| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review the Email Domain Security Plan (EDSP). Determine the anti-virus strategy. Verify the email-aware anti-virus scanner product is Exchange 2016 compatible and DoD approved. If email servers are using an email-aware anti-virus scanner product that is not DoD approved and Exchange 2016 compatible, this is a finding.
Fix Text
Update the EDSP to specify the organization's anti-virus strategy. Install and configure a DoD-approved compatible Exchange 2016 email-aware anti-virus scanner product.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If the DBMS is deployed in an unclassified environment, this is not applicable (NA). If the DBMS is not configured to use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards, this is a finding.
Fix Text
Deploy a DBMS compatible with the use of NSA-approved cryptography. Configure the DBMS and related system components to use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-MicrosoftEdge_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: FDE928504EFDED0862CBBB4DB83E218D9AAFA993 ~~~~~ Microsoft Edge Version: 143.0.3650.80 Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-MicrosoftEdge_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: FDE928504EFDED0862CBBB4DB83E218D9AAFA993 ~~~~~ Microsoft Edge Version: 143.0.3650.80 Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MicrosoftEdge_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8D7A9508CCCA163538DA4C12B9C2AF032E8F3662 ~~~~~ Microsoft Edge Version: 141.0.3537.71 Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MicrosoftEdge_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8D7A9508CCCA163538DA4C12B9C2AF032E8F3662 ~~~~~ Microsoft Edge Version: 141.0.3537.71 Comments |
|||||
Check Text
Cross-reference the build information displayed with the Microsoft Edge site to identify, at minimum, the oldest supported build available. If the installed version of Edge is not supported by Microsoft, this is a finding.
Fix Text
Install a supported version of Edge.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 48551156A5DDF0637531025EE03B12E7D7F6DBEE ~~~~~ No trusts are configured so this requirement is NA. Comments |
|||||
Check Text
1. Refer to the list of identified trusts and the trust documentation provided by the site representative. (Obtained in V-8530) 2. For each of the identified trusts between DoD organizations, compare the classification level (unclassified, confidential, secret, and top secret) of the domain being reviewed with the classification level of the other trust party as noted in the documentation. 3. If the classification level of the domain being reviewed is different than the classification level of any of the entities for which a trust relationship is defined, then this is a finding.
Fix Text
Delete the trust relationship that is defined between entities with resources at different DoD classification levels.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 48551156A5DDF0637531025EE03B12E7D7F6DBEE ~~~~~ No trusts are configured so this requirement is NA. Comments |
|||||
Check Text
1. Refer to the list of identified trusts obtained in a previous check (V8530). 2. For each of the identified trusts, determine if the other trust party is a non-DoD entity. For example, if the fully qualified domain name of the other party does not end in ".mil", the other party is probably not a DoD entity. 3. Review the local documentation approving the external network connection and documentation indicating explicit approval of the trust by the DAA. 4. The external network connection documentation is maintained by the IAO\NSO for compliance with the Network Infrastructure STIG. 5. If any trust is defined with a non-DoD system and there is no documentation indicating approval of the external network connection and explicit DAA approval of the trust, then this is a finding.
Fix Text
Obtain DAA approval and document external, forest, or realm trust relationship. Or obtain documentation of the network connection approval and explicit trust approval by the DAA.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-ActiveDirectoryForest_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D7B79E8932C30F595C990EF4C4AE2F8DF34DF99C ~~~~~ Schema Permissions: Permissions are set to the default for: Administrators - Replicating Directory Changes All Permissions are set to the default for: Administrators - Replicating Directory Changes In Filtered Set Permissions are set to the default for: Administrators - Manage replication topology Permissions are set to the default for: Administrators - Replicating Directory Changes Permissions are set to the default for: Administrators - Replication Synchronization Permissions are set to the default for: Enterprise Read-only Domain Controllers - Replicating Directory Changes In Filtered Set Permissions are set to the default for: Enterprise Read-only Domain Controllers - Replicating Directory Changes Permissions are set to the default for: Enterprise Read-only Domain Controllers - Replicating Directory Changes All Permissions are set to the default for: Schema Admins - Change schema master Permissions are set to the default for: Schema Admins - Special (except Full, Delete, and Delete subtree) Permissions are set to the default for: Authenticated Users - Read Permissions are set to the default for: Enterprise Domain Controllers - Manage replication topology Permissions are set to the default for: Enterprise Domain Controllers - Replicating Directory Changes All Permissions are set to the default for: Enterprise Domain Controllers - Replicating Directory Changes In Filtered Set Permissions are set to the default for: Enterprise Domain Controllers - Replicating Directory Changes Permissions are set to the default for: Enterprise Domain Controllers - Replication Synchronization Permissions are set to the default for: System - Full Control Comments |
|||||
Check Text
Start a Schema management console. (See supplemental notes.) Select and then right-click on the Active Directory Schema entry in the left pane. Select Permissions. If any of the permissions for the Schema object are not at least as restrictive as those below, this is a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired entry, and the Edit button. Authenticated Users: Read Special Permissions The Special permissions for Authenticated Users are List and Read type. If detailed permissions include any additional Permissions or Properties this is a finding. System: Full Control Enterprise Read-only Domain Controllers: Replicating Directory Changes Replicating Directory Changes All Replicating Directory Changes In Filtered Set Schema Admins: Read Write Create all child objects Change schema master Manage replication topology Monitor active directory replication Read only replication secret synchronization Reanimate tombstones Replicating Directory Changes Replicating Directory Changes All Replicating Directory Changes In Filtered Set Replication synchronization Update schema cache Special permissions (Special permissions = all except Full, Delete, and Delete subtree when detailed permissions viewed.) Administrators: Manage replication topology Replicating Directory Changes Replicating Directory Changes All Replicating Directory Changes In Filtered Set Replication Synchronization Enterprise Domain Controllers: Manage replication topology Replicating Directory Changes Replicating Directory Changes All Replicating Directory Changes In Filtered Set Replication Synchronization Supplemental Notes: If the Schema management console has not already been configured on the computer, create a console by using the following: The steps for adding the snap-in may vary depending on the Windows version. Register the required DLL module by typing the following at a command line "regsvr32 schmmgmt.dll". Run "mmc.exe" to start a Microsoft Management Console. Select Add/Remove Snap-in from the File menu. From the Available Standalone Snap-ins list, select Active Directory Schema Select the Add button. Select the OK button. When done using the console, select Exit from the File (or Console) menu. Select the No button to the Save console settings... prompt (unless the SA wishes to retain this console). If the console is retained, the recommended name is schmmgmt.msc and the recommended location is the [systemroot]\system32 directory.
Fix Text
Ensure the access control permissions for the AD Schema object conform to the required permissions as shown below. Authenticated Users: Read Special Permissions The Special permissions for Authenticated Users are List and Read type. If detailed permissions include any additional Permissions or Properties this is a finding. System: Full Control Enterprise Read-only Domain Controllers: Replicating Directory Changes Replicating Directory Changes All Replicating Directory Changes In Filtered Set Schema Admins: Read Write Create all child objects Change schema master Manage replication topology Monitor active directory replication Read only replication secret synchronization Reanimate tombstones Replicating Directory Changes Replicating Directory Changes All Replicating Directory Changes In Filtered Set Replication synchronization Update schema cache Special permissions (Special permissions = all except Full, Delete, and Delete subtree when detailed permissions viewed.) Administrators: Manage replication topology Replicating Directory Changes Replicating Directory Changes All Replicating Directory Changes In Filtered Set Replication Synchronization Enterprise Domain Controllers: Manage replication topology Replicating Directory Changes Replicating Directory Changes All Replicating Directory Changes In Filtered Set Replication Synchronization
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html. Review system documentation to determine whether cryptography for classified or sensitive information is required by the information owner. If the system documentation does not specify the type of information hosted on SQL Server as classified, sensitive, and/or unclassified, this is a finding. If neither classified nor sensitive information exists within SQL Server databases or configuration, this is not a finding. Verify that Windows is configured to require the use of FIPS-compliant algorithms. Click "Start", enter "Local Security Policy", and then press "Enter". Expand "Local Policies", select "Security Options", and then locate "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". If the Security Setting for this option is "Disabled", this is a finding. Note: The list of acceptable algorithms is "AES 256" and "Triple DES". If cryptography is being used by SQL Server, verify that the cryptography is NIST FIPS 140-2 or 140-3 certified by running the following SQL query: SELECT DISTINCT name, algorithm_desc FROM sys.symmetric_keys WHERE key_algorithm NOT IN ('D3','A3') ORDER BY name If any items listed show an uncertified NIST FIPS 140-2 algorithm type, this is a finding.
