USNS MONTFORD POINT - Findings

V-224926 CAT II Downloading print driver packages over HTTP must be prevente...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 32CBA225876D2C05F8801F707AB4140F0F48A7A7 ~~~~~ 'Turn off downloading of print drivers over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 32CBA225876D2C05F8801F707AB4140F0F48A7A7 ~~~~~ 'Turn off downloading of print drivers over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 32CBA225876D2C05F8801F707AB4140F0F48A7A7 ~~~~~ 'Turn off downloading of print drivers over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 32CBA225876D2C05F8801F707AB4140F0F48A7A7 ~~~~~ 'Turn off downloading of print drivers over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 32CBA225876D2C05F8801F707AB4140F0F48A7A7 ~~~~~ 'Turn off downloading of print drivers over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 32CBA225876D2C05F8801F707AB4140F0F48A7A7 ~~~~~ 'Turn off downloading of print drivers over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 32CBA225876D2C05F8801F707AB4140F0F48A7A7 ~~~~~ 'Turn off downloading of print drivers over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 32CBA225876D2C05F8801F707AB4140F0F48A7A7 ~~~~~ 'Turn off downloading of print drivers over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off downloading of print drivers over HTTP" to "Enabled".

V-224927 CAT II Printing over HTTP must be prevented.

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7B7637A41B7F21B0A1F1751BFA0D051BF866D05E ~~~~~ 'Turn off printing over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7B7637A41B7F21B0A1F1751BFA0D051BF866D05E ~~~~~ 'Turn off printing over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7B7637A41B7F21B0A1F1751BFA0D051BF866D05E ~~~~~ 'Turn off printing over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7B7637A41B7F21B0A1F1751BFA0D051BF866D05E ~~~~~ 'Turn off printing over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7B7637A41B7F21B0A1F1751BFA0D051BF866D05E ~~~~~ 'Turn off printing over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7B7637A41B7F21B0A1F1751BFA0D051BF866D05E ~~~~~ 'Turn off printing over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7B7637A41B7F21B0A1F1751BFA0D051BF866D05E ~~~~~ 'Turn off printing over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7B7637A41B7F21B0A1F1751BFA0D051BF866D05E ~~~~~ 'Turn off printing over HTTP' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off printing over HTTP" to "Enabled".

V-224928 CAT II The network selection user interface (UI) must not be displa...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1AE459ACF2E26EC676F7C66BD39065C48B525A12 ~~~~~ 'Do not display network selection UI' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1AE459ACF2E26EC676F7C66BD39065C48B525A12 ~~~~~ 'Do not display network selection UI' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1AE459ACF2E26EC676F7C66BD39065C48B525A12 ~~~~~ 'Do not display network selection UI' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1AE459ACF2E26EC676F7C66BD39065C48B525A12 ~~~~~ 'Do not display network selection UI' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1AE459ACF2E26EC676F7C66BD39065C48B525A12 ~~~~~ 'Do not display network selection UI' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1AE459ACF2E26EC676F7C66BD39065C48B525A12 ~~~~~ 'Do not display network selection UI' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1AE459ACF2E26EC676F7C66BD39065C48B525A12 ~~~~~ 'Do not display network selection UI' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1AE459ACF2E26EC676F7C66BD39065C48B525A12 ~~~~~ 'Do not display network selection UI' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: DontDisplayNetworkSelectionUI Value Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Do not display network selection UI" to "Enabled".

V-224929 CAT II Users must be prompted to authenticate when the system wakes...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1A590DAB7AE78E231C4BA125C070F448CA2B09D0 ~~~~~ 'Require a password when a computer wakes (on battery)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1A590DAB7AE78E231C4BA125C070F448CA2B09D0 ~~~~~ 'Require a password when a computer wakes (on battery)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1A590DAB7AE78E231C4BA125C070F448CA2B09D0 ~~~~~ 'Require a password when a computer wakes (on battery)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1A590DAB7AE78E231C4BA125C070F448CA2B09D0 ~~~~~ 'Require a password when a computer wakes (on battery)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1A590DAB7AE78E231C4BA125C070F448CA2B09D0 ~~~~~ 'Require a password when a computer wakes (on battery)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1A590DAB7AE78E231C4BA125C070F448CA2B09D0 ~~~~~ 'Require a password when a computer wakes (on battery)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1A590DAB7AE78E231C4BA125C070F448CA2B09D0 ~~~~~ 'Require a password when a computer wakes (on battery)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1A590DAB7AE78E231C4BA125C070F448CA2B09D0 ~~~~~ 'Require a password when a computer wakes (on battery)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (on battery)" to "Enabled".

V-224930 CAT II Users must be prompted to authenticate when the system wakes...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 78DC59725D3EA066501F07139D729AA0ED751AC4 ~~~~~ 'Require a password when a computer wakes (plugged in)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 78DC59725D3EA066501F07139D729AA0ED751AC4 ~~~~~ 'Require a password when a computer wakes (plugged in)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 78DC59725D3EA066501F07139D729AA0ED751AC4 ~~~~~ 'Require a password when a computer wakes (plugged in)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 78DC59725D3EA066501F07139D729AA0ED751AC4 ~~~~~ 'Require a password when a computer wakes (plugged in)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 78DC59725D3EA066501F07139D729AA0ED751AC4 ~~~~~ 'Require a password when a computer wakes (plugged in)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 78DC59725D3EA066501F07139D729AA0ED751AC4 ~~~~~ 'Require a password when a computer wakes (plugged in)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 78DC59725D3EA066501F07139D729AA0ED751AC4 ~~~~~ 'Require a password when a computer wakes (plugged in)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 78DC59725D3EA066501F07139D729AA0ED751AC4 ~~~~~ 'Require a password when a computer wakes (plugged in)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (plugged in)" to "Enabled".

V-224935 CAT II Administrator accounts must not be enumerated during elevati...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7E4F6B9D764BEC43054FB933A76FD46CEFEA5B6C ~~~~~ 'Enumerate administrator accounts on elevation' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI Value Name: EnumerateAdministrators Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7E4F6B9D764BEC43054FB933A76FD46CEFEA5B6C ~~~~~ 'Enumerate administrator accounts on elevation' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI Value Name: EnumerateAdministrators Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7E4F6B9D764BEC43054FB933A76FD46CEFEA5B6C ~~~~~ 'Enumerate administrator accounts on elevation' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI Value Name: EnumerateAdministrators Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7E4F6B9D764BEC43054FB933A76FD46CEFEA5B6C ~~~~~ 'Enumerate administrator accounts on elevation' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI Value Name: EnumerateAdministrators Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7E4F6B9D764BEC43054FB933A76FD46CEFEA5B6C ~~~~~ 'Enumerate administrator accounts on elevation' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI Value Name: EnumerateAdministrators Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7E4F6B9D764BEC43054FB933A76FD46CEFEA5B6C ~~~~~ 'Enumerate administrator accounts on elevation' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI Value Name: EnumerateAdministrators Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7E4F6B9D764BEC43054FB933A76FD46CEFEA5B6C ~~~~~ 'Enumerate administrator accounts on elevation' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI Value Name: EnumerateAdministrators Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7E4F6B9D764BEC43054FB933A76FD46CEFEA5B6C ~~~~~ 'Enumerate administrator accounts on elevation' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI Value Name: EnumerateAdministrators Value: 0x00000000 (0) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ Value Name: EnumerateAdministrators Type: REG_DWORD Value: 0x00000000 (0)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled".

