| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E24FAFA899A9EF37673E36B9DA7CDC2E96352FB5 ~~~~~ 'Apply UAC restrictions to local accounts on network logons' is Enabled Registry Path: Value Name: LocalAccountTokenFilterPolicy Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\S.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1105 ResultHash: E24FAFA899A9EF37673E36B9DA7CDC2E96352FB5 ~~~~~ 'Apply UAC restrictions to local accounts on network logons' is Enabled Registry Path: Value Name: LocalAccountTokenFilterPolicy Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\S.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1105 ResultHash: E24FAFA899A9EF37673E36B9DA7CDC2E96352FB5 ~~~~~ 'Apply UAC restrictions to local accounts on network logons' is Enabled Registry Path: Value Name: LocalAccountTokenFilterPolicy Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E24FAFA899A9EF37673E36B9DA7CDC2E96352FB5 ~~~~~ 'Apply UAC restrictions to local accounts on network logons' is Enabled Registry Path: Value Name: LocalAccountTokenFilterPolicy Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\montford.exchange UserSID: S-1-5-21-1360995287-4027491577-3040029667-1118 ResultHash: E24FAFA899A9EF37673E36B9DA7CDC2E96352FB5 ~~~~~ 'Apply UAC restrictions to local accounts on network logons' is Enabled Registry Path: Value Name: LocalAccountTokenFilterPolicy Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E24FAFA899A9EF37673E36B9DA7CDC2E96352FB5 ~~~~~ 'Apply UAC restrictions to local accounts on network logons' is Enabled Registry Path: Value Name: LocalAccountTokenFilterPolicy Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E24FAFA899A9EF37673E36B9DA7CDC2E96352FB5 ~~~~~ 'Apply UAC restrictions to local accounts on network logons' is Enabled Registry Path: Value Name: LocalAccountTokenFilterPolicy Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
This applies to member servers. For domain controllers and standalone or nondomain-joined systems, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LocalAccountTokenFilterPolicy Type: REG_DWORD Value: 0x00000000 (0) This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to "1" may be required.
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Apply UAC restrictions to local accounts on network logons" to "Enabled". This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: ABC68409B29B6EC49A61BC75D73157070C3C31F0 ~~~~~ 'Enumerate local users on domain-joined computers' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: ABC68409B29B6EC49A61BC75D73157070C3C31F0 ~~~~~ 'Enumerate local users on domain-joined computers' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: ABC68409B29B6EC49A61BC75D73157070C3C31F0 ~~~~~ 'Enumerate local users on domain-joined computers' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: ABC68409B29B6EC49A61BC75D73157070C3C31F0 ~~~~~ 'Enumerate local users on domain-joined computers' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: ABC68409B29B6EC49A61BC75D73157070C3C31F0 ~~~~~ 'Enumerate local users on domain-joined computers' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: ABC68409B29B6EC49A61BC75D73157070C3C31F0 ~~~~~ 'Enumerate local users on domain-joined computers' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: ABC68409B29B6EC49A61BC75D73157070C3C31F0 ~~~~~ 'Enumerate local users on domain-joined computers' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
This applies to member servers. For domain controllers and standalone or nondomain-joined systems, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ Value Name: EnumerateLocalUsers Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Enumerate local users on domain-joined computers" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65E5F695A849838CF853B7D32CA2F7CE19D83A67 ~~~~~ 'Restrict Unauthenticated RPC clients' is Enabled with 'Authenticated' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65E5F695A849838CF853B7D32CA2F7CE19D83A67 ~~~~~ 'Restrict Unauthenticated RPC clients' is Enabled with 'Authenticated' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65E5F695A849838CF853B7D32CA2F7CE19D83A67 ~~~~~ 'Restrict Unauthenticated RPC clients' is Enabled with 'Authenticated' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65E5F695A849838CF853B7D32CA2F7CE19D83A67 ~~~~~ 'Restrict Unauthenticated RPC clients' is Enabled with 'Authenticated' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65E5F695A849838CF853B7D32CA2F7CE19D83A67 ~~~~~ 'Restrict Unauthenticated RPC clients' is Enabled with 'Authenticated' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65E5F695A849838CF853B7D32CA2F7CE19D83A67 ~~~~~ 'Restrict Unauthenticated RPC clients' is Enabled with 'Authenticated' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65E5F695A849838CF853B7D32CA2F7CE19D83A67 ~~~~~ 'Restrict Unauthenticated RPC clients' is Enabled with 'Authenticated' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. It is NA for domain controllers. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Procedure Call >> "Restrict Unauthenticated RPC clients" to "Enabled" with "Authenticated" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 28CC0C728D320C305B66377A1ED8B6C7583DBFE4 ~~~~~ 'Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)' is 4 Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value: 4 Type: REG_SZ Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 28CC0C728D320C305B66377A1ED8B6C7583DBFE4 ~~~~~ 'Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)' is 4 Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value: 4 Type: REG_SZ Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 28CC0C728D320C305B66377A1ED8B6C7583DBFE4 ~~~~~ 'Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)' is 4 Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value: 4 Type: REG_SZ Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 28CC0C728D320C305B66377A1ED8B6C7583DBFE4 ~~~~~ 'Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)' is 4 Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value: 4 Type: REG_SZ Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 28CC0C728D320C305B66377A1ED8B6C7583DBFE4 ~~~~~ 'Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)' is 4 Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value: 4 Type: REG_SZ Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 28CC0C728D320C305B66377A1ED8B6C7583DBFE4 ~~~~~ 'Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)' is 4 Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value: 4 Type: REG_SZ Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 28CC0C728D320C305B66377A1ED8B6C7583DBFE4 ~~~~~ 'Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)' is 4 Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value: 4 Type: REG_SZ Comments |
|||||
Check Text
This applies to member servers. For domain controllers and standalone or nondomain-joined systems, this is NA. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: CachedLogonsCount Value Type: REG_SZ Value: 4 (or less)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)" to "4" logons or less.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 49C6F584D4779A16D797193D1816709E6F574564 ~~~~~ 'Network access: Restrict clients allowed to make remote calls to SAM' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictRemoteSAM Value: O:BAG:BAD:(A;;RC;;;BA) Type: REG_SZ Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 49C6F584D4779A16D797193D1816709E6F574564 ~~~~~ 'Network access: Restrict clients allowed to make remote calls to SAM' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictRemoteSAM Value: O:BAG:BAD:(A;;RC;;;BA) Type: REG_SZ Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 49C6F584D4779A16D797193D1816709E6F574564 ~~~~~ 'Network access: Restrict clients allowed to make remote calls to SAM' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictRemoteSAM Value: O:BAG:BAD:(A;;RC;;;BA) Type: REG_SZ Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 49C6F584D4779A16D797193D1816709E6F574564 ~~~~~ 'Network access: Restrict clients allowed to make remote calls to SAM' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictRemoteSAM Value: O:BAG:BAD:(A;;RC;;;BA) Type: REG_SZ Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 49C6F584D4779A16D797193D1816709E6F574564 ~~~~~ 'Network access: Restrict clients allowed to make remote calls to SAM' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictRemoteSAM Value: O:BAG:BAD:(A;;RC;;;BA) Type: REG_SZ Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 49C6F584D4779A16D797193D1816709E6F574564 ~~~~~ 'Network access: Restrict clients allowed to make remote calls to SAM' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictRemoteSAM Value: O:BAG:BAD:(A;;RC;;;BA) Type: REG_SZ Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 49C6F584D4779A16D797193D1816709E6F574564 ~~~~~ 'Network access: Restrict clients allowed to make remote calls to SAM' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictRemoteSAM Value: O:BAG:BAD:(A;;RC;;;BA) Type: REG_SZ Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. It is NA for domain controllers. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictRemoteSAM Value Type: REG_SZ Value: O:BAG:BAD:(A;;RC;;;BA)
Fix Text
Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict clients allowed to make remote calls to SAM". Select "Edit Security" to configure the "Security descriptor:". Add "Administrators" in "Group or user names:" if it is not already listed (this is the default). Select "Administrators" in "Group or user names:". Select "Allow" for "Remote Access" in "Permissions for "Administrators". Click "OK". The "Security descriptor:" must be populated with "O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 302709A83196FCC3F75108A1CD0F0A4A4BFBD945 ~~~~~ Access this computer from the network: BUILTIN\Administrators NT AUTHORITY\Authenticated Users Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 302709A83196FCC3F75108A1CD0F0A4A4BFBD945 ~~~~~ Access this computer from the network: BUILTIN\Administrators NT AUTHORITY\Authenticated Users Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 302709A83196FCC3F75108A1CD0F0A4A4BFBD945 ~~~~~ Access this computer from the network: BUILTIN\Administrators NT AUTHORITY\Authenticated Users Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 302709A83196FCC3F75108A1CD0F0A4A4BFBD945 ~~~~~ Access this computer from the network: BUILTIN\Administrators NT AUTHORITY\Authenticated Users Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 302709A83196FCC3F75108A1CD0F0A4A4BFBD945 ~~~~~ Access this computer from the network: BUILTIN\Administrators NT AUTHORITY\Authenticated Users Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 302709A83196FCC3F75108A1CD0F0A4A4BFBD945 ~~~~~ Access this computer from the network: BUILTIN\Administrators NT AUTHORITY\Authenticated Users Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 302709A83196FCC3F75108A1CD0F0A4A4BFBD945 ~~~~~ Access this computer from the network: BUILTIN\Administrators NT AUTHORITY\Authenticated Users Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Access this computer from the network" user right, this is a finding. - Administrators - Authenticated Users For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeNetworkLogonRight" user right, this is a finding. S-1-5-32-544 (Administrators) S-1-5-11 (Authenticated Users) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups: - Administrators - Authenticated Users
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6386CA45E70EAC022EEE395ACF120AD858947656 ~~~~~ Enable computer and user accounts to be trusted for delegation: No objects assigned to this right. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6386CA45E70EAC022EEE395ACF120AD858947656 ~~~~~ Enable computer and user accounts to be trusted for delegation: No objects assigned to this right. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6386CA45E70EAC022EEE395ACF120AD858947656 ~~~~~ Enable computer and user accounts to be trusted for delegation: No objects assigned to this right. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6386CA45E70EAC022EEE395ACF120AD858947656 ~~~~~ Enable computer and user accounts to be trusted for delegation: No objects assigned to this right. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6386CA45E70EAC022EEE395ACF120AD858947656 ~~~~~ Enable computer and user accounts to be trusted for delegation: No objects assigned to this right. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6386CA45E70EAC022EEE395ACF120AD858947656 ~~~~~ Enable computer and user accounts to be trusted for delegation: No objects assigned to this right. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6386CA45E70EAC022EEE395ACF120AD858947656 ~~~~~ Enable computer and user accounts to be trusted for delegation: No objects assigned to this right. Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeEnableDelegationPrivilege" user right, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Installed: True Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Installed: True Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Installed: True Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 Installed: True Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Installed: True Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Installed: True Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Installed: True Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 Installed: True Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Installed: True Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Installed: True Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Installed: True Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 Installed: True Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Installed: True Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Installed: True Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Installed: True Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 Installed: True Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Installed: True Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Installed: True Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Installed: True Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 Installed: True Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Installed: True Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Installed: True Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Installed: True Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 Installed: True Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Installed: True Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Installed: True Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Installed: True Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 Installed: True Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Installed: True Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Installed: True Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Installed: True Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 Installed: True Comments |
|||||
Check Text
The certificates and thumbprints referenced below apply to unclassified systems; refer to PKE documentation for other networks. Open "Windows PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF Valid to: Friday, January 24, 2053 Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates" and click "Add". Select "Computer account" and click "Next". Select "Local computer: (the computer this console is running on)" and click "Finish". Click "OK". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". For each of the DoD Root CA certificates noted below: Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. DoD Root CA 3 Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB Valid to: Sunday, December 30, 2029 DoD Root CA 4 Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 Valid to: Sunday, July 25, 2032 DoD Root CA 5 Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B Valid to: Friday, June 14, 2041 DoD Root CA 6 Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF Valid to: Friday, January 24, 2053
Fix Text
Install the DoD Root CA certificates: DoD Root CA 3 DoD Root CA 4 DoD Root CA 5 DoD Root CA 6 The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2EC40048BA7B0A9F2D0A13E537C545D4F6F79D7 ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 Installed: True Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2EC40048BA7B0A9F2D0A13E537C545D4F6F79D7 ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 Installed: True Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2EC40048BA7B0A9F2D0A13E537C545D4F6F79D7 ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 Installed: True Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2EC40048BA7B0A9F2D0A13E537C545D4F6F79D7 ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 Installed: True Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2EC40048BA7B0A9F2D0A13E537C545D4F6F79D7 ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 Installed: True Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2EC40048BA7B0A9F2D0A13E537C545D4F6F79D7 ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 Installed: True Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2EC40048BA7B0A9F2D0A13E537C545D4F6F79D7 ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 Installed: True Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A2EC40048BA7B0A9F2D0A13E537C545D4F6F79D7 ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 Installed: True Comments |
|||||
Check Text
Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 9:57:16 AM Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to Untrusted Certificates >> Certificates. For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 9:57:16 AM
Fix Text
Install the DoD Interoperability Root CA cross-certificates on unclassified systems. Issued To - Issued By - Thumbprint DoD Root CA 3 - DoD Interoperability Root CA 2 - 49CBE933151872E17C8EAE7F0ABA97FB610F6477 The certificates can be installed using the InstallRoot tool. The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FB27090B6C20ED7F85E71A0A47B7DBC2EB26A7BD ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Installed: True Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FB27090B6C20ED7F85E71A0A47B7DBC2EB26A7BD ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Installed: True Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FB27090B6C20ED7F85E71A0A47B7DBC2EB26A7BD ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Installed: True Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FB27090B6C20ED7F85E71A0A47B7DBC2EB26A7BD ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Installed: True Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FB27090B6C20ED7F85E71A0A47B7DBC2EB26A7BD ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Installed: True Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FB27090B6C20ED7F85E71A0A47B7DBC2EB26A7BD ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Installed: True Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FB27090B6C20ED7F85E71A0A47B7DBC2EB26A7BD ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Installed: True Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FB27090B6C20ED7F85E71A0A47B7DBC2EB26A7BD ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Installed: True Comments |
|||||
Check Text
Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. Run "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Alternately use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates", click "Add". Select "Computer account", click "Next". Select "Local computer: (the computer this console is running on)", click "Finish". Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025
Fix Text
Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 The certificates can be installed using the InstallRoot tool. The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B36C634C9C40B0094FF0676E2CD029965645B6F ~~~~~ 'Accounts: Guest account status' is Disabled EnableGuestAccount: 0 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B36C634C9C40B0094FF0676E2CD029965645B6F ~~~~~ 'Accounts: Guest account status' is Disabled EnableGuestAccount: 0 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B36C634C9C40B0094FF0676E2CD029965645B6F ~~~~~ 'Accounts: Guest account status' is Disabled EnableGuestAccount: 0 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B36C634C9C40B0094FF0676E2CD029965645B6F ~~~~~ 'Accounts: Guest account status' is Disabled EnableGuestAccount: 0 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B36C634C9C40B0094FF0676E2CD029965645B6F ~~~~~ 'Accounts: Guest account status' is Disabled EnableGuestAccount: 0 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B36C634C9C40B0094FF0676E2CD029965645B6F ~~~~~ 'Accounts: Guest account status' is Disabled EnableGuestAccount: 0 Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B36C634C9C40B0094FF0676E2CD029965645B6F ~~~~~ 'Accounts: Guest account status' is Disabled EnableGuestAccount: 0 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4B36C634C9C40B0094FF0676E2CD029965645B6F ~~~~~ 'Accounts: Guest account status' is Disabled EnableGuestAccount: 0 Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "EnableGuestAccount" equals "1" in the file, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Guest account status" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 938B5D59F6EEE4836658D1458955462833BA0985 ~~~~~ 'Accounts: Rename administrator account' is Configured NewAdministratorName: X_Admin Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 938B5D59F6EEE4836658D1458955462833BA0985 ~~~~~ 'Accounts: Rename administrator account' is Configured NewAdministratorName: X_Admin Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 938B5D59F6EEE4836658D1458955462833BA0985 ~~~~~ 'Accounts: Rename administrator account' is Configured NewAdministratorName: X_Admin Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6756A92EE46D75E92A2A70BDAF3356EBF2DD7DAC ~~~~~ 'Accounts: Rename administrator account' is Configured NewAdministratorName: SHB_Admin Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 938B5D59F6EEE4836658D1458955462833BA0985 ~~~~~ 'Accounts: Rename administrator account' is Configured NewAdministratorName: X_Admin Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6756A92EE46D75E92A2A70BDAF3356EBF2DD7DAC ~~~~~ 'Accounts: Rename administrator account' is Configured NewAdministratorName: SHB_Admin Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 938B5D59F6EEE4836658D1458955462833BA0985 ~~~~~ 'Accounts: Rename administrator account' is Configured NewAdministratorName: X_Admin Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 938B5D59F6EEE4836658D1458955462833BA0985 ~~~~~ 'Accounts: Rename administrator account' is Configured NewAdministratorName: X_Admin Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "NewAdministratorName" is not something other than "Administrator" in the file, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename administrator account" to a name other than "Administrator".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65D963B5E42EA95D69DDA5CE0A378E6B2420D343 ~~~~~ 'Accounts: Rename guest account' is Configured NewGuestName: Visitor Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65D963B5E42EA95D69DDA5CE0A378E6B2420D343 ~~~~~ 'Accounts: Rename guest account' is Configured NewGuestName: Visitor Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65D963B5E42EA95D69DDA5CE0A378E6B2420D343 ~~~~~ 'Accounts: Rename guest account' is Configured NewGuestName: Visitor Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3F1CB8648AFBA97D4DAC6E45BD39977D47D8CA26 ~~~~~ 'Accounts: Rename guest account' is Configured NewGuestName: SHB_Visitor Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65D963B5E42EA95D69DDA5CE0A378E6B2420D343 ~~~~~ 'Accounts: Rename guest account' is Configured NewGuestName: Visitor Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3F1CB8648AFBA97D4DAC6E45BD39977D47D8CA26 ~~~~~ 'Accounts: Rename guest account' is Configured NewGuestName: SHB_Visitor Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65D963B5E42EA95D69DDA5CE0A378E6B2420D343 ~~~~~ 'Accounts: Rename guest account' is Configured NewGuestName: Visitor Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 65D963B5E42EA95D69DDA5CE0A378E6B2420D343 ~~~~~ 'Accounts: Rename guest account' is Configured NewGuestName: Visitor Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "NewGuestName" is not something other than "Guest" in the file, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename guest account" to a name other than "Guest".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AFC3CE567F252B2BE09FC92C1D55F904F5B444F ~~~~~ 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AFC3CE567F252B2BE09FC92C1D55F904F5B444F ~~~~~ 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AFC3CE567F252B2BE09FC92C1D55F904F5B444F ~~~~~ 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AFC3CE567F252B2BE09FC92C1D55F904F5B444F ~~~~~ 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AFC3CE567F252B2BE09FC92C1D55F904F5B444F ~~~~~ 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AFC3CE567F252B2BE09FC92C1D55F904F5B444F ~~~~~ 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AFC3CE567F252B2BE09FC92C1D55F904F5B444F ~~~~~ 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7AFC3CE567F252B2BE09FC92C1D55F904F5B444F ~~~~~ 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 768851CC97ECEB9EB63B747FCDA75CF7978BB583 ~~~~~ 'Domain member: Digitally encrypt or sign secure channel data (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 768851CC97ECEB9EB63B747FCDA75CF7978BB583 ~~~~~ 'Domain member: Digitally encrypt or sign secure channel data (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 768851CC97ECEB9EB63B747FCDA75CF7978BB583 ~~~~~ 'Domain member: Digitally encrypt or sign secure channel data (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 768851CC97ECEB9EB63B747FCDA75CF7978BB583 ~~~~~ 'Domain member: Digitally encrypt or sign secure channel data (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 768851CC97ECEB9EB63B747FCDA75CF7978BB583 ~~~~~ 'Domain member: Digitally encrypt or sign secure channel data (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 768851CC97ECEB9EB63B747FCDA75CF7978BB583 ~~~~~ 'Domain member: Digitally encrypt or sign secure channel data (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 768851CC97ECEB9EB63B747FCDA75CF7978BB583 ~~~~~ 'Domain member: Digitally encrypt or sign secure channel data (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 768851CC97ECEB9EB63B747FCDA75CF7978BB583 ~~~~~ 'Domain member: Digitally encrypt or sign secure channel data (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F343CF439907225DA5621C3F34434F566462DD05 ~~~~~ 'Domain member: Digitally encrypt secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F343CF439907225DA5621C3F34434F566462DD05 ~~~~~ 'Domain member: Digitally encrypt secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F343CF439907225DA5621C3F34434F566462DD05 ~~~~~ 'Domain member: Digitally encrypt secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F343CF439907225DA5621C3F34434F566462DD05 ~~~~~ 'Domain member: Digitally encrypt secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F343CF439907225DA5621C3F34434F566462DD05 ~~~~~ 'Domain member: Digitally encrypt secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F343CF439907225DA5621C3F34434F566462DD05 ~~~~~ 'Domain member: Digitally encrypt secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F343CF439907225DA5621C3F34434F566462DD05 ~~~~~ 'Domain member: Digitally encrypt secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F343CF439907225DA5621C3F34434F566462DD05 ~~~~~ 'Domain member: Digitally encrypt secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 36BAC351878C6C80896B265F9F8C16749B276082 ~~~~~ 'Domain member: Digitally sign secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 36BAC351878C6C80896B265F9F8C16749B276082 ~~~~~ 'Domain member: Digitally sign secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 36BAC351878C6C80896B265F9F8C16749B276082 ~~~~~ 'Domain member: Digitally sign secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 36BAC351878C6C80896B265F9F8C16749B276082 ~~~~~ 'Domain member: Digitally sign secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 36BAC351878C6C80896B265F9F8C16749B276082 ~~~~~ 'Domain member: Digitally sign secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 36BAC351878C6C80896B265F9F8C16749B276082 ~~~~~ 'Domain member: Digitally sign secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 36BAC351878C6C80896B265F9F8C16749B276082 ~~~~~ 'Domain member: Digitally sign secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 36BAC351878C6C80896B265F9F8C16749B276082 ~~~~~ 'Domain member: Digitally sign secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BB635AA6841E00077B664A8F94678C4D24F2AACE ~~~~~ 'Domain member: Disable machine account password changes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BB635AA6841E00077B664A8F94678C4D24F2AACE ~~~~~ 'Domain member: Disable