is not configured. Default value of 10 is assumed Confirm value is correctly configured by checking against 'show running-config all' configuration file Line VTY Timeout Settings line vty 0 4 session-timeout 10 access-class vty_access in session-limit 3 logging synchronous transport preferred ssh transport input ssh transport output ssh ! exec-timeout is not configured. Default value of 10 is assumed Confirm value is correctly configured by checking against 'show running-config all' configuration file Comments |
|||||
Check Text
Review the Cisco router configuration to verify that all network connections associated with a device management have an idle timeout value set to five minutes or less as shown in the following example: ip http secure-server ip http timeout-policy idle 300 life nnnn requests nn … … … line con 0 exec-timeout 5 0 line vty 0 1 exec-timeout 5 0 If the Cisco router is not configured to terminate all network connections associated with a device management after five minutes of inactivity, this is a finding.
Fix Text
Set the idle timeout value to five minutes or less on all configured login classes as shown in the example below. R1(config)#line vty 0 1 R1(config-line)#exec-timeout 5 0 R1(config-line)#exit R1(config)#line con 0 R1(config-line)#exec-timeout 5 0 R1(config-line)#exit R2(config)#ip http timeout-policy idle 300 life nnnn requests nn
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: FAA040DE8CA5849E5308201D0776B0A8AC84BA79 ~~~~~ SSH Server Algorithm is not configured per STIG check guidelines ip ssh source-interface BDI400 ip ssh logging events ip ssh version 2 ip ssh server algorithm mac hmac-sha1 ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. NOTE: Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. SSH Example ip ssh version 2 ip ssh server algorithm mac hmac-sha2-256 If the Cisco router is not configured to use FIPS-validated HMAC to protect the integrity of remote maintenance sessions, this is a finding.
Fix Text
Configure SSH to use FIPS-validated HMAC for remote maintenance sessions as shown in the following example: SSH Example R1(config)#ip ssh version 2 R1(config)#ip ssh server algorithm mac hmac-sha2-256
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: D895FC94452D188206C29C53687CC2115A1A7E8B ~~~~~ Below is a list of local groups and their members (if any): Group: Access Control Assistance Operators Group: Administrators X_Admin DOD_Admin Server Administrator Group Group: Backup Operators Group: Certificate Service DCOM Access Group: Cryptographic Operators Group: Distributed COM Users Group: Event Log Readers Group: Guests Visitor Group: Hyper-V Administrators Group: IIS_IUSRS Group: Network Configuration Operators Group: Performance Log Users Group: Performance Monitor Users Group: Power Users Group: Print Operators Group: RDS Endpoint Servers Group: RDS Management Servers Group: RDS Remote Access Servers Group: Remote Desktop Users Group: Remote Management Users Group: Replicator Group: Storage Replica Administrators Group: System Managed Accounts Group DefaultAccount Group: Users INTERACTIVE Authenticated Users Domain Users Group: ConfigMgr Remote Control Users Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 624D7AD7D647B59D79BA27D736EAFE3764D6EA5B ~~~~~ Below is a list of local groups and their members (if any): Group: Access Control Assistance Operators Group: Administrators SHB_Admin DOD_Admin Domain Admins Organization Management Exchange Trusted Subsystem Group: Backup Operators Group: Certificate Service DCOM Access Group: Cryptographic Operators Group: Distributed COM Users Group: Event Log Readers Group: Guests SHB_Visitor Group: Hyper-V Administrators Group: IIS_IUSRS Group: Network Configuration Operators Group: Performance Log Users Group: Performance Monitor Users Group: Power Users Group: Print Operators Group: RDS Endpoint Servers Group: RDS Management Servers Group: RDS Remote Access Servers Group: Remote Desktop Users Group: Remote Management Users Group: Replicator Group: Storage Replica Administrators Group: System Managed Accounts Group DefaultAccount Group: Users INTERACTIVE Authenticated Users Domain Users Comments |
|||||
Check Text
Obtain a list of the user accounts with access to the system, including all local and domain accounts. Review the privileges to the web server for each account. Verify with the system administrator or the ISSO that all privileged accounts are mission essential and documented. Verify with the system administrator or the ISSO that all non-administrator access to shell scripts and operating system functions are mission essential and documented. If undocumented privileged accounts are found, this is a finding. If undocumented non-administrator access to shell scripts and operating system functions are found, this is a finding. If this IIS 10 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.
Fix Text
Ensure non-administrators are not allowed access to the directory tree, the shell, or other operating system functions and utilities. All non-administrator access to shell scripts and operating system functions must be mission essential and documented.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8AE742FA7487414B54F49AFC49412799439832C2 ~~~~~ Local user accounts on this system. Confirm if any are used by IIS and if so, verify that default passwords have been changed: Name: DOD_Admin Enabled: True SID: S-1-5-21-388225469-2825430915-2362864043-1000 Password Age: 884 days Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 7B7215D4389023C21A17987544BF8519AB42A58E ~~~~~ Local user accounts on this system. Confirm if any are used by IIS and if so, verify that default passwords have been changed: Name: DOD_Admin Enabled: True SID: S-1-5-21-3803552116-1809661109-1744339665-1000 Password Age: 888 days Comments |
|||||
Check Text
Access the IIS 10.0 web server. Access the "Apps" menu. Under "Administrative Tools", select "Computer Management". In left pane, expand "Local Users and Groups" and click "Users". Review the local users listed in the middle pane. If any local accounts are present and used by IIS 10.0, verify with System Administrator that default passwords have been changed. If passwords have not been changed from the default, this is a finding.
Fix Text
Access the IIS 10.0 web server. Access the "Apps" menu. Under Administrative Tools, select Computer Management. In left pane, expand "Local Users and Groups" and click on "Users". Change passwords for any local accounts present that are used by IIS 10.0, then verify with System Administrator default passwords have been changed. Develop an internal process for changing passwords on a regular basis.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA349E0F1566CFDFB09D8F996B3AD3B036574454 ~~~~~ The router is not configured to send log data to the syslog server, this is a finding. Comments |
|||||
Check Text
Verify that the router is configured to send logs to at least two syslog servers. The configuration should look similar to the example below: logging x.x.x.x logging x.x.x.x If the router is not configured to send log data to the syslog servers, this is a finding.