V-224936 CAT II Windows Telemetry must be configured to Security or Basic.

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BB3C889EF4AEF35C8EA7E0C87BAB72541A23135 ~~~~~ 'Allow Telemetry' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BB3C889EF4AEF35C8EA7E0C87BAB72541A23135 ~~~~~ 'Allow Telemetry' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BB3C889EF4AEF35C8EA7E0C87BAB72541A23135 ~~~~~ 'Allow Telemetry' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BB3C889EF4AEF35C8EA7E0C87BAB72541A23135 ~~~~~ 'Allow Telemetry' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BB3C889EF4AEF35C8EA7E0C87BAB72541A23135 ~~~~~ 'Allow Telemetry' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BB3C889EF4AEF35C8EA7E0C87BAB72541A23135 ~~~~~ 'Allow Telemetry' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BB3C889EF4AEF35C8EA7E0C87BAB72541A23135 ~~~~~ 'Allow Telemetry' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BB3C889EF4AEF35C8EA7E0C87BAB72541A23135 ~~~~~ 'Allow Telemetry' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\ Value Name: AllowTelemetry Type: REG_DWORD Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Data Collection and Preview Builds>> "Allow Telemetry" to "Enabled" with "0 - Security [Enterprise Only]" or "1 - Basic" selected in "Options".

V-224937 CAT II The Application event log size must be configured to 32768 K...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5D0915FC2A9906852D04841C613A85AAD0AFAD4 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5D0915FC2A9906852D04841C613A85AAD0AFAD4 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5D0915FC2A9906852D04841C613A85AAD0AFAD4 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5D0915FC2A9906852D04841C613A85AAD0AFAD4 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5D0915FC2A9906852D04841C613A85AAD0AFAD4 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5D0915FC2A9906852D04841C613A85AAD0AFAD4 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5D0915FC2A9906852D04841C613A85AAD0AFAD4 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E5D0915FC2A9906852D04841C613A85AAD0AFAD4 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments

Check Text

If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ Value Name: MaxSize Type: REG_DWORD Value: 0x00008000 (32768) (or greater)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.

V-224938 CAT II The Security event log size must be configured to 196608 KB ...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 202CE7E8F7DCFC453AA44AAEF3A9AB99C44A256F ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Value: 0x00030000 (196608) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 202CE7E8F7DCFC453AA44AAEF3A9AB99C44A256F ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Value: 0x00030000 (196608) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 202CE7E8F7DCFC453AA44AAEF3A9AB99C44A256F ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Value: 0x00030000 (196608) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 202CE7E8F7DCFC453AA44AAEF3A9AB99C44A256F ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Value: 0x00030000 (196608) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 202CE7E8F7DCFC453AA44AAEF3A9AB99C44A256F ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Value: 0x00030000 (196608) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 202CE7E8F7DCFC453AA44AAEF3A9AB99C44A256F ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Value: 0x00030000 (196608) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 202CE7E8F7DCFC453AA44AAEF3A9AB99C44A256F ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Value: 0x00030000 (196608) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 202CE7E8F7DCFC453AA44AAEF3A9AB99C44A256F ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Value: 0x00030000 (196608) Type: REG_DWORD Comments

Check Text

If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ Value Name: MaxSize Type: REG_DWORD Value: 0x00030000 (196608) (or greater)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "196608" or greater.

V-224939 CAT II The System event log size must be configured to 32768 KB or ...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 80DFF18057B3C208B441E0E6B593D20FFF279705 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 80DFF18057B3C208B441E0E6B593D20FFF279705 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 80DFF18057B3C208B441E0E6B593D20FFF279705 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 80DFF18057B3C208B441E0E6B593D20FFF279705 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 80DFF18057B3C208B441E0E6B593D20FFF279705 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 80DFF18057B3C208B441E0E6B593D20FFF279705 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 80DFF18057B3C208B441E0E6B593D20FFF279705 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 80DFF18057B3C208B441E0E6B593D20FFF279705 ~~~~~ 'Specify the maximum log file size (KB)' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Value: 0x00008000 (32768) Type: REG_DWORD Comments

Check Text

If the system is configured to write events directly to an audit server, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ Value Name: MaxSize Type: REG_DWORD Value: 0x00008000 (32768) (or greater)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.

V-224941 CAT II Explorer Data Execution Prevention must be enabled.

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E447D367B5E5B65CAE0FEED0C3F69469094AFC32 ~~~~~ 'Turn off Data Execution Prevention for Explorer' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention (Not found) Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E447D367B5E5B65CAE0FEED0C3F69469094AFC32 ~~~~~ 'Turn off Data Execution Prevention for Explorer' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention (Not found) Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E447D367B5E5B65CAE0FEED0C3F69469094AFC32 ~~~~~ 'Turn off Data Execution Prevention for Explorer' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention (Not found) Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E447D367B5E5B65CAE0FEED0C3F69469094AFC32 ~~~~~ 'Turn off Data Execution Prevention for Explorer' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention (Not found) Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E447D367B5E5B65CAE0FEED0C3F69469094AFC32 ~~~~~ 'Turn off Data Execution Prevention for Explorer' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention (Not found) Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E447D367B5E5B65CAE0FEED0C3F69469094AFC32 ~~~~~ 'Turn off Data Execution Prevention for Explorer' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention (Not found) Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E447D367B5E5B65CAE0FEED0C3F69469094AFC32 ~~~~~ 'Turn off Data Execution Prevention for Explorer' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention (Not found) Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E447D367B5E5B65CAE0FEED0C3F69469094AFC32 ~~~~~ 'Turn off Data Execution Prevention for Explorer' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention (Not found) Comments

Check Text

The default behavior is for Data Execution Prevention to be turned on for File Explorer. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)

Fix Text

The default behavior is for data execution prevention to be turned on for File Explorer. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off Data Execution Prevention for Explorer" to "Not Configured" or "Disabled".