Fix Text
Configure cryptographic functions to use NSA-approved cryptography compliant algorithms. Use DoD code-signing certificates to create asymmetric keys stored in the database used to encrypt sensitive data stored in the database. Run the following SQL script to create a certificate: USE CREATE CERTIFICATE ENCRYPTION BY PASSWORD = <'password'> FROM FILE = <'path/file_name'> WITH SUBJECT = 'name of person creating key', EXPIRY_DATE = '<'expiration date: yyyymmdd'>' Run the following SQL script to create a symmetric key and assign an existing certificate: USE CREATE SYMMETRIC KEY <'key name'> WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE For Transparent Data Encryption (TDE): USE master; CREATE MASTER KEY ENCRYPTION BY PASSWORD = ''; CREATE CERTIFICATE . . .; USE ; CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE ; ALTER DATABASE SET ENCRYPTION ON;
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-MozillaFirefox_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 0FCC0348AFE2E97D141B22373B94B72CEE381353 ~~~~~ Apps and Features entries for Firefox: Name: Mozilla Firefox ESR (x64 en-US) Version: 140.6.0 Path: C:\Program Files\Mozilla Firefox Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-MozillaFirefox_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 0FCC0348AFE2E97D141B22373B94B72CEE381353 ~~~~~ Apps and Features entries for Firefox: Name: Mozilla Firefox ESR (x64 en-US) Version: 140.6.0 Path: C:\Program Files\Mozilla Firefox Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MozillaFirefox_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: CDA64C53C50F058D63F08C3F6AD2DAD12183D817 ~~~~~ Apps and Features entries for Firefox: Name: Mozilla Firefox ESR (x64 en-US) Version: 140.4.0 Path: C:\Program Files\Mozilla Firefox Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MozillaFirefox_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: CDA64C53C50F058D63F08C3F6AD2DAD12183D817 ~~~~~ Apps and Features entries for Firefox: Name: Mozilla Firefox ESR (x64 en-US) Version: 140.4.0 Path: C:\Program Files\Mozilla Firefox Comments |
|||||
Check Text
Run Firefox. Click the ellipsis button >> Help >> About Firefox, and view the version number. If the Firefox version is not a supported version, this is a finding.
Fix Text
Upgrade the version of the browser to an approved version by obtaining software from the vendor or other trusted source.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-MozillaFirefox_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 4A1B334B1277709B8C673DCF44E7FB095B1934FF ~~~~~ 'Minimum SSL version enabled' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: SSLVersionMin Value: tls1.2 Type: REG_SZ Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-MozillaFirefox_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 4A1B334B1277709B8C673DCF44E7FB095B1934FF ~~~~~ 'Minimum SSL version enabled' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: SSLVersionMin Value: tls1.2 Type: REG_SZ Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MozillaFirefox_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4A1B334B1277709B8C673DCF44E7FB095B1934FF ~~~~~ 'Minimum SSL version enabled' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: SSLVersionMin Value: tls1.2 Type: REG_SZ Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MozillaFirefox_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4A1B334B1277709B8C673DCF44E7FB095B1934FF ~~~~~ 'Minimum SSL version enabled' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: SSLVersionMin Value: tls1.2 Type: REG_SZ Comments |
|||||
Check Text
Type "about:policies" in the browser window. If "SSLVersionMin" is not displayed under Policy Name or the Policy Value is not "tls1.2" or "tls1.3", this is a finding.
Fix Text
Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Minimum SSL version enabled Policy State: Enabled Policy Value: TLS 1.2 (or TLS 1.3) macOS "plist" file: Add the following: <key>SSLVersionMin</key> <string>tls1.2</string> (or <string>tls1.3</string>) Linux "policies.json" file: Add the following in the policies section: "SSLVersionMin": "tls1.2" or ("SSLVersionMin": "tls1.3")
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IE11_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9C4B5762692E4BAE01265CF37571D6925E56B0A8 ~~~~~ Internet Explorer is supported on Microsoft Windows Server 2016 Standard Reference: https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IE11_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9C4B5762692E4BAE01265CF37571D6925E56B0A8 ~~~~~ Internet Explorer is supported on Microsoft Windows Server 2016 Standard Reference: https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IE11_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9C4B5762692E4BAE01265CF37571D6925E56B0A8 ~~~~~ Internet Explorer is supported on Microsoft Windows Server 2016 Standard Reference: https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IE11_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9C4B5762692E4BAE01265CF37571D6925E56B0A8 ~~~~~ Internet Explorer is supported on Microsoft Windows Server 2016 Standard Reference: https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IE11_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9C4B5762692E4BAE01265CF37571D6925E56B0A8 ~~~~~ Internet Explorer is supported on Microsoft Windows Server 2016 Standard Reference: https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IE11_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9C4B5762692E4BAE01265CF37571D6925E56B0A8 ~~~~~ Internet Explorer is supported on Microsoft Windows Server 2016 Standard Reference: https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge Comments |
|||||
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-IE11_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 20084BF752FA10BB981D8B6E81803EB2C45CEE3E ~~~~~ Internet Explorer is supported on Windows 10 Enterprise LTSC 2021 Reference: https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-IE11_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 20084BF752FA10BB981D8B6E81803EB2C45CEE3E ~~~~~ Internet Explorer is supported on Windows 10 Enterprise LTSC 2021 Reference: https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IE11_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 706CA921B1BB87A50E66A36A7BDB4BF559619D90 ~~~~~ Internet Explorer is supported on Microsoft Windows Server 2016 Datacenter Reference: https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IE11_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 706CA921B1BB87A50E66A36A7BDB4BF559619D90 ~~~~~ Internet Explorer is supported on Microsoft Windows Server 2016 Datacenter Reference: https://docs.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge Comments |
|||||
Check Text
Internet Explorer 11 is no longer supported on Windows 10 General Availability Channel. If Internet Explorer 11 is installed and enabled on Windows 10 General Availability Channel, this is a finding. If Internet Explorer 11 is installed and enabled on an unsupported OS, this is a finding.
Fix Text
For Windows 10 General Availability Channel, remove or disable the Internet Explorer 11 application. To disable Internet Explorer 11 as a standalone browser, set the policy value for "Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Disable Internet Explorer 11 as a standalone browser" to "Enabled" with the option value set to "Never" or "Once per user".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Note: Sinkhole name servers host records that are manually added and for which the name server is not authoritative. It is configured and intended to block resolvers from reaching a destination by directing the query to a sinkhole. If the sinkhole name server is not authoritative for any zones and serves only as a caching/forwarding name server, this check is not applicable. The non-Active Directory (AD)-integrated, standalone, caching Windows DNS Server must be configured to be DNSSEC aware. When performing caching and lookups, the caching name server must be able to obtain a zone signing key (ZSK) DNSKEY record and corresponding RRSIG record for the queried record. It will use this information to compute the hash for the hostname being resolved. The caching name server decrypts the RRSIG record for the hostname being resolved with the zone's ZSK to get the RRSIG record hash. The caching name server compares the hashes and ensures they match. If the non-AD-integrated, standalone, caching Windows DNS Server is not configured to be DNSSEC aware, this is a finding.
Fix Text
Implement DNSSEC on all non-AD-integrated, standalone, caching Windows DNS Servers to ensure the caching server validates signed zones when resolving and caching.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Note: This check is not applicable if Windows DNS Server is only serving as a caching server and does not host any zones authoritatively. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the NS records for the zone. Verify each of the name servers, represented by the NS records, is active. At a command prompt on any system, type: nslookup <enter>; At the nslookup prompt, type: server ###.###.###.### <enter>; (where the ###.###.###.### is replaced by the IP of each NS record) Enter a FQDN for a known host record in the zone. If the NS server does not respond at all or responds with a nonauthoritative answer, this is a finding.
Fix Text
If DNS servers are Active Directory (AD) integrated, troubleshoot and remedy the replication problem where the nonresponsive name server is not being updated. If DNS servers are not AD integrated, log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand "Forward Lookup Zones". From the expanded list, click to select the zone. Review the NS records for the zone. Select the NS record for the nonresponsive name server and remove the record.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D ~~~~~ All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA. Comments |
|||||
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, click to select each zone. Review the RRs for each zone and verify all of the DNSSEC record types are included for the zone. Note: The DS (Delegation Signer) record should also exist but the requirement for it is validated under WDNS-22-000054. RRSIG (Resource Read Signature) DNSKEY (Public Key) NSEC3 (Next Secure 3) If the zone does not show all the DNSSEC record types, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the DNS server using the Domain Admin or Enterprise Admin account or Local Administrator account. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone", using either approved saved parameters or approved custom parameters.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D ~~~~~ All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA. Comments |
|||||
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Once resource records are received by a DNS server via a secure dynamic update, the resource records will automatically become signed by DNSSEC if the zone was originally signed by DNSSEC. Authenticity of query responses for resource records dynamically updated can be validated by querying for whether the zone/record is signed by DNSSEC. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace 131.77.60.235 with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an Expirations, date signed, signer, and signature, similar to the following: Name : www.zonename.mil QueryType : RRSIG TTL : 189 Section : Answer TypeCovered : CNAME Algorithm : 8 LabelCount : 3 OriginalTtl : 300 Expiration : 11/21/2014 10:22:28 PM Signed : 10/22/2014 10:22:28 PM Signer : zonename.mil Signature : {87, 232, 34, 134...} Name : origin-www.zonename.mil QueryType : A TTL : 201 Section : Answer IP4Address : 156.112.108.76 If the results do not show the RRSIG and signature information, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. Once the Server Manager window is initialized, from the left pane, click to select the DNS category. From the right pane, under the "SERVERS" section, right-click the DNS server. From the context menu that appears, click "DNS Manager". In the DNS Manager console tree on the DNS server being validated, navigate to "Forward Lookup Zones". Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServerDNS_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: EBD1CBF9C835BB34171A1BE7AD4ED430C4F56B9D ~~~~~ All Forward Lookup Zones hosted on this server are Active Directory-integrated so this requirement is NA. Comments |
|||||
Check Text
Note: This check is not applicable for Windows DNS Servers that host only Active Directory-integrated zones or for Windows DNS Servers on a classified network. Validate this check from the Windows DNS Server being configured/reviewed. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Determine a valid host in the zone. Open the Windows PowerShell prompt on the Windows DNS Server being configured/reviewed. Issue the following command: (Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows DNS Server hosting the signed zone.) resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> Note: It is important to use the -server switch followed by the DNS server name/IP address. The result should show the "A" record results. In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer, and signature, similar to the following: Name: www.zonename.mil QueryType: RRSIG TTL: 189 Section: Answer TypeCovered: CNAME Algorithm: 8 LabelCount: 3 OriginalTtl: 300 Expiration: 11/21/2014 10:22:28 PM Signed 10/22/2014 10:22:28 PM Signer: zonename.mil Signature: {87, 232, 34, 134...} Name: origin-www.zonename.mil QueryType: A TTL: 201 Section: Answer IP4Address: ###.###.###.### If the results do not show the RRSIG and signature information, this is a finding.
Fix Text
Sign or re-sign the hosted zone(s) on the DNS server being validated. Log on to the Windows DNS Server using the account designated as Administrator or DNS Administrator. Press the Windows key + R and execute "dnsmgmt.msc". On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server and then expand "Forward Lookup Zones". From the expanded list, right-click to select the zone (repeat for each hosted zone), point to DNSSEC, and then click "Sign the Zone" using either approved saved parameters or approved custom parameters.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Certificate templates with the following extended key usages AND that allow a requestor to supply the subject name in the request require manual approval. In the AD CS web server properties, select "VulnerableCertTemplate" properties. Verify that "Subject Name" and "Supply in the request" are selected. If "Subject Name" AND "Supply in the request" are selected and if manual approval is not required, this is a finding. If the "Supply in Request" is NOT selected, and the Enroll Permissions for the template have been limited to a select group of users/administrators, this is not a finding.
Fix Text
In the AD CS web server properties, select "VulnerableCertTemplate" properties and then select "Subject Name" and "Supply in the request". Certificate templates with the following extended key usages must require manual approval in all cases: i. Smart Card Logon (1.3.6.1.4.1.311.20.2.2). ii. Any Purpose EKU (2.5.29.37.0). iii. No EKU set. i.e., this is a (subordinate) CA certificate. Certificate templates with the following extended key usages AND that allow a requestor to supply the subject name in the request must require manual approval: i. Client Authentication (1.3.6.1.5.5.7.3.2). ii. PKINIT Client Authentication (1.3.6.1.5.2.3.4). iii. Supply in request" setting: VulnerableCertTemplate Properties.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify that a site has set aside one or more PAWs for remote management of AD CS. A dedicated AD CS/CA Admin account that is only usable on tier 0 PAW or the ADCS server must be used to manage the certificate authority and approve requests. Review any available site documentation. Verify that any PAW used to manage high-value IT resources of a specific tier are used exclusively for managing high-value IT resources assigned to only one tier. If the site has not set aside one or more PAWs for remote management of AD CS, this is a finding.
Fix Text
Configure and set aside one or more PAWs for configuration and management of AD CS. For AD, multiple configuration items could enable anonymous access. Set aside one or more PAWs for remote management of high-value IT resources assigned to a specific tier. For example, using the Microsoft Tier 0-2 model, each PAW would be assigned to manage Tier 0, Tier 1, or Tier 2 high-value IT resources.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DB-002 | - | 2026-03-06 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify the DBMS is a version supported by the vendor. If the DBMS is not a version supported by the vendor, this is a finding.
Fix Text
Upgrade or install a version of the DBMS supported by the vendor.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23C37571322EA7216F197978D4B3FF97743E9C71 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-NETFramework4_Checks) found this to be OPEN on 12/17/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-NETFramework4_Checks) found this to be OPEN on 12/17/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23C37571322EA7216F197978D4B3FF97743E9C71 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration.
Fix Text
1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 02584B707ED8F7A6BBB550AB8007006439022FB2 ~~~~~ Password for the built-in Administrator account (X_Admin) was last changed on 01/14/2021 03:03:50 (1743 days ago) Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 71A62659BD0BD5A65A87B978C8A286286D2E160D ~~~~~ Password for the built-in Administrator account (X_Admin) was last changed on 03/24/2021 16:46:13 (1673 days ago) Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 02584B707ED8F7A6BBB550AB8007006439022FB2 ~~~~~ Password for the built-in Administrator account (X_Admin) was last changed on 01/14/2021 03:03:50 (1743 days ago) Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: F1A30B85277550AD2072CFAC46AEF4298B54F106 ~~~~~ Password for the built-in Administrator account (SHB_Admin) was last changed on 03/24/2021 16:46:13 (1674 days ago) Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 71A62659BD0BD5A65A87B978C8A286286D2E160D ~~~~~ Password for the built-in Administrator account (X_Admin) was last changed on 03/24/2021 16:46:13 (1673 days ago) Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 26572079BCCF907EB437A9106FA6A046FCCE8B31 ~~~~~ Password for the built-in Administrator account (SHB_Admin) was last changed on 03/24/2021 16:46:13 (1673 days ago) Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 72A6144099867FC3CBCFF6B8E32957D3D3A6873C ~~~~~ Password for the built-in Administrator account (X_Admin) was last changed on 05/12/2023 18:00:29 (894 days ago) Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 257887B5F9AFA7F486067185B8DA4FF4953E63BE ~~~~~ Password for the built-in Administrator account (X_Admin) was last changed on 05/12/2023 18:01:24 (894 days ago) Comments |
|||||
Check Text
Review the password last set date for the built-in Administrator account. Domain controllers: Open "PowerShell". Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | Ft Name, SID, PasswordLastSet". If the "PasswordLastSet" date is greater than "60" days old, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account. (The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.) If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
Fix Text
Change the built-in Administrator account password at least every "60" days. It is highly recommended to use Microsoft's LAPS, which may be used on domain-joined member servers to accomplish this. The AO still has the overall authority to use another equivalent capability to accomplish the check.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine whether any shared accounts exist. If no shared accounts exist, this is NA. Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. If unapproved shared accounts exist, this is a finding.
Fix Text
Remove unapproved shared accounts from the system. Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 6FF711AFAE14E49C15CD28D71EFFCBA6D6AF6065 ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Rule Type: Appx Enforcement Mode: NotConfigured Rule Type: Dll Enforcement Mode: AuditOnly Rule Type: Exe Enforcement Mode: AuditOnly Rule Type: Msi Enforcement Mode: AuditOnly Rule Type: Script Enforcement Mode: AuditOnly Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 6FF711AFAE14E49C15CD28D71EFFCBA6D6AF6065 ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Rule Type: Appx Enforcement Mode: NotConfigured Rule Type: Dll Enforcement Mode: AuditOnly Rule Type: Exe Enforcement Mode: AuditOnly Rule Type: Msi Enforcement Mode: AuditOnly Rule Type: Script Enforcement Mode: AuditOnly Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 6FF711AFAE14E49C15CD28D71EFFCBA6D6AF6065 ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Rule Type: Appx Enforcement Mode: NotConfigured Rule Type: Dll Enforcement Mode: AuditOnly Rule Type: Exe Enforcement Mode: AuditOnly Rule Type: Msi Enforcement Mode: AuditOnly Rule Type: Script Enforcement Mode: AuditOnly Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 6FF711AFAE14E49C15CD28D71EFFCBA6D6AF6065 ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Rule Type: Appx Enforcement Mode: NotConfigured Rule Type: Dll Enforcement Mode: AuditOnly Rule Type: Exe Enforcement Mode: AuditOnly Rule Type: Msi Enforcement Mode: AuditOnly Rule Type: Script Enforcement Mode: AuditOnly Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 6FF711AFAE14E49C15CD28D71EFFCBA6D6AF6065 ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Rule Type: Appx Enforcement Mode: NotConfigured Rule Type: Dll Enforcement Mode: AuditOnly Rule Type: Exe Enforcement Mode: AuditOnly Rule Type: Msi Enforcement Mode: AuditOnly Rule Type: Script Enforcement Mode: AuditOnly Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 6FF711AFAE14E49C15CD28D71EFFCBA6D6AF6065 ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Rule Type: Appx Enforcement Mode: NotConfigured Rule Type: Dll Enforcement Mode: AuditOnly Rule Type: Exe Enforcement Mode: AuditOnly Rule Type: Msi Enforcement Mode: AuditOnly Rule Type: Script Enforcement Mode: AuditOnly Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 6FF711AFAE14E49C15CD28D71EFFCBA6D6AF6065 ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Rule Type: Appx Enforcement Mode: NotConfigured Rule Type: Dll Enforcement Mode: AuditOnly Rule Type: Exe Enforcement Mode: AuditOnly Rule Type: Msi Enforcement Mode: AuditOnly Rule Type: Script Enforcement Mode: AuditOnly Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 6FF711AFAE14E49C15CD28D71EFFCBA6D6AF6065 ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Rule Type: Appx Enforcement Mode: NotConfigured Rule Type: Dll Enforcement Mode: AuditOnly Rule Type: Exe Enforcement Mode: AuditOnly Rule Type: Msi Enforcement Mode: AuditOnly Rule Type: Script Enforcement Mode: AuditOnly Comments |
|||||
Check Text
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. If an application allowlisting program is not in use on the system, this is a finding. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. If AppLocker is used, perform the following to view the configuration of AppLocker: Open "PowerShell". If the AppLocker PowerShell module has not been imported previously, execute the following first: Import-Module AppLocker Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide
Fix Text
Configure an application allowlisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built into Windows Server. If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine if the system is monitored for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. If system files are not being monitored for unauthorized changes, this is a finding. An approved and properly configured solution will contain both a list of baselines that includes all system file locations and a file comparison task that is scheduled to run at least weekly.
Fix Text
Monitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding.
Fix Text
Establish and implement a process for backing up log data to another system or media other than the system being audited.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify the audit records, at a minimum, are offloaded for interconnected systems in real time and offloaded for standalone or nondomain-joined systems weekly. If they are not, this is a finding.
Fix Text
Configure the system to, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 053B5D828EEAF46570CDDCE5C77DBC62D21E42D7 ~~~~~ 'Turn on PowerShell Transcription' is NOT Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ Value Name: EnableTranscripting (Not found) Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 053B5D828EEAF46570CDDCE5C77DBC62D21E42D7 ~~~~~ 'Turn on PowerShell Transcription' is NOT Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ Value Name: EnableTranscripting (Not found) Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 053B5D828EEAF46570CDDCE5C77DBC62D21E42D7 ~~~~~ 'Turn on PowerShell Transcription' is NOT Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ Value Name: EnableTranscripting (Not found) Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 053B5D828EEAF46570CDDCE5C77DBC62D21E42D7 ~~~~~ 'Turn on PowerShell Transcription' is NOT Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ Value Name: EnableTranscripting (Not found) Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 053B5D828EEAF46570CDDCE5C77DBC62D21E42D7 ~~~~~ 'Turn on PowerShell Transcription' is NOT Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ Value Name: EnableTranscripting (Not found) Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 053B5D828EEAF46570CDDCE5C77DBC62D21E42D7 ~~~~~ 'Turn on PowerShell Transcription' is NOT Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ Value Name: EnableTranscripting (Not found) Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 053B5D828EEAF46570CDDCE5C77DBC62D21E42D7 ~~~~~ 'Turn on PowerShell Transcription' is NOT Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ Value Name: EnableTranscripting (Not found) Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 053B5D828EEAF46570CDDCE5C77DBC62D21E42D7 ~~~~~ 'Turn on PowerShell Transcription' is NOT Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ Value Name: EnableTranscripting (Not found) Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ Value Name: EnableTranscripting Value Type: REG_DWORD Value: 1
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Transcription" to "Enabled". Specify the Transcript output directory to point to a Central Log Server or another secure location to prevent user access.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: BE7C19DDE65138A644FC9087711F70D0C7FDDD1C ~~~~~ Installed Roles: --------------------- File and Storage Services Installed Role Services: --------------------- File and iSCSI Services File Server Storage Services Installed Features: --------------------- .NET Framework 4.6 Features .NET Framework 4.6 WCF Services TCP Port Sharing Windows PowerShell Windows PowerShell 5.1 Windows PowerShell ISE WoW64 Support Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: D8478AC2FD162193D66BF534C4869D3538EB1F15 ~~~~~ Installed Roles: --------------------- File and Storage Services Installed Role Services: --------------------- Storage Services Installed Features: --------------------- .NET Framework 4.6 Features .NET Framework 4.6 WCF Services TCP Port Sharing Windows PowerShell Windows PowerShell 5.1 Windows PowerShell ISE WoW64 Support Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: BE7C19DDE65138A644FC9087711F70D0C7FDDD1C ~~~~~ Installed Roles: --------------------- File and Storage Services Installed Role Services: --------------------- File and iSCSI Services File Server Storage Services Installed Features: --------------------- .NET Framework 4.6 Features .NET Framework 4.6 WCF Services TCP Port Sharing Windows PowerShell Windows PowerShell 5.1 Windows PowerShell ISE WoW64 Support Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A5A792923F838BAD0506209E17CDD23EF6D8A091 ~~~~~ Installed Roles: --------------------- Active Directory Domain Services DHCP Server DNS Server File and Storage Services Network Policy and Access Services Installed Role Services: --------------------- File and iSCSI Services File Server Storage Services Installed Features: --------------------- .NET Framework 4.6 Features .NET Framework 4.6 WCF Services TCP Port Sharing BitLocker Drive Encryption Enhanced Storage Group Policy Management Remote Server Administration Tools Feature Administration Tools BitLocker Drive Encryption Administration Utilities BitLocker Drive Encryption Tools BitLocker Recovery Password Viewer Role Administration Tools AD DS and AD LDS Tools Active Directory module for Windows PowerShell AD DS Tools Active Directory Administrative Center AD DS Snap-Ins and Command-Line Tools Active Directory Certificate Services Tools Certification Authority Management Tools DHCP Server Tools DNS Server Tools Network Policy and Access Services Tools Windows PowerShell Windows PowerShell 5.1 Windows PowerShell ISE WoW64 Support Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 7824D0431791E6B62B9758C503519101F503256D ~~~~~ Installed Roles: --------------------- File and Storage Services Web Server (IIS) Installed Role Services: --------------------- File and iSCSI Services File Server Storage Services Web Server Common HTTP Features Default Document Directory Browsing HTTP Errors Static Content HTTP Redirection Health and Diagnostics HTTP Logging Logging Tools Request Monitor Tracing Performance Static Content Compression Security Request Filtering Application Development ISAPI Extensions Management Tools IIS Management Console IIS 6 Management Compatibility IIS 6 Metabase Compatibility Installed Features: --------------------- .NET Framework 4.6 Features .NET Framework 4.6 WCF Services TCP Port Sharing Background Intelligent Transfer Service (BITS) IIS Server Extension Remote Differential Compression Remote Server Administration Tools Feature Administration Tools BITS Server Extensions Tools Windows PowerShell Windows PowerShell 5.1 Windows PowerShell ISE WoW64 Support Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 07E552EDB99739489FC1F2A1156B524187533262 ~~~~~ Installed Roles: --------------------- File and Storage Services Web Server (IIS) Installed Role Services: --------------------- File and iSCSI Services File Server Storage Services Web Server Common HTTP Features Default Document Directory Browsing HTTP Errors Static Content HTTP Redirection Health and Diagnostics HTTP Logging Logging Tools Request Monitor Tracing Performance Static Content Compression Dynamic Content Compression Security Request Filtering Basic Authentication Client Certificate Mapping Authentication Digest Authentication Windows Authentication Application Development .NET Extensibility 4.6 ASP.NET 4.6 ISAPI Extensions ISAPI Filters Management Tools IIS Management Console IIS 6 Management Compatibility IIS 6 Metabase Compatibility IIS 6 Management Console IIS 6 WMI Compatibility Management Service Installed Features: --------------------- .NET Framework 4.6 Features .NET Framework 4.6 ASP.NET 4.6 WCF Services HTTP Activation Message Queuing (MSMQ) Activation Named Pipe Activation TCP Activation TCP Port Sharing Media Foundation Message Queuing Message Queuing Services Message Queuing Server Remote Server Administration Tools Feature Administration Tools Failover Clustering Tools Failover Cluster Management Tools Failover Cluster Module for Windows PowerShell Failover Cluster Command Interface Role Administration Tools AD DS and AD LDS Tools AD DS Tools AD DS Snap-Ins and Command-Line Tools RPC over HTTP Proxy Windows Identity Foundation 3.5 Windows PowerShell Windows PowerShell 5.1 Windows PowerShell ISE Windows Process Activation Service Process Model Configuration APIs WoW64 Support Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8B6B0E7B29F63DCE6A1F8CA5BA16AADD4BF2ACD3 ~~~~~ Installed Roles: --------------------- File and Storage Services Hyper-V Installed Role Services: --------------------- File and iSCSI Services File Server Storage Services Installed Features: --------------------- .NET Framework 4.6 Features .NET Framework 4.6 WCF Services TCP Port Sharing Remote Server Administration Tools Role Administration Tools Hyper-V Management Tools Hyper-V GUI Management Tools Hyper-V Module for Windows PowerShell Windows PowerShell Windows PowerShell 5.1 Windows PowerShell ISE WoW64 Support Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8B6B0E7B29F63DCE6A1F8CA5BA16AADD4BF2ACD3 ~~~~~ Installed Roles: --------------------- File and Storage Services Hyper-V Installed Role Services: --------------------- File and iSCSI Services File Server Storage Services Installed Features: --------------------- .NET Framework 4.6 Features .NET Framework 4.6 WCF Services TCP Port Sharing Remote Server Administration Tools Role Administration Tools Hyper-V Management Tools Hyper-V GUI Management Tools Hyper-V Module for Windows PowerShell Windows PowerShell Windows PowerShell 5.1 Windows PowerShell ISE WoW64 Support Comments |
|||||
Check Text
Required roles and features will vary based on the function of the individual system. Roles and features specifically required to be disabled per the STIG are identified in separate requirements. If the organization has not documented the roles and features required for the system(s), this is a finding. The PowerShell command "Get-WindowsFeature" will list all roles and features with an "Install State".
Fix Text
Document the roles and features required for the system to operate. Uninstall any that are not required.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: B00433ABC682620256EEA18A128316CDE1BC2030 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: B00433ABC682620256EEA18A128316CDE1BC2030 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: B00433ABC682620256EEA18A128316CDE1BC2030 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: B00433ABC682620256EEA18A128316CDE1BC2030 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: B00433ABC682620256EEA18A128316CDE1BC2030 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: B00433ABC682620256EEA18A128316CDE1BC2030 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: B00433ABC682620256EEA18A128316CDE1BC2030 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding. Domain Systems Only: - Enterprise Admins group - Domain Admins group - "Local account and member of Administrators group" or "Local account" (see Note below) All Systems: - Guests group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyNetworkLogonRight" user right, this is a finding. Domain Systems Only: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) S-1-5-114 ("Local account and member of Administrators group") or S-1-5-113 ("Local account") All Systems: S-1-5-32-546 (Guests) Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following: Domain Systems Only: - Enterprise Admins group - Domain Admins group - "Local account and member of Administrators group" or "Local account" (see Note below) All Systems: - Guests group Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 853C0CE81C1C24F05FBE2ADC24FBC18BB9DC2A41 ~~~~~ Deny log on as a service: No objects assigned to this right. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 853C0CE81C1C24F05FBE2ADC24FBC18BB9DC2A41 ~~~~~ Deny log on as a service: No objects assigned to this right. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 853C0CE81C1C24F05FBE2ADC24FBC18BB9DC2A41 ~~~~~ Deny log on as a service: No objects assigned to this right. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 853C0CE81C1C24F05FBE2ADC24FBC18BB9DC2A41 ~~~~~ Deny log on as a service: No objects assigned to this right. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 853C0CE81C1C24F05FBE2ADC24FBC18BB9DC2A41 ~~~~~ Deny log on as a service: No objects assigned to this right. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 853C0CE81C1C24F05FBE2ADC24FBC18BB9DC2A41 ~~~~~ Deny log on as a service: No objects assigned to this right. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 853C0CE81C1C24F05FBE2ADC24FBC18BB9DC2A41 ~~~~~ Deny log on as a service: No objects assigned to this right. Comments |
|||||
Check Text
This applies to member servers. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on as a service" user right on domain-joined systems, this is a finding. - Enterprise Admins Group - Domain Admins Group If any accounts or groups are defined for the "Deny log on as a service" user right on nondomain-joined systems, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyServiceLogonRight" user right on domain-joined systems, this is a finding. S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include the following: Domain systems: - Enterprise Admins Group - Domain Admins Group
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding. Domain Systems Only: - Enterprise Admins Group - Domain Admins Group All Systems: - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyInteractiveLogonRight" user right, this is a finding. Domain Systems Only: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) All Systems: S-1-5-32-546 (Guests)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following: Domain Systems Only: - Enterprise Admins Group - Domain Admins Group All Systems: - Guests Group
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5957234601D7C7E797928456B308E65804C7D53F ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5957234601D7C7E797928456B308E65804C7D53F ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5957234601D7C7E797928456B308E65804C7D53F ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5957234601D7C7E797928456B308E65804C7D53F ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5957234601D7C7E797928456B308E65804C7D53F ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5957234601D7C7E797928456B308E65804C7D53F ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5957234601D7C7E797928456B308E65804C7D53F ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding. Domain Systems Only: - Enterprise Admins group - Domain Admins group - Local account (see Note below) All Systems: - Guests group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyRemoteInteractiveLogonRight" user right, this is a finding. Domain Systems Only: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) S-1-5-113 ("Local account") All Systems: S-1-5-32-546 (Guests) Note: "Local account" is referring to the Windows built-in security group.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: Domain Systems Only: - Enterprise Admins group - Domain Admins group - Local account (see Note below) All Systems: - Guests group Note: "Local account" is referring to the Windows built-in security group.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 263DA351D2894952BBF8189FB6715621065B0A7F ~~~~~ Failed accounts: --------------------- Name: DOD_Admin SID: S-1-5-21-3515710802-3801378020-2101878990-1000 Enabled: True Last Logon: 07/06/2023 06:31:47 [840 days] Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: FC31BBFC2CEB692BBFEF878BCFB3A77AD691415D ~~~~~ Failed accounts: --------------------- Name: DOD_Admin SID: S-1-5-21-2559903909-3818771750-2130456036-1000 Enabled: True Last Logon: 07/06/2023 06:02:50 [840 days] Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 11F54D137F8E9EEA8782F3EBBEC2DCD07E124714 ~~~~~ Failed accounts: --------------------- Name: DOD_Admin SID: S-1-5-21-3489894170-526094123-3548415114-1000 Enabled: True Last Logon: 07/06/2023 06:13:35 [840 days] Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 1C7B892F561A2193CB86D61FA0145F6304D2D90B ~~~~~ Ignored Accounts: --------------------- Name: SHB_Admin SID: S-1-5-21-1360995287-4027491577-3040029667-500 Enabled: True Last Logon: Never Failed accounts: --------------------- Name: DOD_Admin SID: S-1-5-21-1360995287-4027491577-3040029667-1000 Enabled: True Last Logon: 06/24/2025 19:14:22 [120 days] Name: HealthMailbox3295a98105294ef195ff4f5394ae0e3c SID: S-1-5-21-1360995287-4027491577-3040029667-1606 Enabled: True Last Logon: Never Name: HealthMailbox8d8eb4c107e64340876668cde6c1289e SID: S-1-5-21-1360995287-4027491577-3040029667-1607 Enabled: True Last Logon: Never Name: HealthMailboxfd82eb3f816c4428bcc7a1706f017682 SID: S-1-5-21-1360995287-4027491577-3040029667-1608 Enabled: True Last Logon: Never Name: HealthMailbox4ffeb90d1e3e42808987669877a590dc SID: S-1-5-21-1360995287-4027491577-3040029667-1150 Enabled: True Last Logon: Never Name: HealthMailboxa7603ef65a894a7abd37cc7afcd0498f SID: S-1-5-21-1360995287-4027491577-3040029667-1609 Enabled: True Last Logon: Never Name: HealthMailbox0045b0edfe864ade8de6332392102884 SID: S-1-5-21-1360995287-4027491577-3040029667-1151 Enabled: True Last Logon: Never Name: HealthMailbox2a4e029adc2c45d7a2377f21fc959267 SID: S-1-5-21-1360995287-4027491577-3040029667-1610 Enabled: True Last Logon: Never Name: HealthMailboxff1c61cd50724325bd1467262f3ab3f7 SID: S-1-5-21-1360995287-4027491577-3040029667-1611 Enabled: True Last Logon: Never Name: HealthMailbox476aa3607f714413bb95f561ccbef1c1 SID: S-1-5-21-1360995287-4027491577-3040029667-1152 Enabled: True Last Logon: Never Name: MONT-EM-NAA SID: S-1-5-21-1360995287-4027491577-3040029667-1154 Enabled: True Last Logon: Never Name: MONT-EM-SVRCP SID: S-1-5-21-1360995287-4027491577-3040029667-1155 Enabled: True Last Logon: Never Name: MONT-EM-WKSCP SID: S-1-5-21-1360995287-4027491577-3040029667-1156 Enabled: True Last Logon: Never Name: Perl, Alexandra M., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1160 Enabled: True Last Logon: 02/03/2025 10:53:32 [262 days] Name: Davis, Jason T., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1161 Enabled: True Last Logon: 01/28/2025 12:09:11 [268 days] Name: Long, Michael D., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1165 Enabled: True Last Logon: 08/18/2025 11:14:26 [66 days] Name: Arnold, Ryan W., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1172 Enabled: True Last Logon: 07/28/2025 00:23:29 [87 days] Name: Corachan, Steven, CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1173 Enabled: True Last Logon: 06/28/2025 15:04:47 [117 days] Name: user, test SID: S-1-5-21-1360995287-4027491577-3040029667-1230 Enabled: True Last Logon: 11/20/2024 15:06:00 [337 days] Name: Spain, Lance C., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1232 Enabled: True Last Logon: 04/25/2025 09:45:30 [181 days] Name: MSMEODUser SID: S-1-5-21-1360995287-4027491577-3040029667-1243 Enabled: True Last Logon: Never Name: User, Test C., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1245 Enabled: True Last Logon: 11/20/2024 15:17:52 [337 days] Name: Wright, Hayden V., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1248 Enabled: True Last Logon: 06/09/2025 18:13:25 [135 days] Name: Smith, Alexander D., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1249 Enabled: True Last Logon: 03/19/2025 13:41:00 [218 days] Name: Jones, Thomas L., Admin SID: S-1-5-21-1360995287-4027491577-3040029667-1250 Enabled: True Last Logon: Never Name: Jones, Thomas SID: S-1-5-21-1360995287-4027491577-3040029667-1251 Enabled: True Last Logon: Never Name: Sanders, James R., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1253 Enabled: True Last Logon: 06/04/2025 14:16:14 [141 days] Name: Muchuslky, Joey SID: S-1-5-21-1360995287-4027491577-3040029667-1254 Enabled: True Last Logon: 06/04/2025 14:15:29 [141 days] Name: Monks, Paul J., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1255 Enabled: True Last Logon: 08/01/2025 19:55:03 [82 days] Name: Hershock, Patricia SID: S-1-5-21-1360995287-4027491577-3040029667-1256 Enabled: True Last Logon: 06/20/2025 11:05:07 [125 days] Name: Simon, Anthony E., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1260 Enabled: True Last Logon: 08/30/2025 12:53:38 [54 days] Name: Smith, Josh A., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1645 Enabled: True Last Logon: Never Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 4F0BBD6955A59F27ED6785FAFC2242904D0B130A ~~~~~ Failed accounts: --------------------- Name: DOD_Admin SID: S-1-5-21-388225469-2825430915-2362864043-1000 Enabled: True Last Logon: 07/06/2023 06:02:53 [840 days] Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 091107231BDF2B3FD0B0E6F7E2EAB14E64D0DD9B ~~~~~ Failed accounts: --------------------- Name: DOD_Admin SID: S-1-5-21-3803552116-1809661109-1744339665-1000 Enabled: True Last Logon: 07/06/2023 06:02:49 [840 days] Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 94F81021CDE825A1A3D3D13E015DFD394B0EC37F ~~~~~ Ignored Accounts: --------------------- Name: X_Admin SID: S-1-5-21-4236012249-4164713760-2408648245-500 Enabled: True Last Logon: 05/12/2023 18:09:57 [894 days] No enabled accounts found that have not logged on within 35 days. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 864633688EF6E0F6669405CBD952738333EC0C8A ~~~~~ Ignored Accounts: --------------------- Name: X_Admin SID: S-1-5-21-2502410760-3344595884-382061215-500 Enabled: True Last Logon: 07/12/2023 16:38:51 [833 days] No enabled accounts found that have not logged on within 35 days. Comments |
|||||
Check Text
Open "Windows PowerShell". Domain Controllers: Enter "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. Member servers and standalone or nondomain-joined systems: Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) "([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { $user = ([ADSI]$_.Path) $lastLogin = $user.Properties.LastLogin.Value $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 if ($lastLogin -eq $null) { $lastLogin = 'Never' } Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). For example: User1 10/31/2015 5:49:56 AM True Review the list of accounts returned by the above queries to determine the finding validity for each account reported. Exclude the following accounts: - Built-in administrator account (Renamed, SID ending in 500) - Built-in guest account (Renamed, Disabled, SID ending in 501) - Built-in default account (Renamed, Disabled, SID ending in 503) - Application accounts If any enabled accounts have not been logged on to within the past 35 days, this is a finding. Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.
Fix Text
Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: 255E0BDD11AA634945AC3859AB2C801D998EC7B4 ~~~~~ Failed accounts: --------------------- Name: dod_admin SID: S-1-5-21-4163428051-2768110797-3591193048-1001 Enabled: True Password Expires: False Name: jtbegarek.iaadmin SID: S-1-5-21-4163428051-2768110797-3591193048-1024 Enabled: True Password Expires: False Name: Scan.Admin SID: S-1-5-21-4163428051-2768110797-3591193048-1016 Enabled: True Password Expires: False Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: A947E0D7F2C22454457CBDE851D5C0765A04775B ~~~~~ Failed accounts: --------------------- Name: dod_admin SID: S-1-5-21-4004422625-1934610219-1178763574-1001 Enabled: True Password Expires: False Name: jtbegarek.iaadmin SID: S-1-5-21-4004422625-1934610219-1178763574-1026 Enabled: True Password Expires: False Name: scan.admin SID: S-1-5-21-4004422625-1934610219-1178763574-1022 Enabled: True Password Expires: False Name: Thomas.L.Jones SID: S-1-5-21-4004422625-1934610219-1178763574-1020 Enabled: True Password Expires: False Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 0BE924075B715F960E7887792E08CB5AF764565D ~~~~~ Failed accounts: --------------------- Name: dod_admin SID: S-1-5-21-2586659569-2484290388-2027984285-1001 Enabled: True Password Expires: False Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: A4E59D05CF6C07665553DADEA818FA5C10C02969 ~~~~~ Failed accounts: --------------------- Name: dod_admin SID: S-1-5-21-3703204072-2228436765-3422267048-1001 Enabled: True Password Expires: False Comments |
|||||
Check Text
Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Users. Double-click each active account. If "Password never expires" is selected for any account, this is a finding.
Fix Text
Configure all passwords to expire. Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Users. Double-click each active account. Ensure "Password never expires" is not checked on all active accounts.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: AC0D171FAF15B3E83FED29B6E76237F554D99095 ~~~~~ Enabled local administrator accounts with a password older than 60 days: --------------------------- Account: AMPerl.IAAdmin SID: S-1-5-21-4163428051-2768110797-3591193048-1018 Enabled: True Password Last Set: 06/08/2023 23:58:46 (922 days ago) Account: dod_admin SID: S-1-5-21-4163428051-2768110797-3591193048-1001 Enabled: True Password Last Set: 01/27/2022 19:37:24 (1420 days ago) Account: jtbegarek.iaadmin SID: S-1-5-21-4163428051-2768110797-3591193048-1024 Enabled: True Password Last Set: 08/20/2025 14:40:01 (119 days ago) Account: Scan.Admin SID: S-1-5-21-4163428051-2768110797-3591193048-1016 Enabled: True Password Last Set: 03/05/2024 16:43:42 (652 days ago) Account: tljones.iaadmin SID: S-1-5-21-4163428051-2768110797-3591193048-1023 Enabled: True Password Last Set: 04/17/2025 19:19:53 (244 days ago) LAPS Configuration: --------------------------- Policy Name: Password Settings | Password Complexity Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordComplexity Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings | Password Length Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordLength Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings | PasswordAge (Days) Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordAgeDays Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: A274B6C9BF0D9AD4F7001AD178081F1387B781F3 ~~~~~ Enabled local administrator accounts with a password older than 60 days: --------------------------- Account: AMPerl.IAAdmin SID: S-1-5-21-4004422625-1934610219-1178763574-1021 Enabled: True Password Last Set: 08/13/2023 16:24:18 (857 days ago) Account: dod_admin SID: S-1-5-21-4004422625-1934610219-1178763574-1001 Enabled: True Password Last Set: 01/27/2022 19:37:24 (1420 days ago) Account: jtbegarek.iaadmin SID: S-1-5-21-4004422625-1934610219-1178763574-1026 Enabled: True Password Last Set: 08/20/2025 14:07:02 (119 days ago) Account: scan.admin SID: S-1-5-21-4004422625-1934610219-1178763574-1022 Enabled: True Password Last Set: 03/05/2024 16:39:13 (652 days ago) Account: tljones.iaadmin SID: S-1-5-21-4004422625-1934610219-1178763574-1024 Enabled: True Password Last Set: 08/08/2024 02:24:09 (496 days ago) LAPS Configuration: --------------------------- Policy Name: Password Settings | Password Complexity Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordComplexity Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings | Password Length Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordLength Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings | PasswordAge (Days) Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordAgeDays Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 8A0A1AAA89816304B9C0B250AA84277B68DB7534 ~~~~~ Enabled local administrator accounts with a password older than 60 days: --------------------------- Account: dod_admin SID: S-1-5-21-2586659569-2484290388-2027984285-1001 Enabled: True Password Last Set: 01/27/2022 19:47:48 (1364 days ago) LAPS Configuration: --------------------------- Policy Name: Password Settings | Password Complexity Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordComplexity Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings | Password Length Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordLength Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings | PasswordAge (Days) Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordAgeDays Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: C5C559038CF7763753A9CF7C4030B47AAC8FE4CB ~~~~~ Enabled local administrator accounts with a password older than 60 days: --------------------------- Account: dod_admin SID: S-1-5-21-3703204072-2228436765-3422267048-1001 Enabled: True Password Last Set: 01/27/2022 19:47:48 (1364 days ago) LAPS Configuration: --------------------------- Policy Name: Password Settings | Password Complexity Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordComplexity Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings | Password Length Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordLength Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings | PasswordAge (Days) Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordAgeDays Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Comments |
|||||
Check Text
If there are no enabled local Administrator accounts, this is Not Applicable. Review the password last set date for the enabled local Administrator account. On the standalone or domain-joined workstation: Open "PowerShell". Enter "Get-LocalUser -Name * | Select-Object *". If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding. Verify LAPS is configured and operational. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding. Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding.
Fix Text
Change the enabled local Administrator account password at least every 60 days. Windows LAPS must be used to change the built-in Administrator account password. Domain-joined systems can configure this to occur more frequently. LAPS will change the password every 30 days by default. More information is available at: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747 https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 ResultHash: 9DDB186572ED15640793DAEE033F73ADAAA60FCF ~~~~~ Installed Programs: Access, Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: msaccess.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: excel.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: outlook.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: powerpnt.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: winword.exe Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 ResultHash: 9DDB186572ED15640793DAEE033F73ADAAA60FCF ~~~~~ Installed Programs: Access, Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: msaccess.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: excel.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: outlook.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: powerpnt.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: winword.exe Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: FC94CFDB01489BB3DCBE54E95CC9BCDE68B30EF8 ~~~~~ Installed Programs: Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: excel.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: outlook.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: powerpnt.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: winword.exe (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: FC94CFDB01489BB3DCBE54E95CC9BCDE68B30EF8 ~~~~~ Installed Programs: Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: excel.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: outlook.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: powerpnt.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Value Name: winword.exe (Not found) Comments |
|||||
Check Text
Verify the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security >> Consistent Mime Handling is set to "Enabled" and the check box is selected for every installed Office program. Use the Windows Registry Editor to navigate to the following key: HKLM\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling If the value for all installed Office programs is set to is REG_DWORD=1, this is not a finding.
Fix Text
Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security "Consistent Mime Handling" to "Enabled" and select the check boxes for all installed Office programs.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 ResultHash: 4F2A67597F5495206BAE91A6C0B5B94BD2A9352E ~~~~~ Installed Programs: Access, Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: msaccess.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: excel.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: outlook.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: powerpnt.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: winword.exe Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 ResultHash: 4F2A67597F5495206BAE91A6C0B5B94BD2A9352E ~~~~~ Installed Programs: Access, Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: msaccess.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: excel.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: outlook.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: powerpnt.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: winword.exe Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: B346E2707A18C4CEAC7F7CC8F68FF239A9FFF94F ~~~~~ Installed Programs: Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: excel.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: outlook.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: powerpnt.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: winword.exe (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: B346E2707A18C4CEAC7F7CC8F68FF239A9FFF94F ~~~~~ Installed Programs: Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: excel.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: outlook.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: powerpnt.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Value Name: winword.exe (Not found) Comments |
|||||
Check Text
Verify the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security >> Information Bar is set to "Enabled" and the check box is selected for every installed Office program. Use the Windows Registry Editor to navigate to the following key: HKLM\software\microsoft\internet explorer\main\featurecontrol\feature_securityband If the value for all installed programs is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security >> Information Bar to "Enabled" and select the check boxes for all installed Office programs.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 ResultHash: 96CDC116ACA736DBD380B669AABB2561979B8AC4 ~~~~~ Installed Programs: Access, Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: msaccess.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: excel.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: outlook.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: powerpnt.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: winword.exe Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 ResultHash: 96CDC116ACA736DBD380B669AABB2561979B8AC4 ~~~~~ Installed Programs: Access, Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: msaccess.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: excel.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: outlook.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: powerpnt.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: winword.exe Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: 034BAD73C1935D5E39A3D9EED467087D11FA518A ~~~~~ Installed Programs: Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: excel.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: outlook.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: powerpnt.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: winword.exe (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: 034BAD73C1935D5E39A3D9EED467087D11FA518A ~~~~~ Installed Programs: Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: excel.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: outlook.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: powerpnt.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Value Name: winword.exe (Not found) Comments |
|||||
Check Text
Verify the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security >> Local Machine Zone Lockdown Security is set to "Enabled" and the check box is selected for every installed Office program. Use the Windows Registry Editor to navigate to the following key: HKLM\software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown If the value for all installed Office programs is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security >> Local Machine Zone Lockdown to "Enabled" and select the check boxes for all installed Office programs.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 ResultHash: B0007D250E40573F072AC78311ACB6CD5E94AC60 ~~~~~ Installed Programs: Access, Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: msaccess.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: excel.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: outlook.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: powerpnt.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: winword.exe Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 ResultHash: B0007D250E40573F072AC78311ACB6CD5E94AC60 ~~~~~ Installed Programs: Access, Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: msaccess.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: excel.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: outlook.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: powerpnt.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: winword.exe Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: CFCC40024D675A58F96279F54C4DA9512ACD98C5 ~~~~~ Installed Programs: Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: excel.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: outlook.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: powerpnt.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: winword.exe (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: CFCC40024D675A58F96279F54C4DA9512ACD98C5 ~~~~~ Installed Programs: Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: excel.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: outlook.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: powerpnt.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Value Name: winword.exe (Not found) Comments |
|||||
Check Text
Verify the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security >> Mime Sniffing Safety Feature is set to "Enabled" and the check box is selected for every installed Office program. Use the Windows Registry Editor to navigate to the following key: HKLM\software\microsoft\internet explorer\main\featurecontrol\feature_mime_sniffing If the value for all installed Office Programs is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security >> Mime Sniffing Safety Feature to "Enabled" for all installed Office programs.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 ResultHash: 9F013CA112A1AF3FF737F41658DE97D384A23B93 ~~~~~ Installed Programs: Access, Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: msaccess.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: excel.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: outlook.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: powerpnt.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: winword.exe Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 ResultHash: 9F013CA112A1AF3FF737F41658DE97D384A23B93 ~~~~~ Installed Programs: Access, Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: msaccess.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: excel.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: outlook.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: powerpnt.exe Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: winword.exe Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: FA0C41E4C183B574FB75BD7F0DAA29210C8FD9C1 ~~~~~ Installed Programs: Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: excel.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: outlook.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: powerpnt.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: winword.exe (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: FA0C41E4C183B574FB75BD7F0DAA29210C8FD9C1 ~~~~~ Installed Programs: Excel, Outlook, PowerPoint, Word Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: excel.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: outlook.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: powerpnt.exe (Not found) Registry Path: HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING Value Name: winword.exe (Not found) Comments |
|||||
Check Text
Verify the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security >> Object Caching Protection is set to "Enabled" and the check box is selected for every installed Office program. Use the Windows Registry Editor to navigate to the following key: HKLM\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching If the value for all installed programs is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security >> Object Caching Protection to "Enabled" and select the check boxes for all installed Office programs.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 48A820BC171F3156C77314E945A7A64A74F38DF5 ~~~~~ 'VBA macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 48A820BC171F3156C77314E945A7A64A74F38DF5 ~~~~~ 'VBA macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 48A820BC171F3156C77314E945A7A64A74F38DF5 ~~~~~ 'VBA macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 48A820BC171F3156C77314E945A7A64A74F38DF5 ~~~~~ 'VBA macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> "Macro Notification Settings" is set to "Enabled" and "Disable VBA macros except digitally signed macros" from the Options is selected. Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\excel\security If the value vbawarnings is REG_DWORD = 3, this is not a finding. A value of REG_DWORD = 4 is also acceptable. If the registry key does not exist or is not configured properly, this is a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> "Macro Notification Settings" is set to "Enabled" and select "Disable VBA macros except digitally signed macros" from the Options.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: D77698ED1B5C3707DA52B927D395C22DB9837D59 ~~~~~ 'File Block Settings 'Excel 95 workbooks'' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock Value Name: xl95workbooks Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: D77698ED1B5C3707DA52B927D395C22DB9837D59 ~~~~~ 'File Block Settings 'Excel 95 workbooks'' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock Value Name: xl95workbooks Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: D77698ED1B5C3707DA52B927D395C22DB9837D59 ~~~~~ 'File Block Settings 'Excel 95 workbooks'' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock Value Name: xl95workbooks Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: D77698ED1B5C3707DA52B927D395C22DB9837D59 ~~~~~ 'File Block Settings 'Excel 95 workbooks'' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock Value Name: xl95workbooks Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> File Block Settings >> Excel 95 workbooks is set to "Open/Save blocked, use open policy". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\security\fileblock If the value for xl95workbooks is REG_DWORD = 2, this is not a finding.
Fix Text
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> File Block Settings >> Excel 95 workbooks to "Open/Save blocked, use open policy".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 5EDA40DF7442F8EE58DD271634EBB6778E874824 ~~~~~ 'File Block Settings 'Excel 95-97 workbooks and templates'' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock Value Name: XL9597WorkbooksandTemplates Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 5EDA40DF7442F8EE58DD271634EBB6778E874824 ~~~~~ 'File Block Settings 'Excel 95-97 workbooks and templates'' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock Value Name: XL9597WorkbooksandTemplates Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 5EDA40DF7442F8EE58DD271634EBB6778E874824 ~~~~~ 'File Block Settings 'Excel 95-97 workbooks and templates'' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock Value Name: XL9597WorkbooksandTemplates Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 5EDA40DF7442F8EE58DD271634EBB6778E874824 ~~~~~ 'File Block Settings 'Excel 95-97 workbooks and templates'' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock Value Name: XL9597WorkbooksandTemplates Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> File Block Settings "Excel 95-97 workbooks and templates" is set to "Open/Save blocked, use open policy". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\office\16.0\excel\security\fileblock If the value XL9597WorkbooksandTemplates is REG_DWORD = 2, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> File Block Settings "Excel 95-97 workbooks and templates" to "Open/Save blocked, use open policy".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 695C01367D613236A11E98AF3F14EBE486C3A0E3 ~~~~~ 'VBA Macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 695C01367D613236A11E98AF3F14EBE486C3A0E3 ~~~~~ 'VBA Macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 695C01367D613236A11E98AF3F14EBE486C3A0E3 ~~~~~ 'VBA Macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 695C01367D613236A11E98AF3F14EBE486C3A0E3 ~~~~~ 'VBA Macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft PowerPoint 2016 >> PowerPoint Options >> Security >> Trust Center >> VBA Macro Notification Settings is set to "Enabled" "Disable all except digitally signed macros". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\powerpoint\security If the value for vbawarnings is REG_DWORD = 3 this is not a finding. A value of REG_DWORD = 4 is also acceptable. If the registry key does not exist or is not configured properly, this is a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft PowerPoint 2016 >> PowerPoint Options >> Security >> Trust Center >> VBA Macro Notification Settings to "Enabled" "Disable all except digitally signed macros".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 3E1FC09E630C472154972BE5932D3282C4DE9338 ~~~~~ 'Word 2000 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: Word2000Files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 3E1FC09E630C472154972BE5932D3282C4DE9338 ~~~~~ 'Word 2000 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: Word2000Files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 3E1FC09E630C472154972BE5932D3282C4DE9338 ~~~~~ 'Word 2000 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: Word2000Files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 3E1FC09E630C472154972BE5932D3282C4DE9338 ~~~~~ 'Word 2000 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: Word2000Files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word 2000 binary documents and templates" is set to "Enabled: Open/Save blocked, use open policy". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\word\security\fileblock If the value Word2000Files is REG_DWORD = 2, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word 2000 binary documents and templates" to "Enabled: Open/Save blocked, use open policy".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: BE33D318390B449985D2AA79FB456B94ED9E1FF6 ~~~~~ 'Word 95 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word95files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: BE33D318390B449985D2AA79FB456B94ED9E1FF6 ~~~~~ 'Word 95 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word95files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: BE33D318390B449985D2AA79FB456B94ED9E1FF6 ~~~~~ 'Word 95 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word95files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: BE33D318390B449985D2AA79FB456B94ED9E1FF6 ~~~~~ 'Word 95 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word95files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word 95 binary documents and templates" is set to "Enabled: Open/Save blocked, use open policy". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\word\security\fileblock If the value word95files is REG_DWORD = 2, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word 95 binary documents and templates" to "Enabled: Open/Save blocked, use open policy".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: E784D1DA5F97CBA1EE0BDA63B7D555DEAE2A907A ~~~~~ 'Word 97 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word97files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: E784D1DA5F97CBA1EE0BDA63B7D555DEAE2A907A ~~~~~ 'Word 97 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word97files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E784D1DA5F97CBA1EE0BDA63B7D555DEAE2A907A ~~~~~ 'Word 97 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word97files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: E784D1DA5F97CBA1EE0BDA63B7D555DEAE2A907A ~~~~~ 'Word 97 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word97files Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word 97 binary documents and templates" is set to "Enabled: Open/Save blocked, use open policy". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\word\security\fileblock If the value word97files is REG_DWORD = 2, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word 97 binary documents and templates" to "Enabled: Open/Save blocked, use open policy".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 80D92FA19465440D3073030D51C998AEF52B5FF7 ~~~~~ 'Word XP binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: wordxpfiles Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 80D92FA19465440D3073030D51C998AEF52B5FF7 ~~~~~ 'Word XP binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: wordxpfiles Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 80D92FA19465440D3073030D51C998AEF52B5FF7 ~~~~~ 'Word XP binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: wordxpfiles Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 80D92FA19465440D3073030D51C998AEF52B5FF7 ~~~~~ 'Word XP binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: wordxpfiles Value: 0x00000005 (5) [Expected 2] Type: REG_DWORD Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word XP binary documents and templates" is set to "Enabled: Open/Save blocked, use open policy". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\word\security\fileblock If the value wordxpfiles is REG_DWORD = 2, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word XP binary documents and templates" to "Enabled: Open/Save blocked, use open policy".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 1EC453ABE6D5138768991EAE2D9DFC645C0DCD2C ~~~~~ 'VBA macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 1EC453ABE6D5138768991EAE2D9DFC645C0DCD2C ~~~~~ 'VBA macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 1EC453ABE6D5138768991EAE2D9DFC645C0DCD2C ~~~~~ 'VBA macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 1EC453ABE6D5138768991EAE2D9DFC645C0DCD2C ~~~~~ 'VBA macro Notification Settings' is NOT Enabled: (Disable all except digitally signed macros) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security Value Name: vbawarnings Value: 0x00000002 (2) [Expected 3 or 4] Type: REG_DWORD Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Security >> Trust Center >> "VBA macro Notification Settings" is set to "Enabled" and "Disable all except digitally signed macros" from the Options. Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\word\security If the value vbawarnings is REG_DWORD = 3, this is not a finding. A value of REG_DWORD = 4 is also acceptable. If the registry key does not exist or is not configured properly, this is a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Security >> Trust Center >> "VBA macro Notification Settings" to "Enabled" and "Disable all except digitally signed macros" from the Options.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine if manually managed application/service accounts exist. If none exist, this is NA. If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. Identify manually managed application/service accounts. To determine the date a password was last changed: Domain controllers: Open "PowerShell". Enter "Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. If the "PasswordLastSet" date is more than one year old, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. If the "Password Last Set" date is more than one year old, this is a finding.
Fix Text
Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. It is recommended that system-managed service accounts be used whenever possible.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: 030095F2C704F9953395356EDF1505802B21545B ~~~~~ 'Generative AI' is NOT Enabled: (Do not allow Create Themes) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: CreateThemesSettings (Not found) Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: 030095F2C704F9953395356EDF1505802B21545B ~~~~~ 'Generative AI' is NOT Enabled: (Do not allow Create Themes) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: CreateThemesSettings (Not found) Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: 030095F2C704F9953395356EDF1505802B21545B ~~~~~ 'Generative AI' is NOT Enabled: (Do not allow Create Themes) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: CreateThemesSettings (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: 030095F2C704F9953395356EDF1505802B21545B ~~~~~ 'Generative AI' is NOT Enabled: (Do not allow Create Themes) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: CreateThemesSettings (Not found) Comments |
|||||
Check Text
Universal method: 1. In the omnibox (address bar) type "chrome:// policy". 2. If "CreateThemesSettings" is not displayed under the "Policy Name" column or it is not set to "2" under the "Policy Value" column, this is a finding. Windows method: 1. Start "regedit". 2. Navigate to "HKLM\Software\Policies\Google\Chrome\". 3. If the "CreateThemesSettings" value name does not exist or its value data is not set to "2", this is a finding.
Fix Text
Windows group policy: 1. Open the group policy editor tool with gpedit.msc. 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Generative AI Policy Name: Settings for Create Themes with AI Policy State: Enabled Policy Value: Do not allow Create Themes