| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: 0315F4406C97D117822450C5FD984BFED7773393 ~~~~~ 'Settings for DevTools Generative AI Features' is NOT Enabled: (Do not allow DevTools Generative AI Features) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: DevToolsGenAiSettings (Not found) Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: 0315F4406C97D117822450C5FD984BFED7773393 ~~~~~ 'Settings for DevTools Generative AI Features' is NOT Enabled: (Do not allow DevTools Generative AI Features) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: DevToolsGenAiSettings (Not found) Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: 0315F4406C97D117822450C5FD984BFED7773393 ~~~~~ 'Settings for DevTools Generative AI Features' is NOT Enabled: (Do not allow DevTools Generative AI Features) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: DevToolsGenAiSettings (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: 0315F4406C97D117822450C5FD984BFED7773393 ~~~~~ 'Settings for DevTools Generative AI Features' is NOT Enabled: (Do not allow DevTools Generative AI Features) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: DevToolsGenAiSettings (Not found) Comments |
|||||
Check Text
Universal method: 1. In the omnibox (address bar) type "chrome:// policy". 2. If "DevToolsGenAiSettings" is not displayed under the "Policy Name" column or it is not set to "2" under the "Policy Value" column, this is a finding. Windows method: 1. Start "regedit". 2. Navigate to "HKLM\Software\Policies\Google\Chrome\". 3. If the "DevToolsGenAiSettings" value name does not exist or its value data is not set to "2", this is a finding.
Fix Text
Windows group policy: 1. Open the group policy editor tool with gpedit.msc. 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Generative AI Policy Name: Settings for DevTools Generative AI Features Policy State: Enabled Policy Value: Do not allow DevTools Generative AI Features
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: AB0429249D5824A95A4B689E7D91D5A20E45FB61 ~~~~~ 'Settings for GenAI local foundational model' is NOT Enabled: (Do not download model) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: GenAILocalFoundationalModelSettings (Not found) Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: AB0429249D5824A95A4B689E7D91D5A20E45FB61 ~~~~~ 'Settings for GenAI local foundational model' is NOT Enabled: (Do not download model) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: GenAILocalFoundationalModelSettings (Not found) Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: AB0429249D5824A95A4B689E7D91D5A20E45FB61 ~~~~~ 'Settings for GenAI local foundational model' is NOT Enabled: (Do not download model) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: GenAILocalFoundationalModelSettings (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: AB0429249D5824A95A4B689E7D91D5A20E45FB61 ~~~~~ 'Settings for GenAI local foundational model' is NOT Enabled: (Do not download model) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: GenAILocalFoundationalModelSettings (Not found) Comments |
|||||
Check Text
Universal method: 1. In the omnibox (address bar) type "chrome:// policy". 2. If "GenAILocalFoundationalModelSettings" is not displayed under the "Policy Name" column or it is not set to "1" under the "Policy Value" column, this is a finding. Windows method: 1. Start "regedit". 2. Navigate to "HKLM\Software\Policies\Google\Chrome\". 3. If the "GenAILocalFoundationalModelSettings" value name does not exist or its value data is not set to "1", this is a finding.
Fix Text
Windows group policy: 1. Open the group policy editor tool with gpedit.msc. 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Generative AI Policy Name: Settings for GenAI local foundational model Policy State: Enabled Policy Value: Do not download model
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: 6FBF401494667F427807D389332943ACAEC62015 ~~~~~ 'Settings forSettings for Help Me Write' is NOT Enabled: (Do not allow Help Me Write) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: HelpMeWriteSettings (Not found) Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: 6FBF401494667F427807D389332943ACAEC62015 ~~~~~ 'Settings forSettings for Help Me Write' is NOT Enabled: (Do not allow Help Me Write) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: HelpMeWriteSettings (Not found) Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: 6FBF401494667F427807D389332943ACAEC62015 ~~~~~ 'Settings forSettings for Help Me Write' is NOT Enabled: (Do not allow Help Me Write) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: HelpMeWriteSettings (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: 6FBF401494667F427807D389332943ACAEC62015 ~~~~~ 'Settings forSettings for Help Me Write' is NOT Enabled: (Do not allow Help Me Write) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: HelpMeWriteSettings (Not found) Comments |
|||||
Check Text
Universal method: 1. In the omnibox (address bar) type "chrome:// policy". 2. If "HelpMeWriteSettings" is not displayed under the "Policy Name" column or it is not set to "2" under the "Policy Value" column, this is a finding. Windows method: 1. Start "regedit". 2. Navigate to "HKLM\Software\Policies\Google\Chrome\". 3. If the "HelpMeWriteSettings" value name does not exist or its value data is not set to "2", this is a finding.
Fix Text
Windows group policy: 1. Open the group policy editor tool with gpedit.msc. 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Generative AI Policy Name: Settings forSettings for Help Me Write Policy State: Enabled Policy Value: Do not allow Help Me Write
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: 82159A5C7B7BBE8553740194834F08EFBC052DBF ~~~~~ 'Settings for AI-powered History Search' is NOT Enabled: (Do not allow AI History Search) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: HistorySearchSettings (Not found) Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: 82159A5C7B7BBE8553740194834F08EFBC052DBF ~~~~~ 'Settings for AI-powered History Search' is NOT Enabled: (Do not allow AI History Search) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: HistorySearchSettings (Not found) Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: 82159A5C7B7BBE8553740194834F08EFBC052DBF ~~~~~ 'Settings for AI-powered History Search' is NOT Enabled: (Do not allow AI History Search) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: HistorySearchSettings (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: 82159A5C7B7BBE8553740194834F08EFBC052DBF ~~~~~ 'Settings for AI-powered History Search' is NOT Enabled: (Do not allow AI History Search) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: HistorySearchSettings (Not found) Comments |
|||||
Check Text
Universal method: 1. In the omnibox (address bar) type "chrome:// policy". 2. If "HistorySearchSettings" is not displayed under the "Policy Name" column or it is not set to "2" under the "Policy Value" column, this is a finding. Windows method: 1. Start "regedit". 2. Navigate to "HKLM\Software\Policies\Google\Chrome\". 3. If the "HistorySearchSettings" value name does not exist or its value data is not set to "2", this is a finding.
Fix Text
Windows group policy: 1. Open the group policy editor tool with gpedit.msc. 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Generative AI Policy Name: Settings for AI-powered History Search Policy State: Enabled Policy Value: Do not allow AI History Search
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: 622EB36F17F9B80BD6A6F35FE7118CC514DB5D40 ~~~~~ 'Tab Compare settings' is NOT Enabled: (Do not allow Tab Compare) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: TabCompareSettings (Not found) Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be OPEN on 12/17/2025 ResultHash: 622EB36F17F9B80BD6A6F35FE7118CC514DB5D40 ~~~~~ 'Tab Compare settings' is NOT Enabled: (Do not allow Tab Compare) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: TabCompareSettings (Not found) Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: 622EB36F17F9B80BD6A6F35FE7118CC514DB5D40 ~~~~~ 'Tab Compare settings' is NOT Enabled: (Do not allow Tab Compare) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: TabCompareSettings (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: 622EB36F17F9B80BD6A6F35FE7118CC514DB5D40 ~~~~~ 'Tab Compare settings' is NOT Enabled: (Do not allow Tab Compare) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: TabCompareSettings (Not found) Comments |
|||||
Check Text
Universal method: 1. In the omnibox (address bar) type "chrome:// policy". 2. If "TabCompareSettings" is not displayed under the "Policy Name" column or it is not set to "2" under the "Policy Value" column, this is a finding. Windows method: 1. Start "regedit". 2. Navigate to "HKLM\Software\Policies\Google\Chrome\". 3. If the "TabCompareSettings" value name does not exist or its value data is not set to "2", this is a finding.
Fix Text
Windows group policy: 1. Open the group policy editor tool with gpedit.msc. 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Generative AI Policy Name: Tab Compare settings Policy State: Enabled Policy Value: Do not allow Tab Compare
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-AdobeReaderDCContinuous_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 0953BC0DDDE64D9D7383C59DA5A8B777988C2D35 ~~~~~ 'Enable FIPS' is NOT Enabled Registry Path: HKCU:\SOFTWARE\Adobe\Acrobat Reader\DC\AVGeneral Value Name: bFIPSMode (Not found) Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-AdobeReaderDCContinuous_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 0953BC0DDDE64D9D7383C59DA5A8B777988C2D35 ~~~~~ 'Enable FIPS' is NOT Enabled Registry Path: HKCU:\SOFTWARE\Adobe\Acrobat Reader\DC\AVGeneral Value Name: bFIPSMode (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-AdobeReaderDCContinuous_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 0953BC0DDDE64D9D7383C59DA5A8B777988C2D35 ~~~~~ 'Enable FIPS' is NOT Enabled Registry Path: HKCU:\SOFTWARE\Adobe\Acrobat Reader\DC\AVGeneral Value Name: bFIPSMode (Not found) Comments |
|||||
Check Text
Verify the following registry configuration: Note: The Key Names "bFIPSMode" is not created by default in the Adobe Reader DC install and must be created. Utilizing the Registry Editor, navigate to the following: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral Value Name: bFIPSMode Type: REG_DWORD Value: 1 If the value for bFIPSMode is not set to “1” and Type configured to REG_DWORD does not exist, then this is a finding.