V-224943 CAT II File Explorer shell protocol must run in protected mode.

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D218036D12DF5DA18FEFB8A43B3C3EC6179035F ~~~~~ 'Turn off shell protocol protected mode' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior (Not found) Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D218036D12DF5DA18FEFB8A43B3C3EC6179035F ~~~~~ 'Turn off shell protocol protected mode' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior (Not found) Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D218036D12DF5DA18FEFB8A43B3C3EC6179035F ~~~~~ 'Turn off shell protocol protected mode' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior (Not found) Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D218036D12DF5DA18FEFB8A43B3C3EC6179035F ~~~~~ 'Turn off shell protocol protected mode' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior (Not found) Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D218036D12DF5DA18FEFB8A43B3C3EC6179035F ~~~~~ 'Turn off shell protocol protected mode' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior (Not found) Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D218036D12DF5DA18FEFB8A43B3C3EC6179035F ~~~~~ 'Turn off shell protocol protected mode' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior (Not found) Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D218036D12DF5DA18FEFB8A43B3C3EC6179035F ~~~~~ 'Turn off shell protocol protected mode' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior (Not found) Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4D218036D12DF5DA18FEFB8A43B3C3EC6179035F ~~~~~ 'Turn off shell protocol protected mode' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior (Not found) Comments

Check Text

The default behavior is for shell protected mode to be turned on for File Explorer. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)

Fix Text

The default behavior is for shell protected mode to be turned on for File Explorer. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled".

V-224944 CAT II Passwords must not be saved in the Remote Desktop Client.

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8A6F308A68898593F9FAE33E2F2B747F8F8D3C67 ~~~~~ 'Do not allow passwords to be saved' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8A6F308A68898593F9FAE33E2F2B747F8F8D3C67 ~~~~~ 'Do not allow passwords to be saved' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8A6F308A68898593F9FAE33E2F2B747F8F8D3C67 ~~~~~ 'Do not allow passwords to be saved' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8A6F308A68898593F9FAE33E2F2B747F8F8D3C67 ~~~~~ 'Do not allow passwords to be saved' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8A6F308A68898593F9FAE33E2F2B747F8F8D3C67 ~~~~~ 'Do not allow passwords to be saved' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8A6F308A68898593F9FAE33E2F2B747F8F8D3C67 ~~~~~ 'Do not allow passwords to be saved' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8A6F308A68898593F9FAE33E2F2B747F8F8D3C67 ~~~~~ 'Do not allow passwords to be saved' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8A6F308A68898593F9FAE33E2F2B747F8F8D3C67 ~~~~~ 'Do not allow passwords to be saved' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> "Do not allow passwords to be saved" to "Enabled".

V-224945 CAT II Local drives must be prevented from sharing with Remote Desk...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B60AF67D4B1D9F699B75CA09365CD481E215BDB7 ~~~~~ 'Do not allow drive redirection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B60AF67D4B1D9F699B75CA09365CD481E215BDB7 ~~~~~ 'Do not allow drive redirection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B60AF67D4B1D9F699B75CA09365CD481E215BDB7 ~~~~~ 'Do not allow drive redirection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B60AF67D4B1D9F699B75CA09365CD481E215BDB7 ~~~~~ 'Do not allow drive redirection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B60AF67D4B1D9F699B75CA09365CD481E215BDB7 ~~~~~ 'Do not allow drive redirection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B60AF67D4B1D9F699B75CA09365CD481E215BDB7 ~~~~~ 'Do not allow drive redirection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B60AF67D4B1D9F699B75CA09365CD481E215BDB7 ~~~~~ 'Do not allow drive redirection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B60AF67D4B1D9F699B75CA09365CD481E215BDB7 ~~~~~ 'Do not allow drive redirection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> "Do not allow drive redirection" to "Enabled".

V-224946 CAT II Remote Desktop Services must always prompt a client for pass...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0116030C4DA6A19D0E24E009C368077FB935D0E1 ~~~~~ 'Always prompt for password upon connection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0116030C4DA6A19D0E24E009C368077FB935D0E1 ~~~~~ 'Always prompt for password upon connection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0116030C4DA6A19D0E24E009C368077FB935D0E1 ~~~~~ 'Always prompt for password upon connection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0116030C4DA6A19D0E24E009C368077FB935D0E1 ~~~~~ 'Always prompt for password upon connection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0116030C4DA6A19D0E24E009C368077FB935D0E1 ~~~~~ 'Always prompt for password upon connection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0116030C4DA6A19D0E24E009C368077FB935D0E1 ~~~~~ 'Always prompt for password upon connection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0116030C4DA6A19D0E24E009C368077FB935D0E1 ~~~~~ 'Always prompt for password upon connection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0116030C4DA6A19D0E24E009C368077FB935D0E1 ~~~~~ 'Always prompt for password upon connection' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Always prompt for password upon connection" to "Enabled".

V-224947 CAT II The Remote Desktop Session Host must require secure Remote P...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D92475D9562B764F7346D35A421DD406D94DCD75 ~~~~~ 'Require secure RPC communication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D92475D9562B764F7346D35A421DD406D94DCD75 ~~~~~ 'Require secure RPC communication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D92475D9562B764F7346D35A421DD406D94DCD75 ~~~~~ 'Require secure RPC communication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D92475D9562B764F7346D35A421DD406D94DCD75 ~~~~~ 'Require secure RPC communication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D92475D9562B764F7346D35A421DD406D94DCD75 ~~~~~ 'Require secure RPC communication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D92475D9562B764F7346D35A421DD406D94DCD75 ~~~~~ 'Require secure RPC communication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D92475D9562B764F7346D35A421DD406D94DCD75 ~~~~~ 'Require secure RPC communication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D92475D9562B764F7346D35A421DD406D94DCD75 ~~~~~ 'Require secure RPC communication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Require secure RPC communication" to "Enabled".