Fix Text
Configure the router to send log messages to the syslog servers as shown in the example below. R4(config)#logging host x.x.x.x R4(config)#logging host x.x.x.x
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F616F024AD309ED67328DF3127A0A41B41DA2441 ~~~~~ Check with vendor for support status of the device Device Info: Hostname : MONTPOINTGTWYRTR DomainName : MACAddress : DeviceInfo : {Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.4, RELEASE SOFTWARE (fc5)} CiscoOS : IOS-XE CiscoOSVer : 16.12.4 CiscoSoftware : ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M) SerialNumber : FLM2122V0D9 Model : ISR4351/K9 DeviceType : Router Comments |
|||||
Check Text
Verify that the router is in compliance with this requirement by having the router administrator enter the following command: show version Verify that the release is still supported by Cisco. All releases supported by Cisco can be found on the following URL: www.cisco.com/c/en/us/support/ios-nx-os-software If the router is not running a supported release, this is a finding.
Fix Text
Upgrade the router to a supported release.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 3D3B4BF9D172F1653F4CA64457844979FAECE364 ~~~~~ Trusted Suffix: MONTFORD-POINT.navy.mil DC Cert Subject: CN=MONT-DC-003.MONTFORD-POINT.navy.mil, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US DC Cert Issuer: CN=DOD SW CA-67, OU=PKI, OU=DoD, O=U.S. Government, C=US DC Cert Thumbprint: 09D2721B5061A5BD0B8E3C771D94CCF915BA291C Trusted Suffix: mil DC Cert Subject: Well Known UPN suffix DC Cert Issuer: Well Known UPN suffix DC Cert Thumbprint: Well Known UPN suffix There are 7 account findings: ------------------------------------- Name: SHB_Admin Enabled: True UPN: DN: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil Name: S.Admin Enabled: True UPN: DN: CN=S.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Name: N.Admin Enabled: True UPN: DN: CN=N.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Name: MONT-EM-NAA Enabled: True UPN: DN: CN=MONT-EM-NAA,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Name: MONT-EM-SVRCP Enabled: True UPN: DN: CN=MONT-EM-SVRCP,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Name: MONT-EM-WKSCP Enabled: True UPN: DN: CN=MONT-EM-WKSCP,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Name: MONT-EM-Admin Enabled: True UPN: DN: CN=MONT-EM-Admin,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Review user account mappings to PKI certificates. Open "Windows PowerShell". Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. For standard NIPRNet certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization. NIPRNet Example: Name - User Principal Name User1 - 1234567890@mil See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.
Fix Text
Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: E80A78FBEDDA324884CAAB1E479460FD319F84B4 ~~~~~ SecurityServicesRunning: 0 Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments |
|||||
Check Text
For domain controllers and standalone or nondomain-joined systems, this is NA. Open "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Security Services Running" does not list "Credential Guard", this is a finding. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock) A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration". A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection provided to the affected servers that are not capable of complying with the Credential Guard requirement. Items that should be reviewed/considered for compliance or mitigation for non-Credential Guard compliance are: The use of Microsoft Local Administrator Password Solution (LAPS) or similar products to control different local administrative passwords for all affected affected servers. This is to include a strict password change requirement (60 days or less). …. Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions should be supplied. …. Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected affected servers. …. Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers. …. Windows Defender rule block credential stealing from LSASS.exe is applied. This rule can only be applied if Windows Defender is in use. …. The overall number of vulnerabilities that are unmitigated on the network/servers.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be OPEN on 10/23/2025 ResultHash: 1852EDAFFD0549867EBD2E419B98256759732803 ~~~~~ Members of 'Enterprise Admins' ========================= Name: MONTFORD-POINT\Alexandra.M.Perl objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1160 DistinguishedName: CN=Perl\, Alexandra M.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT ALL HANDS MONTFORD-POINT RADIO MONTFORD-POINT LAN Management MONTFORD-POINT EO Name: MONTFORD-POINT\altucker.iaadmin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1224 DistinguishedName: CN=Tucker\, Adam L.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Domain Administrator Group Domain Admins [FINDING] Remote Desktop Users Name: MONTFORD-POINT\amperl.admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1638 DistinguishedName: CN=ADMIN\, AMPerl,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT LAN Management Member Server Administrator Group Domain Administrator Group Domain Admins [FINDING] Remote Management Users Name: MONTFORD-POINT\d.admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104 DistinguishedName: CN=D.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Member Server Administrator Group Domain Administrator Group Domain Admins [FINDING] Schema Admins [FINDING] Remote Management Users Remote Desktop Users Name: MONTFORD-POINT\jrsanders.iaadmin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1253 DistinguishedName: CN=Sanders\, James R.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Member Server Administrator Group Domain Administrator Group Domain Admins [FINDING] Remote Management Users Remote Desktop Users Name: MONTFORD-POINT\MONT-EM-Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1157 DistinguishedName: CN=MONT-EM-Admin,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Domain Administrator Group Domain Admins [FINDING] Remote Desktop Users Administrators [FINDING] Name: MONTFORD-POINT\montford.exchange [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118 DistinguishedName: CN=Exchange Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Organization Management Schema Admins [FINDING] Administrators [FINDING] Name: MONTFORD-POINT\SHB_Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-500 DistinguishedName: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Group Policy Creator Owners Domain Admins [FINDING] Schema Admins [FINDING] Administrators [FINDING] Name: MONTFORD-POINT\Thomas.L.Jones objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1176 DistinguishedName: CN=Jones\, Thomas L.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT ENG MONTFORD-POINT ALL HANDS MONTFORD-POINT RADIO MONTFORD-POINT LAN Management MONTFORD-POINT EO Name: MONTFORD-POINT\TLJones.Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1250 DistinguishedName: CN=Jones\, Thomas L.\, Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT LAN Management Member Server Administrator Group Domain Administrator Group Domain Admins [FINDING] Remote Management Users Comments |
|||||
Check Text
Review the Enterprise Admins group in Active Directory Users and Computers. Any accounts that are members of the Enterprise Admins group must be documented with the IAO. Each Enterprise Administrator must have a separate unique account specifically for managing the Active Directory forest. If any account listed in the Enterprise Admins group is a member of other administrator groups including the Domain Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.
Fix Text
Create the necessary documentation that identifies the members of the Enterprise Admins group. Ensure that each member has a separate unique account that can only be used to manage the Active Directory Forest. Remove any Enterprise Admin accounts from other administrator groups.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be OPEN on 10/23/2025 ResultHash: 7225AB9272CF53F1FFEA5139423A0233F41DA652 ~~~~~ Members of 'Domain Admins' ========================= Name: MONTFORD-POINT\adsmith.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1249 DistinguishedName: CN=Smith\, Alexander D.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Name: MONTFORD-POINT\altucker.iaadmin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1224 DistinguishedName: CN=Tucker\, Adam L.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Domain Administrator Group Enterprise Admins [FINDING] Remote Desktop Users Name: MONTFORD-POINT\amperl.admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1638 DistinguishedName: CN=ADMIN\, AMPerl,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT LAN Management Member Server Administrator Group Domain Administrator Group Enterprise Admins [FINDING] Remote Management Users Name: MONTFORD-POINT\ANOC.FIM objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1203 DistinguishedName: CN=FIM\, ANOC,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Organization Management Domain Administrator Group Name: MONTFORD-POINT\d.admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104 DistinguishedName: CN=D.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Member Server Administrator Group Domain Administrator Group Enterprise Admins [FINDING] Schema Admins [FINDING] Remote Management Users Remote Desktop Users Name: MONTFORD-POINT\iwgonzalez.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1242 DistinguishedName: CN=Gonzalez\, Ian W.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Name: MONTFORD-POINT\jrsanders.iaadmin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1253 DistinguishedName: CN=Sanders\, James R.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Member Server Administrator Group Domain Administrator Group Enterprise Admins [FINDING] Remote Management Users Remote Desktop Users Name: MONTFORD-POINT\jtbegarek.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1212 DistinguishedName: CN=IA ADMIN\, JTBegarek,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Organization Management Member Server Administrator Group Domain Administrator Group Domain Users Name: MONTFORD-POINT\MONT-EM-Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1157 DistinguishedName: CN=MONT-EM-Admin,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Domain Administrator Group Enterprise Admins [FINDING] Remote Desktop Users Administrators [FINDING] Name: MONTFORD-POINT\montford.exchange [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118 DistinguishedName: CN=Exchange Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Organization Management Enterprise Admins [FINDING] Schema Admins [FINDING] Administrators [FINDING] Name: MONTFORD-POINT\RDRivera.IAADMIN objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1213 DistinguishedName: CN=Rivera\, RJ,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Name: MONTFORD-POINT\scan.admin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1192 DistinguishedName: CN=Scan Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Workstation Administrator Group Member Server Administrator Group Remote Desktop Users Name: MONTFORD-POINT\SHB_Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-500 DistinguishedName: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Group Policy Creator Owners Enterprise Admins [FINDING] Schema Admins [FINDING] Administrators [FINDING] Name: MONTFORD-POINT\tagavrilovic.iaadmin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1231 DistinguishedName: CN=Gavrilovic\, Tyler A.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Remote Desktop Users Administrators [FINDING] Name: MONTFORD-POINT\TLJones.Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1250 DistinguishedName: CN=Jones\, Thomas L.\, Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT LAN Management Member Server Administrator Group Domain Administrator Group Enterprise Admins [FINDING] Remote Management Users Comments |
|||||
Check Text
Review the Domain Admins group in Active Directory Users and Computers. Any accounts that are members of the Domain Admins group must be documented with the IAO. Each Domain Administrator must have a separate unique account specifically for managing the Active Directory domain and domain controllers. If any account listed in the Domain Admins group is a member of other administrator groups including the Enterprise Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.
Fix Text
Create the necessary documentation that identifies the members of the Domain Admins group. Ensure that each member has a separate unique account that can only be used to manage the Active Directory domain and domain controllers. Remove any Domain Admin accounts from other administrator groups.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review the properties of all privileged accounts in Active Directory Users and Computers. Under the Account tab, verify "Account is sensitive and cannot be delegated" is selected in the Account Options section. If delegation is not prohibited for any privileged account, this is a finding.
Fix Text
Open Active Directory Users and Computers. View the properties of all privileged accounts. Under the Account tab, select "Account is sensitive and cannot be delegated" in the Account Options section.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 6BC616B0CF84131BFB017A9DC62E207CE8D4CF40 ~~~~~ Server is a 'Primary Domain Controller' This requirement is a permanent finding for server 2016 domain controllers per DOD CIO Memo Upgrading of MS Domain Controller OS to MS Server 2019 or Later (CIO000911-23) Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This requirement is not applicable for Member Servers. Note: This requirement is a permanent finding for server 2016 domain controllers per DOD CIO Memo Upgrading of MS Domain Controller OS to MS Server 2019 or Later (CIO000911-23). If the server is acting as a domain controller, this is a finding.
Fix Text
For servers acting as a domain controller, upgrade the operating system to Microsoft Server 2019 or greater.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If all accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding. If there are any accounts managed by the DBMS, review the system documentation for justification and approval of these accounts. If any DBMS-managed accounts exist that are not documented and approved, this is a finding.
Fix Text
Integrate DBMS security with an organization-level authentication/access mechanism providing account management for all users, groups, roles, and any other principals. For each DBMS-managed account that is not documented and approved, either transfer it to management by the external mechanism, or document the need for it and obtain approval, as appropriate.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Check DBMS settings to determine whether users are restricted from accessing objects and data they are not authorized to access. If appropriate access controls are not implemented to restrict access to authorized users and to restrict the access of those users to objects and data they are authorized to see, this is a finding.
Fix Text
Configure the DBMS settings and access controls to permit user access only to objects and data that the user is authorized to view or interact with, and to prevent access to all other objects and data.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review procedures for controlling, granting access to, and tracking use of the DBMS software installation account. If access or use of this account is not restricted to the minimum number of personnel required or if unauthorized access to the account has been granted, this is a finding.
Fix Text
Develop, document, and implement procedures to restrict and track use of the DBMS software installation account.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If DBMS authentication, using passwords, is not employed, this is not a finding. If the DBMS is configured to inherit password complexity and lifetime rules from the operating system or access control program, this is not a finding. Review the DBMS settings relating to password complexity. Determine whether the following rules are enforced. If any are not, this is a finding. a. minimum of 15 characters, including at least one of each of the following character sets: - Uppercase. - Lowercase. - Numerics. - Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <). b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight. Review the DBMS settings relating to password lifetime. Determine whether the following rules are enforced. If any are not, this is a finding. a. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days. b. Password lifetime limits for noninteractive accounts: Minimum 24 hours, maximum 365 days. c. Number of password changes before an old one may be reused: Minimum of five.
Fix Text
If the use of passwords is not needed, configure the DBMS to prevent their use if it is capable of this; if it is not, institute policies and procedures to prohibit their use. If the DBMS can inherit password complexity rules from the operating system or access control program, configure it to do so. Otherwise, use DBMS configuration parameters and/or custom code to enforce the following rules for passwords: a. Minimum of 15 characters, including at least one of each of the following character sets: - Uppercase. - Lowercase. - Numerics. - Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <). b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight. c. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days. d. Password lifetime limits for non-interactive accounts: Minimum 24 hours, maximum 365 days. e. Number of password changes before an old one may be reused: Minimum of five.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review the list of DBMS database objects, database configuration files, associated scripts, and applications defined within and external to the DBMS that access the database. The list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts. Determine whether any DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are hashed using FIPS-approved cryptographic algorithms and include a salt. If any passwords are stored in clear text, this is a finding. If any passwords are stored with reversible encryption, this is a finding. If any passwords are stored using unsalted hashes, this is a finding.
Fix Text
Develop, document, and maintain a list of DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings in the System Security Plan. Record whether they do or do not contain DBMS passwords. If passwords are present, ensure they are correctly hashed using one-way, salted hashing functions, and that the hashes are protected by host system security.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review configuration settings for encrypting passwords in transit across the network. If passwords are not encrypted, this is a finding. If it is determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a finding.
Fix Text
Configure encryption for transmission of passwords across the network. If the database does not provide encryption for logon events natively, employ encryption at the OS or network level. Ensure passwords remain encrypted from source to destination.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review DBMS configuration to determine whether appropriate access controls exist to protect the DBMS's private key(s). If the DMBS’s private key(s) are not stored in a FIPS 140-2 or 140-3 validated cryptographic module, this is a finding. If access to the DBMS’s private key(s) is not restricted to authenticated and authorized users, this is a finding.
Fix Text
Store all DBMS PKI private keys in a FIPS 140-2 or 140-3 validated cryptographic module. Ensure access to the DBMS PKI private keys is restricted to only authenticated and authorized users.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If all interaction with the user for purposes of authentication is handled by a software component separate from the DBMS, this is not a finding. If any application, tool or feature associated with the DBMS/database displays any authentication secrets (to include PINs and passwords) during - or after - the authentication process, this is a finding.
Fix Text
Modify and configure each non-compliant application, tool, or feature associated with the DBMS/database so that it does not display authentication secrets.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review DBMS configuration to verify it is using NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations. If NIST FIPS 140-2 or 140-3 validated modules are not being used for all cryptographic operations, this is a finding.
Fix Text
Utilize NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding. Review DBMS settings to determine whether controls exist to protect the confidentiality and integrity of data at rest in the database. If controls do not exist or are not enabled, this is a finding.
Fix Text
Apply appropriate controls to protect the confidentiality and integrity of data at rest in the database.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of the DBMS, operating system/file system, and additional software as relevant. If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.
Fix Text
Configure the DBMS, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure, which must include, at a minimum, PII and classified information. If the documentation indicates no information requires such protections, this is not a finding. Review the configuration of the DBMS, operating system/file system, and additional software as relevant. If any of the information defined as requiring protection is not encrypted in a manner that provides the required level of protection and is not physically secured to the required level, this is a finding.
Fix Text
Configure the DBMS, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection for information requiring cryptographic protection against disclosure. Secure the premises, equipment, and media to provide the required level of physical protection.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-AdobeAcrobatProDCContinuous_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8A5C406AE5197A673C1E9CCAF985C1CF27558D6A ~~~~~ Name: Adobe Acrobat DC Version: DC Track: Continuous DisplayVersion: 25.001.20756 Architecture: x64 Comments |
|||||
Check Text
Open Adobe Acrobat Pro DC. Navigate to and click on Help >> About Adobe Acrobat Pro DC. Verify that the latest security-related software updates by Adobe are being applied. If the latest security-related software updates by Adobe are not being applied, this is a finding.
Fix Text
Apply the latest security-related software updates to the Adobe Acrobat Pro DC application.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-AdobeReaderDCContinuous_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 55F395109A6C5171DE708830F5FECF87BC7FEB32 ~~~~~ Name: Adobe Reader DC Version: DC Track: Continuous DisplayVersion: 25.001.20997 Architecture: x86 Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-AdobeReaderDCContinuous_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 55F395109A6C5171DE708830F5FECF87BC7FEB32 ~~~~~ Name: Adobe Reader DC Version: DC Track: Continuous DisplayVersion: 25.001.20997 Architecture: x86 Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-AdobeReaderDCContinuous_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 52C747ED8AD535C8D5B3C3BFCE49764504D0FE1D ~~~~~ Name: Adobe Reader DC Version: DC Track: Continuous DisplayVersion: 25.001.20756 Architecture: x86 Comments |
|||||
Check Text
Determine the method for doing this (e.g., connection to a WSUS server, local procedure, auto update, etc.). Open Adobe Acrobat Reader DC. Navigate to and click on Help >> About Adobe Acrobat Reader DC. Verify that the latest security-related software updates by Adobe are being applied. If the latest security-related software updates by Adobe are not being applied, this is a finding.
Fix Text
Apply the latest security-related software updates to the Adobe Acrobat Reader application.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments |
|||||
Check Text
Determine if SQL Server is configured to allow the use of contained databases, if it is, take the appropriate precautions to limit their risk. 1) In the Object Explorer in SQL Server Management Studio (SSMS), right-click on the server instance, select "Properties", and then select the "Advanced" page. If "Enabled Contained Databases" is "False", this is not a finding. 2) If "Enabled Contained Databases" is "True", then in a query interface such as the SSMS Transact-SQL editor, run the statement: EXEC sp_configure 'contained database authentication' If the returned value in the "config_value" and/or "run_value" column is "0", this is not a finding. 3) Determine whether SQL Server is configured to use only Windows authentication. In a query interface such as the SSMS Transact-SQL editor, run the statement: SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly') WHEN 1 THEN 'Windows Authentication' WHEN 0 THEN 'Windows and SQL Server Authentication' END as [Authentication Mode] If the returned value in the "Authentication Mode" column is "Windows Authentication", this is not a finding. If mixed mode (both SQL Server authentication and Windows authentication) is in use, then it must be documented and approved. From the documentation, obtain the list of accounts authorized to be managed by SQL Server. Determine the accounts (SQL Logins) actually managed by SQL Server. Run the statement: SELECT name FROM sys.database_principals WHERE type_desc = 'SQL_USER' AND authentication_type_desc = 'DATABASE'; If any accounts listed by the query are not listed in the documentation, this is a finding. Documentation must be approved by the information system security officer (ISSO)/ information system security manager (ISSM).
Fix Text
If mixed mode is required, document the need and justification; describe the measures taken to ensure the use of SQL Server authentication is kept to a minimum; describe the measures taken to safeguard passwords; list or describe the SQL Logins used; and obtain official approval. If mixed mode is not required, disable it as follows: In the SSMS Object Explorer, right-click on the server instance, select Properties >> Security page. Click the radio button for "Windows Authentication Mode", and then click "OK". Restart the SQL Server instance. OR Run the statement: USE [master] EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 2 GO Restart the SQL Server instance. For each account being managed by SQL Server but not requiring it, drop or disable the SQL Database user. Replace it with an appropriately configured account, as needed. To drop a User in the SSMS Object Explorer: Navigate to Databases >> Security Users. Right-click on the User name, and then click "Delete". To drop a User via a query: USE database_name; DROP USER <user_name>;
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: E72A43AA1F56BC880CAFBD122F108E27602D0980 ~~~~~ This is the 'tempdb' database so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: CD95A213FC4476B7F4C08031802041EE9D911C58 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 391 -403485259 Roles 17 348690621 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo SQLAgentUserRole SQLAgentReaderRole SQLAgentReaderRole SQLAgentOperatorRole SQLAgentUserRole dc_operator db_ssisltduser dc_operator db_ssisoperator dc_operator dc_operator dc_admin db_ssisltduser dc_proxy db_ssisoperator dc_proxy SQLAgentUserRole MS_DataCollectorInternalUser db_ssisoperator MS_DataCollectorInternalUser dc_admin MS_DataCollectorInternalUser SQLAgentOperatorRole PolicyAdministratorRole ServerGroupReaderRole ServerGroupAdministratorRole PolicyAdministratorRole ##MS_PolicyEventProcessingLogin## PolicyAdministratorRole ##MS_PolicyTsqlExecutionLogin## UtilityIMRReader UtilityIMRWriter Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable ------------ ------- ---------- --------------- --------------- --------------- --------- SQL_USER ##MS_PolicyEventProcessingLogin## GRANT CONNECT DATABASE msdb SQL_USER ##MS_PolicyEventProcessingLogin## GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_events_reader SQL_USER ##MS_PolicyTsqlExecutionLogin## GRANT CONNECT DATABASE msdb DATABASE_ROLE DatabaseMailUserRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_send_dbmail DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_allitems DATABASE_ROLE DatabaseMailUserRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sysmail_delete_mailitems_sp DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_event_log DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_faileditems DATABASE_ROLE DatabaseMailUserRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sysmail_help_status_sp DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_mailattachments DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_sentitems DATABASE_ROLE DatabaseMailUserRole GRANT SELECT VIEW dbo sysmail_unsentitems DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addfolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addlogentry DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletefolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackageroles DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_renamefolder DATABASE_ROLE db_ssisadmin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_setpackageroles DATABASE_ROLE db_ssisadmin GRANT DELETE USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT INSERT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT REFERENCES USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT SELECT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisadmin GRANT UPDATE USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addfolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addlogentry DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletefolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackageroles DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_renamefolder DATABASE_ROLE db_ssisltduser GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_setpackageroles DATABASE_ROLE db_ssisltduser GRANT INSERT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisltduser GRANT SELECT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages DATABASE_ROLE db_ssisoperator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage DATABASE_ROLE db_ssisoperator GRANT INSERT USER_TABLE dbo sysssislog DATABASE_ROLE db_ssisoperator GRANT SELECT USER_TABLE dbo sysssislog SQL_USER dbo GRANT CONNECT DATABASE msdb DATABASE_ROLE dc_admin GRANT IMPERSONATE DATABASE_PRINCIPAL MS_DataCollectorInternalUser DATABASE_ROLE dc_admin GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_highest_incompatible_mdw_version DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Generic SQL Trace Collector Type DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Generic SQL Trace Collector Type DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Generic T-SQL Query Collector... DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Generic T-SQL Query Collector... DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Performance Counters Collecto... DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Performance Counters Collecto... DATABASE_ROLE dc_admin GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Query Activity Collector Type DATABASE_ROLE dc_admin GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Query Activity Collector Type DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_cleanup_collector DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collection_item DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collection_set DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collector_type DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collection_item DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collection_set DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collector_type DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_cache_directory DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_cache_window DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_warehouse_database_name DATABASE_ROLE dc_admin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_warehouse_instance_name DATABASE_ROLE dc_operator GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_find_collection_set_root DATABASE_ROLE dc_operator GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_details DATABASE_ROLE dc_operator GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_log_tree DATABASE_ROLE dc_operator GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_stats DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_tsql_query_collector DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_execution_log_tree DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_disable_collector DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_enable_collector DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_tsql_query_collector_packag... DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_run_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_start_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_stop_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_update_collection_item DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_update_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_upload_collection_set DATABASE_ROLE dc_operator GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_verify_subsystems DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_collection_items DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_collection_sets DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_collector_types DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_config_store DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_execution_log DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_execution_log_full DATABASE_ROLE dc_operator GRANT SELECT VIEW dbo syscollector_execution_stats DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_highest_incompatible_mdw_version DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_tsql_query_collector DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_oncollectionbegin DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_oncollectionend DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onerror DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackagebegin DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackageend DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackageupdate DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onstatsupdate DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_tsql_query_collector_packag... DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_warehouse_connection_string DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_snapshot_dm_exec_query_stats DATABASE_ROLE dc_proxy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_snapshot_dm_exec_requests DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_collection_items DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_collection_sets DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_collector_types DATABASE_ROLE dc_proxy GRANT SELECT VIEW dbo syscollector_config_store SQL_USER guest GRANT CONNECT DATABASE msdb SQL_USER MS_DataCollectorInternalUser GRANT CONNECT DATABASE msdb DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_object_set DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy_category_subscription DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_target_set DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_target_set_level DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_configure DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_create_purge_job DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_object_set DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy_category_subscription DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_dispatch_event DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_detail DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_end DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_start DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_purge_health_state DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_purge_history DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_repair_policy_automation DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_config_enabled DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_config_history_retention DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_log_on_success DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_condition DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_policy DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_policy_category DATABASE_ROLE PolicyAdministratorRole GRANT EXECUTE SQL_STORED_PROCEDURE ---truncated results. met character limit--- Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 67138811F3D3035DB7C13B6F224A4015F4C21EB3 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 3 -2020448801 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable column_name grantor_type grantor ------------ ------- ---------- --------------- --------------- --------------- --------- ----------- ------------ ------- SQL_USER dbo GRANT CONNECT DATABASE model SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE model SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE model SQL_USER dbo Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: A5133F4A8B2717CDEB397EC5433932ABBE14A87B ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 2260 -1243632689 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable ------------ ------- ---------- --------------- --------------- --------------- --------- CERTIFICATE_MAPPED_USER ##MS_AgentSigningCertificate## GRANT CONNECT DATABASE master CERTIFICATE_MAPPED_USER ##MS_AgentSigningCertificate## GRANT EXECUTE DATABASE master SQL_USER ##MS_PolicyEventProcessingLogin## GRANT CONNECT DATABASE master SQL_USER ##MS_PolicyEventProcessingLogin## GRANT EXECUTE SQL_STORED_PROCEDURE sys sp_syspolicy_execute_policy SQL_USER dbo GRANT CONNECT DATABASE master SQL_USER guest GRANT CONNECT DATABASE master DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1005... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1030... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1042... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1046... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1059... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1063... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1069... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1078... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1090... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1104... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1163... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1182... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1189... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1337... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1361... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1369... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1425... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1465... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1529... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1786... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1792... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -1814... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2059... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2063... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2144... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2271... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2318... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2397... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2456... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2456... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2462... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2520... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2610... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -2978... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3055... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3144... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3160... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3226... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3319... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3462... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3508... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3624... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3825... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -3984... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4083... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4095... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4129... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4159... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4167... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4258... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4317... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4438... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4633... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4642... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4714... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4730... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4810... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4828... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -4975... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5004... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5043... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5200... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5221... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5233... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5261... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5313... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5378... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5381... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5462... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5576... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5683... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5846... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -590 *** DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5905... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -591 *** DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -592 *** DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -593 *** DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -5963... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6084... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6219... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6234... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6259... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6366... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6383... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6385... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6495... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6584... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6724... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -6980... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7167... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7264... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7310... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7327... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7362... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7494... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7578... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7644... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7786... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7850... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7909... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7947... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -7989... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8028... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8167... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8186... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8248... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8268... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8300... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8481... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8483... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8604... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8752... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8824... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8834... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8962... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -8986... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9111... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9139... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9273... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9343... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9442... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9679... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9764... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9798... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9861... DATABASE_ROLE public GRANT SELECT OBJECT *** Internal Hidden Object : -9886... DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE master DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE master DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_db DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_dev DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_usg DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_monitor DATABASE_ROLE public GRANT SELECT VIEW dbo spt_values DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CHECK_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMN_DOMAIN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMN_PRIVILEGES DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMNS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CONSTRAINT_COLUMN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CONSTRAINT_TABLE_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA DOMAIN_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA DOMAINS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA KEY_COLUMN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA PARAMETERS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA REFERENTIAL_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA ROUTINE_COLUMNS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA ROUTINES DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA SCHEMATA DATABASE_ROLE public GRANT SELECT VIEW INFORMA ---truncated results. met character limit--- Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 4E0BE29691469BB6268E1305E905DFBC61DC8366 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 59 -882091564 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable column_name grantor_type grantor ------------ ------- ---------- --------------- --------------- --------------- --------- ----------- ------------ ------- SQL_USER dbo GRANT CONNECT DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatDeletionEventProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatFragmentProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatMediaProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatPieceIdTableProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo DeleteOrphandedResourcesProc SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo InsertVirtualSet SQL_USER dbo Comments |
|||||
Check Text
Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".
Fix Text
Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments |
|||||
Check Text
Review the system documentation to determine whether the organization has defined the information at rest be protected from modification, which must include at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of SQL Server, Windows, and additional software as relevant. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. If database transparent data encryption (TDE) is called for, verify it is enabled: SELECT db.name AS DatabaseName, db.is_encrypted AS IsEncrypted, CASE WHEN dm.encryption_state = 0 THEN 'No database encryption key present, no encryption' WHEN dm.encryption_state = 1 THEN 'Unencrypted' WHEN dm.encryption_state = 2 THEN 'Encryption in progress' WHEN dm.encryption_state = 3 THEN 'Encrypted' WHEN dm.encryption_state = 4 THEN 'Key change in progress' WHEN dm.encryption_state = 5 THEN 'Decryption in progress' WHEN dm.encryption_state = 6 THEN 'Protection change in progress' END AS EncryptionState, dm.encryption_state AS EncryptionState, dm.key_algorithm AS KeyAlgorithm, dm.key_length AS KeyLength FROM sys.databases db LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id WHERE db.database_id NOT IN (1,2,3,4) For each user database for which encryption is called for and that is marked Unencrypted, this is a finding. If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information that requires cryptographic protection is not encrypted, this is a finding.
Fix Text
Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments |
|||||
Check Text
Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. If database transparent data encryption (TDE) is called for, check whether it is enabled: SELECT DB_NAME(database_id) AS [Database Name], CASE encryption_state WHEN 0 THEN 'No database encryption key present, no encryption' WHEN 1 THEN 'Unencrypted' WHEN 2 THEN 'Encryption in progress' WHEN 3 THEN 'Encrypted' WHEN 4 THEN 'Key change in progress' WHEN 5 THEN 'Decryption in progress' WHEN 6 THEN 'Protection change in progress' END AS [Encryption State] FROM sys.dm_database_encryption_keys For each user database for which encryption is called for and it is marked Unencrypted, this is a finding. If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encryption settings, if any of the information defined as requiring cryptographic protection is not encrypted this is a finding.
Fix Text
Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the table/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6FFE5E388F143FAEAC142114D4F65C55EDC01323 ~~~~~ service password-encryption Comments |
|||||
Check Text
Review the router configuration to determine if passwords are encrypted as shown in the example below. service password-encryption If the router is not configured to encrypt passwords, this is a finding.
Fix Text
Configure the router to encrypt all passwords. R4(config)#service password-encryption R4(config)#end
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 93C96089FB06A0232EAFE70A05C0C894B0598049 ~~~~~ ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr Comments |
|||||
Check Text
Review the Cisco router configuration to verify that it is compliant with this requirement. SSH Example ip ssh version 2 ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr If the router is not configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm, this is a finding.
Fix Text
Configure the Cisco router to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm as shown in the examples below. SSH Example R1(config)#ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONTPOINTGTWYRTR | 10.10.10.1 | 2026-01-14 | |||
Finding Detailsaaa new-model ! ! aaa group server radius AR21-Radius server name AR21-DC003 server name AR21-DC004 ip radius source-interface BDI400 load-balance method least-outstanding ! aaa group server tacacs+ ISE server-private 164.231.72.99 key 7 060B1C22424F1F0044 server-private 164.231.111.4 key 7 060B1C22424F1F0044 ip tacacs source-interface BDI400 ! aaa authentication login default group ISE group AR21-Radius local aaa authentication enable default group ISE group AR21-Radius enable aaa authorization config-commands aaa authorization exec default group ISE group AR21-Radius local if-authenticated aaa authorization network ISE group AR21-Radius local if-authenticated aaa accounting exec default start-stop group ISE group AR21-Radius ! aaa common-criteria policy PASSWORD_POLICY min-length 15 max-length 127 numeric-count 1 upper-case 1 lower-case 1 special-case 1 char-changes 8 ! ! ! ! ! ! aaa session-id common call-home ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications. contact-email-addr sch-smart-licensing@cisco.com profile "CiscoTAC-1" active destination transport-method http no destination transport-method email no ip source-route ! ! ! ! ! ! ! no ip domain lookup ip domain name MONTPOINTGTWRTR.navy.mil ! ! ! login block-for 900 attempts 3 within 120 login on-failure log login on-success log ipv6 hop-limit 32 Comments |
|||||
Check Text
Review the Cisco router configuration to verify the device is configured to use at least two authentication servers as primary source for authentication as shown in the following example: aaa new-model ! aaa authentication CONSOLE group radius local aaa authentication login LOGIN_AUTHENTICATION group radius local … … … ip http authentication aaa login-authentication LOGIN_AUTHENTICATION ip http secure-server … … … radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxxx radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxxx … … … line con 0 exec-timeout 5 0 login authentication CONSOLE line vty 0 1 exec-timeout 5 0 login authentication LOGIN_AUTHENTICATION If the Cisco router is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.
Fix Text
Step 1: Configure the Cisco router to use at least two authentication servers as shown in the following example: R4(config)#radius host 10.1.48.2 key xxxxxx R4(config)#radius host 10.1.48.3 key xxxxxx Step 2: Configure the authentication order to use the authentication servers as primary source for authentication as shown in the following example: R4(config)#aaa authentication CONSOLE group radius local R4(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use the authentication servers for the purpose of login authentication. R4(config)#line vty 0 1 R4(config-line)#login authentication LOGIN_AUTHENTICATION R4(config-line)#exit R4(config)#line con 0 R4(config-line)#login authentication CONSOLE R4(config-line)#exit R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Default Web Site ResultHash: 11B73503DAE06F01B5185CC126C80F8941A56D00 ~~~~~ Anonymous Authentication is Enabled and using the account 'IUSR' for authentication. IUSR is not a member of any privileged groups. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Exchange Back End ResultHash: 11B73503DAE06F01B5185CC126C80F8941A56D00 ~~~~~ Anonymous Authentication is Enabled and using the account 'IUSR' for authentication. IUSR is not a member of any privileged groups. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Default Web Site ResultHash: 11B73503DAE06F01B5185CC126C80F8941A56D00 ~~~~~ Anonymous Authentication is Enabled and using the account 'IUSR' for authentication. IUSR is not a member of any privileged groups. Comments |
|||||
Check Text
Check the account used for anonymous access to the website. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click "Authentication" in the IIS section of the website’s Home Pane. If "Anonymous access" is disabled, this is Not a Finding. If "Anonymous access" is enabled, click "Anonymous Authentication". Click "Edit" in the "Actions" pane. If the "Specific user" radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Note the account name. If nothing is tied to "Specific User", this is Not a Finding. Check privileged groups that may allow the anonymous account inappropriate membership: Open "Computer Management" on the machine. Expand "Local Users and Groups". Open "Groups". Review the members of any of the following privileged groups: Administrators Backup Operators Certificate Services (of any designation) Distributed COM Users Event Log Readers Network Configuration Operators Performance Log Users Performance Monitor Users Power Users Print Operators Remote Desktop Users Replicator Double-click each group and review its members. If the IUSR account or any account noted above used for anonymous access is a member of any group with privileged access, this is a finding.
Fix Text
Remove the Anonymous access account from all privileged accounts and all privileged groups.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A61E6E1F4236FBB1D74C63FF96102D9E19672555 ~~~~~ There are no files or folders with names containing 'sample' in the targeted directories. To determine the correct status, a manual review is still required to identify if any example code, example applications or tutorials exist and are not explicitly used by the production website per the check text. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A61E6E1F4236FBB1D74C63FF96102D9E19672555 ~~~~~ There are no files or folders with names containing 'sample' in the targeted directories. To determine the correct status, a manual review is still required to identify if any example code, example applications or tutorials exist and are not explicitly used by the production website per the check text. Comments |
|||||
Check Text
Navigate to the following folders: inetpub\ Program Files\Common Files\System\msadc Program Files (x86)\Common Files\System\msadc If the folder or sub-folders contain any executable sample code, example applications, or tutorials which are not explicitly used by a production website, this is a finding.
Fix Text
Remove any executable sample code, example applications, or tutorials which are not explicitly used by a production website.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B61C09790F563535A9E85CCAE0DFEC8635007810 ~~~~~ HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server ValueName 'DisabledByDefault' is '0' (REG_DWORD) ValueName 'Enabled' is '1' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B61C09790F563535A9E85CCAE0DFEC8635007810 ~~~~~ HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server ValueName 'DisabledByDefault' is '0' (REG_DWORD) ValueName 'Enabled' is '1' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) Comments |
|||||
Check Text
Access the IIS 10.0 Web Server. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Verify a REG_DWORD value of "0" for "DisabledByDefault". Verify a REG_DWORD value of "1" for "Enabled". Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server Verify a REG_DWORD value of "1" for "DisabledByDefault". Verify a REG_DWORD value of "0" for "Enabled". If any of the respective registry paths do not exist or are configured with the wrong value, this is a finding. SSL 3.0 is disabled by default in newer Operating Systems. If SSL 3.0 has a registry DWORD enabled with a value of 1, this is a finding. If this key is not present, this is not a finding.
Fix Text
Access the IIS 10.0 Web Server. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Create a REG_DWORD named "DisabledByDefault" with a value of "0". Create a REG_DWORD named "Enabled" with a value of "1". Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server For each protocol: Create a REG_DWORD named "DisabledByDefault" with a value of "1". Create a REG_DWORD named "Enabled" with a value of "0".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: CD1B9B58B26C7C0564EB502A00E7A6FB74E3E282 ~~~~~ All disk(s) encrypted with BitLocker. Mount Point: C: Encryption Method: XtsAes128 Volume Type: OperatingSystem Volume Status: FullyEncrypted Protection Status: Off Lock Status: Unlocked Encryption %: 100 Key Protector: RecoveryPassword, Tpm Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: CD1B9B58B26C7C0564EB502A00E7A6FB74E3E282 ~~~~~ All disk(s) encrypted with BitLocker. Mount Point: C: Encryption Method: XtsAes128 Volume Type: OperatingSystem Volume Status: FullyEncrypted Protection Status: Off Lock Status: Unlocked Encryption %: 100 Key Protector: RecoveryPassword, Tpm Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 374DA62AC80E33993305E73BF38A7CE33E45FF4B ~~~~~ All disk(s) encrypted with BitLocker. Mount Point: C: Encryption Method: XtsAes128 Volume Type: OperatingSystem Volume Status: FullyEncrypted Protection Status: On Lock Status: Unlocked Encryption %: 100 Key Protector: Tpm, RecoveryPassword Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 374DA62AC80E33993305E73BF38A7CE33E45FF4B ~~~~~ All disk(s) encrypted with BitLocker. Mount Point: C: Encryption Method: XtsAes128 Volume Type: OperatingSystem Volume Status: FullyEncrypted Protection Status: On Lock Status: Unlocked Encryption %: 100 Key Protector: Tpm, RecoveryPassword Comments |
|||||
Check Text
Verify all Windows 10 information systems (including SIPRNet) employ BitLocker for full disk encryption. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. If full disk encryption using BitLocker is not implemented, this is a finding. Verify BitLocker is turned on for the operating system drive and any fixed data drives. Open "BitLocker Drive Encryption" from the Control Panel. If the operating system drive or any fixed data drives have "Turn on BitLocker", this is a finding. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
Fix Text
Enable full disk encryption on all information systems (including SIPRNet) using BitLocker. BitLocker, included in Windows, can be enabled in the Control Panel under "BitLocker Drive Encryption" as well as other management tools. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804 ~~~~~ 'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: MinimumPIN Value: 0x00000006 (6) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804 ~~~~~ 'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: MinimumPIN Value: 0x00000006 (6) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804 ~~~~~ 'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: MinimumPIN Value: 0x00000006 (6) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804 ~~~~~ 'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: MinimumPIN Value: 0x00000006 (6) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: MinimumPIN Type: REG_DWORD Value: 0x00000006 (6) or greater
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Configure minimum PIN length for startup" to "Enabled" with "Minimum characters:" set to "6" or greater.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA ~~~~~ Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044) Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA ~~~~~ Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044) Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA ~~~~~ Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA ~~~~~ Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044) Comments |
|||||
Check Text
Run "winver.exe". If the "About Windows" dialog box does not display a version supported by the vendor, this is a finding.
Fix Text
Upgrade to a supported version of the operating system.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C ~~~~~ WMI Namespace: ROOT/SecurityCenter2 WMI Class: AntiVirusProduct Display Name: Trellix Endpoint Security Product State: On Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C ~~~~~ WMI Namespace: ROOT/SecurityCenter2 WMI Class: AntiVirusProduct Display Name: Trellix Endpoint Security Product State: On Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C ~~~~~ WMI Namespace: ROOT/SecurityCenter2 WMI Class: AntiVirusProduct Display Name: Trellix Endpoint Security Product State: On Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C ~~~~~ WMI Namespace: ROOT/SecurityCenter2 WMI Class: AntiVirusProduct Display Name: Trellix Endpoint Security Product State: On Comments |
|||||
Check Text
Verify an antivirus solution is installed on the system and in use. The antivirus solution may be bundled with an approved Endpoint Security Solution. Verify if Windows Defender is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName" Verify third-party antivirus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*trellix*"} | Select Status,DisplayName" If there is no antivirus solution installed on the system, this is a finding.
Fix Text
If no antivirus software is on the system and in use, install Windows Defender or a third-party antivirus solution.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119 ~~~~~ All disk(s) formatted as NTFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119 ~~~~~ All disk(s) formatted as NTFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119 ~~~~~ All disk(s) formatted as NTFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119 ~~~~~ All disk(s) formatted as NTFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Comments |
|||||
Check Text
Run "Computer Management". Navigate to Storage >> Disk Management. If the "File System" column does not indicate "NTFS" for each volume assigned a drive letter, this is a finding. This does not apply to system partitions such the Recovery and EFI System Partition.
Fix Text
Format all local volumes to use NTFS.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 20E099B9F72979B59022E9A2A9ED1BDEE0865FF1 ~~~~~ The following are members of the local Administrators group: ============== Name: MONT-SW-89108\AMPerl.IAAdmin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1018 Name: MONT-SW-89108\dod_admin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1001 Name: MONT-SW-89108\jtbegarek.iaadmin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1024 Name: MONT-SW-89108\Scan.Admin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1016 Name: MONT-SW-89108\tljones.iaadmin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1023 Name: MONT-SW-89108\xAdministrator objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-500 Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 755D0E653E43EF30F999A01A9B8C1F315C41FADD ~~~~~ The following are members of the local Administrators group: ============== Name: MONT-SW-89134\AMPerl.IAAdmin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1021 Name: MONT-SW-89134\dod_admin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1001 Name: MONT-SW-89134\jtbegarek.iaadmin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1026 Name: MONT-SW-89134\scan.admin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1022 Name: MONT-SW-89134\tljones.iaadmin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1024 Name: MONT-SW-89134\xAdministrator objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-500 Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8CF8EB2216BA99A2A79DC17F45300F57F0A47C32 ~~~~~ The following are members of the local Administrators group: ============== Name: MONTFORD-POINT\Workstation Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1110 Name: MONT-WS-92010\dod_admin objectClass: User objectSID: S-1-5-21-2586659569-2484290388-2027984285-1001 Name: MONT-WS-92010\X_Admin objectClass: User objectSID: S-1-5-21-2586659569-2484290388-2027984285-500 Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 3E830C5BCEA1AA12EC57417D52A215ACB2E2E5E1 ~~~~~ The following are members of the local Administrators group: ============== Name: MONTFORD-POINT\Workstation Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1110 Name: MONT-WS-92040\dod_admin objectClass: User objectSID: S-1-5-21-3703204072-2228436765-3422267048-1001 Name: MONT-WS-92040\X_Admin objectClass: User objectSID: S-1-5-21-3703204072-2228436765-3422267048-500 Comments |
|||||
Check Text
Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Groups. Review the members of the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. The built-in Administrator account or other required administrative accounts would not be a finding.
Fix Text
Configure the system to include only administrator groups or accounts that are responsible for the system in the local Administrators group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Remove any standard user accounts.