Fix Text
Configure the following registry value: Note: The Key Names "bFIPSMode" is not created by default in the Adobe Reader DC install and must be created. Registry Hive: HKEY_CURRENT_USER Registry Path: \Software\Adobe\Acrobat Reader\DC\AVGeneral Value Name: bFIPSMode Type: REG_DWORD Value: 1
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 0B44ED3D6039C1A0BDB60FE41477857D9DAB447E ~~~~~ 'File' is the only option selected. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Exchange Back End ResultHash: 0B44ED3D6039C1A0BDB60FE41477857D9DAB447E ~~~~~ 'File' is the only option selected. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 0B44ED3D6039C1A0BDB60FE41477857D9DAB447E ~~~~~ 'File' is the only option selected. Comments |
|||||
Check Text
Note: If this server is hosting WSUS, this requirement is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Click the "Logging" icon. Under Log Event Destination, verify the "Both log file and ETW event" radio button is selected. If the "Both log file and ETW event" radio button is not selected, this is a finding. Note: "Microsoft-IIS-Logging/logs" must be enabled prior to configuring this setting. More configuration information is available at: https://blogs.intelink.gov/blogs/_disairrt/?p=1317
Fix Text
Note: "Microsoft-IIS-Logging/logs" must be enabled prior to configuring this setting. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Click the "Logging" icon. Under Log Event Destination, select the "Both log file and ETW event" radio button. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 7599E6F84AF0FE02631E378C3BDEFF3AC6CE19D6 ~~~~~ Log format is 'W3C' The 'Request Header >> Connection' custom field is NOT configured. The 'Request Header >> Warning' custom field is NOT configured. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Exchange Back End ResultHash: 7599E6F84AF0FE02631E378C3BDEFF3AC6CE19D6 ~~~~~ Log format is 'W3C' The 'Request Header >> Connection' custom field is NOT configured. The 'Request Header >> Warning' custom field is NOT configured. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 7599E6F84AF0FE02631E378C3BDEFF3AC6CE19D6 ~~~~~ Log format is 'W3C' The 'Request Header >> Connection' custom field is NOT configured. The 'Request Header >> Warning' custom field is NOT configured. Comments |
|||||
Check Text
Note: If this server is hosting WSUS, this requirement is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Select the website being reviewed. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Custom Fields", verify the following fields are selected: Request Header >> Connection Request Header >> Warning If any of the above fields are not selected, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Select the website being reviewed. Under "IIS", double-click the "Logging" icon. Configure the "Format:" under "Log File" to "W3C". Select "Fields". Under "Custom Fields", select the following fields: Request Header >> Connection Request Header >> Warning Click "OK". Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: C3C26BB04CA1EEAB0A14FFB0A603274C530242F3 ~~~~~ Log format is 'W3C' User Agent, User Name, and Referrer are all logged. The 'Request Header >> Authorization' custom field is NOT configured. The 'Response Header >> Content-Type' custom field is NOT configured. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Exchange Back End ResultHash: C3C26BB04CA1EEAB0A14FFB0A603274C530242F3 ~~~~~ Log format is 'W3C' User Agent, User Name, and Referrer are all logged. The 'Request Header >> Authorization' custom field is NOT configured. The 'Response Header >> Content-Type' custom field is NOT configured. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: C3C26BB04CA1EEAB0A14FFB0A603274C530242F3 ~~~~~ Log format is 'W3C' User Agent, User Name, and Referrer are all logged. The 'Request Header >> Authorization' custom field is NOT configured. The 'Response Header >> Content-Type' custom field is NOT configured. Comments |
|||||
Check Text
Note: If this server is hosting WSUS, this requirement is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 web server IIS 10.0 Manager. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Standard Fields", verify "User Agent", "User Name", and "Referrer" are selected. Under "Custom Fields", verify the following fields have been configured: Request Header >> Authorization Response Header >> Content-Type If any of the above fields are not selected, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 web server IIS 10.0 Manager. Select the website being reviewed. Under "IIS", double-click the "Logging" icon. Configure the "Format:" under "Log File" to "W3C". Select "Fields". Under "Standard Fields", select "User Agent", "User Name", and "Referrer". Under "Custom Fields", select the following fields: Request Header >> Authorization Response Header >> Content-Type Click "OK". Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 655AA1250F9F447877A75E551AC19473E3E576A5 ~~~~~ WSUS Hosted: False The following invalid MIME types for OS shell program extensions are configured: .exe .dll .csh Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Exchange Back End ResultHash: 655AA1250F9F447877A75E551AC19473E3E576A5 ~~~~~ WSUS Hosted: False The following invalid MIME types for OS shell program extensions are configured: .exe .dll .csh Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 655AA1250F9F447877A75E551AC19473E3E576A5 ~~~~~ WSUS Hosted: False The following invalid MIME types for OS shell program extensions are configured: .exe .dll .csh Comments |
|||||
Check Text
Note: If the server is hosting WSUS, this is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click on the IIS 10.0 site. Under IIS, double-click the “MIME Types” icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: .exe .dll .com .bat .csh If any OS shell MIME types are configured, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click on the IIS 10.0 site. Under IIS, double-click the “MIME Types” icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", remove MIME types for OS shell program extensions, to include at a minimum, the following extensions: .exe .dll .com .bat .csh Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: 964A425E614B45D739FF9628D93B9C7268F1E643 ~~~~~ Access Policy: Read,Script Enabled Handler Mappings: ----------------------------------- Name: TRACEVerbHandler Path: * State: Enabled PathType: Unspecified Handler: ProtocolSupportModule ReqAccess: None Name: OPTIONSVerbHandler Path: * State: Enabled PathType: Unspecified Handler: ProtocolSupportModule ReqAccess: None Name: StaticFile Path: * State: Enabled PathType: File or Folder Handler: StaticFileModule,DefaultDocumentModule,DirectoryListingModule ReqAccess: Read Disabled Handler Mappings: ----------------------------------- Name: ISAPI-dll Path: *.dll State: Disabled PathType: File Handler: IsapiModule ReqAccess: Execute Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Exchange Back End ResultHash: 8356F37642CEDEB903ECD7759F6B764F91491675 ~~~~~ Access Policy: Read,Script Enabled Handler Mappings: ----------------------------------- Name: xamlx-ISAPI-4.0_64bit Path: *.xamlx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: xamlx-ISAPI-4.0_32bit Path: *.xamlx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: xamlx-Integrated-4.0 Path: *.xamlx State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: rules-ISAPI-4.0_64bit Path: *.rules State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: rules-ISAPI-4.0_32bit Path: *.rules State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: rules-Integrated-4.0 Path: *.rules State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: xoml-ISAPI-4.0_64bit Path: *.xoml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: xoml-ISAPI-4.0_32bit Path: *.xoml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: xoml-Integrated-4.0 Path: *.xoml State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: svc-ISAPI-4.0_64bit Path: *.svc State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: svc-ISAPI-4.0_32bit Path: *.svc State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: svc-Integrated-4.0 Path: *.svc State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: AXD-ISAPI-4.0_64bit Path: *.axd State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: PageHandlerFactory-ISAPI-4.0_64bit Path: *.aspx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: SimpleHandlerFactory-ISAPI-4.0_64bit Path: *.ashx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: WebServiceHandlerFactory-ISAPI-4.0_64bit Path: *.asmx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: HttpRemotingHandlerFactory-rem-ISAPI-4.0_64bit Path: *.rem State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: HttpRemotingHandlerFactory-soap-ISAPI-4.0_64bit Path: *.soap State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: aspq-ISAPI-4.0_64bit Path: *.aspq State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: cshtm-ISAPI-4.0_64bit Path: *.cshtm State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: cshtml-ISAPI-4.0_64bit Path: *.cshtml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: vbhtm-ISAPI-4.0_64bit Path: *.vbhtm State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: vbhtml-ISAPI-4.0_64bit Path: *.vbhtml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: TraceHandler-Integrated-4.0 Path: trace.axd State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: WebAdminHandler-Integrated-4.0 Path: WebAdmin.axd State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: AssemblyResourceLoader-Integrated-4.0 Path: WebResource.axd State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: PageHandlerFactory-Integrated-4.0 Path: *.aspx State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: SimpleHandlerFactory-Integrated-4.0 Path: *.ashx State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: WebServiceHandlerFactory-Integrated-4.0 Path: *.asmx State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: HttpRemotingHandlerFactory-rem-Integrated-4.0 Path: *.rem State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: HttpRemotingHandlerFactory-soap-Integrated-4.0 Path: *.soap State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: aspq-Integrated-4.0 Path: *.aspq State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: cshtm-Integrated-4.0 Path: *.cshtm State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: cshtml-Integrated-4.0 Path: *.cshtml State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: vbhtm-Integrated-4.0 Path: *.vbhtm State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: vbhtml-Integrated-4.0 Path: *.vbhtml State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: ScriptHandlerFactoryAppServices-Integrated-4.0 Path: *_AppService.axd State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: ScriptResourceIntegrated-4.0 Path: *ScriptResource.axd State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: AXD-ISAPI-4.0_32bit Path: *.axd State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: PageHandlerFactory-ISAPI-4.0_32bit Path: *.aspx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: SimpleHandlerFactory-ISAPI-4.0_32bit Path: *.ashx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: WebServiceHandlerFactory-ISAPI-4.0_32bit Path: *.asmx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: HttpRemotingHandlerFactory-rem-ISAPI-4.0_32bit Path: *.rem State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: HttpRemotingHandlerFactory-soap-ISAPI-4.0_32bit Path: *.soap State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: aspq-ISAPI-4.0_32bit Path: *.aspq State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: cshtm-ISAPI-4.0_32bit Path: *.cshtm State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: cshtml-ISAPI-4.0_32bit Path: *.cshtml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: vbhtm-ISAPI-4.0_32bit Path: *.vbhtm State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: vbhtml-ISAPI-4.0_32bit Path: *.vbhtml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: TRACEVerbHandler Path: * State: Enabled PathType: Unspecified Handler: ProtocolSupportModule ReqAccess: None Name: OPTIONSVerbHandler Path: * State: Enabled PathType: Unspecified Handler: ProtocolSupportModule ReqAccess: None Name: ExtensionlessUrlHandler-ISAPI-4.0_32bit Path: *. State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: ExtensionlessUrlHandler-ISAPI-4.0_64bit Path: *. State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: ExtensionlessUrlHandler-Integrated-4.0 Path: *. State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: StaticFile Path: * State: Enabled PathType: File or Folder Handler: StaticFileModule,DefaultDocumentModule,DirectoryListingModule ReqAccess: Read Disabled Handler Mappings: ----------------------------------- Name: ISAPI-dll Path: *.dll State: Disabled PathType: File Handler: IsapiModule ReqAccess: Execute Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: 8356F37642CEDEB903ECD7759F6B764F91491675 ~~~~~ Access Policy: Read,Script Enabled Handler Mappings: ----------------------------------- Name: xamlx-ISAPI-4.0_64bit Path: *.xamlx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: xamlx-ISAPI-4.0_32bit Path: *.xamlx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: xamlx-Integrated-4.0 Path: *.xamlx State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: rules-ISAPI-4.0_64bit Path: *.rules State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: rules-ISAPI-4.0_32bit Path: *.rules State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: rules-Integrated-4.0 Path: *.rules State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: xoml-ISAPI-4.0_64bit Path: *.xoml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: xoml-ISAPI-4.0_32bit Path: *.xoml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: xoml-Integrated-4.0 Path: *.xoml State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: svc-ISAPI-4.0_64bit Path: *.svc State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: svc-ISAPI-4.0_32bit Path: *.svc State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: svc-Integrated-4.0 Path: *.svc State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: AXD-ISAPI-4.0_64bit Path: *.axd State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: PageHandlerFactory-ISAPI-4.0_64bit Path: *.aspx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: SimpleHandlerFactory-ISAPI-4.0_64bit Path: *.ashx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: WebServiceHandlerFactory-ISAPI-4.0_64bit Path: *.asmx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: HttpRemotingHandlerFactory-rem-ISAPI-4.0_64bit Path: *.rem State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: HttpRemotingHandlerFactory-soap-ISAPI-4.0_64bit Path: *.soap State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: aspq-ISAPI-4.0_64bit Path: *.aspq State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: cshtm-ISAPI-4.0_64bit Path: *.cshtm State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: cshtml-ISAPI-4.0_64bit Path: *.cshtml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: vbhtm-ISAPI-4.0_64bit Path: *.vbhtm State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: vbhtml-ISAPI-4.0_64bit Path: *.vbhtml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: TraceHandler-Integrated-4.0 Path: trace.axd State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: WebAdminHandler-Integrated-4.0 Path: WebAdmin.axd State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: AssemblyResourceLoader-Integrated-4.0 Path: WebResource.axd State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: PageHandlerFactory-Integrated-4.0 Path: *.aspx State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: SimpleHandlerFactory-Integrated-4.0 Path: *.ashx State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: WebServiceHandlerFactory-Integrated-4.0 Path: *.asmx State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: HttpRemotingHandlerFactory-rem-Integrated-4.0 Path: *.rem State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: HttpRemotingHandlerFactory-soap-Integrated-4.0 Path: *.soap State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: aspq-Integrated-4.0 Path: *.aspq State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: cshtm-Integrated-4.0 Path: *.cshtm State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: cshtml-Integrated-4.0 Path: *.cshtml State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: vbhtm-Integrated-4.0 Path: *.vbhtm State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: vbhtml-Integrated-4.0 Path: *.vbhtml State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: ScriptHandlerFactoryAppServices-Integrated-4.0 Path: *_AppService.axd State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: ScriptResourceIntegrated-4.0 Path: *ScriptResource.axd State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: AXD-ISAPI-4.0_32bit Path: *.axd State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: PageHandlerFactory-ISAPI-4.0_32bit Path: *.aspx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: SimpleHandlerFactory-ISAPI-4.0_32bit Path: *.ashx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: WebServiceHandlerFactory-ISAPI-4.0_32bit Path: *.asmx State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: HttpRemotingHandlerFactory-rem-ISAPI-4.0_32bit Path: *.rem State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: HttpRemotingHandlerFactory-soap-ISAPI-4.0_32bit Path: *.soap State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: aspq-ISAPI-4.0_32bit Path: *.aspq State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: cshtm-ISAPI-4.0_32bit Path: *.cshtm State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: cshtml-ISAPI-4.0_32bit Path: *.cshtml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: vbhtm-ISAPI-4.0_32bit Path: *.vbhtm State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: vbhtml-ISAPI-4.0_32bit Path: *.vbhtml State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: TRACEVerbHandler Path: * State: Enabled PathType: Unspecified Handler: ProtocolSupportModule ReqAccess: None Name: OPTIONSVerbHandler Path: * State: Enabled PathType: Unspecified Handler: ProtocolSupportModule ReqAccess: None Name: ExtensionlessUrlHandler-ISAPI-4.0_32bit Path: *. State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: ExtensionlessUrlHandler-ISAPI-4.0_64bit Path: *. State: Enabled PathType: Unspecified Handler: IsapiModule ReqAccess: Script Name: ExtensionlessUrlHandler-Integrated-4.0 Path: *. State: Enabled PathType: Unspecified Handler: ManagedPipelineHandler ReqAccess: Script Name: StaticFile Path: * State: Enabled PathType: File or Folder Handler: StaticFileModule,DefaultDocumentModule,DirectoryListingModule ReqAccess: Read Disabled Handler Mappings: ----------------------------------- Name: ISAPI-dll Path: *.dll State: Disabled PathType: File Handler: IsapiModule ReqAccess: Execute Comments |
|||||
Check Text
Note: If the server being reviewed is hosting SharePoint, this is not applicable. For Handler Mappings, the ISSO must document and approve all allowable scripts the website allows (whitelist) and denies (blacklist). The whitelist and blacklist will be compared to the Handler Mappings in IIS 10.0. Handler Mappings at the site level take precedence over Handler Mappings at the server level. Open the IIS 10.0 Manager. Click the site name under review. Double-click "Handler Mappings". If any script file extensions from the blacklist are enabled, this is a finding.
Fix Text
Open the IIS 10.0 Manager. Click the site name under review. Double-click "Handler Mappings". Remove any script file extensions listed on the black list that are enabled. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: C9147AB75E3FE047BDF3394C860E38FD3A03A4FC ~~~~~ Client Certificates is NOT set to 'Require' Confirm if this this is a public server. If so, mark this finding as Not Applicable. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Exchange Back End ResultHash: C9147AB75E3FE047BDF3394C860E38FD3A03A4FC ~~~~~ Client Certificates is NOT set to 'Require' Confirm if this this is a public server. If so, mark this finding as Not Applicable. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: C9147AB75E3FE047BDF3394C860E38FD3A03A4FC ~~~~~ Client Certificates is NOT set to 'Require' Confirm if this this is a public server. If so, mark this finding as Not Applicable. Comments |
|||||
Check Text
Note: If the server being reviewed is a public IIS 10.0 web server, this is not applicable. Note: If the server being reviewed is hosting SharePoint, this is not applicable. Note: If the server being reviewed is hosting WSUS, this is not applicable. Note: If certificate handling is performed at the Proxy/Load Balancer, this is not applicable. Note: If the server being reviewed is hosting Simple Certificate Enrollment Services (SCEP), this is not applicable. Note: If the server being reviewed is hosting Network Device Enrollment Services (NDES), this is not applicable. Note: If the server is providing OCSP, and not otherwise hosting any content, this requirement is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. If the "Clients Certificate Required" check box is not selected, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 035BFA88B4D7B38B2469B08159352EBE676A9570 ~~~~~ Time-out is configured to '00:20:00' Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Exchange Back End ResultHash: 035BFA88B4D7B38B2469B08159352EBE676A9570 ~~~~~ Time-out is configured to '00:20:00' Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 035BFA88B4D7B38B2469B08159352EBE676A9570 ~~~~~ Time-out is configured to '00:20:00' Comments |
|||||
Check Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Verify the "timeout" is set to "00:15:00 or less”. If "timeout" is not set to "00:15:00 or less”, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Set the "timeout" to "00:15:00 or less”. In the "Actions" pane, click "Apply".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: FE11E6C510BB860B5F598EF635D52AFCEA9CEE15 ~~~~~ RequireSSL is set to 'False' CompressionEnabled is set to 'False' Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Exchange Back End ResultHash: FE11E6C510BB860B5F598EF635D52AFCEA9CEE15 ~~~~~ RequireSSL is set to 'False' CompressionEnabled is set to 'False' Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: FE11E6C510BB860B5F598EF635D52AFCEA9CEE15 ~~~~~ RequireSSL is set to 'False' CompressionEnabled is set to 'False' Comments |
|||||
Check Text
Note: If the server being reviewed is a public IIS 10.0 web server, this is not applicable. Note: If the server being reviewed is hosting SharePoint, this is not applicable. Note: If the server being reviewed is hosting WSUS, this is not applicable. Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. Note: If the server is providing OCSP, and not otherwise hosting any content, this requirement is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 Manager. Under the "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.web/httpCookies". Verify the "require SSL" is set to "True". From the "Section:" drop-down list, select "system.web/sessionState". Verify the "compressionEnabled" is set to "False". If both the "system.web/httpCookies:require SSL" is set to "True" and the "system.web/sessionState:compressionEnabled" is set to "False", this is not a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 Manager. Under "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.web/httpCookies". Set the "require SSL" to "True". From the "Section:" drop-down list, select "system.web/sessionState". Set the "compressionEnabled" to "False". Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Note: This requirement is only applicable for private DOD websites. Note: If the server being reviewed is hosting WSUS, this is not applicable. If a banner is required, the following banner page must be in place: “You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - At any time, the USG may inspect and seize data stored on this IS. - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy. - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” OR If your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner: "I've read & consent to terms in IS user agreem't." NOTE: While DoDI 8500.01 does not contain a copy of the banner to be used, it does point to the RMF Knowledge Service for a copy of the required text. It is also noted that the banner is to be displayed only once when the individual enters the site and not for each page. If the access-controlled website does not display this banner page before entry, this is a finding.
Fix Text
Configure a DoD private website to display the required DoD banner page when authentication is required for user access.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 49A095DC33B1A3DFEEB7EEB6886E1344EBACC16B ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 49A095DC33B1A3DFEEB7EEB6886E1344EBACC16B ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 49A095DC33B1A3DFEEB7EEB6886E1344EBACC16B ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 49A095DC33B1A3DFEEB7EEB6886E1344EBACC16B ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Comments |
|||||
Check Text
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems. If an application allowlisting program is not in use on the system, this is a finding. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built into Windows 10 Enterprise. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. If AppLocker is used, perform the following to view the configuration of AppLocker: Run "PowerShell". Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide
Fix Text
Configure an application allowlisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built into Windows 10 Enterprise. If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 03421DBAA63FB77EFDA8438D19174504036DC035 ~~~~~ No enabled accounts found where the password does not expire. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 03421DBAA63FB77EFDA8438D19174504036DC035 ~~~~~ No enabled accounts found where the password does not expire. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 03421DBAA63FB77EFDA8438D19174504036DC035 ~~~~~ No enabled accounts found where the password does not expire. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 5FA70E953F12D3C0AF507422C3B9826225B21F81 ~~~~~ Failed accounts: --------------------- Name: D.Admin SID: S-1-5-21-1360995287-4027491577-3040029667-1104 Enabled: True Password Expires: False Name: S.Admin SID: S-1-5-21-1360995287-4027491577-3040029667-1105 Enabled: True Password Expires: False Name: W.Admin SID: S-1-5-21-1360995287-4027491577-3040029667-1106 Enabled: True Password Expires: False Name: Exchange Admin SID: S-1-5-21-1360995287-4027491577-3040029667-1118 Enabled: True Password Expires: False Name: HealthMailbox03020cb359cd4879a5fd73f010bde991 SID: S-1-5-21-1360995287-4027491577-3040029667-1605 Enabled: True Password Expires: False Name: HealthMailbox3295a98105294ef195ff4f5394ae0e3c SID: S-1-5-21-1360995287-4027491577-3040029667-1606 Enabled: True Password Expires: False Name: HealthMailbox8d8eb4c107e64340876668cde6c1289e SID: S-1-5-21-1360995287-4027491577-3040029667-1607 Enabled: True Password Expires: False Name: HealthMailboxfd82eb3f816c4428bcc7a1706f017682 SID: S-1-5-21-1360995287-4027491577-3040029667-1608 Enabled: True Password Expires: False Name: HealthMailbox4ffeb90d1e3e42808987669877a590dc SID: S-1-5-21-1360995287-4027491577-3040029667-1150 Enabled: True Password Expires: False Name: HealthMailboxa7603ef65a894a7abd37cc7afcd0498f SID: S-1-5-21-1360995287-4027491577-3040029667-1609 Enabled: True Password Expires: False Name: HealthMailbox0045b0edfe864ade8de6332392102884 SID: S-1-5-21-1360995287-4027491577-3040029667-1151 Enabled: True Password Expires: False Name: HealthMailbox2a4e029adc2c45d7a2377f21fc959267 SID: S-1-5-21-1360995287-4027491577-3040029667-1610 Enabled: True Password Expires: False Name: HealthMailboxff1c61cd50724325bd1467262f3ab3f7 SID: S-1-5-21-1360995287-4027491577-3040029667-1611 Enabled: True Password Expires: False Name: HealthMailbox476aa3607f714413bb95f561ccbef1c1 SID: S-1-5-21-1360995287-4027491577-3040029667-1152 Enabled: True Password Expires: False Name: HealthMailboxa75cf849d12c447fb0c70e70b866e36e SID: S-1-5-21-1360995287-4027491577-3040029667-1612 Enabled: True Password Expires: False Name: Backup SID: S-1-5-21-1360995287-4027491577-3040029667-1614 Enabled: True Password Expires: False Name: Scan Admin SID: S-1-5-21-1360995287-4027491577-3040029667-1192 Enabled: True Password Expires: False Name: FIM, ANOC SID: S-1-5-21-1360995287-4027491577-3040029667-1203 Enabled: True Password Expires: False Name: IA ADMIN, JTBegarek SID: S-1-5-21-1360995287-4027491577-3040029667-1212 Enabled: True Password Expires: False Name: user, test SID: S-1-5-21-1360995287-4027491577-3040029667-1230 Enabled: True Password Expires: False Name: Gonzalez, Ian W., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1242 Enabled: True Password Expires: False Name: MSMEODUser SID: S-1-5-21-1360995287-4027491577-3040029667-1243 Enabled: True Password Expires: False Name: User, Test C., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1245 Enabled: True Password Expires: False Name: Jones, Thomas SID: S-1-5-21-1360995287-4027491577-3040029667-1251 Enabled: True Password Expires: False Name: Sanders, James R., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1253 Enabled: True Password Expires: False Name: Muchuslky, Joey SID: S-1-5-21-1360995287-4027491577-3040029667-1254 Enabled: True Password Expires: False Name: Begarek, Justin T., CIV SID: S-1-5-21-1360995287-4027491577-3040029667-1263 Enabled: True Password Expires: False Name: Smith, Josh A., CTR SID: S-1-5-21-1360995287-4027491577-3040029667-1645 Enabled: True Password Expires: False Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 03421DBAA63FB77EFDA8438D19174504036DC035 ~~~~~ No enabled accounts found where the password does not expire. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 03421DBAA63FB77EFDA8438D19174504036DC035 ~~~~~ No enabled accounts found where the password does not expire. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 3D09A3C4DEBAC2BE19C65EFA1252FC4A3C76F126 ~~~~~ Failed accounts: --------------------- Name: dod_admin SID: S-1-5-21-4236012249-4164713760-2408648245-1000 Enabled: True Password Expires: False Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DBB32C5EBBE5AA7AAF75394A6C8D8B4782E1A1A7 ~~~~~ Failed accounts: --------------------- Name: dod_admin SID: S-1-5-21-2502410760-3344595884-382061215-1000 Enabled: True Password Expires: False Comments |
|||||
Check Text
Review the password never expires status for enabled user accounts. Open "PowerShell". Domain Controllers: Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled". Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest), and the krbtgt account. If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. Member servers and standalone or nondomain-joined systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest). If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.
Fix Text
Configure all enabled user account passwords to expire. Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone or nondomain-joined systems. Document any exceptions with the ISSO.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 2F5A03118F95BE99F7982FCF5690595BB04E2973 ~~~~~ Certificate .p12 and/or .pfx files: --------------------- File: MONTFOR-AP-001.montford-point.navy.mil.p12 Path: E:\SAMM Installers\Tomcat Applications\Backup\SAMM-2018062562431 Created: 06/19/2023 21:59:21 File: Tomcat SAMM Vessel.p12 Path: E:\SAMM Installers\Tomcat Applications\Certificate\Keystore Created: 06/19/2023 21:59:21 File: Tomcat SAMM Vessel.p12 Path: E:\TOMCAT APPLICATIONS\Backup\Keystore-20250319142850 Created: 03/19/2025 14:30:26 File: Tomcat SAMM Vessel.p12 Path: E:\TOMCAT APPLICATIONS\Backup\SAMM-20230621171449 Created: 06/21/2023 17:14:54 File: Tomcat SAMM Vessel.p12 Path: E:\TOMCAT APPLICATIONS\Backup\SAMM-20230621171635 Created: 06/21/2023 17:16:37 File: Tomcat SAMM Vessel.p12 Path: E:\TOMCAT APPLICATIONS\Backup\SAMM-20250319141848 Created: 03/19/2025 14:18:54 File: MONT-AP-002.MONTFORD-POINT.navy.mil.pfx Path: E:\TOMCAT APPLICATIONS\Certificate\DoD Created: 06/21/2023 17:14:55 File: MONT-DB-002.MONTFORD-POINT.navy.mil.pfx Path: E:\TOMCAT APPLICATIONS\Certificate\DoD Created: 06/21/2023 17:16:07 File: Tomcat SAMM Vessel.p12 Path: E:\TOMCAT APPLICATIONS\Certificate\Keystore Created: 05/25/2021 17:03:00 File: emprise.pfx Path: E:\TOMCAT APPLICATIONS\webapps\logbook\WEB-INF\classes\certificates Created: 03/19/2025 14:38:23 File: emprise.pfx Path: E:\TOMCAT APPLICATIONS\webapps\shipslog\WEB-INF\classes\certificates Created: 03/19/2025 14:38:27 File: MONT-AP-002.MONTFORD-POINT.navy.mil.pfx Path: E:\Vol1\SAMM temp staging\Tomcat\Certificate\DoD Created: 03/19/2025 14:22:48 File: MONT-DB-002.MONTFORD-POINT.navy.mil.pfx Path: E:\Vol1\SAMM temp staging\Tomcat\Certificate\DoD Created: 03/19/2025 14:22:48 File: Tomcat SAMM Vessel.p12 Path: E:\Vol1\SAMM temp staging\Tomcat\Certificate\Keystore Created: 03/19/2025 14:22:48 File: intermediate.p12 Path: E:\Vol1\SMIS_APP\Certificates\CA Created: 02/26/2025 18:51:28 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 0D40248E7448FCD0ECA615A2881C86BAFE70E90B ~~~~~ Certificate .p12 and/or .pfx files: --------------------- File: MONT-DB-002.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Application Certificate Files\DoD Created: 06/21/2023 15:54:54 File: MONTFOR-DB-001.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Backup\SAMMDatabase-20230620161919\DoD Created: 06/20/2023 16:21:04 File: MONTFOR-DB-001.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Backup\SAMMDatabase-20230620212252\DoD Created: 06/20/2023 21:22:56 File: MONT-DB-002.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Backup\SAMMDatabase-20230621155610\DoD Created: 06/21/2023 15:56:15 File: MONT-DB-002.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Backup\SAMMDatabase-20230621160233\DoD Created: 06/21/2023 16:02:36 File: MONT-DB-002.montford-point.navy.mil.pfx Path: E:\SQL Anywhere 16\Backup\SAMMDatabase-20230621161956\DoD Created: 06/21/2023 16:19:59 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 1E905A685F637BB40DE0CCC74A42DFE14AD3B097 ~~~~~ Certificate .p12 and/or .pfx files: --------------------- File: MONT-DC-003.pfx Path: C:\Temp Created: 06/13/2023 20:57:19 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
Check Text
Search all drives for *.p12 and *.pfx files. If any files with these extensions exist, this is a finding. This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.
Fix Text
Remove any certificate installation files (*.p12 and *.pfx) found on a system. Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: 6A6094447CB8DE66FC6303CBDD8749BE276169CF ~~~~~ File is the only option selected. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: 6A6094447CB8DE66FC6303CBDD8749BE276169CF ~~~~~ File is the only option selected. Comments |
|||||
Check Text
Note: If the server is hosting WSUS, this is Not Applicable. Open the IIS 10.0 Manager. Click the IIS 10.0 server name. Click the "Logging" icon. Under Log Event Destination, verify the "Both log file and ETW event" radio button is selected. If the "Both log file and ETW event" radio button is not selected, this is a finding.
Fix Text
Open the IIS 10.0 Manager. Click the IIS 10.0 server name. Click the "Logging" icon. Under Log Event Destination, select the "Both log file and ETW event" radio button. Under the "Actions" pane, click "Apply".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: 7599E6F84AF0FE02631E378C3BDEFF3AC6CE19D6 ~~~~~ Log format is 'W3C' The 'Request Header >> Connection' custom field is NOT configured. The 'Request Header >> Warning' custom field is NOT configured. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: 7599E6F84AF0FE02631E378C3BDEFF3AC6CE19D6 ~~~~~ Log format is 'W3C' The 'Request Header >> Connection' custom field is NOT configured. The 'Request Header >> Warning' custom field is NOT configured. Comments |
|||||
Check Text
Note: If the server is hosting WSUS, this is Not Applicable. Access the IIS 10.0 web server IIS Manager. Click the IIS 10.0 web server name. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Custom Fields", verify the following fields have been configured: Request Header >> Connection. Request Header >> Warning. If any of the above fields are not selected, this is a finding.
Fix Text
Access the IIS 10.0 web server IIS Manager. Click the IIS 10.0 web server name. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Custom Fields", click "Add Field...". For each field being added, give a name unique to what the field is capturing. Click on the "Source Type" drop-down list and select "Request Header". Click the "Source" drop-down list, and select "Connection". Click "OK" to add. Click the "Source Type" drop-down list, and select "Request Header". Click the "Source" drop-down list, and select "Warning". Click "OK" to add. Click "Apply" under the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: C3C26BB04CA1EEAB0A14FFB0A603274C530242F3 ~~~~~ Log format is 'W3C' User Agent, User Name, and Referrer are all logged. The 'Request Header >> Authorization' custom field is NOT configured. The 'Response Header >> Content-Type' custom field is NOT configured. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: C3C26BB04CA1EEAB0A14FFB0A603274C530242F3 ~~~~~ Log format is 'W3C' User Agent, User Name, and Referrer are all logged. The 'Request Header >> Authorization' custom field is NOT configured. The 'Response Header >> Content-Type' custom field is NOT configured. Comments |
|||||
Check Text
Note: If the server is hosting WSUS, this is Not Applicable. Access the IIS 10.0 web server IIS Manager. Click the IIS 10.0 web server name. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Standard Fields", verify "User Agent", "User Name", and "Referrer" are selected. Under "Custom Fields", verify the following field has been configured: Request Header >> Authorization. Response Header >> Content-Type. If any of the above fields are not selected, this is a finding.
Fix Text
Access the IIS 10.0 web server IIS Manager. Click the IIS 10.0 web server name. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Standard Fields", select "User Agent", "User Name", and "Referrer". Under "Custom Fields", select the following fields: Click the "Source Type" drop-down list, and select "Request Header". Click on "Source" drop-down, list and select "Authorization". Click "OK" to add. Click the "Source" drop-down list, and select "Content-Type". Click the "Source Type" drop-down list, and select "Response Header". Click "OK" to add. Click "OK". Click "Apply" under the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 31CECBEB8262E8E4353409216F2627EBB61EFD36 ~~~~~ Current ACL of C:\inetpub\logs\LogFiles is: FileSystemRights : FullControl AccessControlType : Allow IdentityReference : NT SERVICE\TrustedInstaller IsInherited : True InheritanceFlags : None PropagationFlags : None FileSystemRights : 268435456 AccessControlType : Allow IdentityReference : NT SERVICE\TrustedInstaller IsInherited : True InheritanceFlags : ContainerInherit, ObjectInherit PropagationFlags : InheritOnly FileSystemRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : True InheritanceFlags : None PropagationFlags : None FileSystemRights : 268435456 AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : True InheritanceFlags : ContainerInherit, ObjectInherit PropagationFlags : InheritOnly FileSystemRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : True InheritanceFlags : None PropagationFlags : None FileSystemRights : 268435456 AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : True InheritanceFlags : ContainerInherit, ObjectInherit PropagationFlags : InheritOnly FileSystemRights : 268435456 AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : True InheritanceFlags : ContainerInherit, ObjectInherit PropagationFlags : InheritOnly Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 133CC07CD4DEAF3EF5D33421D4F29B3AF54E3FA2 ~~~~~ Current ACL of D:\inetpub\logs\LogFiles is: FileSystemRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : False InheritanceFlags : None PropagationFlags : None FileSystemRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators IsInherited : True InheritanceFlags : ContainerInherit, ObjectInherit PropagationFlags : None FileSystemRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM IsInherited : True InheritanceFlags : ContainerInherit, ObjectInherit PropagationFlags : None FileSystemRights : 268435456 AccessControlType : Allow IdentityReference : CREATOR OWNER IsInherited : True InheritanceFlags : ContainerInherit, ObjectInherit PropagationFlags : InheritOnly FileSystemRights : ReadAndExecute, Synchronize AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : True InheritanceFlags : ContainerInherit, ObjectInherit PropagationFlags : None FileSystemRights : AppendData AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : True InheritanceFlags : ContainerInherit PropagationFlags : None FileSystemRights : CreateFiles AccessControlType : Allow IdentityReference : BUILTIN\Users IsInherited : True InheritanceFlags : ContainerInherit PropagationFlags : None Comments |
|||||
Check Text
This check does not apply to service account IDs utilized by automated services necessary to process, manage, and store log files. Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Click the "Logging" icon. Click "Browse" and navigate to the directory where the log files are stored. Right-click the log file directory to review. Click "Properties". Click the "Security" tab. Verify log file access is restricted as follows. Otherwise, this is a finding. SYSTEM - Full Control, This folder, subfolders and files Administrators - Full Control, This folder, subfolders and files Note: A "Web Administrators", etc., type group that is an approved group of administrators is also allowed, and must be given "Full Control, This folder, subfolders and files" permissions.
Fix Text
Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Click the "Logging" icon. Click "Browse" and navigate to the directory where the log files are stored. Right-click the log file directory to review and click "Properties". Click the "Security" tab. Set the log file permissions for the appropriate group(s). Click "OK". Select "Apply" in the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 76962F0DD58B62702CD4E14318F6671588F2664D ~~~~~ Software installed on this system: ActivID ActivClient x64 Axway Desktop Validator CRLAutoCache DoD Secure Host Baseline Server InstallRoot Microsoft NetBanner Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.42.34433 Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.42.34433 Trellix Agent Trellix Data Loss Prevention - Endpoint Trellix Endpoint Security Firewall Trellix Endpoint Security Platform Trellix Endpoint Security Threat Prevention Trellix Policy Auditor Agent Trellix Solidifier Veritas Backup Exec Remote Agent for Windows WinZip 27.0 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 26B56AA4890034FEFE642B4B70A10F246553B7EA ~~~~~ Software installed on this system: ActivID ActivClient x64 Axway Desktop Validator CRLAutoCache DoD Secure Host Baseline Server IIS URL Rewrite Module 2 InstallRoot Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Lync Server 2013, Bootstrapper Prerequisites Installer Package Microsoft NetBanner Microsoft Server Speech Platform Runtime (x64) Microsoft Speech Platform VXML Runtime (x64) Microsoft Unified Communications Managed API 4.0, Runtime Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33130 Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.38.33130 Trellix Agent Trellix Data Loss Prevention - Endpoint Trellix Endpoint Security Firewall Trellix Endpoint Security Platform Trellix Endpoint Security Threat Prevention Trellix Policy Auditor Agent Trellix Security for Microsoft Exchange Trellix Solidifier Veritas Backup Exec Remote Agent for Windows WinZip 27.0 Comments |
|||||
Check Text
Click “Start”. Open Control Panel. Click “Programs”. Click “Programs and Features”. Review the installed programs. If any programs are installed other than those required for the IIS 10.0 web services, this is a finding. Note: If additional software is needed, supporting documentation must be signed by the ISSO.
Fix Text
Remove all unapproved programs and roles from the production IIS 10.0 web server.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 774CC3055B80C5163C0500736DC8B27D15DDBC89 ~~~~~ The following Windows features are installed: BITS BITS-IIS-Ext FileAndStorage-Services File-Services FS-FileServer NET-Framework-45-Core NET-Framework-45-Features NET-WCF-Services45 NET-WCF-TCP-PortSharing45 PowerShell PowerShell-ISE PowerShellRoot RDC RSAT RSAT-Bits-Server RSAT-Feature-Tools Storage-Services Web-App-Dev Web-Common-Http Web-Default-Doc Web-Dir-Browsing Web-Filtering Web-Health Web-Http-Errors Web-Http-Logging Web-Http-Redirect Web-Http-Tracing Web-ISAPI-Ext Web-Log-Libraries Web-Metabase Web-Mgmt-Compat Web-Mgmt-Console Web-Mgmt-Tools Web-Performance Web-Request-Monitor Web-Security Web-Server Web-Stat-Compression Web-Static-Content Web-WebServer WoW64-Support Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 64C688BC1C9B1982AFFD18FC23E02FDD4F322D99 ~~~~~ The following Windows features are installed: FileAndStorage-Services File-Services FS-FileServer MSMQ MSMQ-Server MSMQ-Services NET-Framework-45-ASPNET NET-Framework-45-Core NET-Framework-45-Features NET-WCF-HTTP-Activation45 NET-WCF-MSMQ-Activation45 NET-WCF-Pipe-Activation45 NET-WCF-Services45 NET-WCF-TCP-Activation45 NET-WCF-TCP-PortSharing45 PowerShell PowerShell-ISE PowerShellRoot RPC-over-HTTP-Proxy RSAT RSAT-ADDS RSAT-ADDS-Tools RSAT-AD-Tools RSAT-Clustering RSAT-Clustering-CmdInterface RSAT-Clustering-Mgmt RSAT-Clustering-PowerShell RSAT-Feature-Tools RSAT-Role-Tools Server-Media-Foundation Storage-Services WAS WAS-Config-APIs WAS-Process-Model Web-App-Dev Web-Asp-Net45 Web-Basic-Auth Web-Client-Auth Web-Common-Http Web-Default-Doc Web-Digest-Auth Web-Dir-Browsing Web-Dyn-Compression Web-Filtering Web-Health Web-Http-Errors Web-Http-Logging Web-Http-Redirect Web-Http-Tracing Web-ISAPI-Ext Web-ISAPI-Filter Web-Lgcy-Mgmt-Console Web-Log-Libraries Web-Metabase Web-Mgmt-Compat Web-Mgmt-Console Web-Mgmt-Service Web-Mgmt-Tools Web-Net-Ext45 Web-Performance Web-Request-Monitor Web-Security Web-Server Web-Stat-Compression Web-Static-Content Web-WebServer Web-Windows-Auth Web-WMI Windows-Identity-Foundation WoW64-Support Comments |
|||||
Check Text
Consult with the System Administrator and review all of the IIS 10.0 and Operating System features installed. Determine if any features installed are no longer necessary for operation. If any utility programs, features, or modules are installed which are not necessary for operation, this is a finding. If any unnecessary Operating System features are installed, this is a finding.
Fix Text
Remove all utility programs, Operating System features, or modules installed that are not necessary for web server operation.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: 47C2C311101A88836E6EF2E986BC87A38AC57B63 ~~~~~ The following invalid MIME types for OS shell program extensions are configured: .exe .dll .csh Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: 47C2C311101A88836E6EF2E986BC87A38AC57B63 ~~~~~ The following invalid MIME types for OS shell program extensions are configured: .exe .dll .csh Comments |
|||||
Check Text
Note: If the server is hosting WSUS, this is not applicable. Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under IIS, double-click the "MIME Types" icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: .exe .dll .com .bat .csh If any OS shell MIME types are configured, this is a finding.
Fix Text
Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under IIS, double-click the "MIME Types" icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", remove MIME types for OS shell program extensions, to include at a minimum, the following extensions: .exe .dll .com .bat .csh Under the "Actions" pane, click "Apply".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Interview the System Administrator for the IIS 10.0 web server. Ask for documentation on the disaster recovery methods tested and planned for the IIS 10.0 web server in the event of the necessity for rollback. If documentation for a disaster recovery has not been established, this is a finding.
Fix Text
Prepare documentation for disaster recovery methods for the IIS 10.0 web server in the event of the necessity for rollback. Document and test the disaster recovery methods designed.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 76962F0DD58B62702CD4E14318F6671588F2664D ~~~~~ Software installed on this system: ActivID ActivClient x64 Axway Desktop Validator CRLAutoCache DoD Secure Host Baseline Server InstallRoot Microsoft NetBanner Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.42.34433 Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.42.34433 Trellix Agent Trellix Data Loss Prevention - Endpoint Trellix Endpoint Security Firewall Trellix Endpoint Security Platform Trellix Endpoint Security Threat Prevention Trellix Policy Auditor Agent Trellix Solidifier Veritas Backup Exec Remote Agent for Windows WinZip 27.0 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 26B56AA4890034FEFE642B4B70A10F246553B7EA ~~~~~ Software installed on this system: ActivID ActivClient x64 Axway Desktop Validator CRLAutoCache DoD Secure Host Baseline Server IIS URL Rewrite Module 2 InstallRoot Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Lync Server 2013, Bootstrapper Prerequisites Installer Package Microsoft NetBanner Microsoft Server Speech Platform Runtime (x64) Microsoft Speech Platform VXML Runtime (x64) Microsoft Unified Communications Managed API 4.0, Runtime Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33130 Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.38.33130 Trellix Agent Trellix Data Loss Prevention - Endpoint Trellix Endpoint Security Firewall Trellix Endpoint Security Platform Trellix Endpoint Security Threat Prevention Trellix Policy Auditor Agent Trellix Security for Microsoft Exchange Trellix Solidifier Veritas Backup Exec Remote Agent for Windows WinZip 27.0 Comments |
|||||
Check Text
Review programs installed on the OS. Open Control Panel. Open Programs and Features. The following programs may be installed without any additional documentation: Administration Pack for IIS IIS Search Engine Optimization Toolkit Microsoft .NET Framework version 3.5 SP1 or greater Microsoft Web Platform Installer version 3.x or greater Virtual Machine Additions Review the installed programs, if any programs are installed other than those listed above, this is a finding. Note: If additional software is needed and has supporting documentation signed by the ISSO, this is not a finding.
Fix Text
Remove all unapproved programs and roles from the production web server.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: DD43BE6E6EC7E41669939F366F6D00C612855AF1 ~~~~~ Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: URIEnableCache (NotFound) [Finding] Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: UriMaxUriBytes (NotFound) [Finding] Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: UriScavengerPeriod (NotFound) [Finding] Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: DD43BE6E6EC7E41669939F366F6D00C612855AF1 ~~~~~ Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: URIEnableCache (NotFound) [Finding] Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: UriMaxUriBytes (NotFound) [Finding] Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: UriScavengerPeriod (NotFound) [Finding] Comments |
|||||
Check Text
If the IIS 10.0 web server is not hosting any applications, this is Not Applicable. If the IIS 10.0 web server is hosting applications, consult with the system administrator to determine risk analysis performed when the application was written and deployed to the IIS 10.0 web server. Obtain documentation on the configuration. Verify, at a minimum, the following tuning settings in the registry. Access the IIS 10.0 web server registry. Verify the following keys are present and configured. The required setting depends upon the requirements of the application. Recommended settings are not provided as these settings must be explicitly configured to show a conscientious tuning has been made. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\ REG_DWORD "URIEnableCache" REG_DWORD "UriMaxUriBytes" REG_DWORD "UriScavengerPeriod" If explicit settings are not configured for "URIEnableCache", "UriMaxUriBytes" and "UriScavengerPeriod", this is a finding.
Fix Text
Access the IIS 10.0 web server registry. Verify the following keys are present and configured. The required setting depends upon the requirements of the application. These settings must be explicitly configured to show a conscientious tuning has been made. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\ Configure the following registry keys to levels to accommodate the hosted applications. Create REG_DWORD "URIEnableCache" Create REG_DWORD "UriMaxUriBytes" Create REG_DWORD "UriScavengerPeriod"
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: 131C51BE43E61BFBB569FDD5F046ADBBCD65A458 ~~~~~ This is a classified system so this requirement is NA. Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: 131C51BE43E61BFBB569FDD5F046ADBBCD65A458 ~~~~~ This is a classified system so this requirement is NA. Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 40CCA0704784DC82647DD021A5BABBF4C9FBA509 ~~~~~ 'Configure Windows Defender SmartScreen' is NOT Enabled: (Warn and prevent bypass) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System Value Name: EnableSmartScreen Value: 0x00000000 (0) [Expected 1] Type: REG_DWORD Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System Value Name: ShellSmartScreenLevel Value: Block Type: REG_SZ Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 40CCA0704784DC82647DD021A5BABBF4C9FBA509 ~~~~~ 'Configure Windows Defender SmartScreen' is NOT Enabled: (Warn and prevent bypass) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System Value Name: EnableSmartScreen Value: 0x00000000 (0) [Expected 1] Type: REG_DWORD Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System Value Name: ShellSmartScreenLevel Value: Block Type: REG_SZ Comments |
|||||
Check Text
This is applicable to unclassified systems, for other systems this is NA. If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value Type: REG_DWORD Value: 0x00000001 (1) And Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: ShellSmartScreenLevel Value Type: REG_SZ Value: Block v1607 LTSB: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value Type: REG_DWORD Value: 0x00000001 (1) v1507 LTSB: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnableSmartScreen Value Type: REG_DWORD Value: 0x00000002 (2)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows Defender SmartScreen" to "Enabled" with "Warn and prevent bypass" selected. Windows 10 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Explorer. v1607 LTSB: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled". (Selection options are not available.) v1507 LTSB: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled" with "Require approval from an administrator before running downloaded unknown software" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: E98EF1C3AADF7AF43B5A4A99EEC37235E343282B ~~~~~ Access this computer from the network: BUILTIN\Administrators BUILTIN\Remote Desktop Users Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: E98EF1C3AADF7AF43B5A4A99EEC37235E343282B ~~~~~ Access this computer from the network: BUILTIN\Administrators BUILTIN\Remote Desktop Users Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 961150F7A1487BB48A2013DFE7393D8B57787B43 ~~~~~ Access this computer from the network: BUILTIN\Administrators BUILTIN\Remote Desktop Users MONTFORD-POINT\Domain Users Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 961150F7A1487BB48A2013DFE7393D8B57787B43 ~~~~~ Access this computer from the network: BUILTIN\Administrators BUILTIN\Remote Desktop Users MONTFORD-POINT\Domain Users Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Access this computer from the network" user right, this is a finding: Administrators Remote Desktop Users If a domain application account such as for a management tool requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account, managed at the domain level, must meet requirements for application account passwords, such as length and frequency of changes as defined in the Windows server STIGs.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to only include the following groups or accounts: Administrators Remote Desktop Users
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 8968392459B797835F9CDB0E84E61A2D858F67D2 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 8968392459B797835F9CDB0E84E61A2D858F67D2 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: B00433ABC682620256EEA18A128316CDE1BC2030 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: B00433ABC682620256EEA18A128316CDE1BC2030 ~~~~~ Deny access to this computer from the network: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following groups or accounts are not defined for the "Deny access to this computer from the network" right, this is a finding: Domain Systems Only: Enterprise Admins group Domain Admins group Local account (see Note below) All Systems: Guests group Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following. Domain Systems Only: Enterprise Admins group Domain Admins group Local account (see Note below) All Systems: Guests group Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: 35876C8966B85EC1E2B626A04F1F3A7173B7D72A ~~~~~ System is a 'Standalone Workstation' so this requirement is NA. Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: 35876C8966B85EC1E2B626A04F1F3A7173B7D72A ~~~~~ System is a 'Standalone Workstation' so this requirement is NA. Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 853C0CE81C1C24F05FBE2ADC24FBC18BB9DC2A41 ~~~~~ Deny log on as a service: No objects assigned to this right. Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 853C0CE81C1C24F05FBE2ADC24FBC18BB9DC2A41 ~~~~~ Deny log on as a service: No objects assigned to this right. Comments |
|||||
Check Text
This requirement is applicable to domain-joined systems. For standalone or nondomain-joined systems, this is NA. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following groups or accounts are not defined for the "Deny log on as a service" right , this is a finding. Domain Systems Only: Enterprise Admins Group Domain Admins Group
Fix Text
This requirement is applicable to domain-joined systems. For standalone or nondomain-joined systems, this is NA. Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include the following: Domain Systems Only: Enterprise Admins Group Domain Admins Group
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: D42DF0ECC417CB415089564874B6907BEB79128C ~~~~~ Deny log on locally: BUILTIN\Guests Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following groups or accounts are not defined for the "Deny log on locally" right, this is a finding. Domain Systems Only: Enterprise Admins Group Domain Admins Group Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) All Systems: Guests Group
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following. Domain Systems Only: Enterprise Admins Group Domain Admins Group Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) All Systems: Guests Group
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 9710F86B1963CAAA2C9429B687B5B8F0CFCE9509 ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 9710F86B1963CAAA2C9429B687B5B8F0CFCE9509 ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5957234601D7C7E797928456B308E65804C7D53F ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5957234601D7C7E797928456B308E65804C7D53F ~~~~~ Deny log on through Remote Desktop Services: BUILTIN\Guests NT AUTHORITY\Local account Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following groups or accounts are not defined for the "Deny log on through Remote Desktop Services" right, this is a finding: If Remote Desktop Services is not used by the organization, the "Everyone" group can replace all of the groups listed below. Domain Systems Only: Enterprise Admins group Domain Admins group Local account (see Note below) All Systems: Guests group Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following. If Remote Desktop Services is not used by the organization, assign the Everyone group this right to prevent all access. Domain Systems Only: Enterprise Admins group Domain Admins group Local account (see Note below) All Systems: Guests group Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: AB82DA94F817279F4C1E1EE501914F339AF03BC7 ~~~~~ 'Block macros from running in Office files from the Internet' is NOT Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\access\security Value Name: blockcontentexecutionfrominternet (Not found) Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: AB82DA94F817279F4C1E1EE501914F339AF03BC7 ~~~~~ 'Block macros from running in Office files from the Internet' is NOT Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\access\security Value Name: blockcontentexecutionfrominternet (Not found) Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 48067347C7A76ADFF02F273DAFA024366DD667FD ~~~~~ Access is not installed so this requirement is NA per the STIG Overview. Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 48067347C7A76ADFF02F273DAFA024366DD667FD ~~~~~ Access is not installed so this requirement is NA per the STIG Overview. Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Access 2016 >> Application Settings >> Security >> Trust Center "Block macros from running in Office files from the Internet" is set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\access\security If the value blockcontentexecutionfrominternet is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Access 2016 >> Application Settings >> Security >> Trust Center "Block macros from running in Office files from the Internet" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 768CBCFE1F018055B3389A766B3AF7F113FA43CC ~~~~~ 'Macro Runtime Scan Scope' is Enabled: (Enable for all documents) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\security Value Name: macroruntimescanscope Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 768CBCFE1F018055B3389A766B3AF7F113FA43CC ~~~~~ 'Macro Runtime Scan Scope' is Enabled: (Enable for all documents) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\security Value Name: macroruntimescanscope Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: CD29181397F2AB43C4CCB0FEEC184B9FA25E48FF ~~~~~ 'Macro Runtime Scan Scope' is NOT Enabled: (Enable for all documents) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\security Value Name: macroruntimescanscope (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: CD29181397F2AB43C4CCB0FEEC184B9FA25E48FF ~~~~~ 'Macro Runtime Scan Scope' is NOT Enabled: (Enable for all documents) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\security Value Name: macroruntimescanscope (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016>> Security Settings "Macro Runtime Scan Scope" is set to "Enable for all documents". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\common\security If the value for macroruntimescanscope is REG_DWORD = 2, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016>> Security Settings "Macro Runtime Scan Scope" to "Enable for all documents".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: B95BF163F165A17CDF6801AB61F6271A2B2BFEE6 ~~~~~ 'Disable the Office client from polling the SharePoint Server for published links' is Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\portal Value Name: linkpublishingdisabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: B95BF163F165A17CDF6801AB61F6271A2B2BFEE6 ~~~~~ 'Disable the Office client from polling the SharePoint Server for published links' is Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\portal Value Name: linkpublishingdisabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 96CDC01572877ED081B14F7FA86B9AD03B070EC5 ~~~~~ 'Disable the Office client from polling the SharePoint Server for published links' is NOT Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\portal Value Name: linkpublishingdisabled (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 96CDC01572877ED081B14F7FA86B9AD03B070EC5 ~~~~~ 'Disable the Office client from polling the SharePoint Server for published links' is NOT Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\portal Value Name: linkpublishingdisabled (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Server Settings >> Disable the Office client from polling the SharePoint Server for published links is set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\common\portal If the value for linkpublishingdisabled is REG_DWORD = "1", this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Server Settings >> Disable the Office client from polling the SharePoint Server for published links to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 784F7F3F487B6D1C548011727F63550D6130E993 ~~~~~ 'Disable UI extending from documents and templates' is Enabled: (Disallow in Word; Excel; PowerPoint; Access; Outlook; Publisher; Project; Visio; InfoPath) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\access Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\excel Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\infopath Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\outlook Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\powerpoint Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\project Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\publisher Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\visio Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\word Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 784F7F3F487B6D1C548011727F63550D6130E993 ~~~~~ 'Disable UI extending from documents and templates' is Enabled: (Disallow in Word; Excel; PowerPoint; Access; Outlook; Publisher; Project; Visio; InfoPath) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\access Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\excel Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\infopath Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\outlook Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\powerpoint Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\project Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\publisher Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\visio Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\word Value Name: noextensibilitycustomizationfromdocument Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: D7A3C2FCBB825CA5C98C3FDDD47E431EFA116602 ~~~~~ 'Disable UI extending from documents and templates' is NOT Enabled: (Disallow in Word; Excel; PowerPoint; Access; Outlook; Publisher; Project; Visio; InfoPath) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\access Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\excel Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\infopath Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\outlook Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\powerpoint Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\project Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\publisher Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\visio Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\word Value Name: noextensibilitycustomizationfromdocument (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: D7A3C2FCBB825CA5C98C3FDDD47E431EFA116602 ~~~~~ 'Disable UI extending from documents and templates' is NOT Enabled: (Disallow in Word; Excel; PowerPoint; Access; Outlook; Publisher; Project; Visio; InfoPath) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\access Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\excel Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\infopath Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\outlook Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\powerpoint Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\project Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\publisher Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\visio Value Name: noextensibilitycustomizationfromdocument (Not found) Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\common\toolbars\word Value Name: noextensibilitycustomizationfromdocument (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Global Options >> Customize >> Disable UI extending from documents and templates is set to Enabled: Disallow in Word; Excel; PowerPoint; Access; Outlook; Publisher; Project; Visio; InfoPath Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\common\toolbars If the value noextensibilitycustomizationfromdocument is REG_DWORD = 1 for all installed Office programs, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Global Options >> Customize >> Disable UI extending from documents and templates to Enabled: Disallow in Word; Excel; PowerPoint; Access; Outlook; Publisher; Project; Visio; InfoPath.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 171AC734BEDB5475F871E568C292B1F50A6972C4 ~~~~~ 'Block Flash activation in Office documents' is Enabled: (Block all activation) Registry Path: HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility Value Name: COMMENT Value: Block all Flash activation Type: REG_SZ Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 171AC734BEDB5475F871E568C292B1F50A6972C4 ~~~~~ 'Block Flash activation in Office documents' is Enabled: (Block all activation) Registry Path: HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility Value Name: COMMENT Value: Block all Flash activation Type: REG_SZ Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: 4DE737C1BFDFBC891A7FC39E7105A8B39446DF88 ~~~~~ 'Block Flash activation in Office documents' is NOT Enabled: (Block all activation) Registry Path: HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility Value Name: COMMENT (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 ResultHash: 4DE737C1BFDFBC891A7FC39E7105A8B39446DF88 ~~~~~ 'Block Flash activation in Office documents' is NOT Enabled: (Block all activation) Registry Path: HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility Value Name: COMMENT (Not found) Comments |
|||||
Check Text
Verify the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> Block Flash activation in Office documents >> Enabled >> Block all activation is set to "Enabled" Block all activation. Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility If the value for COMMENT is REG_SZ = Block all Flash activation, this is not a finding.
Fix Text
Set the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> Block Flash activation in Office documents >> Enabled >> Block all activation to "Enabled" (Block all activation).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 7E5731CF8FADBD0CC47863F2C22FB5DF1D2C87AA ~~~~~ 'Don't allow Dynamic Data Exchange (DDE) server launch in Excel' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\external content Value Name: disableddeserverlaunch Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 7E5731CF8FADBD0CC47863F2C22FB5DF1D2C87AA ~~~~~ 'Don't allow Dynamic Data Exchange (DDE) server launch in Excel' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\external content Value Name: disableddeserverlaunch Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: BBA5A336D17B95566A0BD1AB5AC8D265C75A0172 ~~~~~ 'Don't allow Dynamic Data Exchange (DDE) server launch in Excel' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\external content Value Name: disableddeserverlaunch (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: BBA5A336D17B95566A0BD1AB5AC8D265C75A0172 ~~~~~ 'Don't allow Dynamic Data Exchange (DDE) server launch in Excel' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\external content Value Name: disableddeserverlaunch (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> External Content >> Don't allow Dynamic Data Exchange (DDE) server launch in Excel is set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\security\external content If the value for "disableddeserverlaunch" is REG_DWORD = 1, this is not a finding.
Fix Text
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> External Content >> Don't allow Dynamic Data Exchange (DDE) server launch in Excel to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: BE57798F42D253F153AD001AB441542E642D655C ~~~~~ 'Don't allow Dynamic Data Exchange (DDE) server lookup in Excel' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\external content Value Name: disableddeserverlookup Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: BE57798F42D253F153AD001AB441542E642D655C ~~~~~ 'Don't allow Dynamic Data Exchange (DDE) server lookup in Excel' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\external content Value Name: disableddeserverlookup Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: A09F08C180B9EFDCD3A3332CDC901B2838A136F6 ~~~~~ 'Don't allow Dynamic Data Exchange (DDE) server lookup in Excel' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\external content Value Name: disableddeserverlookup (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: A09F08C180B9EFDCD3A3332CDC901B2838A136F6 ~~~~~ 'Don't allow Dynamic Data Exchange (DDE) server lookup in Excel' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\external content Value Name: disableddeserverlookup (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> External Content >> Don't allow Dynamic Data Exchange (DDE) server lookup in Excel is set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\security\external content If the value for "disableddeserverlookup" is REG_DWORD = 1, this is not a finding.
Fix Text
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> External Content >> Don't allow Dynamic Data Exchange (DDE) server lookup in Excel to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 4B807D2DE77E281652EE437DD97B6BAC3A7A158A ~~~~~ 'Ask to update automatic links' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options\binaryoptions Value Name: fupdateext_78_1 Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 4B807D2DE77E281652EE437DD97B6BAC3A7A158A ~~~~~ 'Ask to update automatic links' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options\binaryoptions Value Name: fupdateext_78_1 Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 6B1D21A6B62673251DABECE80D96C11C72692567 ~~~~~ 'Ask to update automatic links' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options\binaryoptions Value Name: fupdateext_78_1 (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 6B1D21A6B62673251DABECE80D96C11C72692567 ~~~~~ 'Ask to update automatic links' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options\binaryoptions Value Name: fupdateext_78_1 (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Advanced >> Ask to update automatic links is set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\options\binaryoptions If the value for fupdateext_78_1 is REG_DWORD = 0, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Advanced >> Ask to update automatic links to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: DF3BF350535AB271E12CE9517D7CA34A856BB161 ~~~~~ 'Load pictures from Web pages not created in Excel' is Disabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\internet Value Name: donotloadpictures Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: DF3BF350535AB271E12CE9517D7CA34A856BB161 ~~~~~ 'Load pictures from Web pages not created in Excel' is Disabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\internet Value Name: donotloadpictures Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 7C060C55DCEC0645DCF8620A7C398851A3B4DE19 ~~~~~ 'Load pictures from Web pages not created in Excel' is NOT Disabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\internet Value Name: donotloadpictures (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 7C060C55DCEC0645DCF8620A7C398851A3B4DE19 ~~~~~ 'Load pictures from Web pages not created in Excel' is NOT Disabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\internet Value Name: donotloadpictures (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Advanced >> Web Options... >> General. Load pictures from Web pages not created in Excel is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\internet If the value for donotloadpictures is REG_DWORD = 1, this is not a finding.
Fix Text
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Advanced >> Web Options... >> General >> Load pictures from Web pages not created in Excel to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: E7D7F44EC3B02F0E69B6E9C88667CDF23EFFCC52 ~~~~~ 'Disable AutoRepublish' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options Value Name: disableautorepublish Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: E7D7F44EC3B02F0E69B6E9C88667CDF23EFFCC52 ~~~~~ 'Disable AutoRepublish' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options Value Name: disableautorepublish Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: CF624D913092478981CB1E7B067607F0273F2B4E ~~~~~ 'Disable AutoRepublish' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options Value Name: disableautorepublish (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: CF624D913092478981CB1E7B067607F0273F2B4E ~~~~~ 'Disable AutoRepublish' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options Value Name: disableautorepublish (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Save >> Disable AutoRepublish is to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\options If the value for disableautorepublish is REG_DWORD = 1, this is not a finding.
Fix Text
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Save >> Disable AutoRepublish to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 178EC8CC5CA91EFBA47AE02DCC74772127C42918 ~~~~~ 'Do not show AutoRepublish warning alert' is Disabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options Value Name: disableautorepublishwarning Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 178EC8CC5CA91EFBA47AE02DCC74772127C42918 ~~~~~ 'Do not show AutoRepublish warning alert' is Disabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options Value Name: disableautorepublishwarning Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E4583DFC58A25B096D6AA7DB788706549210B44B ~~~~~ 'Do not show AutoRepublish warning alert' is NOT Disabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options Value Name: disableautorepublishwarning (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: E4583DFC58A25B096D6AA7DB788706549210B44B ~~~~~ 'Do not show AutoRepublish warning alert' is NOT Disabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\options Value Name: disableautorepublishwarning (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Save >> Do not show AutoRepublish warning alert is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\options If value for disableautorepublishwarning is REG_DWORD = 0, this is not a finding.
Fix Text
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Save >> Do not show AutoRepublish warning alert to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 8143E19ADF5341F6856B7357273757628C5DBBD7 ~~~~~ 'Force file extension to match file type' is Enabled: (Always match file type) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security Value Name: extensionhardening Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 8143E19ADF5341F6856B7357273757628C5DBBD7 ~~~~~ 'Force file extension to match file type' is Enabled: (Always match file type) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security Value Name: extensionhardening Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 8C79D425D53FDF90DC546882F8D817A99E441BCB ~~~~~ 'Force file extension to match file type' is NOT Enabled: (Always match file type) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security Value Name: extensionhardening (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 8C79D425D53FDF90DC546882F8D817A99E441BCB ~~~~~ 'Force file extension to match file type' is NOT Enabled: (Always match file type) Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security Value Name: extensionhardening (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Force file extension to match file type is set to "Always match file type". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\security If value for extensionhardening is REG_DWORD = 2, this is not a finding.
Fix Text
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Force file extension to match file type to "Enabled" and select the option "Always match file type".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 465D4554F71A21FF379FD446BE2CE014BBF89B24 ~~~~~ 'Always prevent untrusted Microsoft Query files from opening' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\office\16.0\excel\security\external content Value Name: enableblockunsecurequeryfiles Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 465D4554F71A21FF379FD446BE2CE014BBF89B24 ~~~~~ 'Always prevent untrusted Microsoft Query files from opening' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\office\16.0\excel\security\external content Value Name: enableblockunsecurequeryfiles Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 82D7D3AF6527645A597B5902655CF02075B86448 ~~~~~ 'Always prevent untrusted Microsoft Query files from opening' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\office\16.0\excel\security\external content Value Name: enableblockunsecurequeryfiles (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 82D7D3AF6527645A597B5902655CF02075B86448 ~~~~~ 'Always prevent untrusted Microsoft Query files from opening' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\office\16.0\excel\security\external content Value Name: enableblockunsecurequeryfiles (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> External Content >> Always prevent untrusted Microsoft Query files from opening is set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\excel\security\external content. Value for enableblockunsecurequeryfiles should be REG_DWORD = 1 If the value for enableblockunsecurequeryfiles is Reg_DWORD = 1, this is not a finding.
Fix Text
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> External Content >> Always prevent untrusted Microsoft Query files from opening to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 451A8A8DE1883B7E90DDA37CFD83733B657FC7CA ~~~~~ 'Always open untrusted database files in Protected View' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\protectedview Value Name: enabledatabasefileprotectedview Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 451A8A8DE1883B7E90DDA37CFD83733B657FC7CA ~~~~~ 'Always open untrusted database files in Protected View' is Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\protectedview Value Name: enabledatabasefileprotectedview Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 0CDB19168E8808FE2E627541B6B3C8867E646865 ~~~~~ 'Always open untrusted database files in Protected View' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\protectedview Value Name: enabledatabasefileprotectedview (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 0CDB19168E8808FE2E627541B6B3C8867E646865 ~~~~~ 'Always open untrusted database files in Protected View' is NOT Enabled Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\excel\security\protectedview Value Name: enabledatabasefileprotectedview (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> Protected View >> Always open untrusted database files in Protected View is set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\security\protectedview If the value for enabledatabasefileprotectedview is REG_DWORD = 1, this is not a finding.
Fix Text
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> Protected View >> Always open untrusted database files in Protected View to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 242B02494150CC39BF63097E5D403F333F085943 ~~~~~ 'Use Unicode format when dragging e-mail message to file system' is Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\options\general Value Name: msgformat Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 242B02494150CC39BF63097E5D403F333F085943 ~~~~~ 'Use Unicode format when dragging e-mail message to file system' is Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\options\general Value Name: msgformat Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 5CC6371388F754400CE2259E6BBC0F88571031CC ~~~~~ 'Use Unicode format when dragging e-mail message to file system' is NOT Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\options\general Value Name: msgformat (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 5CC6371388F754400CE2259E6BBC0F88571031CC ~~~~~ 'Use Unicode format when dragging e-mail message to file system' is NOT Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\options\general Value Name: msgformat (Not found) Comments |
|||||
Check Text
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Outlook Options >> Other >> Advanced >> Use Unicode format when dragging e-mail message to file system is set to "Disabled". Use the Windows Registry to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\outlook\options\general If the value for msgformat is set to REG_DWORD = 0, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Outlook Options >> Other >> Advanced >> Use Unicode format when dragging e-mail message to file system to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 4ECDFC11B01678DA255D83E3F9F6252837EE5E3B ~~~~~ 'Junk E-mail protection level' is Configured Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\options\mail Value Name: junkmailprotection Value: 0x00000003 (3) Type: REG_DWORD Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-Office365_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 4ECDFC11B01678DA255D83E3F9F6252837EE5E3B ~~~~~ 'Junk E-mail protection level' is Configured Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\options\mail Value Name: junkmailprotection Value: 0x00000003 (3) Type: REG_DWORD Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: B559D6629C7F0F5A167B784C458B03694ECDC8F1 ~~~~~ 'Junk E-mail protection level' is NOT Configured Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\options\mail Value Name: junkmailprotection (Not found) Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: B559D6629C7F0F5A167B784C458B03694ECDC8F1 ~~~~~ 'Junk E-mail protection level' is NOT Configured Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\options\mail Value Name: junkmailprotection (Not found) Comments |
|||||
Check Text
Note: If the Outlook client application is not used to access Office 365 email (i.e., email is only accessed via Outlook Web Access [OWA]), this is not applicable. Verify Outlook Junk E-mail protection is set to "No Automatic Filtering". In Outlook, click Home tab >> Delete group >> Junk >> Junk E-mail Options. Verify Junk E-mail protection is set to "No Automatic Filtering". If the system being inspected is not behind EEMSG, CBII, or O365 EOP, the Junk E-mail protection level must be set to "High". Otherwise, "Low" is acceptable. If Junk E-mail protection is not set to "No Automatic Filtering", this is a finding. If the system is not behind enterprise-level capabilities such as EEMSG, CBII, or O365 EOP and the Junk E-mail protection is not set to "High", this is a finding. If the system is behind enterprise-level capabilities such as EEMSG, CBII, or O365 EOP, and the Junk E-mail protection is not at least "Low", this is a finding.
Fix Text
In Outlook, click Home tab >> Delete group >> Junk >> Junk E-mail Options. Set the Junk E-mail protection level to "No Automatic Filtering".