V-224948 CAT II Remote Desktop Services must be configured with the client c...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9BB0D90CD86171E36FA3CD54874EC7BFE2008BEA ~~~~~ 'Set client connection encryption level' is Enabled with 'High Level' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Value: 0x00000003 (3) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9BB0D90CD86171E36FA3CD54874EC7BFE2008BEA ~~~~~ 'Set client connection encryption level' is Enabled with 'High Level' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Value: 0x00000003 (3) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9BB0D90CD86171E36FA3CD54874EC7BFE2008BEA ~~~~~ 'Set client connection encryption level' is Enabled with 'High Level' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Value: 0x00000003 (3) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9BB0D90CD86171E36FA3CD54874EC7BFE2008BEA ~~~~~ 'Set client connection encryption level' is Enabled with 'High Level' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Value: 0x00000003 (3) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9BB0D90CD86171E36FA3CD54874EC7BFE2008BEA ~~~~~ 'Set client connection encryption level' is Enabled with 'High Level' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Value: 0x00000003 (3) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9BB0D90CD86171E36FA3CD54874EC7BFE2008BEA ~~~~~ 'Set client connection encryption level' is Enabled with 'High Level' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Value: 0x00000003 (3) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9BB0D90CD86171E36FA3CD54874EC7BFE2008BEA ~~~~~ 'Set client connection encryption level' is Enabled with 'High Level' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Value: 0x00000003 (3) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9BB0D90CD86171E36FA3CD54874EC7BFE2008BEA ~~~~~ 'Set client connection encryption level' is Enabled with 'High Level' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Value: 0x00000003 (3) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Type: REG_DWORD Value: 0x00000003 (3)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Set client connection encryption level" to "Enabled" with "High Level" selected.

V-224949 CAT II Attachments must be prevented from being downloaded from RSS...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0FA3BC5EFAAA7A686C34DDAE591C63015D264CF2 ~~~~~ 'Prevent downloading of enclosures' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0FA3BC5EFAAA7A686C34DDAE591C63015D264CF2 ~~~~~ 'Prevent downloading of enclosures' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0FA3BC5EFAAA7A686C34DDAE591C63015D264CF2 ~~~~~ 'Prevent downloading of enclosures' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0FA3BC5EFAAA7A686C34DDAE591C63015D264CF2 ~~~~~ 'Prevent downloading of enclosures' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0FA3BC5EFAAA7A686C34DDAE591C63015D264CF2 ~~~~~ 'Prevent downloading of enclosures' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0FA3BC5EFAAA7A686C34DDAE591C63015D264CF2 ~~~~~ 'Prevent downloading of enclosures' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0FA3BC5EFAAA7A686C34DDAE591C63015D264CF2 ~~~~~ 'Prevent downloading of enclosures' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 0FA3BC5EFAAA7A686C34DDAE591C63015D264CF2 ~~~~~ 'Prevent downloading of enclosures' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Prevent downloading of enclosures" to "Enabled".

V-224951 CAT II Basic authentication for RSS feeds over HTTP must not be use...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CD8B608EBC12FB1B70BA56A5ADAEA232E75BC4B5 ~~~~~ 'Turn on Basic feed authentication over HTTP' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear (Not found) Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CD8B608EBC12FB1B70BA56A5ADAEA232E75BC4B5 ~~~~~ 'Turn on Basic feed authentication over HTTP' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear (Not found) Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CD8B608EBC12FB1B70BA56A5ADAEA232E75BC4B5 ~~~~~ 'Turn on Basic feed authentication over HTTP' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear (Not found) Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CD8B608EBC12FB1B70BA56A5ADAEA232E75BC4B5 ~~~~~ 'Turn on Basic feed authentication over HTTP' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear (Not found) Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CD8B608EBC12FB1B70BA56A5ADAEA232E75BC4B5 ~~~~~ 'Turn on Basic feed authentication over HTTP' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear (Not found) Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CD8B608EBC12FB1B70BA56A5ADAEA232E75BC4B5 ~~~~~ 'Turn on Basic feed authentication over HTTP' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear (Not found) Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CD8B608EBC12FB1B70BA56A5ADAEA232E75BC4B5 ~~~~~ 'Turn on Basic feed authentication over HTTP' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear (Not found) Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: CD8B608EBC12FB1B70BA56A5ADAEA232E75BC4B5 ~~~~~ 'Turn on Basic feed authentication over HTTP' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear (Not found) Comments

Check Text

The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: AllowBasicAuthInClear Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)

Fix Text

The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Turn on Basic feed authentication over HTTP" to "Not Configured" or "Disabled".

V-224952 CAT II Indexing of encrypted files must be turned off.

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 90894DA38F8EC2761B825073AE30CB6514CE3091 ~~~~~ 'Allow indexing of encrypted files' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 90894DA38F8EC2761B825073AE30CB6514CE3091 ~~~~~ 'Allow indexing of encrypted files' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 90894DA38F8EC2761B825073AE30CB6514CE3091 ~~~~~ 'Allow indexing of encrypted files' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 90894DA38F8EC2761B825073AE30CB6514CE3091 ~~~~~ 'Allow indexing of encrypted files' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 90894DA38F8EC2761B825073AE30CB6514CE3091 ~~~~~ 'Allow indexing of encrypted files' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 90894DA38F8EC2761B825073AE30CB6514CE3091 ~~~~~ 'Allow indexing of encrypted files' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 90894DA38F8EC2761B825073AE30CB6514CE3091 ~~~~~ 'Allow indexing of encrypted files' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 90894DA38F8EC2761B825073AE30CB6514CE3091 ~~~~~ 'Allow indexing of encrypted files' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value: 0x00000000 (0) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Value Type: REG_DWORD Value: 0x00000000 (0)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> "Allow indexing of encrypted files" to "Disabled".

V-224953 CAT II Users must be prevented from changing installation options.

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BBBA6D48AAA246FAB71C6A830B701F777624C085 ~~~~~ 'Allow user control over installs' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BBBA6D48AAA246FAB71C6A830B701F777624C085 ~~~~~ 'Allow user control over installs' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BBBA6D48AAA246FAB71C6A830B701F777624C085 ~~~~~ 'Allow user control over installs' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BBBA6D48AAA246FAB71C6A830B701F777624C085 ~~~~~ 'Allow user control over installs' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BBBA6D48AAA246FAB71C6A830B701F777624C085 ~~~~~ 'Allow user control over installs' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BBBA6D48AAA246FAB71C6A830B701F777624C085 ~~~~~ 'Allow user control over installs' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BBBA6D48AAA246FAB71C6A830B701F777624C085 ~~~~~ 'Allow user control over installs' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BBBA6D48AAA246FAB71C6A830B701F777624C085 ~~~~~ 'Allow user control over installs' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Value: 0x00000000 (0) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Type: REG_DWORD Value: 0x00000000 (0)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Allow user control over installs" to "Disabled".

V-224955 CAT II Users must be notified if a web-based program attempts to in...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2C22446713CC1F2BA35C8809C947EAA2AA51710 ~~~~~ 'Prevent Internet Explorer security prompt for Windows Installer scripts' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting (Not found) Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2C22446713CC1F2BA35C8809C947EAA2AA51710 ~~~~~ 'Prevent Internet Explorer security prompt for Windows Installer scripts' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting (Not found) Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2C22446713CC1F2BA35C8809C947EAA2AA51710 ~~~~~ 'Prevent Internet Explorer security prompt for Windows Installer scripts' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting (Not found) Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2C22446713CC1F2BA35C8809C947EAA2AA51710 ~~~~~ 'Prevent Internet Explorer security prompt for Windows Installer scripts' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting (Not found) Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2C22446713CC1F2BA35C8809C947EAA2AA51710 ~~~~~ 'Prevent Internet Explorer security prompt for Windows Installer scripts' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting (Not found) Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2C22446713CC1F2BA35C8809C947EAA2AA51710 ~~~~~ 'Prevent Internet Explorer security prompt for Windows Installer scripts' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting (Not found) Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2C22446713CC1F2BA35C8809C947EAA2AA51710 ~~~~~ 'Prevent Internet Explorer security prompt for Windows Installer scripts' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting (Not found) Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2C22446713CC1F2BA35C8809C947EAA2AA51710 ~~~~~ 'Prevent Internet Explorer security prompt for Windows Installer scripts' is Not Configured in Group Policy which is acceptable per the STIG. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting (Not found) Comments

Check Text

The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. If the registry value name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)

Fix Text

The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Not Configured" or "Disabled".

V-224956 CAT II Automatically signing in the last interactive user after a s...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 218FBFEB0FDC27DE759F73E5D5DA97E040455853 ~~~~~ 'Sign-in last interactive user automatically after a system-initiated restart' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 218FBFEB0FDC27DE759F73E5D5DA97E040455853 ~~~~~ 'Sign-in last interactive user automatically after a system-initiated restart' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 218FBFEB0FDC27DE759F73E5D5DA97E040455853 ~~~~~ 'Sign-in last interactive user automatically after a system-initiated restart' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 218FBFEB0FDC27DE759F73E5D5DA97E040455853 ~~~~~ 'Sign-in last interactive user automatically after a system-initiated restart' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 218FBFEB0FDC27DE759F73E5D5DA97E040455853 ~~~~~ 'Sign-in last interactive user automatically after a system-initiated restart' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 218FBFEB0FDC27DE759F73E5D5DA97E040455853 ~~~~~ 'Sign-in last interactive user automatically after a system-initiated restart' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 218FBFEB0FDC27DE759F73E5D5DA97E040455853 ~~~~~ 'Sign-in last interactive user automatically after a system-initiated restart' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 218FBFEB0FDC27DE759F73E5D5DA97E040455853 ~~~~~ 'Sign-in last interactive user automatically after a system-initiated restart' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableAutomaticRestartSignOn Value Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled".

V-224957 CAT II PowerShell script block logging must be enabled.

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8077ADB516152411C7CDFF49D6CBB9D72C0C9EA8 ~~~~~ 'Turn on PowerShell Script Block Logging' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8077ADB516152411C7CDFF49D6CBB9D72C0C9EA8 ~~~~~ 'Turn on PowerShell Script Block Logging' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8077ADB516152411C7CDFF49D6CBB9D72C0C9EA8 ~~~~~ 'Turn on PowerShell Script Block Logging' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8077ADB516152411C7CDFF49D6CBB9D72C0C9EA8 ~~~~~ 'Turn on PowerShell Script Block Logging' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8077ADB516152411C7CDFF49D6CBB9D72C0C9EA8 ~~~~~ 'Turn on PowerShell Script Block Logging' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8077ADB516152411C7CDFF49D6CBB9D72C0C9EA8 ~~~~~ 'Turn on PowerShell Script Block Logging' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8077ADB516152411C7CDFF49D6CBB9D72C0C9EA8 ~~~~~ 'Turn on PowerShell Script Block Logging' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8077ADB516152411C7CDFF49D6CBB9D72C0C9EA8 ~~~~~ 'Turn on PowerShell Script Block Logging' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ Value Name: EnableScriptBlockLogging Value Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled".

V-224959 CAT II The Windows Remote Management (WinRM) client must not allow ...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 263B3F3ADEFEEB444D7DB7C6A09E407E73BBA08C ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 263B3F3ADEFEEB444D7DB7C6A09E407E73BBA08C ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 263B3F3ADEFEEB444D7DB7C6A09E407E73BBA08C ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 263B3F3ADEFEEB444D7DB7C6A09E407E73BBA08C ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 263B3F3ADEFEEB444D7DB7C6A09E407E73BBA08C ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 263B3F3ADEFEEB444D7DB7C6A09E407E73BBA08C ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 263B3F3ADEFEEB444D7DB7C6A09E407E73BBA08C ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 263B3F3ADEFEEB444D7DB7C6A09E407E73BBA08C ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowUnencryptedTraffic Type: REG_DWORD Value: 0x00000000 (0)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow unencrypted traffic" to "Disabled".

V-224960 CAT II The Windows Remote Management (WinRM) client must not use Di...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BEC0AEE0C273F63E101B2083185E0AEF60BA726 ~~~~~ 'Disallow Digest authentication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BEC0AEE0C273F63E101B2083185E0AEF60BA726 ~~~~~ 'Disallow Digest authentication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BEC0AEE0C273F63E101B2083185E0AEF60BA726 ~~~~~ 'Disallow Digest authentication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BEC0AEE0C273F63E101B2083185E0AEF60BA726 ~~~~~ 'Disallow Digest authentication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BEC0AEE0C273F63E101B2083185E0AEF60BA726 ~~~~~ 'Disallow Digest authentication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BEC0AEE0C273F63E101B2083185E0AEF60BA726 ~~~~~ 'Disallow Digest authentication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BEC0AEE0C273F63E101B2083185E0AEF60BA726 ~~~~~ 'Disallow Digest authentication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2BEC0AEE0C273F63E101B2083185E0AEF60BA726 ~~~~~ 'Disallow Digest authentication' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Value: 0x00000000 (0) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowDigest Type: REG_DWORD Value: 0x00000000 (0)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Disallow Digest authentication" to "Enabled".

V-224962 CAT II The Windows Remote Management (WinRM) service must not allow...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 357A463A54C8BD409FB2CBE12890A8584E4AF139 ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 357A463A54C8BD409FB2CBE12890A8584E4AF139 ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 357A463A54C8BD409FB2CBE12890A8584E4AF139 ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 357A463A54C8BD409FB2CBE12890A8584E4AF139 ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 357A463A54C8BD409FB2CBE12890A8584E4AF139 ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 357A463A54C8BD409FB2CBE12890A8584E4AF139 ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 357A463A54C8BD409FB2CBE12890A8584E4AF139 ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 357A463A54C8BD409FB2CBE12890A8584E4AF139 ~~~~~ 'Allow unencrypted traffic' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Value: 0x00000000 (0) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowUnencryptedTraffic Type: REG_DWORD Value: 0x00000000 (0)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow unencrypted traffic" to "Disabled".

V-224963 CAT II The Windows Remote Management (WinRM) service must not store...

8 assets 8 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7EB2124D3D256F0132552100281506BAD4398825 ~~~~~ 'Disallow WinRM from storing RunAs credentials' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7EB2124D3D256F0132552100281506BAD4398825 ~~~~~ 'Disallow WinRM from storing RunAs credentials' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7EB2124D3D256F0132552100281506BAD4398825 ~~~~~ 'Disallow WinRM from storing RunAs credentials' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7EB2124D3D256F0132552100281506BAD4398825 ~~~~~ 'Disallow WinRM from storing RunAs credentials' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7EB2124D3D256F0132552100281506BAD4398825 ~~~~~ 'Disallow WinRM from storing RunAs credentials' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7EB2124D3D256F0132552100281506BAD4398825 ~~~~~ 'Disallow WinRM from storing RunAs credentials' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7EB2124D3D256F0132552100281506BAD4398825 ~~~~~ 'Disallow WinRM from storing RunAs credentials' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7EB2124D3D256F0132552100281506BAD4398825 ~~~~~ 'Disallow WinRM from storing RunAs credentials' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Value: 0x00000001 (1) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: DisableRunAs Type: REG_DWORD Value: 0x00000001 (1)

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Disallow WinRM from storing RunAs credentials" to "Enabled".

V-224965 CAT II Kerberos user logon restrictions must be enforced.

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC0DD1172DDB62545189A23C183E1B9AAA6B3B45 ~~~~~ 'Enforce user logon restrictions' is Enabled GPO Path: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy Value Name: TicketValidateClient Value: True Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding.

Fix Text

Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled".

V-224966 CAT II The Kerberos service ticket maximum lifetime must be limited...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D520F2178328249628ED4ADAF1D900C51527D89C ~~~~~ 'Maximum lifetime for service ticket' is Configured GPO Path: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy Value Name: MaxServiceAge Value: 600 Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the value for "Maximum lifetime for service ticket" is "0" or greater than "600" minutes, this is a finding.

Fix Text

Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for service ticket" to a maximum of "600" minutes, but not "0", which equates to "Ticket doesn't expire".

V-224967 CAT II The Kerberos user ticket lifetime must be limited to 10 hour...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 45DD0D563EE35E12DB6C8570E08C7D4C8036E0F7 ~~~~~ 'Maximum lifetime for user ticket' is Configured GPO Path: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy Value Name: MaxTicketAge Value: 10 Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the value for "Maximum lifetime for user ticket" is "0" or greater than "10" hours, this is a finding.

Fix Text

Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket" to a maximum of "10" hours but not "0", which equates to "Ticket doesn't expire".

V-224968 CAT II The Kerberos policy user ticket renewal maximum lifetime mus...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F1A5AAD3C90C7844E8740DA2287C4BDAEADAE4E4 ~~~~~ 'Maximum lifetime for user ticket renewal' is Configured GPO Path: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy Value Name: MaxRenewAge Value: 7 Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Maximum lifetime for user ticket renewal" is greater than "7" days, this is a finding.

Fix Text

Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket renewal" to a maximum of "7" days or less.

V-224969 CAT II The computer clock synchronization tolerance must be limited...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D6FECCCB6DF2C36DE9FC8887E0D33696937057EF ~~~~~ 'Maximum tolerance for computer clock synchronization' is Configured GPO Path: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy Value Name: MaxClockSkew Value: 5 Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Maximum tolerance for computer clock synchronization" is greater than "5" minutes, this is a finding.

Fix Text

Configure the policy value in the Default Domain Policy for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum tolerance for computer clock synchronization" to a maximum of "5" minutes or less.

V-224975 CAT II Data files owned by users must be on a different logical par...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 38220628467C34D44A83106502D1AB33FFC4BF3D ~~~~~ Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry Value: E:\Database\ntds.dit Only system-created shares exist on this system. Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Run "Regedit". Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". Note the directory locations in the values for "DSA Database file". Open "Command Prompt". Enter "net share". Note the logical drive(s) or file system partition for any organization-created data shares. Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored. If user shares are located on the same logical partition as the directory server data files, this is a finding.

Fix Text

Move shares used to store files owned by users to a different logical partition than the directory server data files.

V-224977 CAT II Separate, NSA-approved (Type 1) cryptography must be used to...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details No details recorded. Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Review the organization network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. Determine the classification level of the Windows domain controller. If the classification level of the Windows domain controller is higher than the level of the networks, review the organization network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.

Fix Text

Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data.

V-224980 CAT II Active Directory Group Policy objects must be configured wit...

8 assets Documented Pending Review Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8D32877A8D5F1013203836ACB5293727D0EF11E5 ~~~~~ GPO Name: AR21 - Edge FIX FEB2022 GPO GUID: 003a4b00-8a6c-4430-82c7-eb242f312734 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Internet Explorer 11 V1R19 - User GPO GUID: 009ff87d-d932-441b-a2f6-3ba585dc8949 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Domain User Pol Adds 04-22 GPO GUID: 0ab94efd-80cb-4182-8be0-4d5c77808fad --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Microsoft Edge v1r1 Computer GPO GUID: 0df1b468-68c7-4e60-bd66-971fbbabb95a --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: DotNet4 Fix 04-22 GPO GUID: 114ae059-841b-429a-aa8a-cea9346c4aa4 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - BitLocker Backup to Active Directory GPO GUID: 13cf8084-13ec-427b-9cab-f3243723b027 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: V-236000 Preview pane 02-22 GPO GUID: 18de13be-ce1c-4e53-9612-e440386ed806 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Microsoft Office 2016 - Outlook V2R1 User GPO GUID: 1adacc11-67f9-42e9-be04-f32b3799dcc6 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Firefox 04-22 GPO GUID: 202579c9-9c90-480b-a706-cd206212448b --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Server Event Log Backup GPO GUID: 211d022b-3225-4167-99e4-0c48f09f6567 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Adobe Reader DC Continuous V1R2 User GPO GUID: 2401b4fb-1b36-42a9-84c3-4340dc2e7502 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Microsoft Office 2016 - PowerPoint V1R1 User GPO GUID: 27a66feb-16c8-4d31-85c6-38bd47c8fd20 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Server Event Logs GPO GUID: 2e1d00fc-0115-4b8b-8c28-f17f7cc47ed4 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Default Domain Policy GPO GUID: 31b2f340-016d-11d2-945f-00c04fb984f9 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows 10 FIX FEB2022 GPO GUID: 330cdbf2-c03b-4b9c-b9ec-b6b872dde8db --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Disable Sleep/Hibernate GPO GUID: 35d3d931-a7dc-4b8b-9be0-a67cfbd6268d --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Adobe Add-In Removal GPO GUID: 3a0de786-3214-4547-b689-920a1783dd34 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Support Users Drive Mapping GPO GUID: 3c0b7467-8063-47b4-844e-2b1db72234f6 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Internet Explorer 11 V1R19 - Computer GPO GUID: 3c3c67e4-a139-4561-af7b-d5ac7cae2ad1 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Google Chrome FIX FEB2022 GPO GUID: 4077a504-b830-4b59-868a-35847b93e9c6 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR 2.1 - LAPS Configuration Policy GPO GUID: 446e9640-684e-4528-a16f-a72f31b95b67 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Google Chrome V2R1 - Computer GPO GUID: 466a3169-b8b0-4e46-bc61-6ca031284f5e --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: V-2244896 V-224897 Audits 02-22 GPO GUID: 5101821e-891e-495e-ad1b-05150a0fb41c --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Mozilla Firefox FIX FEB2022 GPO GUID: 5464ea36-f45c-4be0-89e6-a0043741fa96 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Map CAC GPO GUID: 54f949d4-864c-40fc-9756-59a367edaf66 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Disable print spooler inbound GPO GUID: 57995639-3cc1-481e-871d-b60d68b54f2a --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - OneNote and OneDrive STIGs GPO GUID: 57db8f1d-cf8e-45dd-afb2-4747c1fa02e8 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Add Server Admins to Local Administrators GPO GUID: 59e937c0-585e-4d7a-b2bc-17f943583d35 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Microsoft Office 2016 - Office System V1R1 Computer GPO GUID: 5ad817c7-2bbb-40fa-b6ce-ad8ac845a998 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: User Pol 4 Exchange 5-22 GPO GUID: 5ce6ea3f-55a6-49f0-bf68-18a8bcc32bfb --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows 10 v2r1 Computer GPO GUID: 633bf66a-4f82-4562-a78f-eefa83686f95 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Default Domain Controllers Policy GPO GUID: 6ac1786c-016f-11d2-945f-00c04fb984f9 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Axway Enterprise Configuration GPO GUID: 6c45f92c-56f0-46e4-a921-2ffbdc92a92a --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows 10 v2r1 User GPO GUID: 6f85b0d1-36d3-491e-91c4-c6ba3cef6d91 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Adobe Disable FIPS GPO GUID: 6faf5e3a-caf7-4ac5-a9b3-201db0ca8011 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Adobe Reader DC Continuous protected view MAR2022 GPO GUID: 73fb4c08-5e4e-4613-9c92-a1935473c0b8 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Microsoft Office 2016 - Word V1R1 User GPO GUID: 795e8ed2-6ce5-4658-a2c3-d52595e7c6e3 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Microsoft Office 2016 - Office System V1R1 User GPO GUID: 7cf27d8d-3025-453a-a598-1c52df19feba --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Adobe Reader DC Continuous V1R2 Computer GPO GUID: 80340fc8-26a3-4c92-a327-dea83f1ed6d6 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows Server 2016 V2R1 - DC - Computer GPO GUID: 816b5f36-4efa-4a32-82c0-a88cf0cecbf3 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - RBAC GPO GUID: 88602f3d-3a9f-4447-934a-2dde7e6ac06d --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Axway Configuration GPO GUID: 9a2e7ffb-86b0-4c62-bfc8-6e7ac786a1ed --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: V-224921 Hardened UNC 02-22 GPO GUID: 9f2930fd-254e-4f1b-ae4d-722bb9f35b41 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: DoD Adobe Acrobat Pro DC Continuous STIG Computer V1R2 GPO GUID: a1c7ddff-5f74-49b9-9ac2-f92d1735189a --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Drive Mapping GPO GUID: a5fcab78-2b37-4b84-8487-bcd275a129a6 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: DoD Adobe Acrobat Pro DC Continuous STIG User V1R2 GPO GUID: a97a2258-64f7-43c8-a1f4-cfaa5eea748a --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Workstation Admins - Add Local GPO GUID: a9ec0f9b-d4f9-46ec-921d-9172267d8c09 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Deny log in FIX MAR2022 GPO GUID: a9f4d156-1c9e-42d0-8e7b-78b559953f05 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Outlook 2016 FIX FEB2022 GPO GUID: b89f8bf2-9285-408f-9827-30714a8bf255 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows 10 V1R22 - Users GPO GUID: bc42462a-8dc6-4693-b2eb-bd7152273354 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR2.1-Disable SmartScreen GPO CRQ#200000 GPO GUID: bdcf3db0-ed6b-4cfd-a3de-a0ee39cff553 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows Server 2016 V2R1 - MS - User GPO GUID: c09f48fa-c03a-4fb2-b5bc-bda9e3d15eba --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Time Service 5-22 GPO GUID: c692edd4-18d1-4698-afe9-226c60ef20d2 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - KDC Smart Card Fix CRQ195530 GPO GUID: c7c1449f-8ad7-4901-967d-fe3d50593ca1 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Event Logs 5-22 GPO GUID: ccbb3d99-e1c0-472c-a67a-61d8470c1d01 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Firefox 4-22A GPO GUID: d67e0f1c-6313-4a2e-bfaf-35bf893763ac --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Member Server Admins - Add Local GPO GUID: d8bbfb6f-ae1c-4cac-acbc-098d77e707c8 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows Server 2016 V2R2 - MS - Computer GPO GUID: e3110a28-cdd2-4091-b703-e3947ffe804f --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - PDC Timeservers 5-22 GPO GUID: e3cfb6e6-c5f0-4eae-9dc7-8d02431cf0ed --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows 10 V1R22 - Computer GPO GUID: e430bd69-f153-4db6-b566-ddfab9967afd --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows Server 2016 V2R1 - DC - User GPO GUID: ef7dc0bc-3268-41c3-9181-f6c56fd27f6a --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Microsoft Office 2016 - Excel V1R2 User GPO GUID: f17fdb9c-2ad0-47f0-a5eb-6693e16651a5 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: IE11 STIG V2R1 4-22 GPO GUID: ff4cf530-57bd-4651-8020-451cf511bf99 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Exchange usr rights 5-22 GPO GUID: ffa4f8e2-fa9a-4162-99c7-1439aae19de0 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Review the auditing configuration for all Group Policy objects. Open "Group Policy Management" (available from various menus or run "gpmc.msc"). Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). For each Group Policy object: Select the Group Policy object item in the left pane. Select the "Delegation" tab in the right pane. Select the "Advanced" button. Select the "Advanced" button again and then the "Auditing" tab. If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding. Type - Fail Principal - Everyone Access - Full Control Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Type - Success Principal - Everyone Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) Inherited from - Parent Object Applies to - Descendant groupPolicyContainer objects Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) Inherited from - Parent Object Applies to - Descendant Organization Unit Objects

Fix Text

Configure the audit settings for Group Policy objects to include the following. This can be done at the Policy level in Active Directory to apply to all group policies. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" from the "View" Menu. Navigate to [Domain] >> System >> Policies in the left panel. Right click "Policies", select "Properties". Select the "Security" tab. Select the "Advanced" button. Select the "Auditing" tab. Type - Fail Principal - Everyone Access - Full Control Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Type - Success Principal - Everyone Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) Inherited from - Parent Object Applies to - Descendant groupPolicyContainer objects Two instances with the following summary information will be listed. Type - Success Principal - Everyone Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) Inherited from - Parent Object Applies to - Descendant Organization Unit Objects

V-224986 CAT II Windows Server 2016 must be configured to audit Account Mana...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 487FF87B531F4E9922E9FE848EB2A4160CECFDD1 ~~~~~ Computer Account Management: Success Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. Account Management >> Computer Account Management - Success

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Computer Account Management" with "Success" selected.

V-224987 CAT II Windows Server 2016 must be configured to audit DS Access - ...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9725973125A3C25628DD865C4D342CFE535BB8C1 ~~~~~ Directory Service Access: Success and Failure Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. DS Access >> Directory Service Access - Success

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Access" with "Success" selected.

V-224988 CAT II Windows Server 2016 must be configured to audit DS Access - ...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9725973125A3C25628DD865C4D342CFE535BB8C1 ~~~~~ Directory Service Access: Success and Failure Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. DS Access >> Directory Service Access - Failure

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Access" with "Failure" selected.

V-224989 CAT II Windows Server 2016 must be configured to audit DS Access - ...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8B318287B116BD5C0FC915358050BCD94D36E770 ~~~~~ Directory Service Changes: Success and Failure Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). Enter "AuditPol /get /category:*". Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. DS Access >> Directory Service Changes - Success

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Changes" with "Success" selected.

V-224991 CAT II Domain controllers must have a PKI server certificate.

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8386EA2E5A2C0D012755A6C9F7B6F39D61D29F2F ~~~~~ Certificates found at 'Cert:\LocalMachine\My' FriendlyName : MONT-DC-003.MONTFORD-POINT.navy.mil IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName Subject : CN=MONT-DC-003.MONTFORD-POINT.navy.mil, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane and click the "Add >" button. Select "Computer Account" and click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". Click "OK". Select and expand the Certificates (Local Computer) entry in the left pane. Select and expand the Personal entry in the left pane. Select the Certificates entry in the left pane. If no certificate for the domain controller exists in the right pane, this is a finding.

Fix Text

Obtain a server certificate for the domain controller.

V-224996 CAT II Domain controllers must be configured to allow reset of mach...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9FE3732F0EFFFE6240DFD23D6396F5FA0FADC80C ~~~~~ 'Domain controller: Refuse machine account password changes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RefusePasswordChange Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RefusePasswordChange Value Type: REG_DWORD Value: 0x00000000 (0)

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: Refuse machine account password changes" to "Disabled".

V-224999 CAT II The Allow log on through Remote Desktop Services user right ...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1858769144B79710BECCDD1B260E058E76B738E9 ~~~~~ Allow log on through Remote Desktop Services: BUILTIN\Administrators Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers, it is NA for other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeRemoteInteractiveLogonRight" user right, this is a finding. S-1-5-32-544 (Administrators)

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on through Remote Desktop Services" to include only the following accounts or groups: - Administrators

V-225000 CAT II The Deny access to this computer from the network user right...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8968392459B797835F9CDB0E84E61A2D858F67D2 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding. - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the "SeDenyNetworkLogonRight" user right, this is a finding. S-1-5-32-546 (Guests)

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following: - Guests Group

V-225001 CAT II The Deny log on as a batch job user right on domain controll...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E719DE9AE81DFE3B722F6884328A5AF9192E5A68 ~~~~~ Deny log on as a batch job: BUILTIN\Guests Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding. - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SID(s) are not defined for the "SeDenyBatchLogonRight" user right, this is a finding. S-1-5-32-546 (Guests)

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following: - Guests Group

V-225002 CAT II The Deny log on as a service user right must be configured t...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 853C0CE81C1C24F05FBE2ADC24FBC18BB9DC2A41 ~~~~~ Deny log on as a service: No objects assigned to this right. Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeDenyServiceLogonRight" user right, this is a finding.

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include no entries (blank).

V-225003 CAT II The Deny log on locally user right on domain controllers mus...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding. - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SID(s) are not defined for the "SeDenyInteractiveLogonRight" user right, this is a finding. S-1-5-32-546 (Guests)

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following: - Guests Group

V-225004 CAT II The Deny log on through Remote Desktop Services user right o...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9710F86B1963CAAA2C9429B687B5B8F0CFCE9509 ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding. - Guests Group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SID(s) are not defined for the "SeDenyRemoteInteractiveLogonRight" user right, this is a finding. S-1-5-32-546 (Guests)

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: - Guests Group

V-225005 CAT II The Enable computer and user accounts to be trusted for dele...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2C86C8ECDE6B5E7D84AFECB650DBB5A26158126B ~~~~~ Enable computer and user accounts to be trusted for delegation: BUILTIN\Administrators Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeEnableDelegationPrivilege" user right, this is a finding. S-1-5-32-544 (Administrators)

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to include only the following accounts or groups: - Administrators

V-225006 CAT II The password for the krbtgt account on a domain must be rese...

8 assets 1 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A1B26E1C537A3E85A12A28DA9FDE737C46F6408D ~~~~~ Name: krbtgt SID: S-1-5-21-1360995287-4027491577-3040029667-502 PasswordLastSet: 10/16/2025 18:22:14 (6 days) Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This requirement is applicable to domain controllers; it is NA for other systems. Open "Windows PowerShell". Enter "Get-ADUser krbtgt -Property PasswordLastSet". If the "PasswordLastSet" date is more than 180 days old, this is a finding.

Fix Text

Reset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. PowerShell scripts are available to accomplish this such as at the following link: https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Users" node. Right click on the krbtgt account and select "Reset password". Enter a password that meets password complexity requirements. Clear the "User must change password at next logon" check box. The system will automatically change this to a system generated complex password.

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments