| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 9909794486C8A4818F6C510A4F518CE94F2C267A ~~~~~ Feature Name: IIS-WebServerRole State: Disabled Feature Name: IIS-HostableWebCore State: Disabled Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 9909794486C8A4818F6C510A4F518CE94F2C267A ~~~~~ Feature Name: IIS-WebServerRole State: Disabled Feature Name: IIS-HostableWebCore State: Disabled Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9909794486C8A4818F6C510A4F518CE94F2C267A ~~~~~ Feature Name: IIS-WebServerRole State: Disabled Feature Name: IIS-HostableWebCore State: Disabled Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9909794486C8A4818F6C510A4F518CE94F2C267A ~~~~~ Feature Name: IIS-WebServerRole State: Disabled Feature Name: IIS-HostableWebCore State: Disabled Comments |
|||||
Check Text
IIS is not installed by default. Verify it has not been installed on the system. Run "Programs and Features". Select "Turn Windows features on or off". If the entries for "Internet Information Services" or "Internet Information Services Hostable Web Core" are selected, this is a finding. If an application requires IIS or a subset to be installed to function, this needs be documented with the ISSO. In addition, any applicable requirements from the IIS STIG must be addressed.
Fix Text
Uninstall "Internet Information Services" or "Internet Information Services Hostable Web Core" from the system.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: E6502904487C2D388E0134DE9AA5D3378AFB5240 ~~~~~ Windows 10 version is 2009 so this requirement is NA. Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: E6502904487C2D388E0134DE9AA5D3378AFB5240 ~~~~~ Windows 10 version is 2009 so this requirement is NA. Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: E6502904487C2D388E0134DE9AA5D3378AFB5240 ~~~~~ Windows 10 version is 2009 so this requirement is NA. Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: E6502904487C2D388E0134DE9AA5D3378AFB5240 ~~~~~ Windows 10 version is 2009 so this requirement is NA. Comments |
|||||
Check Text
This is applicable to Windows 10 prior to v1709. Verify SEHOP is turned on. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\kernel\ Value Name: DisableExceptionChainValidation Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to "Enabled". This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: 35876C8966B85EC1E2B626A04F1F3A7173B7D72A ~~~~~ System is a 'Standalone Workstation' so this requirement is NA. Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: 35876C8966B85EC1E2B626A04F1F3A7173B7D72A ~~~~~ System is a 'Standalone Workstation' so this requirement is NA. Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments |
|||||
Check Text
Confirm Credential Guard is running on domain-joined systems. For devices that support Credential Guard, this feature must be enabled. Organizations must take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled. Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDIs) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Virtualization-based Security Services Running" does not list "Credential Guard", this is finding. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock)
Fix Text
Virtualization based security, including Credential Guard, currently cannot be implemented in VDIs due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable. For VDIs with persistent desktops, this may be downgraded to a CAT II only where administrators have specific tokens for the VDI. Administrator accounts on virtual desktops must only be used on systems in the VDI; they may not have administrative privileges on any other systems such as servers and physical workstations. Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration:". v1507 LTSB does not include selection options; select "Enable Credential Guard". A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 710AE588AB6A9F5E0B92559BED20BF35AFCB73BE ~~~~~ 'Configure Solicited Remote Assistance' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services Value Name: fAllowToGetHelp Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 710AE588AB6A9F5E0B92559BED20BF35AFCB73BE ~~~~~ 'Configure Solicited Remote Assistance' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services Value Name: fAllowToGetHelp Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 710AE588AB6A9F5E0B92559BED20BF35AFCB73BE ~~~~~ 'Configure Solicited Remote Assistance' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services Value Name: fAllowToGetHelp Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 710AE588AB6A9F5E0B92559BED20BF35AFCB73BE ~~~~~ 'Configure Solicited Remote Assistance' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services Value Name: fAllowToGetHelp Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowToGetHelp Value Type: REG_DWORD Value: 0
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Assistance >> "Configure Solicited Remote Assistance" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 429F8E88ADA237E5E5322A9AFBD48B8E33D2C07A ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 429F8E88ADA237E5E5322A9AFBD48B8E33D2C07A ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 429F8E88ADA237E5E5322A9AFBD48B8E33D2C07A ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 429F8E88ADA237E5E5322A9AFBD48B8E33D2C07A ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value Type: REG_DWORD Value: 1
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Disallow Autoplay for non-volume devices" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 01637DF3E70F327F92A796B403FE836B3C86FDF8 ~~~~~ 'Set the default behavior for AutoRun' is Enabled: (Do not execute any autorun commands) Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 01637DF3E70F327F92A796B403FE836B3C86FDF8 ~~~~~ 'Set the default behavior for AutoRun' is Enabled: (Do not execute any autorun commands) Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 01637DF3E70F327F92A796B403FE836B3C86FDF8 ~~~~~ 'Set the default behavior for AutoRun' is Enabled: (Do not execute any autorun commands) Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 01637DF3E70F327F92A796B403FE836B3C86FDF8 ~~~~~ 'Set the default behavior for AutoRun' is Enabled: (Do not execute any autorun commands) Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value Type: REG_DWORD Value: 1
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Set the default behavior for AutoRun" to "Enabled:Do not execute any autorun commands".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 13FD2420C2B8D6429B41A57DD6B60EA04E2990AA ~~~~~ 'Turn off AutoPlay' is Enabled: (All Drives) Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 13FD2420C2B8D6429B41A57DD6B60EA04E2990AA ~~~~~ 'Turn off AutoPlay' is Enabled: (All Drives) Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 13FD2420C2B8D6429B41A57DD6B60EA04E2990AA ~~~~~ 'Turn off AutoPlay' is Enabled: (All Drives) Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 13FD2420C2B8D6429B41A57DD6B60EA04E2990AA ~~~~~ 'Turn off AutoPlay' is Enabled: (All Drives) Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value Type: REG_DWORD Value: 0x000000ff (255) Note: If the value for NoDriveTypeAutorun is entered manually, it must be entered as "ff" when Hexadecimal is selected, or "255" with Decimal selected. Using the policy value specified in the Fix section will enter it correctly.
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Turn off AutoPlay" to "Enabled:All Drives".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 453F878DFDBD58EA0B57A6EFB51F819380F02365 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 453F878DFDBD58EA0B57A6EFB51F819380F02365 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 453F878DFDBD58EA0B57A6EFB51F819380F02365 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 453F878DFDBD58EA0B57A6EFB51F819380F02365 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value Type: REG_DWORD Value: 0
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 30889CFD34559B587AF9B23229EE47BF3019880E ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 30889CFD34559B587AF9B23229EE47BF3019880E ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 30889CFD34559B587AF9B23229EE47BF3019880E ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 30889CFD34559B587AF9B23229EE47BF3019880E ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value Type: REG_DWORD Value: 0
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow Basic authentication" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 05DABD310D5297F9FE1F997D158377A95C402A44 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 05DABD310D5297F9FE1F997D158377A95C402A44 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 05DABD310D5297F9FE1F997D158377A95C402A44 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 05DABD310D5297F9FE1F997D158377A95C402A44 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value Type: REG_DWORD Value: 0
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow Basic authentication" to "Disabled". Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection. This would only be allowed temporarily for implementation as documented and approved. …. Allowing Basic authentication to be used for the sole creation of Office 365 DoD tenants. …. A documented mechanism and or script that can disable Basic authentication once administration completes. …. Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administration.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Allow anonymous SID/Name translation" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 2870C547CA5060B258B072ED5120B1CF7E989A0E ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 2870C547CA5060B258B072ED5120B1CF7E989A0E ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2870C547CA5060B258B072ED5120B1CF7E989A0E ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2870C547CA5060B258B072ED5120B1CF7E989A0E ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value Type: REG_DWORD Value: 1
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 1051CF51ECBB5E3283B3A4B53296BE7627D31DDD ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 1051CF51ECBB5E3283B3A4B53296BE7627D31DDD ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1051CF51ECBB5E3283B3A4B53296BE7627D31DDD ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1051CF51ECBB5E3283B3A4B53296BE7627D31DDD ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value Type: REG_DWORD Value: 1
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 19F7DCB438329890D8ED0ADB49701F95E47913B7 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 19F7DCB438329890D8ED0ADB49701F95E47913B7 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 19F7DCB438329890D8ED0ADB49701F95E47913B7 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 19F7DCB438329890D8ED0ADB49701F95E47913B7 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value Type: REG_DWORD Value: 1
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: CC740FB3C2FC52E2AA528E6AB393D9E2FB79E3B5 ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: CC740FB3C2FC52E2AA528E6AB393D9E2FB79E3B5 ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CC740FB3C2FC52E2AA528E6AB393D9E2FB79E3B5 ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CC740FB3C2FC52E2AA528E6AB393D9E2FB79E3B5 ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value Type: REG_DWORD Value: 1
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 2DB6BD8F09ADE45E5C4D9B0B24BFDBF70E5F49E5 ~~~~~ 'Network security: LAN Manager authentication level' is Send NTLMv2 response only. Refuse LM & NTLM Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 2DB6BD8F09ADE45E5C4D9B0B24BFDBF70E5F49E5 ~~~~~ 'Network security: LAN Manager authentication level' is Send NTLMv2 response only. Refuse LM & NTLM Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2DB6BD8F09ADE45E5C4D9B0B24BFDBF70E5F49E5 ~~~~~ 'Network security: LAN Manager authentication level' is Send NTLMv2 response only. Refuse LM & NTLM Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2DB6BD8F09ADE45E5C4D9B0B24BFDBF70E5F49E5 ~~~~~ 'Network security: LAN Manager authentication level' is Send NTLMv2 response only. Refuse LM & NTLM Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value Type: REG_DWORD Value: 5
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts are granted the "Create a token object" user right, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: AAF881443B1EF7292F901DB868FAA5B091A864F8 ~~~~~ Debug Programs: BUILTIN\Administrators Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: AAF881443B1EF7292F901DB868FAA5B091A864F8 ~~~~~ Debug Programs: BUILTIN\Administrators Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AAF881443B1EF7292F901DB868FAA5B091A864F8 ~~~~~ Debug Programs: BUILTIN\Administrators Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AAF881443B1EF7292F901DB868FAA5B091A864F8 ~~~~~ Debug Programs: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Debug Programs" user right, this is a finding: Administrators
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to only include the following groups or accounts: Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: B16ADE515E363F887C68C49630239CB917515255 ~~~~~ 'Protect document metadata for rights managed Office Open XML Files' is Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\security Value Name: DRMEncryptProperty Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: B16ADE515E363F887C68C49630239CB917515255 ~~~~~ 'Protect document metadata for rights managed Office Open XML Files' is Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\security Value Name: DRMEncryptProperty Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: B16ADE515E363F887C68C49630239CB917515255 ~~~~~ 'Protect document metadata for rights managed Office Open XML Files' is Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\security Value Name: DRMEncryptProperty Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: B16ADE515E363F887C68C49630239CB917515255 ~~~~~ 'Protect document metadata for rights managed Office Open XML Files' is Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\security Value Name: DRMEncryptProperty Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings "Protect document metadata for rights managed Office Open XML Files" is set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security If the value DRMEncryptProperty is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings "Protect document metadata for rights managed Office Open XML Files" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B6AC25614EB7418F4A5ED5C1A135A4467FB661C5 ~~~~~ Operating system is 'Windows Server 2016 Standard 1607' (10.0.14393) End of Support Date: Jan 12, 2027 End of Support Link: https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B6AC25614EB7418F4A5ED5C1A135A4467FB661C5 ~~~~~ Operating system is 'Windows Server 2016 Standard 1607' (10.0.14393) End of Support Date: Jan 12, 2027 End of Support Link: https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B6AC25614EB7418F4A5ED5C1A135A4467FB661C5 ~~~~~ Operating system is 'Windows Server 2016 Standard 1607' (10.0.14393) End of Support Date: Jan 12, 2027 End of Support Link: https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B6AC25614EB7418F4A5ED5C1A135A4467FB661C5 ~~~~~ Operating system is 'Windows Server 2016 Standard 1607' (10.0.14393) End of Support Date: Jan 12, 2027 End of Support Link: https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B6AC25614EB7418F4A5ED5C1A135A4467FB661C5 ~~~~~ Operating system is 'Windows Server 2016 Standard 1607' (10.0.14393) End of Support Date: Jan 12, 2027 End of Support Link: https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B6AC25614EB7418F4A5ED5C1A135A4467FB661C5 ~~~~~ Operating system is 'Windows Server 2016 Standard 1607' (10.0.14393) End of Support Date: Jan 12, 2027 End of Support Link: https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016 Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7BEF854B89F42EC500A0B759D80C9F3FAE4D1E65 ~~~~~ Operating system is 'Windows Server 2016 Datacenter 1607' (10.0.14393) End of Support Date: Jan 12, 2027 End of Support Link: https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7BEF854B89F42EC500A0B759D80C9F3FAE4D1E65 ~~~~~ Operating system is 'Windows Server 2016 Datacenter 1607' (10.0.14393) End of Support Date: Jan 12, 2027 End of Support Link: https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016 Comments |
|||||
Check Text
This STIG is sunset and no longer maintained. Open "Command Prompt". Enter "winver.exe". If the "About Windows" dialog box displays "Microsoft Windows Server Version 1607 (Build 14393.xxx)" and there is not documented extended support for Microsoft Windows Server 2016, this is a finding.
Fix Text
Upgrade the operating system to a supported version.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 265FFF3B14F0922A007BF8136F3FA18973CFB244 ~~~~~ Windows Defender Antivirus is NOT installed. Feature: Windows-Defender State: Disabled Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 265FFF3B14F0922A007BF8136F3FA18973CFB244 ~~~~~ Windows Defender Antivirus is NOT installed. Feature: Windows-Defender State: Disabled Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 265FFF3B14F0922A007BF8136F3FA18973CFB244 ~~~~~ Windows Defender Antivirus is NOT installed. Feature: Windows-Defender State: Disabled Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 265FFF3B14F0922A007BF8136F3FA18973CFB244 ~~~~~ Windows Defender Antivirus is NOT installed. Feature: Windows-Defender State: Disabled Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 265FFF3B14F0922A007BF8136F3FA18973CFB244 ~~~~~ Windows Defender Antivirus is NOT installed. Feature: Windows-Defender State: Disabled Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 265FFF3B14F0922A007BF8136F3FA18973CFB244 ~~~~~ Windows Defender Antivirus is NOT installed. Feature: Windows-Defender State: Disabled Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 265FFF3B14F0922A007BF8136F3FA18973CFB244 ~~~~~ Windows Defender Antivirus is NOT installed. Feature: Windows-Defender State: Disabled Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 265FFF3B14F0922A007BF8136F3FA18973CFB244 ~~~~~ Windows Defender Antivirus is NOT installed. Feature: Windows-Defender State: Disabled Comments |
|||||
Check Text
Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no anti-virus solution installed on the system, this is a finding. Verify if Windows Defender is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName” Verify if third-party anti-virus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName” Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName”
Fix Text
If no anti-virus software is in use, install Windows Defender or third-party anti-virus. Open "PowerShell". Enter "Install-WindowsFeature -Name Windows-Defender” For third-party anti-virus, install per anti-virus instructions and disable Windows Defender. Open "PowerShell". Enter “Uninstall-WindowsFeature -Name Windows-Defender”.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23FFCAA6C6211240C05DB0BA16F53867DB70E6FF ~~~~~ All disk file systems are NTFS or ReFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Device ID: D: Drive Type: Local Disk (3) Volume Name: PROGLOGS File System: NTFS Device ID: E: Drive Type: Local Disk (3) Volume Name: DATA File System: NTFS Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 12939B13563B98C1C0E9CF7E99396A1849389DE8 ~~~~~ All disk file systems are NTFS or ReFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: BE-002-OS File System: NTFS Device ID: D: Drive Type: Local Disk (3) Volume Name: PROGLOGS File System: NTFS Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 27E3EFED84E2366F9C7E05423896CE7B66B7D30A ~~~~~ All disk file systems are NTFS or ReFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: DB-002-OS File System: NTFS Device ID: D: Drive Type: Local Disk (3) Volume Name: PROGLOGS File System: NTFS Device ID: E: Drive Type: Local Disk (3) Volume Name: DATA File System: NTFS Device ID: G: Drive Type: Local Disk (3) Volume Name: LogiQuest File System: NTFS Device ID: O: Drive Type: Local Disk (3) Volume Name: IBS File System: NTFS Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 970CB0CF367610B48D3175A7F6732146B363AA1D ~~~~~ All disk file systems are NTFS or ReFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: DC-003-OS File System: NTFS Device ID: D: Drive Type: Local Disk (3) Volume Name: PROGLOGS File System: NTFS Device ID: E: Drive Type: Local Disk (3) Volume Name: AD-SYSVOL File System: NTFS Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AE8384DF4A6DF1101B40668690E53B482CFFDD59 ~~~~~ All disk file systems are NTFS or ReFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Device ID: E: Drive Type: Local Disk (3) Volume Name: New Volume File System: NTFS Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 94622EDF56DD29A3ACA656BF9588E97EB7B69BA3 ~~~~~ All disk file systems are NTFS or ReFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: MB-002-OS File System: NTFS Device ID: D: Drive Type: Local Disk (3) Volume Name: PROGLOGS File System: NTFS Device ID: E: Drive Type: Local Disk (3) Volume Name: Exchange File System: NTFS Device ID: M: Drive Type: Local Disk (3) Volume Name: Mailbox File System: NTFS Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5CA0759465086F9D66DF595519D98FCAA4B739D2 ~~~~~ All disk file systems are NTFS or ReFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Device ID: E: Drive Type: Local Disk (3) Volume Name: VMs File System: NTFS Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5CA0759465086F9D66DF595519D98FCAA4B739D2 ~~~~~ All disk file systems are NTFS or ReFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Device ID: E: Drive Type: Local Disk (3) Volume Name: VMs File System: NTFS Comments |
|||||
Check Text
Open "Computer Management". Select "Disk Management" under "Storage". For each local volume, if the file system does not indicate "NTFS", this is a finding. "ReFS" (resilient file system) is also acceptable and would not be a finding. This does not apply to system partitions such the Recovery and EFI System Partition.
Fix Text
Format volumes to use NTFS or ReFS.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If they do not, this is a finding.
Fix Text
Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0 Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Store passwords using reversible encryption" is not set to "Disabled", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "ClearTextPassword" equals "1" in the file, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Disallow Autoplay for non-volume devices" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~ 'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~ 'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~ 'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~ 'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~ 'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~ 'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~ 'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~ 'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Set the default behavior for AutoRun" to "Enabled" with "Do not execute any autorun commands" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~ 'Turn off AutoPlay' is Enabled with 'All Drives' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~ 'Turn off AutoPlay' is Enabled with 'All Drives' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~ 'Turn off AutoPlay' is Enabled with 'All Drives' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~ 'Turn off AutoPlay' is Enabled with 'All Drives' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~ 'Turn off AutoPlay' is Enabled with 'All Drives' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~ 'Turn off AutoPlay' is Enabled with 'All Drives' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~ 'Turn off AutoPlay' is Enabled with 'All Drives' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~ 'Turn off AutoPlay' is Enabled with 'All Drives' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Type: REG_DWORD Value: 0x000000ff (255)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Turn off AutoPlay" to "Enabled" with "All Drives" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow Basic authentication" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow Basic authentication" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: AECE488AF9D6FA206476E02B634ED70FCEA9659F ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONTFORD-POINT\DOD_Admin objectClass: User objectSID: S-1-5-21-1360995287-4027491577-3040029667-1000 Name: MONTFORD-POINT\Domain Admins objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-512 Name: MONTFORD-POINT\Enterprise Admins objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-519 Name: MONTFORD-POINT\MONT-EM-Admin objectClass: User objectSID: S-1-5-21-1360995287-4027491577-3040029667-1157 Name: MONTFORD-POINT\Montford.backup objectClass: User objectSID: S-1-5-21-1360995287-4027491577-3040029667-1614 Name: MONTFORD-POINT\montford.exchange objectClass: User objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118 Name: MONTFORD-POINT\SHB_Admin objectClass: User objectSID: S-1-5-21-1360995287-4027491577-3040029667-500 Name: MONTFORD-POINT\tagavrilovic.iaadmin objectClass: User objectSID: S-1-5-21-1360995287-4027491577-3040029667-1231 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. A separate version applies to other systems. Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding.
Fix Text
Configure the Administrators group to include only administrator groups or accounts that are responsible for the system. Remove any standard user accounts.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3892B0B5063C129F18466B33431EF51304032F8C ~~~~~ There are 12 compliant files out of 12 total file(s) in 'E:\Logs'. There are 1 compliant files out of 1 total files in 'E:\Logs'. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Run "Regedit". Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". Note the directory locations in the values for: Database log files path DSA Database file By default, they will be \Windows\NTDS. If the locations are different, the following will need to be run for each. Open "Command Prompt (Admin)". Navigate to the NTDS directory (\Windows\NTDS by default). Run "icacls *.*". If the permissions on each file are not as restrictive as the following, this is a finding. NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access
Fix Text
Maintain the permissions on NTDS database and log files as follows: NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNT AUTHORITY\Authenticated Users:(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) BUILTIN\Server Operators:(RX) BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) BUILTIN\Administrators:(RX,W,WDAC,WO) BUILTIN\Administrators:(OI)(CI)(IO)(WDAC,WO,GR,GW,GE) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) CREATOR OWNER:(OI)(CI)(IO)(WDAC,WO,GR,GW,GE) --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Open a command prompt. Run "net share". Make note of the directory location of the SYSVOL share. By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. The default permissions noted below meet this requirement. Open "Command Prompt". Run "icacls c:\Windows\SYSVOL". The following results should be displayed: NT AUTHORITY\Authenticated Users:(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) BUILTIN\Server Operators:(RX) BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) BUILTIN\Administrators:(M,WDAC,WO) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M,WDAC,WO) CREATOR OWNER:(OI)(CI)(IO)(F) (RX) - Read & execute Run "icacls /help" to view definitions of other permission codes.
Fix Text
Maintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement. C:\Windows\SYSVOL Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read & execute - This folder, subfolder, and files Server Operators - Read & execute- This folder, subfolder, and files Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) CREATOR OWNER - Full control - Subfolders and files only Administrators - Full control - Subfolders and files only SYSTEM - Full control - This folder, subfolders, and files
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 0C64CE6EC5AA5EE43B5C88120001A05A00313856 ~~~~~ GPO Name: AR21 - Edge FIX FEB2022 GPO GUID: 003a4b00-8a6c-4430-82c7-eb242f312734 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Internet Explorer 11 V1R19 - User GPO GUID: 009ff87d-d932-441b-a2f6-3ba585dc8949 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: Domain User Pol Adds 04-22 GPO GUID: 0ab94efd-80cb-4182-8be0-4d5c77808fad --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Microsoft Edge v1r1 Computer GPO GUID: 0df1b468-68c7-4e60-bd66-971fbbabb95a --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: DotNet4 Fix 04-22 GPO GUID: 114ae059-841b-429a-aa8a-cea9346c4aa4 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - BitLocker Backup to Active Directory GPO GUID: 13cf8084-13ec-427b-9cab-f3243723b027 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: V-236000 Preview pane 02-22 GPO GUID: 18de13be-ce1c-4e53-9612-e440386ed806 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Microsoft Office 2016 - Outlook V2R1 User GPO GUID: 1adacc11-67f9-42e9-be04-f32b3799dcc6 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: Firefox 04-22 GPO GUID: 202579c9-9c90-480b-a706-cd206212448b --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Server Event Log Backup GPO GUID: 211d022b-3225-4167-99e4-0c48f09f6567 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Adobe Reader DC Continuous V1R2 User GPO GUID: 2401b4fb-1b36-42a9-84c3-4340dc2e7502 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Microsoft Office 2016 - PowerPoint V1R1 User GPO GUID: 27a66feb-16c8-4d31-85c6-38bd47c8fd20 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: Server Event Logs GPO GUID: 2e1d00fc-0115-4b8b-8c28-f17f7cc47ed4 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: Default Domain Policy GPO GUID: 31b2f340-016d-11d2-945f-00c04fb984f9 --------------------- Trustee : Domain Admins TrusteeType : Group Permission : GpoCustom Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoCustom Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False --------------------- GPO Name: AR21 - Windows 10 FIX FEB2022 GPO GUID: 330cdbf2-c03b-4b9c-b9ec-b6b872dde8db --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Disable Sleep/Hibernate GPO GUID: 35d3d931-a7dc-4b8b-9be0-a67cfbd6268d --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Adobe Add-In Removal GPO GUID: 3a0de786-3214-4547-b689-920a1783dd34 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Support Users Drive Mapping GPO GUID: 3c0b7467-8063-47b4-844e-2b1db72234f6 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Internet Explorer 11 V1R19 - Computer GPO GUID: 3c3c67e4-a139-4561-af7b-d5ac7cae2ad1 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Google Chrome FIX FEB2022 GPO GUID: 4077a504-b830-4b59-868a-35847b93e9c6 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR 2.1 - LAPS Configuration Policy GPO GUID: 446e9640-684e-4528-a16f-a72f31b95b67 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Google Chrome V2R1 - Computer GPO GUID: 466a3169-b8b0-4e46-bc61-6ca031284f5e --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: V-2244896 V-224897 Audits 02-22 GPO GUID: 5101821e-891e-495e-ad1b-05150a0fb41c --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Mozilla Firefox FIX FEB2022 GPO GUID: 5464ea36-f45c-4be0-89e6-a0043741fa96 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: Map CAC GPO GUID: 54f949d4-864c-40fc-9756-59a367edaf66 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Disable print spooler inbound GPO GUID: 57995639-3cc1-481e-871d-b60d68b54f2a --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - OneNote and OneDrive STIGs GPO GUID: 57db8f1d-cf8e-45dd-afb2-4747c1fa02e8 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Add Server Admins to Local Administrators GPO GUID: 59e937c0-585e-4d7a-b2bc-17f943583d35 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Microsoft Office 2016 - Office System V1R1 Computer GPO GUID: 5ad817c7-2bbb-40fa-b6ce-ad8ac845a998 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: User Pol 4 Exchange 5-22 GPO GUID: 5ce6ea3f-55a6-49f0-bf68-18a8bcc32bfb --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Windows 10 v2r1 Computer GPO GUID: 633bf66a-4f82-4562-a78f-eefa83686f95 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: Default Domain Controllers Policy GPO GUID: 6ac1786c-016f-11d2-945f-00c04fb984f9 --------------------- Trustee : Domain Admins TrusteeType : Group Permission : GpoCustom Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoCustom Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False --------------------- GPO Name: AR21 - Axway Enterprise Configuration GPO GUID: 6c45f92c-56f0-46e4-a921-2ffbdc92a92a --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Windows 10 v2r1 User GPO GUID: 6f85b0d1-36d3-491e-91c4-c6ba3cef6d91 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Adobe Disable FIPS GPO GUID: 6faf5e3a-caf7-4ac5-a9b3-201db0ca8011 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Adobe Reader DC Continuous protected view MAR2022 GPO GUID: 73fb4c08-5e4e-4613-9c92-a1935473c0b8 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Microsoft Office 2016 - Word V1R1 User GPO GUID: 795e8ed2-6ce5-4658-a2c3-d52595e7c6e3 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Microsoft Office 2016 - Office System V1R1 User GPO GUID: 7cf27d8d-3025-453a-a598-1c52df19feba --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Adobe Reader DC Continuous V1R2 Computer GPO GUID: 80340fc8-26a3-4c92-a327-dea83f1ed6d6 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Windows Server 2016 V2R1 - DC - Computer GPO GUID: 816b5f36-4efa-4a32-82c0-a88cf0cecbf3 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - RBAC GPO GUID: 88602f3d-3a9f-4447-934a-2dde7e6ac06d --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Axway Configuration GPO GUID: 9a2e7ffb-86b0-4c62-bfc8-6e7ac786a1ed --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: V-224921 Hardened UNC 02-22 GPO GUID: 9f2930fd-254e-4f1b-ae4d-722bb9f35b41 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: DoD Adobe Acrobat Pro DC Continuous STIG Computer V1R2 GPO GUID: a1c7ddff-5f74-49b9-9ac2-f92d1735189a --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Drive Mapping GPO GUID: a5fcab78-2b37-4b84-8487-bcd275a129a6 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModify ---truncated results. met character limit--- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Review the permissions on Group Policy objects. Open "Group Policy Management" (available from various menus or run "gpmc.msc"). Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). For each Group Policy object: Select the Group Policy object item in the left pane. Select the "Delegation" tab in the right pane. Select the "Advanced" button. Select each Group or user name. View the permissions. If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. The default permissions noted below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button. Authenticated Users - Read, Apply group policy, Special permissions The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties. CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on organization created Group Policy objects.
Fix Text
Maintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement. Authenticated Users - Read, Apply group policy, Special permissions The special permissions for Authenticated Users are for Read-type Properties. CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Document any other access permissions that allow the objects to be updated with the ISSO. The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created Group Policy objects.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 4D85055B89AC35AB27B6E3B6664B1897035F6EC4 ~~~~~ OU Name : Domain Controllers OU DN : OU=Domain Controllers,DC=MONTFORD-POINT,DC=navy,DC=mil --------------------- IdentityReference : BUILTIN\Administrators ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ListChildren AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : CREATOR OWNER ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : MONTFORD-POINT\Delegated Setup ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Domain Admins ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : CreateChild AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : DeleteTree AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : ExtendedRight AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete, WriteDacl AccessControlType : Allow IdentityReference : MONTFORD-POINT\Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\NETWORK SERVICE ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM ActiveDirectoryRights : GenericAll AccessControlType : Allow --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Review the permissions on the Domain Controllers OU. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Domain Controllers" OU (folder in folder icon). Right-click and select "Properties". Select the "Security" tab. If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "View" or "Edit" button. Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. CREATOR OWNER - Special permissions SELF - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
Fix Text
Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions. CREATOR OWNER - Special permissions SELF - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read types. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The special permissions for Pre-Windows 2000 Compatible Access are Read types. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: D7A161EFD64DBDC717E086EA4DB84B3724C238CF ~~~~~ OU Name : ASHORE SUPPORT OU DN : OU=ASHORE SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil --------------------- IdentityReference : BUILTIN\Account Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : BUILTIN\Administrators ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ListChildren AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : BUILTIN\Print Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : CREATOR OWNER ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : Everyone ActiveDirectoryRights : DeleteChild, DeleteTree, Delete AccessControlType : Deny IdentityReference : MONTFORD-POINT\Delegated Setup ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Domain Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : CreateChild AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : DeleteTree AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : ExtendedRight AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete, WriteDacl AccessControlType : Allow IdentityReference : MONTFORD-POINT\Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\NETWORK SERVICE ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM ActiveDirectoryRights : GenericAll AccessControlType : Allow --------------------- OU Name : GROUPS OU DN : OU=GROUPS,OU=ASHORE SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil --------------------- IdentityReference : BUILTIN\Account Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : BUILTIN\Administrators ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ListChildren AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : BUILTIN\Print Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : CREATOR OWNER ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : Everyone ActiveDirectoryRights : DeleteTree, Delete AccessControlType : Deny IdentityReference : MONTFORD-POINT\Delegated Setup ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Domain Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : CreateChild AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : DeleteTree AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : ExtendedRight AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete, WriteDacl AccessControlType : Allow IdentityReference : MONTFORD-POINT\Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\NETWORK SERVICE ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM ActiveDirectoryRights : GenericAll AccessControlType : Allow --------------------- OU Name : USERS OU DN : OU=USERS,OU=ASHORE SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil --------------------- IdentityReference : BUILTIN\Account Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : BUILTIN\Administrators ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ListChildren AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : BUILTIN\Print Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : CREATOR OWNER ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : Everyone ActiveDirectoryRights : DeleteTree, Delete AccessControlType : Deny IdentityReference : MONTFORD-POINT\Delegated Setup ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Domain Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : CreateChild AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : DeleteTree AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : ExtendedRight AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete, WriteDacl AccessControlType : Allow IdentityReference : MONTFORD-POINT\Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\NETWORK SERVICE ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM ActiveDirectoryRights : GenericAll AccessControlType : Allow --------------------- OU Name : Disabled_Accounts OU DN : OU=Disabled_Accounts,DC=MONTFORD-POINT,DC=navy,DC=mil --------------------- IdentityReference : BUILTIN\Account Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : BUILTIN\Administrators ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ListChildren AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : BUILTIN\Print Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : CREATOR OWNER ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : Everyone ActiveDirectoryRights : DeleteTree, Delete AccessControlType : Deny IdentityReference : MONTFORD-POINT\Delegated Setup ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Domain Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : CreateChild AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : DeleteTree AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : ExtendedRight AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete, WriteDacl AccessControlType : Allow IdentityReference : MONTFORD-POINT\Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\NETWORK SERVICE ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM ActiveDirectoryRights : GenericAll AccessControlType : Allow --------------------- OU Name : GALSYNC OU DN : OU=GALSYNC,DC=MONTFORD-POINT,DC=navy,DC=mil --------------------- IdentityReference : BUILTIN\Account Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : BUILTIN\Administrators ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ListChildren AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : BUILTIN\Print Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : CREATOR OWNER ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : Everyone ActiveDirectoryRights : DeleteTree, Delete AccessControlType : Deny IdentityReference : MONTFORD-POINT\Delegated Setup ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Domain Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : CreateChild AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : DeleteTree AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : ExtendedRight AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete, WriteDacl AccessControlType : Allow IdentityReference : MONTFORD-POINT\Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\NETWORK SERVICE ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM ActiveDirectoryRights : GenericAll AccessControlType : Allow --------------------- OU Name : MEMBER SERVERS OU DN : OU=MEMBER SERVERS,DC=MONTFORD-POINT,DC=navy,DC=mil --------------------- IdentityReference : BUILTIN\Account Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : BUILTIN\Administrators ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ListChildren AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : BUILTIN\Print Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : CREATOR OWNER ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : Everyone ActiveDirectoryRights : DeleteTree, Delete AccessControlType : Deny IdentityReference : MONTFORD-POINT\Delegated Setup ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Domain Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : CreateChild AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : DeleteTree AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : ExtendedRight AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete, WriteDacl AccessControlType : Allow IdentityReference : MONTFORD-POINT\Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericAll AccessControlType ---truncated results. met character limit--- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Review the permissions on domain-defined OUs. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: Right-click the OU and select "Properties". Select the "Security" tab. If the permissions on the OU are not at least as restrictive as those below, this is a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button. Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. CREATOR OWNER - Special permissions Self - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO. If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts). If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).
Fix Text
Maintain the permissions on domain-defined OUs to be at least as restrictive as the defaults below. Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented. CREATOR OWNER - Special permissions Self - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read type. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The special permissions for Pre-Windows 2000 Compatible Access are for Read types. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Open "Command Prompt" (not elevated). Run "ldp.exe". From the "Connection menu", select "Bind". Clear the User, Password, and Domain fields. Select "Simple bind" for the Bind type and click "OK". Confirmation of anonymous access will be displayed at the end: res = ldap_simple_bind_s Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' From the "Browse" menu, select "Search". In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. Clear the Attributes field and select "Run". Error messages should display related to Bind and user not authenticated. If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding. The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.
Fix Text
Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access. For AD, there are multiple configuration items that could enable anonymous access. Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc). The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7115114BC716F19307736882EE1C307D4B1D4754 ~~~~~ Compliant Certificates: --------------------------- Subject: CN=MONT-DC-003.MONTFORD-POINT.navy.mil, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US CertStore: LocalMachine\My Issuer: CN=DOD SW CA-67, OU=PKI, OU=DoD, O=U.S. Government, C=US FriendlyName: MONT-DC-003.MONTFORD-POINT.navy.mil NotAfter: 06/08/2026 17:58:05 Thumbprint: 09D2721B5061A5BD0B8E3C771D94CCF915BA291C KDCAuthKey: KDC Authentication (1.3.6.1.5.2.3.5) ApprovedChain: True CertificationPath... (0) - DoD Root CA 3 (1) - DOD SW CA-67 (2) - MONT-DC-003.MONTFORD-POINT.navy.mil Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: http://iase.disa.mil/pki-pke/function_pages/tools.html
Fix Text
Obtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF ~~~~~ 'Accounts: Limit local account use of blank passwords to console logon only' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF ~~~~~ 'Accounts: Limit local account use of blank passwords to console logon only' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF ~~~~~ 'Accounts: Limit local account use of blank passwords to console logon only' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF ~~~~~ 'Accounts: Limit local account use of blank passwords to console logon only' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF ~~~~~ 'Accounts: Limit local account use of blank passwords to console logon only' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF ~~~~~ 'Accounts: Limit local account use of blank passwords to console logon only' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF ~~~~~ 'Accounts: Limit local account use of blank passwords to console logon only' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF ~~~~~ 'Accounts: Limit local account use of blank passwords to console logon only' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0 Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "LSAAnonymousNameLookup" equals "1" in the file, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Allow anonymous SID/Name translation" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56 ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56 ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56 ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56 ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56 ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56 ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56 ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56 ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C7D726018F3C569FF8F159C3F0E17B69F73A5254 ~~~~~ 'Network security: LAN Manager authentication level' is Configured with 'Send NTLMv2 response only. Refuse LM & NTLM' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C7D726018F3C569FF8F159C3F0E17B69F73A5254 ~~~~~ 'Network security: LAN Manager authentication level' is Configured with 'Send NTLMv2 response only. Refuse LM & NTLM' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C7D726018F3C569FF8F159C3F0E17B69F73A5254 ~~~~~ 'Network security: LAN Manager authentication level' is Configured with 'Send NTLMv2 response only. Refuse LM & NTLM' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C7D726018F3C569FF8F159C3F0E17B69F73A5254 ~~~~~ 'Network security: LAN Manager authentication level' is Configured with 'Send NTLMv2 response only. Refuse LM & NTLM' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C7D726018F3C569FF8F159C3F0E17B69F73A5254 ~~~~~ 'Network security: LAN Manager authentication level' is Configured with 'Send NTLMv2 response only. Refuse LM & NTLM' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C7D726018F3C569FF8F159C3F0E17B69F73A5254 ~~~~~ 'Network security: LAN Manager authentication level' is Configured with 'Send NTLMv2 response only. Refuse LM & NTLM' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C7D726018F3C569FF8F159C3F0E17B69F73A5254 ~~~~~ 'Network security: LAN Manager authentication level' is Configured with 'Send NTLMv2 response only. Refuse LM & NTLM' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C7D726018F3C569FF8F159C3F0E17B69F73A5254 ~~~~~ 'Network security: LAN Manager authentication level' is Configured with 'Send NTLMv2 response only. Refuse LM & NTLM' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value Type: REG_DWORD Value: 0x00000005 (5)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right. Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeTcbPrivilege" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070). Passwords for accounts with this user right must be protected as highly privileged accounts.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2 ~~~~~ Debug programs: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2 ~~~~~ Debug programs: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2 ~~~~~ Debug programs: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2 ~~~~~ Debug programs: BUILTIN\Administrators Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2 ~~~~~ Debug programs: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2 ~~~~~ Debug programs: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2 ~~~~~ Debug programs: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2 ~~~~~ Debug programs: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeDebugPrivilege" user right, this is a finding. S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070). Passwords for application accounts with this user right must be protected as highly privileged accounts.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right. Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Create a token object" user right, this is a finding. If an application requires this user right, this would not be a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeCreateTokenPrivilege" user right, this is a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070). Passwords for application accounts with this user right must be protected as highly privileged accounts.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank).