| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 2F5A03118F95BE99F7982FCF5690595BB04E2973 ~~~~~ Certificate .p12 and/or .pfx files: --------------------- File: MONTFOR-AP-001.montford-point.navy.mil.p12 Path: E:\SAMM Installers\Tomcat Applications\Backup\SAMM-2018062562431 Created: 06/19/2023 21:59:21 File: Tomcat SAMM Vessel.p12 Path: E:\SAMM Installers\Tomcat Applications\Certificate\Keystore Created: 06/19/2023 21:59:21 File: Tomcat SAMM Vessel.p12 Path: E:\TOMCAT APPLICATIONS\Backup\Keystore-20250319142850 Created: 03/19/2025 14:30:26 File: Tomcat SAMM Vessel.p12 Path: E:\TOMCAT APPLICATIONS\Backup\SAMM-20230621171449 Created: 06/21/2023 17:14:54 File: Tomcat SAMM Vessel.p12 Path: E:\TOMCAT APPLICATIONS\Backup\SAMM-20230621171635 Created: 06/21/2023 17:16:37 File: Tomcat SAMM Vessel.p12 Path: E:\TOMCAT APPLICATIONS\Backup\SAMM-20250319141848 Created: 03/19/2025 14:18:54 File: MONT-AP-002.MONTFORD-POINT.navy.mil.pfx Path: E:\TOMCAT APPLICATIONS\Certificate\DoD Created: 06/21/2023 17:14:55 File: MONT-DB-002.MONTFORD-POINT.navy.mil.pfx Path: E:\TOMCAT APPLICATIONS\Certificate\DoD Created: 06/21/2023 17:16:07 File: Tomcat SAMM Vessel.p12 Path: E:\TOMCAT APPLICATIONS\Certificate\Keystore Created: 05/25/2021 17:03:00 File: emprise.pfx Path: E:\TOMCAT APPLICATIONS\webapps\logbook\WEB-INF\classes\certificates Created: 03/19/2025 14:38:23 File: emprise.pfx Path: E:\TOMCAT APPLICATIONS\webapps\shipslog\WEB-INF\classes\certificates Created: 03/19/2025 14:38:27 File: MONT-AP-002.MONTFORD-POINT.navy.mil.pfx Path: E:\Vol1\SAMM temp staging\Tomcat\Certificate\DoD Created: 03/19/2025 14:22:48 File: MONT-DB-002.MONTFORD-POINT.navy.mil.pfx Path: E:\Vol1\SAMM temp staging\Tomcat\Certificate\DoD Created: 03/19/2025 14:22:48 File: Tomcat SAMM Vessel.p12 Path: E:\Vol1\SAMM temp staging\Tomcat\Certificate\Keystore Created: 03/19/2025 14:22:48 File: intermediate.p12 Path: E:\Vol1\SMIS_APP\Certificates\CA Created: 02/26/2025 18:51:28 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 0D40248E7448FCD0ECA615A2881C86BAFE70E90B ~~~~~ Certificate .p12 and/or .pfx files: --------------------- File: MONT-DB-002.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Application Certificate Files\DoD Created: 06/21/2023 15:54:54 File: MONTFOR-DB-001.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Backup\SAMMDatabase-20230620161919\DoD Created: 06/20/2023 16:21:04 File: MONTFOR-DB-001.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Backup\SAMMDatabase-20230620212252\DoD Created: 06/20/2023 21:22:56 File: MONT-DB-002.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Backup\SAMMDatabase-20230621155610\DoD Created: 06/21/2023 15:56:15 File: MONT-DB-002.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Backup\SAMMDatabase-20230621160233\DoD Created: 06/21/2023 16:02:36 File: MONT-DB-002.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Backup\SAMMDatabase-20230621161956\DoD Created: 06/21/2023 16:19:59 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 1E905A685F637BB40DE0CCC74A42DFE14AD3B097 ~~~~~ Certificate .p12 and/or .pfx files: --------------------- File: MONT-DC-003.pfx Path: C:\Temp Created: 06/13/2023 20:57:19 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
Check Text
Search all drives for *.p12 and *.pfx files. If any files with these extensions exist, this is a finding. This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.
Fix Text
Remove any certificate installation files (*.p12 and *.pfx) found on a system. Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 7E4EA29E6AB3D37B00EC100EB5AAF2A1F79908D4 ~~~~~ Failed accounts: --------------------- Name: X_Admin SID: S-1-5-21-4236012249-4164713760-2408648245-500 Enabled: True Password Req: False Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 55B744C718819D40F62B384D9AADDB1BFC4A7C84 ~~~~~ Failed accounts: --------------------- Name: X_Admin SID: S-1-5-21-2502410760-3344595884-382061215-500 Enabled: True Password Req: False Comments |
|||||
Check Text
Review the password required status for enabled user accounts. Open "PowerShell". Domain Controllers: Enter "Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs). If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding. Member servers and standalone or nondomain-joined systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. Exclude disabled accounts (e.g., DefaultAccount, Guest). If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.
Fix Text
Configure all enabled user accounts to require passwords. The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F915C7251A4E90CA60C449A93F6E7915DDC9F180 ~~~~~ The following non-system-created shares have been identified. Verify permissions for each is appropriate: Name: Common (E:\Common) Path: E:\Common --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: Everyone File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\D.Admin File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\Joshua.J.Jordan File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\MONTFORD-POINT CHENG-1-1860720990 File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\MONTFORD-POINT CHMATE-1915368927 File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\MONTFORD-POINT MASTER-1-1408640001 File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\MONTFORD-POINT RADIO-1-199284185 File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\Ryan.W.Arnold File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\S.Admin File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\Steven.Corachan File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\Thomas.C.Kozarski File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Name: CRL (E:\CRL) Path: E:\CRL --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: ReadAndExecute, Synchronize Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: AppendData Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: CreateFiles Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: CREATOR OWNER File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: InheritOnly Identity Reference: MONTFORD-POINT\D.Admin File System Rights: FullControl Inheritance Flags: None Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Name: Profiles (E:\Profiles) Path: E:\Profiles --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: Everyone File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\D.Admin File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Name: Users (E:\Users) Path: E:\Users --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: Everyone File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\D.Admin File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Name: Vol1 (E:\Vol1) Path: E:\Vol1 --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: ReadAndExecute, Synchronize Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: AppendData Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: CreateFiles Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: CREATOR OWNER File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: InheritOnly Identity Reference: MONTFORD-POINT\D.Admin File System Rights: FullControl Inheritance Flags: None Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F302F3BFDE7B2B329AD1AFE97E8A74F69D634011 ~~~~~ The following non-system-created shares have been identified. Verify permissions for each is appropriate: Name: address (E:\ExchangeV15\Mailbox\address) Path: E:\ExchangeV15\Mailbox\address --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\montford.exchange File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: NT AUTHORITY\Authenticated Users File System Rights: Read, Synchronize Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: None Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Name: CertificateRequests (C:\CertificateRequests) Path: C:\CertificateRequests --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: CreateFiles Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: ReadAndExecute, Synchronize Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: AppendData Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: CREATOR OWNER File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: InheritOnly Identity Reference: MONTFORD-POINT\montford.exchange File System Rights: FullControl Inheritance Flags: None Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments |
|||||
Check Text
If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) Run "Computer Management". Navigate to System Tools >> Shared Folders >> Shares. Right-click any non-system-created shares. Select "Properties". Select the "Share Permissions" tab. If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding. Select the "Security" tab. If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.
Fix Text
If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. Remove any unnecessary non-system-created shares.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 00DB1BF4BA8D6BB55AD9BB46BFE4CF80CC243DE9 ~~~~~ The following User Rights are assigned to orphaned SIDs: SeIncreaseQuotaPrivilege: S-1-5-80-2980902195-1579531004-3011574206-2415361120-2386510705, S-1-5-80-929668618-3423318027-389485234-279070536-4061300613 SeServiceLogonRight: S-1-5-80-2980902195-1579531004-3011574206-2415361120-2386510705, S-1-5-80-929668618-3423318027-389485234-279070536-4061300613 SeAssignPrimaryTokenPrivilege: S-1-5-80-2980902195-1579531004-3011574206-2415361120-2386510705, S-1-5-80-929668618-3423318027-389485234-279070536-4061300613 SeChangeNotifyPrivilege: S-1-5-80-2980902195-1579531004-3011574206-2415361120-2386510705, S-1-5-80-929668618-3423318027-389485234-279070536-4061300613 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 6C2D5BEB844806AC4BBE37CC47B70EAC29983551 ~~~~~ The following User Rights are assigned to orphaned SIDs: SeSecurityPrivilege: S-1-5-21-1199390858-2101972093-2013113664-1129, S-1-5-21-270843172-1021756428-1876623829-2158 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments |
|||||
Check Text
Review the effective User Rights setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. For server core installations, run the following command: Secedit /export /areas USER_RIGHTS /cfg c:\path\UserRights.txt The results in the file identify user right assignments by SID instead of group name. Review the SIDs for unidentified ones. A list of typical SIDs \ Groups is below, search Microsoft for articles on well-known SIDs for others. If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. SID - Group S-1-5-11 - Authenticated Users S-1-5-113 - Local account S-1-5-114 - Local account and member of Administrators group S-1-5-19 - Local Service S-1-5-20 - Network Service S-1-5-32-544 - Administrators S-1-5-32-546 - Guests S-1-5-6 - Service S-1-5-9 - Enterprise Domain Controllers S-1-5-domain-512 - Domain Admins S-1-5-root domain-519 - Enterprise Admins S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 - NT Service\WdiServiceHost
Fix Text
Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399 ~~~~~ RequiredSecurityProperties: 1, 2 VirtualizationBasedSecurityStatus: 2 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399 ~~~~~ RequiredSecurityProperties: 1, 2 VirtualizationBasedSecurityStatus: 2 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399 ~~~~~ RequiredSecurityProperties: 1, 2 VirtualizationBasedSecurityStatus: 2 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399 ~~~~~ RequiredSecurityProperties: 1, 2 VirtualizationBasedSecurityStatus: 2 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399 ~~~~~ RequiredSecurityProperties: 1, 2 VirtualizationBasedSecurityStatus: 2 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5A95DCD6553036523AF8C7763AD372FDE3799CA2 ~~~~~ RequiredSecurityProperties: 1, 2 VirtualizationBasedSecurityStatus: 1 Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399 ~~~~~ RequiredSecurityProperties: 1, 2 VirtualizationBasedSecurityStatus: 2 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399 ~~~~~ RequiredSecurityProperties: 1, 2 VirtualizationBasedSecurityStatus: 2 Comments |
|||||
Check Text
For standalone or nondomain-joined systems, this is NA. Open "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "RequiredSecurityProperties" does not include a value of "2" indicating "Secure Boot" (e.g., "{1, 2}"), this is a finding. If "Secure Boot and DMA Protection" is configured, "3" will also be displayed in the results (e.g., "{1, 2, 3}"). If "VirtualizationBasedSecurityStatus" is not a value of "2" indicating "Running", this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Virtualization based security" does not display "Running", this is a finding. If "Device Guard Required Security Properties" does not display "Base Virtualization Support, Secure Boot", this is a finding. If "Secure Boot and DMA Protection" is configured, "DMA Protection" will also be displayed (e.g., "Base Virtualization Support, Secure Boot, DMA Protection"). The policy settings referenced in the Fix section will configure the following registry values. However, due to hardware requirements, the registry values alone do not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: EnableVirtualizationBasedSecurity Value Type: REG_DWORD Value: 0x00000001 (1) Value Name: RequirePlatformSecurityFeatures Value Type: REG_DWORD Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA Protection) A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected. A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C ~~~~~ 'Configure Windows SmartScreen' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C ~~~~~ 'Configure Windows SmartScreen' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C ~~~~~ 'Configure Windows SmartScreen' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 98C5AA677C378D823FFF089EBE87265FA619F43F ~~~~~ 'Configure Windows SmartScreen' is NOT Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value: 0x00000000 (0) [Expected 1] Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C ~~~~~ 'Configure Windows SmartScreen' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C ~~~~~ 'Configure Windows SmartScreen' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C ~~~~~ 'Configure Windows SmartScreen' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C ~~~~~ 'Configure Windows SmartScreen' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
This is applicable to unclassified systems; for other systems, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: E0BDF45798C79C9D7292EC79FDB5523BD31F5459 ~~~~~ Non-compliant roles installed: --------------------- DHCP Server Network Policy and Access Services Compliant roles installed: --------------------- Active Directory Domain Services DNS Server File and Storage Services Installed software: --------------------- ActivID ActivClient x64 Axway Desktop Validator CRLAutoCache DoD Secure Host Baseline Server InstallRoot Microsoft NetBanner Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33130 Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.38.33130 Trellix Agent Trellix Data Loss Prevention - Endpoint Trellix Endpoint Security Firewall Trellix Endpoint Security Platform Trellix Endpoint Security Threat Prevention Trellix Policy Auditor Agent Trellix Solidifier Veritas Backup Exec Remote Agent for Windows Windows Resource Kit Tools WinZip 27.0 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers, It is NA for other systems. Review the installed roles the domain controller is supporting. Start "Server Manager". Select "AD DS" in the left pane and the server name under "Servers" to the right. Select "Add (or Remove) Roles and Features" from "Tasks" in the "Roles and Features" section. (Cancel before any changes are made.) Determine if any additional server roles are installed. A basic domain controller setup will include the following: - Active Directory Domain Services - DNS Server - File and Storage Services If any roles not requiring installation on a domain controller are installed, this is a finding. A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. Run "Programs and Features". Review installed applications. If any applications are installed that are not required for the domain controller, this is a finding.
Fix Text
Remove additional roles or applications such as web, database, and email from the domain controller.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 19746D1E477B8F7DA30F943E64E42D2E57BA187F ~~~~~ Object Name: MONTFORD-POINT Object DN: DC=MONTFORD-POINT,DC=navy,DC=mil Object Class: domainDNS --------------------- AuditFlags : Success IdentityReference : BUILTIN\Administrators ActiveDirectoryRights : ExtendedRight IsInherited : False InheritanceType : None AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : False InheritanceType : All AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner IsInherited : False InheritanceType : None AuditFlags : Success IdentityReference : MONTFORD-POINT\Domain Users ActiveDirectoryRights : ExtendedRight IsInherited : False InheritanceType : None --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for the Domain object. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the domain being reviewed in the left pane. Right-click the domain name and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - None Applies to - Special Type - Success Principal - Domain Users Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Administrators Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner)
Fix Text
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the domain being reviewed in the left pane. Right-click the domain name and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. Configure the audit settings for Domain object to include the following. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - None Applies to - Special Type - Success Principal - Domain Users Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Administrators Access - All extended rights Inherited from - None Applies to - This object only Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner.)
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 910E0557232C81D7B2E612D54715A1B79B1AC045 ~~~~~ Object Name: Infrastructure Object DN: CN=Infrastructure,DC=MONTFORD-POINT,DC=navy,DC=mil Object Class: infrastructureUpdate --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, ExtendedRight IsInherited : False InheritanceType : None --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for Infrastructure object. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the domain being reviewed in the left pane. Right-click the "Infrastructure" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
Fix Text
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the domain being reviewed in the left pane. Right-click the "Infrastructure" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. Configure the audit settings for Infrastructure object to include the following. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A9A635A5963F6C60BDED8092F28CCE6E36D2C153 ~~~~~ Object Name: Domain Controllers Object DN: OU=Domain Controllers,DC=MONTFORD-POINT,DC=navy,DC=mil Object Class: organizationalUnit --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : All AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : CreateChild, DeleteChild, DeleteTree, Delete, WriteDacl, WriteOwner IsInherited : False InheritanceType : None --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for the Domain Controller OU object. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the "Domain Controllers OU" under the domain being reviewed in the left pane. Right-click the "Domain Controllers OU" object and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object and all descendant objects The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: all create, delete and modify permissions) Type - Success Principal - Everyone Access - Write all properties Inherited from - None Applies to - This object and all descendant objects Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
Fix Text
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select the "Domain Controllers OU" under the domain being reviewed in the left pane. Right-click the "Domain Controllers OU" object and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. Configure the audit settings for Domain Controllers OU object to include the following. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Permissions: all create, delete and modify permissions) Type - Success Principal - Everyone Access - Write all properties Inherited from - None Applies to - This object and all descendant objects Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 85D03424A16D29FC0BFB271FD90C04F70F183AD8 ~~~~~ Object Name: AdminSDHolder Object DN: CN=AdminSDHolder,CN=System,DC=MONTFORD-POINT,DC=navy,DC=mil Object Class: container --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner IsInherited : False InheritanceType : None --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for the "AdminSDHolder" object. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select "System" under the domain being reviewed in the left pane. Right-click the "AdminSDHolder" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. If the audit settings on the "AdminSDHolder" object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Write all properties, Modify permissions, Modify owner) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
Fix Text
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select "System" under the domain being reviewed in the left pane. Right-click the "AdminSDHolder" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. Configure the audit settings for AdminSDHolder object to include the following. Type - Fail Principal - Everyone Access - Full Control Inherited from - None Applies to - This object only The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None Applies to - This object only (Access - Special = Write all properties, Modify permissions, Modify owner) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain) Applies to - Descendant Organizational Unit objects
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 6F9F8BF32EFEA4B816B61252C0673C259CD504E9 ~~~~~ Object Name: RID Manager$ Object DN: CN=RID Manager$,CN=System,DC=MONTFORD-POINT,DC=navy,DC=mil Object Class: rIDManager --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, ExtendedRight IsInherited : False InheritanceType : None --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Review the auditing configuration for the "RID Manager$" object. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select "System" under the domain being reviewed in the left pane. Right-click the "RID Manager$" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. If the audit settings on the "RID Manager$" object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Write all properties, All extended rights, Change RID master) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
Fix Text
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. Select "System" under the domain being reviewed in the left pane. Right-click the "RID Manager$" object in the right pane and select "Properties". Select the "Security" tab. Select the "Advanced" button and then the "Auditing" tab. Configure the audit settings for RID Manager$ object to include the following. Type - Fail Principal - Everyone Access - Full Control Inherited from - None The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. Type - Success Principal - Everyone Access - Special Inherited from - None (Access - Special = Write all properties, All extended rights, Change RID master) Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - (blank) Inherited from - (CN of domain)
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8321877B1939868783133E67C0DB12AC4A135F79 ~~~~~ The following accounts are enabled without requiring a smart card. Account Name: SHB_Admin Account Enabled: True Smart card Required: False Account Name: DOD_Admin Account Enabled: True Smart card Required: False Account Name: D.Admin Account Enabled: True Smart card Required: False Account Name: S.Admin Account Enabled: True Smart card Required: False Account Name: W.Admin Account Enabled: True Smart card Required: False Account Name: N.Admin Account Enabled: True Smart card Required: False Account Name: Exchange Admin Account Enabled: True Smart card Required: False Account Name: HealthMailbox03020cb359cd4879a5fd73f010bde991 Account Enabled: True Smart card Required: False Account Name: HealthMailbox3295a98105294ef195ff4f5394ae0e3c Account Enabled: True Smart card Required: False Account Name: HealthMailbox8d8eb4c107e64340876668cde6c1289e Account Enabled: True Smart card Required: False Account Name: HealthMailboxfd82eb3f816c4428bcc7a1706f017682 Account Enabled: True Smart card Required: False Account Name: HealthMailbox4ffeb90d1e3e42808987669877a590dc Account Enabled: True Smart card Required: False Account Name: HealthMailboxa7603ef65a894a7abd37cc7afcd0498f Account Enabled: True Smart card Required: False Account Name: HealthMailbox0045b0edfe864ade8de6332392102884 Account Enabled: True Smart card Required: False Account Name: HealthMailbox2a4e029adc2c45d7a2377f21fc959267 Account Enabled: True Smart card Required: False Account Name: HealthMailboxff1c61cd50724325bd1467262f3ab3f7 Account Enabled: True Smart card Required: False Account Name: HealthMailbox476aa3607f714413bb95f561ccbef1c1 Account Enabled: True Smart card Required: False Account Name: HealthMailboxa75cf849d12c447fb0c70e70b866e36e Account Enabled: True Smart card Required: False Account Name: MONT-EM-NAA Account Enabled: True Smart card Required: False Account Name: MONT-EM-SVRCP Account Enabled: True Smart card Required: False Account Name: MONT-EM-WKSCP Account Enabled: True Smart card Required: False Account Name: MONT-EM-Admin Account Enabled: True Smart card Required: False Account Name: Backup Account Enabled: True Smart card Required: False Account Name: Walton, Nicole E., CTR Account Enabled: True Smart card Required: False Account Name: Scan Admin Account Enabled: True Smart card Required: False Account Name: FIM, ANOC Account Enabled: True Smart card Required: False Account Name: IA ADMIN, JTBegarek Account Enabled: True Smart card Required: False Account Name: user, test Account Enabled: True Smart card Required: False Account Name: Gonzalez, Ian W., CTR Account Enabled: True Smart card Required: False Account Name: MSMEODUser Account Enabled: True Smart card Required: False Account Name: User, Test C., CTR Account Enabled: True Smart card Required: False Account Name: Smith, Alexander D., CTR Account Enabled: True Smart card Required: False Account Name: Jones, Thomas L., Admin Account Enabled: True Smart card Required: False Account Name: Jones, Thomas Account Enabled: True Smart card Required: False Account Name: Green, Fred D., CTR Account Enabled: True Smart card Required: False Account Name: Sanders, James R., CTR Account Enabled: True Smart card Required: False Account Name: Muchuslky, Joey Account Enabled: True Smart card Required: False Account Name: Simon, Anthony E., CTR Account Enabled: True Smart card Required: False Account Name: Begarek, Justin T., CIV Account Enabled: True Smart card Required: False Account Name: Smith, Josh A., CTR Account Enabled: True Smart card Required: False Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Open "PowerShell". Enter the following: "Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name" ("DistinguishedName" may be substituted for "Name" for more detailed output.) If any user accounts, including administrators, are listed, this is a finding. Alternately: To view sample accounts in "Active Directory Users and Computers" (available from various menus or run "dsa.msc"): Select the Organizational Unit (OU) where the user accounts are located. (By default, this is the Users node; however, accounts may be under other organization-defined OUs.) Right-click the sample user account and select "Properties". Select the "Account" tab. If any user accounts, including administrators, do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding.
Fix Text
Configure all user accounts, including administrator accounts, in Active Directory to enable the option "Smart card is required for interactive logon". Run "Active Directory Users and Computers" (available from various menus or run "dsa.msc"): Select the OU where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) Right-click the user account and select "Properties". Select the "Account" tab. Check "Smart card is required for interactive logon" in the "Account Options" area.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: F7AD9B106F09B1E5992AFB251D89A3E532494619 ~~~~~ 'Domain controller: LDAP server signing requirements' is NOT Require signing Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ Value Name: LDAPServerIntegrity Value: 0x00000001 (1) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ Value Name: LDAPServerIntegrity Value Type: REG_DWORD Value: 0x00000002 (2)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: LDAP server signing requirements" to "Require signing".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: E5B8DE6F5B9AB5EF925507653B31D7770DEA4089 ~~~~~ SeNetworkLogonRight: BUILTIN\Administrators BUILTIN\Pre-Windows 2000 Compatible Access Everyone NT AUTHORITY\Authenticated Users NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding. - Administrators - Authenticated Users - Enterprise Domain Controllers For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeNetworkLogonRight" user right, this is a finding. S-1-5-32-544 (Administrators) S-1-5-11 (Authenticated Users) S-1-5-9 (Enterprise Domain Controllers) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups: - Administrators - Authenticated Users - Enterprise Domain Controllers
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 3306581CC2A5040D88182FF80C3D4D63A9960E69 ~~~~~ SeMachineAccountPrivilege: BUILTIN\Administrators NT AUTHORITY\Authenticated Users Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeMachineAccountPrivilege" user right, this is a finding. S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Add workstations to domain" to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: E719DE9AE81DFE3B722F6884328A5AF9192E5A68 ~~~~~ Deny log on as a batch job: BUILTIN\Guests Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding. Domain Systems Only: - Enterprise Admins Group - Domain Admins Group All Systems: - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyBatchLogonRight" user right, this is a finding. Domain Systems Only: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) All Systems: S-1-5-32-546 (Guests)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following: Domain Systems Only: - Enterprise Admins Group - Domain Admins Group All Systems: - Guests Group
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: D200BCD671BA155A1AD2AADCC3F00DA00CCEC9A4 ~~~~~ Allow log on locally: BUILTIN\Account Operators BUILTIN\Administrators BUILTIN\Backup Operators BUILTIN\Print Operators BUILTIN\Server Operators NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeInteractiveLogonRight" user right, this is a finding. S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 66B9CC04EDA273C9465066EEB8F5B51DCB20665F ~~~~~ Back up files and directories: BUILTIN\Administrators BUILTIN\Backup Operators BUILTIN\Server Operators Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeBackupPrivilege" user right, this is a finding. S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 150B29A1ABAE9F69632BC9C91BD3932B9BA7386E ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators BUILTIN\Server Operators Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeRemoteShutdownPrivilege" user right, this is a finding. S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 5BC21D57FBD511471E1BD90139EDF70B7AE5455A ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators BUILTIN\IIS_IUSRS NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding. - Administrators - Service - Local Service - Network Service For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeImpersonatePrivilege" user right, this is a finding. S-1-5-32-544 (Administrators) S-1-5-6 (Service) S-1-5-19 (Local Service) S-1-5-20 (Network Service) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to include only the following accounts or groups: - Administrators - Service - Local Service - Network Service
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 35ACECBB96E5CA1C13A0ACC365FA8728B3EFA5D1 ~~~~~ Load and unload device drivers: BUILTIN\Administrators BUILTIN\Print Operators Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeLoadDriverPrivilege" user right, this is a finding. S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 69373A71D638B53717ED5715BFFAE3EDDB82633A ~~~~~ Manage auditing and security log: BUILTIN\Administrators Exchange Servers S-1-5-21-1199390858-2101972093-2013113664-1129 S-1-5-21-270843172-1021756428-1876623829-2158 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeSecurityPrivilege" user right, this is a finding. S-1-5-32-544 (Administrators) If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 8615B5BE092ADB083D1714DF2DE2B96AF77C0968 ~~~~~ Restore files and directories: BUILTIN\Administrators BUILTIN\Backup Operators BUILTIN\Server Operators Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeRestorePrivilege" user right, this is a finding. S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 32DC8AB7505CC76A00A3AA01E66117BC0E5181E3 ~~~~~ The local Backup Operators group has no members so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 32DC8AB7505CC76A00A3AA01E66117BC0E5181E3 ~~~~~ The local Backup Operators group has no members so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 32DC8AB7505CC76A00A3AA01E66117BC0E5181E3 ~~~~~ The local Backup Operators group has no members so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 32DC8AB7505CC76A00A3AA01E66117BC0E5181E3 ~~~~~ The local Backup Operators group has no members so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 32DC8AB7505CC76A00A3AA01E66117BC0E5181E3 ~~~~~ The local Backup Operators group has no members so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 32DC8AB7505CC76A00A3AA01E66117BC0E5181E3 ~~~~~ The local Backup Operators group has no members so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 32DC8AB7505CC76A00A3AA01E66117BC0E5181E3 ~~~~~ The local Backup Operators group has no members so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 32DC8AB7505CC76A00A3AA01E66117BC0E5181E3 ~~~~~ The local Backup Operators group has no members so this requirement is NA. Comments |
|||||
Check Text
If no accounts are members of the Backup Operators group, this is NA. Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.
Fix Text
Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6BE08ACAB8AD3365003019D2702FDF3075E0F32E ~~~~~ 'Minimum password length' is Configured MinimumPasswordLength: 14 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6BE08ACAB8AD3365003019D2702FDF3075E0F32E ~~~~~ 'Minimum password length' is Configured MinimumPasswordLength: 14 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6BE08ACAB8AD3365003019D2702FDF3075E0F32E ~~~~~ 'Minimum password length' is Configured MinimumPasswordLength: 14 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6BE08ACAB8AD3365003019D2702FDF3075E0F32E ~~~~~ 'Minimum password length' is Configured MinimumPasswordLength: 14 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6BE08ACAB8AD3365003019D2702FDF3075E0F32E ~~~~~ 'Minimum password length' is Configured MinimumPasswordLength: 14 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6BE08ACAB8AD3365003019D2702FDF3075E0F32E ~~~~~ 'Minimum password length' is Configured MinimumPasswordLength: 14 Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6BE08ACAB8AD3365003019D2702FDF3075E0F32E ~~~~~ 'Minimum password length' is Configured MinimumPasswordLength: 14 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6BE08ACAB8AD3365003019D2702FDF3075E0F32E ~~~~~ 'Minimum password length' is Configured MinimumPasswordLength: 14 Comments |
|||||
Check Text
Determine if manually managed application/service accounts exist. If none exist, this is NA. Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 14 characters in length. If such a policy does not exist or has not been implemented, this is a finding.
Fix Text
Establish a policy that requires application/service account passwords that are manually managed to be at least 14 characters in length. Ensure the policy is enforced.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 346611FFEC18CA874CE847DB523A17BC711DFFEF ~~~~~ TPM Preset = True TPM Ready = True TPM Specification Version = 2.0 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 346611FFEC18CA874CE847DB523A17BC711DFFEF ~~~~~ TPM Preset = True TPM Ready = True TPM Specification Version = 2.0 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 346611FFEC18CA874CE847DB523A17BC711DFFEF ~~~~~ TPM Preset = True TPM Ready = True TPM Specification Version = 2.0 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 346611FFEC18CA874CE847DB523A17BC711DFFEF ~~~~~ TPM Preset = True TPM Ready = True TPM Specification Version = 2.0 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 346611FFEC18CA874CE847DB523A17BC711DFFEF ~~~~~ TPM Preset = True TPM Ready = True TPM Specification Version = 2.0 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 346611FFEC18CA874CE847DB523A17BC711DFFEF ~~~~~ TPM Preset = True TPM Ready = True TPM Specification Version = 2.0 Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A6071219C7B5832E096B4B2EC953A7273440F873 ~~~~~ TPM Preset = True TPM Ready = True TPM Specification Version = 1.2 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A6071219C7B5832E096B4B2EC953A7273440F873 ~~~~~ TPM Preset = True TPM Ready = True TPM Specification Version = 1.2 Comments |
|||||
Check Text
For standalone or nondomain-joined systems, this is NA. Verify the system has a TPM and it is ready for use. Run "tpm.msc". Review the sections in the center pane. "Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". TPM Manufacturer Information - Specific Version = 2.0 or 1.2 If a TPM is not found or is not ready for use, this is a finding.
Fix Text
Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) The TPM must be enabled in the firmware. Run "tpm.msc" for configuration options in Windows.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine whether there is a HIDS or HIPS on each server. If the HIPS component of ESS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the ISSO. If a HIDS is not installed on the system, this is a finding.
Fix Text
Install a HIDS or HIPS on each server.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 92D82AE87C8D5C9F6FF1AD627DC76B5149DC38B0 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\ --------------------- Default permissions are in place. Current ACL: NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) --------------------- Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 92D82AE87C8D5C9F6FF1AD627DC76B5149DC38B0 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\ --------------------- Default permissions are in place. Current ACL: NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) --------------------- Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 92D82AE87C8D5C9F6FF1AD627DC76B5149DC38B0 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\ --------------------- Default permissions are in place. Current ACL: NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) --------------------- Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 92D82AE87C8D5C9F6FF1AD627DC76B5149DC38B0 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\ --------------------- Default permissions are in place. Current ACL: NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 92D82AE87C8D5C9F6FF1AD627DC76B5149DC38B0 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\ --------------------- Default permissions are in place. Current ACL: NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) --------------------- Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 92D82AE87C8D5C9F6FF1AD627DC76B5149DC38B0 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\ --------------------- Default permissions are in place. Current ACL: NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) --------------------- Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 92D82AE87C8D5C9F6FF1AD627DC76B5149DC38B0 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\ --------------------- Default permissions are in place. Current ACL: NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) --------------------- Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 92D82AE87C8D5C9F6FF1AD627DC76B5149DC38B0 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\ --------------------- Default permissions are in place. Current ACL: NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) --------------------- Comments |
|||||
Check Text
The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). Review the permissions for the system drive's root directory (usually C:\). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) If permissions are not as restrictive as the default permissions listed below, this is a finding. Viewing in File Explorer: View the Properties of the system drive's root directory. Select the "Security" tab, and the "Advanced" button. Default permissions: C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders, and files Administrators - Full control - This folder, subfolders, and files Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only Alternately, use icacls: Open "Command Prompt (Admin)". Enter "icacls" followed by the directory: "icacls c:\" The following results should be displayed: c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files
Fix Text
Maintain the default permissions for the system drive's root directory and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). Default Permissions C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders, and files Administrators - Full control - This folder, subfolders, and files Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23EF7DA08B6E3EB321A5BDB262DB6CC252B1D54B ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\Program Files --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- C:\Program Files (x86) --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23EF7DA08B6E3EB321A5BDB262DB6CC252B1D54B ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\Program Files --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- C:\Program Files (x86) --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23EF7DA08B6E3EB321A5BDB262DB6CC252B1D54B ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\Program Files --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- C:\Program Files (x86) --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23EF7DA08B6E3EB321A5BDB262DB6CC252B1D54B ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\Program Files --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- C:\Program Files (x86) --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23EF7DA08B6E3EB321A5BDB262DB6CC252B1D54B ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\Program Files --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- C:\Program Files (x86) --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23EF7DA08B6E3EB321A5BDB262DB6CC252B1D54B ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\Program Files --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- C:\Program Files (x86) --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23EF7DA08B6E3EB321A5BDB262DB6CC252B1D54B ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\Program Files --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- C:\Program Files (x86) --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23EF7DA08B6E3EB321A5BDB262DB6CC252B1D54B ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\Program Files --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- C:\Program Files (x86) --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
Check Text
The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). Review the permissions for the program file directories (Program Files and Program Files [x86]). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. (Individual accounts must not be used to assign permissions.) If permissions are not as restrictive as the default permissions listed below, this is a finding. Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: \Program Files and \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files Alternately, use icacls: Open a Command prompt (admin). Enter "icacls" followed by the directory: 'icacls "c:\program files"' 'icacls "c:\program files (x86)"' The following results should be displayed for each when entered: c:\program files (c:\program files (x86)) NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files
Fix Text
Maintain the default permissions for the program file directories and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). Default permissions: \Program Files and \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 635F20DE9559932714310E99DE7045500DD6E01C ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\windows --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 635F20DE9559932714310E99DE7045500DD6E01C ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\windows --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 635F20DE9559932714310E99DE7045500DD6E01C ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\windows --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 635F20DE9559932714310E99DE7045500DD6E01C ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\windows --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 635F20DE9559932714310E99DE7045500DD6E01C ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\windows --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 635F20DE9559932714310E99DE7045500DD6E01C ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\windows --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 635F20DE9559932714310E99DE7045500DD6E01C ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\windows --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 635F20DE9559932714310E99DE7045500DD6E01C ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 C:\windows --------------------- Default permissions are in place. Current ACL: NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) --------------------- Comments |
|||||
Check Text
The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). Review the permissions for the Windows installation directory (usually C:\Windows). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. (Individual accounts must not be used to assign permissions.) If permissions are not as restrictive as the default permissions listed below, this is a finding. Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab and the "Advanced" button. Default permissions: \Windows Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files Alternately, use icacls: Open a Command prompt (admin). Enter "icacls" followed by the directory: "icacls c:\windows" The following results should be displayed for each when entered: c:\windows NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files
Fix Text
Maintain the default file ACLs and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). Default permissions: Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CABF011305CC75CBB6DFA0F71B8D6306258A97C7 ~~~~~ HKLM:\SECURITY --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadPermissions, ChangePermissions AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SOFTWARE --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SYSTEM --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : InheritOnly RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CABF011305CC75CBB6DFA0F71B8D6306258A97C7 ~~~~~ HKLM:\SECURITY --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadPermissions, ChangePermissions AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SOFTWARE --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SYSTEM --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : InheritOnly RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CABF011305CC75CBB6DFA0F71B8D6306258A97C7 ~~~~~ HKLM:\SECURITY --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadPermissions, ChangePermissions AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SOFTWARE --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SYSTEM --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : InheritOnly RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4622FD254FF6A79BAE1AF05CB5EF2C19BE31CD4F ~~~~~ HKLM:\SECURITY --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadPermissions, ChangePermissions AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SOFTWARE --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SYSTEM --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Server Operators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : InheritOnly RegistryRights : ReadKey AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CABF011305CC75CBB6DFA0F71B8D6306258A97C7 ~~~~~ HKLM:\SECURITY --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadPermissions, ChangePermissions AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SOFTWARE --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SYSTEM --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : InheritOnly RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CABF011305CC75CBB6DFA0F71B8D6306258A97C7 ~~~~~ HKLM:\SECURITY --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadPermissions, ChangePermissions AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SOFTWARE --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SYSTEM --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : InheritOnly RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CABF011305CC75CBB6DFA0F71B8D6306258A97C7 ~~~~~ HKLM:\SECURITY --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadPermissions, ChangePermissions AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SOFTWARE --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SYSTEM --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : InheritOnly RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CABF011305CC75CBB6DFA0F71B8D6306258A97C7 ~~~~~ HKLM:\SECURITY --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadPermissions, ChangePermissions AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SOFTWARE --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- HKLM:\SYSTEM --------------------- Default permissions are in place. Current ACL: RegistryRights : ReadKey AccessControlType : Allow IdentityReference : APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : ReadKey AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None RegistryRights : FullControl AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : InheritOnly RegistryRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : False InheritanceFlags : ContainerInherit PropagationFlags : None --------------------- Comments |
|||||
Check Text
Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below. If any non-privileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding. If permissions are not as restrictive as the default permissions listed below, this is a finding. Run "Regedit". Right-click on the registry areas noted below. Select "Permissions..." and the "Advanced" button. HKEY_LOCAL_MACHINE\SECURITY Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full Control - This key and subkeys Administrators - Special - This key and subkeys HKEY_LOCAL_MACHINE\SOFTWARE Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys HKEY_LOCAL_MACHINE\SYSTEM Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - Subkeys only ALL APPLICATION PACKAGES - Read - This key and subkeys Server Operators – Read – This Key and subkeys (Domain controllers only) Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission. If the defaults have not been changed, these are not a finding.
Fix Text
Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive. The default permissions of the higher-level keys are noted below. HKEY_LOCAL_MACHINE\SECURITY Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full Control - This key and subkeys Administrators - Special - This key and subkeys HKEY_LOCAL_MACHINE\SOFTWARE Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys HKEY_LOCAL_MACHINE\SYSTEM Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - Subkeys only ALL APPLICATION PACKAGES - Read - This key and subkeys Server Operators – Read – This Key and subkeys (Domain controllers only)
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented. If protection methods have not been implemented, this is a finding.
Fix Text
Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DDEB8EC31627B565DA9A6E2585FF589E535BD0A3 ~~~~~ Active Network Connections: --------------------------- Network Category: DomainAuthenticated Windows Firewall: Disabled Windows Firewall is disabled on one or more active network profiles. Confirm a host-based firewall is in use on this system. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DDEB8EC31627B565DA9A6E2585FF589E535BD0A3 ~~~~~ Active Network Connections: --------------------------- Network Category: DomainAuthenticated Windows Firewall: Disabled Windows Firewall is disabled on one or more active network profiles. Confirm a host-based firewall is in use on this system. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DDEB8EC31627B565DA9A6E2585FF589E535BD0A3 ~~~~~ Active Network Connections: --------------------------- Network Category: DomainAuthenticated Windows Firewall: Disabled Windows Firewall is disabled on one or more active network profiles. Confirm a host-based firewall is in use on this system. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DDEB8EC31627B565DA9A6E2585FF589E535BD0A3 ~~~~~ Active Network Connections: --------------------------- Network Category: DomainAuthenticated Windows Firewall: Disabled Windows Firewall is disabled on one or more active network profiles. Confirm a host-based firewall is in use on this system. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DDEB8EC31627B565DA9A6E2585FF589E535BD0A3 ~~~~~ Active Network Connections: --------------------------- Network Category: DomainAuthenticated Windows Firewall: Disabled Windows Firewall is disabled on one or more active network profiles. Confirm a host-based firewall is in use on this system. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DDEB8EC31627B565DA9A6E2585FF589E535BD0A3 ~~~~~ Active Network Connections: --------------------------- Network Category: DomainAuthenticated Windows Firewall: Disabled Windows Firewall is disabled on one or more active network profiles. Confirm a host-based firewall is in use on this system. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DDEB8EC31627B565DA9A6E2585FF589E535BD0A3 ~~~~~ Active Network Connections: --------------------------- Network Category: DomainAuthenticated Windows Firewall: Disabled Windows Firewall is disabled on one or more active network profiles. Confirm a host-based firewall is in use on this system. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DDEB8EC31627B565DA9A6E2585FF589E535BD0A3 ~~~~~ Active Network Connections: --------------------------- Network Category: DomainAuthenticated Windows Firewall: Disabled Windows Firewall is disabled on one or more active network profiles. Confirm a host-based firewall is in use on this system. Comments |
|||||
Check Text
Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. The configuration requirements will be determined by the applicable firewall STIG.
Fix Text
Install and enable a host-based firewall on the system.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify DoD-approved ESS software is installed and properly operating. Ask the site ISSM for documentation of the ESS software installation and configuration. If the ISSM is not able to provide a documented configuration for an installed ESS or if the ESS software is not properly maintained or used, this is a finding. Note: Example of documentation can be a copy of the site's CCB approved Software Baseline with version of software noted or a memo from the ISSM stating current ESS software and version.
Fix Text
Install a DoD-approved ESS software and ensure it is operating continuously.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 129AAEF8C98B12262CD5814E10D70D7749FB55E0 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'temporary' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 129AAEF8C98B12262CD5814E10D70D7749FB55E0 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'temporary' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 129AAEF8C98B12262CD5814E10D70D7749FB55E0 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'temporary' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8E4118BA0172823EAFB877B2F7EC4FE513DE1531 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the WhenCreated date. If there are enabled 'temporary' accounts currently in this domain, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 129AAEF8C98B12262CD5814E10D70D7749FB55E0 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'temporary' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 129AAEF8C98B12262CD5814E10D70D7749FB55E0 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'temporary' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 129AAEF8C98B12262CD5814E10D70D7749FB55E0 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'temporary' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 129AAEF8C98B12262CD5814E10D70D7749FB55E0 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'temporary' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
Check Text
Review temporary user accounts for expiration dates. Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. Domain Controllers: Open "PowerShell". Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate". If "AccountExpirationDate" has not been defined within 72 hours for any temporary user account, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Run "Net user [username]", where [username] is the name of the temporary user account. If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding.
Fix Text
Configure temporary user accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date under "Account" properties. Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. Delete any temporary user accounts that are no longer necessary.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A2DFD837F05076354B18E9404AAC0860BC860EE5 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'emergency' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A2DFD837F05076354B18E9404AAC0860BC860EE5 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'emergency' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A2DFD837F05076354B18E9404AAC0860BC860EE5 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'emergency' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: C0319D09815FB8218DB96DF050BE89340801CCB6 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the WhenCreated date. If there are enabled 'emergency' accounts currently in this domain, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A2DFD837F05076354B18E9404AAC0860BC860EE5 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'emergency' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A2DFD837F05076354B18E9404AAC0860BC860EE5 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'emergency' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A2DFD837F05076354B18E9404AAC0860BC860EE5 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'emergency' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A2DFD837F05076354B18E9404AAC0860BC860EE5 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'emergency' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
Check Text
Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. Domain Controllers: Open "PowerShell". Enter "Search-ADAccount –AccountExpiring | FT Name, AccountExpirationDate". If "AccountExpirationDate" has been defined and is not within 72 hours for an emergency administrator account, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Run "Net user [username]", where [username] is the name of the emergency account. If "Account expires" has been defined and is not within 72 hours for an emergency administrator account, this is a finding.
Fix Text
Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date under "Account" properties. Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D0C4B866AA7FEEDE82ECD2E8B4A22DEDE2618CF ~~~~~ Feature Name: Fax Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D0C4B866AA7FEEDE82ECD2E8B4A22DEDE2618CF ~~~~~ Feature Name: Fax Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D0C4B866AA7FEEDE82ECD2E8B4A22DEDE2618CF ~~~~~ Feature Name: Fax Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D0C4B866AA7FEEDE82ECD2E8B4A22DEDE2618CF ~~~~~ Feature Name: Fax Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D0C4B866AA7FEEDE82ECD2E8B4A22DEDE2618CF ~~~~~ Feature Name: Fax Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D0C4B866AA7FEEDE82ECD2E8B4A22DEDE2618CF ~~~~~ Feature Name: Fax Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D0C4B866AA7FEEDE82ECD2E8B4A22DEDE2618CF ~~~~~ Feature Name: Fax Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D0C4B866AA7FEEDE82ECD2E8B4A22DEDE2618CF ~~~~~ Feature Name: Fax Expected State: Available, Removed Detected State: Available Comments |
|||||
Check Text
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Fax". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix Text
Uninstall the "Fax Server" role. Start "Server Manager". Select the server with the role. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Fax Server" on the "Roles" page. Click "Next" and "Remove" as prompted.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AB08F4114350A4A86D884EB5E8C414772162FB9 ~~~~~ Feature Name: Web-Ftp-Service Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AB08F4114350A4A86D884EB5E8C414772162FB9 ~~~~~ Feature Name: Web-Ftp-Service Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AB08F4114350A4A86D884EB5E8C414772162FB9 ~~~~~ Feature Name: Web-Ftp-Service Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AB08F4114350A4A86D884EB5E8C414772162FB9 ~~~~~ Feature Name: Web-Ftp-Service Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AB08F4114350A4A86D884EB5E8C414772162FB9 ~~~~~ Feature Name: Web-Ftp-Service Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AB08F4114350A4A86D884EB5E8C414772162FB9 ~~~~~ Feature Name: Web-Ftp-Service Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AB08F4114350A4A86D884EB5E8C414772162FB9 ~~~~~ Feature Name: Web-Ftp-Service Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AB08F4114350A4A86D884EB5E8C414772162FB9 ~~~~~ Feature Name: Web-Ftp-Service Expected State: Available, Removed Detected State: Available Comments |
|||||
Check Text
If the server has the role of an FTP server, this is NA. Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Web-Ftp-Service". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding. If the system has the role of an FTP server, this must be documented with the ISSO.
Fix Text
Uninstall the "FTP Server" role. Start "Server Manager". Select the server with the role. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "FTP Server" under "Web Server (IIS)" on the "Roles" page. Click "Next" and "Remove" as prompted.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E1E83B25E45FCBBBA565EC2D58D12CDBFBB1E7FE ~~~~~ Feature Name: PNRP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E1E83B25E45FCBBBA565EC2D58D12CDBFBB1E7FE ~~~~~ Feature Name: PNRP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E1E83B25E45FCBBBA565EC2D58D12CDBFBB1E7FE ~~~~~ Feature Name: PNRP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E1E83B25E45FCBBBA565EC2D58D12CDBFBB1E7FE ~~~~~ Feature Name: PNRP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E1E83B25E45FCBBBA565EC2D58D12CDBFBB1E7FE ~~~~~ Feature Name: PNRP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E1E83B25E45FCBBBA565EC2D58D12CDBFBB1E7FE ~~~~~ Feature Name: PNRP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E1E83B25E45FCBBBA565EC2D58D12CDBFBB1E7FE ~~~~~ Feature Name: PNRP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E1E83B25E45FCBBBA565EC2D58D12CDBFBB1E7FE ~~~~~ Feature Name: PNRP Expected State: Available, Removed Detected State: Available Comments |
|||||
Check Text
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq PNRP". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix Text
Uninstall the "Peer Name Resolution Protocol" feature. Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Peer Name Resolution Protocol" on the "Features" page. Click "Next" and "Remove" as prompted.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 40AEBB2BB0A9343573591561E5E7304E61192602 ~~~~~ Feature Name: Simple-TCPIP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 40AEBB2BB0A9343573591561E5E7304E61192602 ~~~~~ Feature Name: Simple-TCPIP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 40AEBB2BB0A9343573591561E5E7304E61192602 ~~~~~ Feature Name: Simple-TCPIP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 40AEBB2BB0A9343573591561E5E7304E61192602 ~~~~~ Feature Name: Simple-TCPIP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 40AEBB2BB0A9343573591561E5E7304E61192602 ~~~~~ Feature Name: Simple-TCPIP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 40AEBB2BB0A9343573591561E5E7304E61192602 ~~~~~ Feature Name: Simple-TCPIP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 40AEBB2BB0A9343573591561E5E7304E61192602 ~~~~~ Feature Name: Simple-TCPIP Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 40AEBB2BB0A9343573591561E5E7304E61192602 ~~~~~ Feature Name: Simple-TCPIP Expected State: Available, Removed Detected State: Available Comments |
|||||
Check Text
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Simple-TCPIP". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix Text
Uninstall the "Simple TCP/IP Services" feature. Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Simple TCP/IP Services" on the "Features" page. Click "Next" and "Remove" as prompted.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BE5328321458F35B80D9546AF49C8D20D0895613 ~~~~~ Feature Name: Telnet-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BE5328321458F35B80D9546AF49C8D20D0895613 ~~~~~ Feature Name: Telnet-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BE5328321458F35B80D9546AF49C8D20D0895613 ~~~~~ Feature Name: Telnet-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BE5328321458F35B80D9546AF49C8D20D0895613 ~~~~~ Feature Name: Telnet-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BE5328321458F35B80D9546AF49C8D20D0895613 ~~~~~ Feature Name: Telnet-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BE5328321458F35B80D9546AF49C8D20D0895613 ~~~~~ Feature Name: Telnet-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BE5328321458F35B80D9546AF49C8D20D0895613 ~~~~~ Feature Name: Telnet-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BE5328321458F35B80D9546AF49C8D20D0895613 ~~~~~ Feature Name: Telnet-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
Check Text
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Telnet-Client". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix Text
Uninstall the "Telnet Client" feature. Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Telnet Client" on the "Features" page. Click "Next" and "Remove" as prompted.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FBD7E7D6321CD55D5EFD1C45DD60F9D0AAF741E0 ~~~~~ Feature Name: TFTP-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FBD7E7D6321CD55D5EFD1C45DD60F9D0AAF741E0 ~~~~~ Feature Name: TFTP-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FBD7E7D6321CD55D5EFD1C45DD60F9D0AAF741E0 ~~~~~ Feature Name: TFTP-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FBD7E7D6321CD55D5EFD1C45DD60F9D0AAF741E0 ~~~~~ Feature Name: TFTP-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FBD7E7D6321CD55D5EFD1C45DD60F9D0AAF741E0 ~~~~~ Feature Name: TFTP-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FBD7E7D6321CD55D5EFD1C45DD60F9D0AAF741E0 ~~~~~ Feature Name: TFTP-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FBD7E7D6321CD55D5EFD1C45DD60F9D0AAF741E0 ~~~~~ Feature Name: TFTP-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FBD7E7D6321CD55D5EFD1C45DD60F9D0AAF741E0 ~~~~~ Feature Name: TFTP-Client Expected State: Available, Removed Detected State: Available Comments |
|||||
Check Text
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq TFTP-Client". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix Text
Uninstall the "TFTP Client" feature. Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "TFTP Client" on the "Features" page. Click "Next" and "Remove" as prompted.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 89C59932D73F94F028707A00C6DF6452922F914B ~~~~~ The Windows Feature 'FS-SMB1' is Available Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 89C59932D73F94F028707A00C6DF6452922F914B ~~~~~ The Windows Feature 'FS-SMB1' is Available Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 89C59932D73F94F028707A00C6DF6452922F914B ~~~~~ The Windows Feature 'FS-SMB1' is Available Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 89C59932D73F94F028707A00C6DF6452922F914B ~~~~~ The Windows Feature 'FS-SMB1' is Available Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 89C59932D73F94F028707A00C6DF6452922F914B ~~~~~ The Windows Feature 'FS-SMB1' is Available Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 89C59932D73F94F028707A00C6DF6452922F914B ~~~~~ The Windows Feature 'FS-SMB1' is Available Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 89C59932D73F94F028707A00C6DF6452922F914B ~~~~~ The Windows Feature 'FS-SMB1' is Available Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 89C59932D73F94F028707A00C6DF6452922F914B ~~~~~ The Windows Feature 'FS-SMB1' is Available Comments |
|||||
Check Text
Different methods are available to disable SMBv1 on Windows 2016. This is the preferred method, however if V-78123 and V-78125 are configured, this is NA. Open "Windows PowerShell" with elevated privileges (run as administrator). Enter "Get-WindowsFeature -Name FS-SMB1". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix Text
Uninstall the SMBv1 protocol. Open "Windows PowerShell" with elevated privileges (run as administrator). Enter "Uninstall-WindowsFeature -Name FS-SMB1 -Restart". (Omit the Restart parameter if an immediate restart of the system cannot be done.) Alternately: Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "SMB 1.0/CIFS File Sharing Support" on the "Features" page. Click "Next" and "Remove" as prompted.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
Check Text
Different methods are available to disable SMBv1 on Windows 2016, if V-73299 is configured, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ Value Name: SMB1 Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". The system must be restarted for the change to take effect. This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: CE59049B4F593765AEE97768CFD61242065C89F6 ~~~~~ V-224856 is configured so this requirement is NA. Comments |
|||||
Check Text
Different methods are available to disable SMBv1 on Windows 2016, if V-73299 is configured, this is NA. If the following registry value is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ Value Name: Start Type: REG_DWORD Value: 0x00000004 (4)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". The system must be restarted for the changes to take effect. This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0BFB975652099AC78A9E2F9F60247AFF7E3F2EDF ~~~~~ Feature Name: PowerShell-v2 Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7D2DA0F0555C472B5100FC1A4E414D6EF6BA8995 ~~~~~ Feature Name: PowerShell-v2 Expected State: Available, Removed Detected State: Removed Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0BFB975652099AC78A9E2F9F60247AFF7E3F2EDF ~~~~~ Feature Name: PowerShell-v2 Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0BFB975652099AC78A9E2F9F60247AFF7E3F2EDF ~~~~~ Feature Name: PowerShell-v2 Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0BFB975652099AC78A9E2F9F60247AFF7E3F2EDF ~~~~~ Feature Name: PowerShell-v2 Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0BFB975652099AC78A9E2F9F60247AFF7E3F2EDF ~~~~~ Feature Name: PowerShell-v2 Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0BFB975652099AC78A9E2F9F60247AFF7E3F2EDF ~~~~~ Feature Name: PowerShell-v2 Expected State: Available, Removed Detected State: Available Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0BFB975652099AC78A9E2F9F60247AFF7E3F2EDF ~~~~~ Feature Name: PowerShell-v2 Expected State: Available, Removed Detected State: Available Comments |
|||||
Check Text
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq PowerShell-v2". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix Text
Uninstall the "Windows PowerShell 2.0 Engine". Start "Server Manager". Select the server with the feature. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Windows PowerShell 2.0 Engine" under "Windows PowerShell" on the "Features" page. Click "Next" and "Remove" as prompted.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
Check Text
If FTP is not installed on the system, this is NA. Open "Internet Information Services (IIS) Manager". Select the server. Double-click "FTP Authentication". If the "Anonymous Authentication" status is "Enabled", this is a finding.
Fix Text
Configure the FTP service to prevent anonymous logons. Open "Internet Information Services (IIS) Manager". Select the server. Double-click "FTP Authentication". Select "Anonymous Authentication". Select "Disabled" under "Actions".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F9DCDC8F14F142B02A2D30638861413223405760 ~~~~~ Web-Ftp-Server is not installed on this system. Confirm if 3rd-party FTP is installed and if it is, verify configuration is compliant per STIG. If no 3rd-party FTP is installed, mark this as Not Applicable. Comments |
|||||
Check Text
If FTP is not installed on the system, this is NA. Open "Internet Information Services (IIS) Manager". Select "Sites" under the server name. For any sites with a Binding that lists FTP, right-click the site and select "Explore". If the site is not defined to a specific folder for shared FTP resources, this is a finding. If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding.
Fix Text
Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 45DDCAF75C302AFBAF4F0083BDF37443F28A83CC ~~~~~ 'Reset account lockout counter after' is Configured LockoutDuration: 15 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 45DDCAF75C302AFBAF4F0083BDF37443F28A83CC ~~~~~ 'Reset account lockout counter after' is Configured LockoutDuration: 15 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 45DDCAF75C302AFBAF4F0083BDF37443F28A83CC ~~~~~ 'Reset account lockout counter after' is Configured LockoutDuration: 15 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E81822B0048B9BEAC107AD442FB42E51F115EDAB ~~~~~ 'Reset account lockout counter after' is Configured LockoutDuration: 0 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 45DDCAF75C302AFBAF4F0083BDF37443F28A83CC ~~~~~ 'Reset account lockout counter after' is Configured LockoutDuration: 15 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E81822B0048B9BEAC107AD442FB42E51F115EDAB ~~~~~ 'Reset account lockout counter after' is Configured LockoutDuration: 0 Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 45DDCAF75C302AFBAF4F0083BDF37443F28A83CC ~~~~~ 'Reset account lockout counter after' is Configured LockoutDuration: 15 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 45DDCAF75C302AFBAF4F0083BDF37443F28A83CC ~~~~~ 'Reset account lockout counter after' is Configured LockoutDuration: 15 Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "LockoutDuration" is less than "15" (excluding "0") in the file, this is a finding. Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. A value of "0" is also acceptable, requiring an administrator to unlock the account.