machine account password changes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BB635AA6841E00077B664A8F94678C4D24F2AACE ~~~~~ 'Domain member: Disable machine account password changes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BB635AA6841E00077B664A8F94678C4D24F2AACE ~~~~~ 'Domain member: Disable machine account password changes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BB635AA6841E00077B664A8F94678C4D24F2AACE ~~~~~ 'Domain member: Disable machine account password changes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BB635AA6841E00077B664A8F94678C4D24F2AACE ~~~~~ 'Domain member: Disable machine account password changes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BB635AA6841E00077B664A8F94678C4D24F2AACE ~~~~~ 'Domain member: Disable machine account password changes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: BB635AA6841E00077B664A8F94678C4D24F2AACE ~~~~~ 'Domain member: Disable machine account password changes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Disable machine account password changes" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 580464C51958DB10909965DAC2080AC32447AAF8 ~~~~~ 'Domain member: Maximum machine account password age' is Configured Registry Path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value: 0x0000001e (30) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 580464C51958DB10909965DAC2080AC32447AAF8 ~~~~~ 'Domain member: Maximum machine account password age' is Configured Registry Path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value: 0x0000001e (30) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 580464C51958DB10909965DAC2080AC32447AAF8 ~~~~~ 'Domain member: Maximum machine account password age' is Configured Registry Path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value: 0x0000001e (30) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 580464C51958DB10909965DAC2080AC32447AAF8 ~~~~~ 'Domain member: Maximum machine account password age' is Configured Registry Path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value: 0x0000001e (30) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 580464C51958DB10909965DAC2080AC32447AAF8 ~~~~~ 'Domain member: Maximum machine account password age' is Configured Registry Path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value: 0x0000001e (30) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 580464C51958DB10909965DAC2080AC32447AAF8 ~~~~~ 'Domain member: Maximum machine account password age' is Configured Registry Path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value: 0x0000001e (30) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 580464C51958DB10909965DAC2080AC32447AAF8 ~~~~~ 'Domain member: Maximum machine account password age' is Configured Registry Path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value: 0x0000001e (30) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 580464C51958DB10909965DAC2080AC32447AAF8 ~~~~~ 'Domain member: Maximum machine account password age' is Configured Registry Path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value: 0x0000001e (30) Type: REG_DWORD Comments |
|||||
Check Text
This is the default configuration for this setting (30 days). If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value Type: REG_DWORD Value: 0x0000001e (30) (or less, but not 0)
Fix Text
This is the default configuration for this setting (30 days). Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Maximum machine account password age" to "30" or less (excluding "0", which is unacceptable).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7A8877B1B464B449B4A82D21A20FE09800FBA1D8 ~~~~~ 'Domain member: Require strong (Windows 2000 or Later) session key' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7A8877B1B464B449B4A82D21A20FE09800FBA1D8 ~~~~~ 'Domain member: Require strong (Windows 2000 or Later) session key' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7A8877B1B464B449B4A82D21A20FE09800FBA1D8 ~~~~~ 'Domain member: Require strong (Windows 2000 or Later) session key' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7A8877B1B464B449B4A82D21A20FE09800FBA1D8 ~~~~~ 'Domain member: Require strong (Windows 2000 or Later) session key' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7A8877B1B464B449B4A82D21A20FE09800FBA1D8 ~~~~~ 'Domain member: Require strong (Windows 2000 or Later) session key' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7A8877B1B464B449B4A82D21A20FE09800FBA1D8 ~~~~~ 'Domain member: Require strong (Windows 2000 or Later) session key' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7A8877B1B464B449B4A82D21A20FE09800FBA1D8 ~~~~~ 'Domain member: Require strong (Windows 2000 or Later) session key' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 7A8877B1B464B449B4A82D21A20FE09800FBA1D8 ~~~~~ 'Domain member: Require strong (Windows 2000 or Later) session key' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 0x00000001 (1) This setting may prevent a system from being joined to a domain if not configured consistently between systems.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 19BA087C9A5747886DD6AD505184EC0073FE83F0 ~~~~~ 'Interactive logon: Machine inactivity limit' is Configured Registry Path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value: 0x00000384 (900) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 19BA087C9A5747886DD6AD505184EC0073FE83F0 ~~~~~ 'Interactive logon: Machine inactivity limit' is Configured Registry Path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value: 0x00000384 (900) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 19BA087C9A5747886DD6AD505184EC0073FE83F0 ~~~~~ 'Interactive logon: Machine inactivity limit' is Configured Registry Path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value: 0x00000384 (900) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 19BA087C9A5747886DD6AD505184EC0073FE83F0 ~~~~~ 'Interactive logon: Machine inactivity limit' is Configured Registry Path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value: 0x00000384 (900) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 19BA087C9A5747886DD6AD505184EC0073FE83F0 ~~~~~ 'Interactive logon: Machine inactivity limit' is Configured Registry Path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value: 0x00000384 (900) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 19BA087C9A5747886DD6AD505184EC0073FE83F0 ~~~~~ 'Interactive logon: Machine inactivity limit' is Configured Registry Path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value: 0x00000384 (900) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 19BA087C9A5747886DD6AD505184EC0073FE83F0 ~~~~~ 'Interactive logon: Machine inactivity limit' is Configured Registry Path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value: 0x00000384 (900) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 19BA087C9A5747886DD6AD505184EC0073FE83F0 ~~~~~ 'Interactive logon: Machine inactivity limit' is Configured Registry Path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value: 0x00000384 (900) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value Type: REG_DWORD Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Machine inactivity limit" to "900" seconds or less, excluding "0" which is effectively disabled.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E8B54A53D42E7E78768CD8651A8875ECA26F3615 ~~~~~ 'Interactive logon: Message text for users attempting to log on' is Configured Properly Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LegalNoticeText Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Type: REG_SZ Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E8B54A53D42E7E78768CD8651A8875ECA26F3615 ~~~~~ 'Interactive logon: Message text for users attempting to log on' is Configured Properly Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LegalNoticeText Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Type: REG_SZ Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E8B54A53D42E7E78768CD8651A8875ECA26F3615 ~~~~~ 'Interactive logon: Message text for users attempting to log on' is Configured Properly Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LegalNoticeText Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Type: REG_SZ Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E8B54A53D42E7E78768CD8651A8875ECA26F3615 ~~~~~ 'Interactive logon: Message text for users attempting to log on' is Configured Properly Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LegalNoticeText Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Type: REG_SZ Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E8B54A53D42E7E78768CD8651A8875ECA26F3615 ~~~~~ 'Interactive logon: Message text for users attempting to log on' is Configured Properly Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LegalNoticeText Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Type: REG_SZ Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E8B54A53D42E7E78768CD8651A8875ECA26F3615 ~~~~~ 'Interactive logon: Message text for users attempting to log on' is Configured Properly Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LegalNoticeText Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Type: REG_SZ Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E8B54A53D42E7E78768CD8651A8875ECA26F3615 ~~~~~ 'Interactive logon: Message text for users attempting to log on' is Configured Properly Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LegalNoticeText Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Type: REG_SZ Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E8B54A53D42E7E78768CD8651A8875ECA26F3615 ~~~~~ 'Interactive logon: Message text for users attempting to log on' is Configured Properly Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LegalNoticeText Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Type: REG_SZ Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText Value Type: REG_SZ Value: See message text below You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1699DDC3437525C1B4302CC3B76F6DCC746ED96E ~~~~~ 'Interactive logon: Smart card removal behavior' is Lock Workstation with 'Force Logoff' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value: 1 Type: REG_SZ Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1699DDC3437525C1B4302CC3B76F6DCC746ED96E ~~~~~ 'Interactive logon: Smart card removal behavior' is Lock Workstation with 'Force Logoff' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value: 1 Type: REG_SZ Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1699DDC3437525C1B4302CC3B76F6DCC746ED96E ~~~~~ 'Interactive logon: Smart card removal behavior' is Lock Workstation with 'Force Logoff' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value: 1 Type: REG_SZ Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1699DDC3437525C1B4302CC3B76F6DCC746ED96E ~~~~~ 'Interactive logon: Smart card removal behavior' is Lock Workstation with 'Force Logoff' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value: 1 Type: REG_SZ Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1699DDC3437525C1B4302CC3B76F6DCC746ED96E ~~~~~ 'Interactive logon: Smart card removal behavior' is Lock Workstation with 'Force Logoff' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value: 1 Type: REG_SZ Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1699DDC3437525C1B4302CC3B76F6DCC746ED96E ~~~~~ 'Interactive logon: Smart card removal behavior' is Lock Workstation with 'Force Logoff' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value: 1 Type: REG_SZ Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1699DDC3437525C1B4302CC3B76F6DCC746ED96E ~~~~~ 'Interactive logon: Smart card removal behavior' is Lock Workstation with 'Force Logoff' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value: 1 Type: REG_SZ Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1699DDC3437525C1B4302CC3B76F6DCC746ED96E ~~~~~ 'Interactive logon: Smart card removal behavior' is Lock Workstation with 'Force Logoff' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value: 1 Type: REG_SZ Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value Type: REG_SZ Value: 1 (Lock Workstation) or 2 (Force Logoff) If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F3C1E8E33099B45BDB212B0519A2F33B9B2B5171 ~~~~~ 'Microsoft network client: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F3C1E8E33099B45BDB212B0519A2F33B9B2B5171 ~~~~~ 'Microsoft network client: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F3C1E8E33099B45BDB212B0519A2F33B9B2B5171 ~~~~~ 'Microsoft network client: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F3C1E8E33099B45BDB212B0519A2F33B9B2B5171 ~~~~~ 'Microsoft network client: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F3C1E8E33099B45BDB212B0519A2F33B9B2B5171 ~~~~~ 'Microsoft network client: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F3C1E8E33099B45BDB212B0519A2F33B9B2B5171 ~~~~~ 'Microsoft network client: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F3C1E8E33099B45BDB212B0519A2F33B9B2B5171 ~~~~~ 'Microsoft network client: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F3C1E8E33099B45BDB212B0519A2F33B9B2B5171 ~~~~~ 'Microsoft network client: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (always)" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AE5A1136C75ABE6423313D703CC15C146488D7A ~~~~~ 'Microsoft network client: Digitally sign communications (if server agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AE5A1136C75ABE6423313D703CC15C146488D7A ~~~~~ 'Microsoft network client: Digitally sign communications (if server agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AE5A1136C75ABE6423313D703CC15C146488D7A ~~~~~ 'Microsoft network client: Digitally sign communications (if server agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AE5A1136C75ABE6423313D703CC15C146488D7A ~~~~~ 'Microsoft network client: Digitally sign communications (if server agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AE5A1136C75ABE6423313D703CC15C146488D7A ~~~~~ 'Microsoft network client: Digitally sign communications (if server agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AE5A1136C75ABE6423313D703CC15C146488D7A ~~~~~ 'Microsoft network client: Digitally sign communications (if server agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AE5A1136C75ABE6423313D703CC15C146488D7A ~~~~~ 'Microsoft network client: Digitally sign communications (if server agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 8AE5A1136C75ABE6423313D703CC15C146488D7A ~~~~~ 'Microsoft network client: Digitally sign communications (if server agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (if server agrees)" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D6A4C224ED5457C6DAF9850BB9D0BC40612C173A ~~~~~ 'Microsoft Network Client: Send unencrypted password to third-party SMB servers' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D6A4C224ED5457C6DAF9850BB9D0BC40612C173A ~~~~~ 'Microsoft Network Client: Send unencrypted password to third-party SMB servers' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D6A4C224ED5457C6DAF9850BB9D0BC40612C173A ~~~~~ 'Microsoft Network Client: Send unencrypted password to third-party SMB servers' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D6A4C224ED5457C6DAF9850BB9D0BC40612C173A ~~~~~ 'Microsoft Network Client: Send unencrypted password to third-party SMB servers' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D6A4C224ED5457C6DAF9850BB9D0BC40612C173A ~~~~~ 'Microsoft Network Client: Send unencrypted password to third-party SMB servers' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D6A4C224ED5457C6DAF9850BB9D0BC40612C173A ~~~~~ 'Microsoft Network Client: Send unencrypted password to third-party SMB servers' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D6A4C224ED5457C6DAF9850BB9D0BC40612C173A ~~~~~ 'Microsoft Network Client: Send unencrypted password to third-party SMB servers' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: D6A4C224ED5457C6DAF9850BB9D0BC40612C173A ~~~~~ 'Microsoft Network Client: Send unencrypted password to third-party SMB servers' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 899E5D4268B8FD2F2EB44326E2D59EE9E6C50F76 ~~~~~ 'Microsoft network server: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 899E5D4268B8FD2F2EB44326E2D59EE9E6C50F76 ~~~~~ 'Microsoft network server: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 899E5D4268B8FD2F2EB44326E2D59EE9E6C50F76 ~~~~~ 'Microsoft network server: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 899E5D4268B8FD2F2EB44326E2D59EE9E6C50F76 ~~~~~ 'Microsoft network server: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 899E5D4268B8FD2F2EB44326E2D59EE9E6C50F76 ~~~~~ 'Microsoft network server: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 899E5D4268B8FD2F2EB44326E2D59EE9E6C50F76 ~~~~~ 'Microsoft network server: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 899E5D4268B8FD2F2EB44326E2D59EE9E6C50F76 ~~~~~ 'Microsoft network server: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 899E5D4268B8FD2F2EB44326E2D59EE9E6C50F76 ~~~~~ 'Microsoft network server: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (always)" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FD8E0D554726CFB8905B2B726A4944CC4D7ACE69 ~~~~~ 'Microsoft network server: Digitally sign communications (if client agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FD8E0D554726CFB8905B2B726A4944CC4D7ACE69 ~~~~~ 'Microsoft network server: Digitally sign communications (if client agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FD8E0D554726CFB8905B2B726A4944CC4D7ACE69 ~~~~~ 'Microsoft network server: Digitally sign communications (if client agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FD8E0D554726CFB8905B2B726A4944CC4D7ACE69 ~~~~~ 'Microsoft network server: Digitally sign communications (if client agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FD8E0D554726CFB8905B2B726A4944CC4D7ACE69 ~~~~~ 'Microsoft network server: Digitally sign communications (if client agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FD8E0D554726CFB8905B2B726A4944CC4D7ACE69 ~~~~~ 'Microsoft network server: Digitally sign communications (if client agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FD8E0D554726CFB8905B2B726A4944CC4D7ACE69 ~~~~~ 'Microsoft network server: Digitally sign communications (if client agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FD8E0D554726CFB8905B2B726A4944CC4D7ACE69 ~~~~~ 'Microsoft network server: Digitally sign communications (if client agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9DBCD40493E0515A9A5835525FAD1CE66566D615 ~~~~~ 'Network access: Let everyone permissions apply to anonymous users' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9DBCD40493E0515A9A5835525FAD1CE66566D615 ~~~~~ 'Network access: Let everyone permissions apply to anonymous users' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9DBCD40493E0515A9A5835525FAD1CE66566D615 ~~~~~ 'Network access: Let everyone permissions apply to anonymous users' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9DBCD40493E0515A9A5835525FAD1CE66566D615 ~~~~~ 'Network access: Let everyone permissions apply to anonymous users' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9DBCD40493E0515A9A5835525FAD1CE66566D615 ~~~~~ 'Network access: Let everyone permissions apply to anonymous users' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9DBCD40493E0515A9A5835525FAD1CE66566D615 ~~~~~ 'Network access: Let everyone permissions apply to anonymous users' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9DBCD40493E0515A9A5835525FAD1CE66566D615 ~~~~~ 'Network access: Let everyone permissions apply to anonymous users' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9DBCD40493E0515A9A5835525FAD1CE66566D615 ~~~~~ 'Network access: Let everyone permissions apply to anonymous users' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Let everyone permissions apply to anonymous users" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 164DB84D831559475134E000319130634298EA3B ~~~~~ 'Network security: Allow Local System to use computer identity for NTLM' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 164DB84D831559475134E000319130634298EA3B ~~~~~ 'Network security: Allow Local System to use computer identity for NTLM' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 164DB84D831559475134E000319130634298EA3B ~~~~~ 'Network security: Allow Local System to use computer identity for NTLM' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 164DB84D831559475134E000319130634298EA3B ~~~~~ 'Network security: Allow Local System to use computer identity for NTLM' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 164DB84D831559475134E000319130634298EA3B ~~~~~ 'Network security: Allow Local System to use computer identity for NTLM' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 164DB84D831559475134E000319130634298EA3B ~~~~~ 'Network security: Allow Local System to use computer identity for NTLM' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 164DB84D831559475134E000319130634298EA3B ~~~~~ 'Network security: Allow Local System to use computer identity for NTLM' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 164DB84D831559475134E000319130634298EA3B ~~~~~ 'Network security: Allow Local System to use computer identity for NTLM' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow Local System to use computer identity for NTLM" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5D6C0BC2C8171041F930D845BE80EE2BD8659E12 ~~~~~ 'Network security: Allow LocalSystem NULL session fallback' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5D6C0BC2C8171041F930D845BE80EE2BD8659E12 ~~~~~ 'Network security: Allow LocalSystem NULL session fallback' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5D6C0BC2C8171041F930D845BE80EE2BD8659E12 ~~~~~ 'Network security: Allow LocalSystem NULL session fallback' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5D6C0BC2C8171041F930D845BE80EE2BD8659E12 ~~~~~ 'Network security: Allow LocalSystem NULL session fallback' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5D6C0BC2C8171041F930D845BE80EE2BD8659E12 ~~~~~ 'Network security: Allow LocalSystem NULL session fallback' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5D6C0BC2C8171041F930D845BE80EE2BD8659E12 ~~~~~ 'Network security: Allow LocalSystem NULL session fallback' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5D6C0BC2C8171041F930D845BE80EE2BD8659E12 ~~~~~ 'Network security: Allow LocalSystem NULL session fallback' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5D6C0BC2C8171041F930D845BE80EE2BD8659E12 ~~~~~ 'Network security: Allow LocalSystem NULL session fallback' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow LocalSystem NULL session fallback" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EAB0D07DEDC065B44229C9732CF27E1EE69C9BC7 ~~~~~ 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EAB0D07DEDC065B44229C9732CF27E1EE69C9BC7 ~~~~~ 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EAB0D07DEDC065B44229C9732CF27E1EE69C9BC7 ~~~~~ 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EAB0D07DEDC065B44229C9732CF27E1EE69C9BC7 ~~~~~ 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EAB0D07DEDC065B44229C9732CF27E1EE69C9BC7 ~~~~~ 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EAB0D07DEDC065B44229C9732CF27E1EE69C9BC7 ~~~~~ 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EAB0D07DEDC065B44229C9732CF27E1EE69C9BC7 ~~~~~ 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EAB0D07DEDC065B44229C9732CF27E1EE69C9BC7 ~~~~~ 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EB2E1C21CBD2C88EBB89CDF510B713F7A18E062B ~~~~~ 'Network security: Configure encryption types allowed for Kerberos' is Enabled with 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, and Future encryption types' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value: 0x7ffffff8 (2147483640) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EB2E1C21CBD2C88EBB89CDF510B713F7A18E062B ~~~~~ 'Network security: Configure encryption types allowed for Kerberos' is Enabled with 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, and Future encryption types' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value: 0x7ffffff8 (2147483640) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EB2E1C21CBD2C88EBB89CDF510B713F7A18E062B ~~~~~ 'Network security: Configure encryption types allowed for Kerberos' is Enabled with 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, and Future encryption types' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value: 0x7ffffff8 (2147483640) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EB2E1C21CBD2C88EBB89CDF510B713F7A18E062B ~~~~~ 'Network security: Configure encryption types allowed for Kerberos' is Enabled with 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, and Future encryption types' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value: 0x7ffffff8 (2147483640) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EB2E1C21CBD2C88EBB89CDF510B713F7A18E062B ~~~~~ 'Network security: Configure encryption types allowed for Kerberos' is Enabled with 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, and Future encryption types' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value: 0x7ffffff8 (2147483640) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EB2E1C21CBD2C88EBB89CDF510B713F7A18E062B ~~~~~ 'Network security: Configure encryption types allowed for Kerberos' is Enabled with 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, and Future encryption types' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value: 0x7ffffff8 (2147483640) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EB2E1C21CBD2C88EBB89CDF510B713F7A18E062B ~~~~~ 'Network security: Configure encryption types allowed for Kerberos' is Enabled with 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, and Future encryption types' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value: 0x7ffffff8 (2147483640) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: EB2E1C21CBD2C88EBB89CDF510B713F7A18E062B ~~~~~ 'Network security: Configure encryption types allowed for Kerberos' is Enabled with 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, and Future encryption types' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value: 0x7ffffff8 (2147483640) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value Type: REG_DWORD Value: 0x7ffffff8 (2147483640)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: AES128_HMAC_SHA1 AES256_HMAC_SHA1 Future encryption types Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to allow client communication across the trust relationship.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5ECC405E9B3A4A3308ECF2F58D1C890BD6B4B50A ~~~~~ 'Network security: LDAP client signing requirements' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5ECC405E9B3A4A3308ECF2F58D1C890BD6B4B50A ~~~~~ 'Network security: LDAP client signing requirements' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5ECC405E9B3A4A3308ECF2F58D1C890BD6B4B50A ~~~~~ 'Network security: LDAP client signing requirements' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5ECC405E9B3A4A3308ECF2F58D1C890BD6B4B50A ~~~~~ 'Network security: LDAP client signing requirements' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5ECC405E9B3A4A3308ECF2F58D1C890BD6B4B50A ~~~~~ 'Network security: LDAP client signing requirements' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5ECC405E9B3A4A3308ECF2F58D1C890BD6B4B50A ~~~~~ 'Network security: LDAP client signing requirements' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5ECC405E9B3A4A3308ECF2F58D1C890BD6B4B50A ~~~~~ 'Network security: LDAP client signing requirements' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 5ECC405E9B3A4A3308ECF2F58D1C890BD6B4B50A ~~~~~ 'Network security: LDAP client signing requirements' is Configured Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2C98ED8B1D3400660554D835EB63964F19C5D096 ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2C98ED8B1D3400660554D835EB63964F19C5D096 ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2C98ED8B1D3400660554D835EB63964F19C5D096 ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2C98ED8B1D3400660554D835EB63964F19C5D096 ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2C98ED8B1D3400660554D835EB63964F19C5D096 ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2C98ED8B1D3400660554D835EB63964F19C5D096 ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2C98ED8B1D3400660554D835EB63964F19C5D096 ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 2C98ED8B1D3400660554D835EB63964F19C5D096 ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value Type: REG_DWORD Value: 0x20080000 (537395200)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 99141E6D7A424C6C0F78C27835C1F81087A1EACD ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 99141E6D7A424C6C0F78C27835C1F81087A1EACD ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 99141E6D7A424C6C0F78C27835C1F81087A1EACD ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 99141E6D7A424C6C0F78C27835C1F81087A1EACD ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 99141E6D7A424C6C0F78C27835C1F81087A1EACD ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 99141E6D7A424C6C0F78C27835C1F81087A1EACD ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 99141E6D7A424C6C0F78C27835C1F81087A1EACD ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 99141E6D7A424C6C0F78C27835C1F81087A1EACD ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is Require NTLMv2 session security with 'Require 128-bit encryption' Registry Path: HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value Type: REG_DWORD Value: 0x20080000 (537395200)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E10C5B4F863FA065AD5387F2743A222FA15AA5E8 ~~~~~ 'System cryptography: Force strong key protection for user keys stored on the computer' is Configured Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E10C5B4F863FA065AD5387F2743A222FA15AA5E8 ~~~~~ 'System cryptography: Force strong key protection for user keys stored on the computer' is Configured Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E10C5B4F863FA065AD5387F2743A222FA15AA5E8 ~~~~~ 'System cryptography: Force strong key protection for user keys stored on the computer' is Configured Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E10C5B4F863FA065AD5387F2743A222FA15AA5E8 ~~~~~ 'System cryptography: Force strong key protection for user keys stored on the computer' is Configured Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E10C5B4F863FA065AD5387F2743A222FA15AA5E8 ~~~~~ 'System cryptography: Force strong key protection for user keys stored on the computer' is Configured Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E10C5B4F863FA065AD5387F2743A222FA15AA5E8 ~~~~~ 'System cryptography: Force strong key protection for user keys stored on the computer' is Configured Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E10C5B4F863FA065AD5387F2743A222FA15AA5E8 ~~~~~ 'System cryptography: Force strong key protection for user keys stored on the computer' is Configured Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: E10C5B4F863FA065AD5387F2743A222FA15AA5E8 ~~~~~ 'System cryptography: Force strong key protection for user keys stored on the computer' is Configured Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Type: REG_DWORD Value: 0x00000002 (2)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Force strong key protection for user keys stored on the computer" to "User must enter a password each time they use a key".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 578FC3916E0B120A53A8FEE87983CE61ED19852F ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value Type: REG_DWORD Value: 0x00000001 (1) Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 70E59D3D7BCF2AFB0B1B2813244D3E2B6DE68BD5 ~~~~~ 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 70E59D3D7BCF2AFB0B1B2813244D3E2B6DE68BD5 ~~~~~ 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 70E59D3D7BCF2AFB0B1B2813244D3E2B6DE68BD5 ~~~~~ 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 70E59D3D7BCF2AFB0B1B2813244D3E2B6DE68BD5 ~~~~~ 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 70E59D3D7BCF2AFB0B1B2813244D3E2B6DE68BD5 ~~~~~ 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 70E59D3D7BCF2AFB0B1B2813244D3E2B6DE68BD5 ~~~~~ 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 70E59D3D7BCF2AFB0B1B2813244D3E2B6DE68BD5 ~~~~~ 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 70E59D3D7BCF2AFB0B1B2813244D3E2B6DE68BD5 ~~~~~ 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3EB1B083F7DF5FA8446DC810CB471A52F4C7F8A5 ~~~~~ 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3EB1B083F7DF5FA8446DC810CB471A52F4C7F8A5 ~~~~~ 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3EB1B083F7DF5FA8446DC810CB471A52F4C7F8A5 ~~~~~ 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3EB1B083F7DF5FA8446DC810CB471A52F4C7F8A5 ~~~~~ 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3EB1B083F7DF5FA8446DC810CB471A52F4C7F8A5 ~~~~~ 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3EB1B083F7DF5FA8446DC810CB471A52F4C7F8A5 ~~~~~ 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3EB1B083F7DF5FA8446DC810CB471A52F4C7F8A5 ~~~~~ 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3EB1B083F7DF5FA8446DC810CB471A52F4C7F8A5 ~~~~~ 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1DED330A39AA7F6CAC7DF413BA95D334BDB7FCD9 ~~~~~ 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is Configured Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1DED330A39AA7F6CAC7DF413BA95D334BDB7FCD9 ~~~~~ 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is Configured Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1DED330A39AA7F6CAC7DF413BA95D334BDB7FCD9 ~~~~~ 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is Configured Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1DED330A39AA7F6CAC7DF413BA95D334BDB7FCD9 ~~~~~ 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is Configured Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1DED330A39AA7F6CAC7DF413BA95D334BDB7FCD9 ~~~~~ 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is Configured Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1DED330A39AA7F6CAC7DF413BA95D334BDB7FCD9 ~~~~~ 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is Configured Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1DED330A39AA7F6CAC7DF413BA95D334BDB7FCD9 ~~~~~ 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is Configured Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1DED330A39AA7F6CAC7DF413BA95D334BDB7FCD9 ~~~~~ 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is Configured Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value Type: REG_DWORD Value: 0x00000002 (2) (Prompt for consent on the secure desktop) 0x00000001 (1) (Prompt for credentials on the secure desktop)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent on the secure desktop". The more secure option for this setting, "Prompt for credentials on the secure desktop", would also be acceptable.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 77467A7B902F8632B33C8A79576A2F4833BEF4B4 ~~~~~ 'User Account Control: Behavior of the elevation prompt for standard users' is Automatically deny elevation requests Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 77467A7B902F8632B33C8A79576A2F4833BEF4B4 ~~~~~ 'User Account Control: Behavior of the elevation prompt for standard users' is Automatically deny elevation requests Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 77467A7B902F8632B33C8A79576A2F4833BEF4B4 ~~~~~ 'User Account Control: Behavior of the elevation prompt for standard users' is Automatically deny elevation requests Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 77467A7B902F8632B33C8A79576A2F4833BEF4B4 ~~~~~ 'User Account Control: Behavior of the elevation prompt for standard users' is Automatically deny elevation requests Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 77467A7B902F8632B33C8A79576A2F4833BEF4B4 ~~~~~ 'User Account Control: Behavior of the elevation prompt for standard users' is Automatically deny elevation requests Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 77467A7B902F8632B33C8A79576A2F4833BEF4B4 ~~~~~ 'User Account Control: Behavior of the elevation prompt for standard users' is Automatically deny elevation requests Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 77467A7B902F8632B33C8A79576A2F4833BEF4B4 ~~~~~ 'User Account Control: Behavior of the elevation prompt for standard users' is Automatically deny elevation requests Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 77467A7B902F8632B33C8A79576A2F4833BEF4B4 ~~~~~ 'User Account Control: Behavior of the elevation prompt for standard users' is Automatically deny elevation requests Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C5D7BBC45FF654CBF4E175605BDC5FD7B063BBDB ~~~~~ 'User Account Control: Detect application installations and prompt for elevation' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C5D7BBC45FF654CBF4E175605BDC5FD7B063BBDB ~~~~~ 'User Account Control: Detect application installations and prompt for elevation' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C5D7BBC45FF654CBF4E175605BDC5FD7B063BBDB ~~~~~ 'User Account Control: Detect application installations and prompt for elevation' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C5D7BBC45FF654CBF4E175605BDC5FD7B063BBDB ~~~~~ 'User Account Control: Detect application installations and prompt for elevation' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C5D7BBC45FF654CBF4E175605BDC5FD7B063BBDB ~~~~~ 'User Account Control: Detect application installations and prompt for elevation' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C5D7BBC45FF654CBF4E175605BDC5FD7B063BBDB ~~~~~ 'User Account Control: Detect application installations and prompt for elevation' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C5D7BBC45FF654CBF4E175605BDC5FD7B063BBDB ~~~~~ 'User Account Control: Detect application installations and prompt for elevation' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: C5D7BBC45FF654CBF4E175605BDC5FD7B063BBDB ~~~~~ 'User Account Control: Detect application installations and prompt for elevation' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Detect application installations and prompt for elevation" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06A665D592B4B23BCFB8A09B17AFF2A0D38F7E7D ~~~~~ 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06A665D592B4B23BCFB8A09B17AFF2A0D38F7E7D ~~~~~ 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06A665D592B4B23BCFB8A09B17AFF2A0D38F7E7D ~~~~~ 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06A665D592B4B23BCFB8A09B17AFF2A0D38F7E7D ~~~~~ 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06A665D592B4B23BCFB8A09B17AFF2A0D38F7E7D ~~~~~ 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06A665D592B4B23BCFB8A09B17AFF2A0D38F7E7D ~~~~~ 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06A665D592B4B23BCFB8A09B17AFF2A0D38F7E7D ~~~~~ 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 06A665D592B4B23BCFB8A09B17AFF2A0D38F7E7D ~~~~~ 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F41953B69D7862D03F223B081083D27D83BD07EF ~~~~~ 'User Account Control: Run all administrators in Admin Approval Mode' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F41953B69D7862D03F223B081083D27D83BD07EF ~~~~~ 'User Account Control: Run all administrators in Admin Approval Mode' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F41953B69D7862D03F223B081083D27D83BD07EF ~~~~~ 'User Account Control: Run all administrators in Admin Approval Mode' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F41953B69D7862D03F223B081083D27D83BD07EF ~~~~~ 'User Account Control: Run all administrators in Admin Approval Mode' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F41953B69D7862D03F223B081083D27D83BD07EF ~~~~~ 'User Account Control: Run all administrators in Admin Approval Mode' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F41953B69D7862D03F223B081083D27D83BD07EF ~~~~~ 'User Account Control: Run all administrators in Admin Approval Mode' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F41953B69D7862D03F223B081083D27D83BD07EF ~~~~~ 'User Account Control: Run all administrators in Admin Approval Mode' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F41953B69D7862D03F223B081083D27D83BD07EF ~~~~~ 'User Account Control: Run all administrators in Admin Approval Mode' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3F065E81CCABC3C5F47A5BAE70F17477E17BB4EA ~~~~~ 'User Account Control: Virtualize file and registry write failures to per-user locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3F065E81CCABC3C5F47A5BAE70F17477E17BB4EA ~~~~~ 'User Account Control: Virtualize file and registry write failures to per-user locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3F065E81CCABC3C5F47A5BAE70F17477E17BB4EA ~~~~~ 'User Account Control: Virtualize file and registry write failures to per-user locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3F065E81CCABC3C5F47A5BAE70F17477E17BB4EA ~~~~~ 'User Account Control: Virtualize file and registry write failures to per-user locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3F065E81CCABC3C5F47A5BAE70F17477E17BB4EA ~~~~~ 'User Account Control: Virtualize file and registry write failures to per-user locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3F065E81CCABC3C5F47A5BAE70F17477E17BB4EA ~~~~~ 'User Account Control: Virtualize file and registry write failures to per-user locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3F065E81CCABC3C5F47A5BAE70F17477E17BB4EA ~~~~~ 'User Account Control: Virtualize file and registry write failures to per-user locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3F065E81CCABC3C5F47A5BAE70F17477E17BB4EA ~~~~~ 'User Account Control: Virtualize file and registry write failures to per-user locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E1E8733E0EB898F9D2EF428AC96620439C92F3E6 ~~~~~ 'Do not preserve zone information in file attachments' is Not Configured in group policy which is acceptable per the STIG. Registry Path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Value Name: SaveZoneInformation (Not found) Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\S.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1105 ResultHash: E1E8733E0EB898F9D2EF428AC96620439C92F3E6 ~~~~~ 'Do not preserve zone information in file attachments' is Not Configured in group policy which is acceptable per the STIG. Registry Path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Value Name: SaveZoneInformation (Not found) Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\S.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1105 ResultHash: E1E8733E0EB898F9D2EF428AC96620439C92F3E6 ~~~~~ 'Do not preserve zone information in file attachments' is Not Configured in group policy which is acceptable per the STIG. Registry Path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Value Name: SaveZoneInformation (Not found) Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\d.admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E1E8733E0EB898F9D2EF428AC96620439C92F3E6 ~~~~~ 'Do not preserve zone information in file attachments' is Not Configured in group policy which is acceptable per the STIG. Registry Path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Value Name: SaveZoneInformation (Not found) Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E1E8733E0EB898F9D2EF428AC96620439C92F3E6 ~~~~~ 'Do not preserve zone information in file attachments' is Not Configured in group policy which is acceptable per the STIG. Registry Path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Value Name: SaveZoneInformation (Not found) Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\montford.exchange UserSID: S-1-5-21-1360995287-4027491577-3040029667-1118 ResultHash: E1E8733E0EB898F9D2EF428AC96620439C92F3E6 ~~~~~ 'Do not preserve zone information in file attachments' is Not Configured in group policy which is acceptable per the STIG. Registry Path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Value Name: SaveZoneInformation (Not found) Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E1E8733E0EB898F9D2EF428AC96620439C92F3E6 ~~~~~ 'Do not preserve zone information in file attachments' is Not Configured in group policy which is acceptable per the STIG. Registry Path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Value Name: SaveZoneInformation (Not found) Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E1E8733E0EB898F9D2EF428AC96620439C92F3E6 ~~~~~ 'Do not preserve zone information in file attachments' is Not Configured in group policy which is acceptable per the STIG. Registry Path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Value Name: SaveZoneInformation (Not found) Comments |
|||||
Check Text
The default behavior is for Windows to mark file attachments with their zone information. If the registry Value Name below does not exist, this is not a finding. If it exists and is configured with a value of "2", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: SaveZoneInformation Value Type: REG_DWORD Value: 0x00000002 (2) (or if the Value Name does not exist)
Fix Text
The default behavior is for Windows to mark file attachments with their zone information. If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> "Do not preserve zone information in file attachments" to "Not Configured" or "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 87F79F66720D9E2E7AA2D4F0BD4E49B75FB81A54 ~~~~~ Access Credential Manager as a trusted caller: No objects assigned to this right. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 87F79F66720D9E2E7AA2D4F0BD4E49B75FB81A54 ~~~~~ Access Credential Manager as a trusted caller: No objects assigned to this right. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 87F79F66720D9E2E7AA2D4F0BD4E49B75FB81A54 ~~~~~ Access Credential Manager as a trusted caller: No objects assigned to this right. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 87F79F66720D9E2E7AA2D4F0BD4E49B75FB81A54 ~~~~~ Access Credential Manager as a trusted caller: No objects assigned to this right. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 87F79F66720D9E2E7AA2D4F0BD4E49B75FB81A54 ~~~~~ Access Credential Manager as a trusted caller: No objects assigned to this right. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 87F79F66720D9E2E7AA2D4F0BD4E49B75FB81A54 ~~~~~ Access Credential Manager as a trusted caller: No objects assigned to this right. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 87F79F66720D9E2E7AA2D4F0BD4E49B75FB81A54 ~~~~~ Access Credential Manager as a trusted caller: No objects assigned to this right. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 87F79F66720D9E2E7AA2D4F0BD4E49B75FB81A54 ~~~~~ Access Credential Manager as a trusted caller: No objects assigned to this right. Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeTrustedCredManAccessPrivilege" user right, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 392F23BFEA1FFA843FBED2A87296251BF545F4E6 ~~~~~ Create a pagefile: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 392F23BFEA1FFA843FBED2A87296251BF545F4E6 ~~~~~ Create a pagefile: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 392F23BFEA1FFA843FBED2A87296251BF545F4E6 ~~~~~ Create a pagefile: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 392F23BFEA1FFA843FBED2A87296251BF545F4E6 ~~~~~ Create a pagefile: BUILTIN\Administrators Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 392F23BFEA1FFA843FBED2A87296251BF545F4E6 ~~~~~ Create a pagefile: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 392F23BFEA1FFA843FBED2A87296251BF545F4E6 ~~~~~ Create a pagefile: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 392F23BFEA1FFA843FBED2A87296251BF545F4E6 ~~~~~ Create a pagefile: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 392F23BFEA1FFA843FBED2A87296251BF545F4E6 ~~~~~ Create a pagefile: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeCreatePagefilePrivilege" user right, this is a finding. S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1B5B4C099509D3018C425654D2D4FB7E1B14B154 ~~~~~ Create global objects: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1B5B4C099509D3018C425654D2D4FB7E1B14B154 ~~~~~ Create global objects: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1B5B4C099509D3018C425654D2D4FB7E1B14B154 ~~~~~ Create global objects: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1B5B4C099509D3018C425654D2D4FB7E1B14B154 ~~~~~ Create global objects: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1B5B4C099509D3018C425654D2D4FB7E1B14B154 ~~~~~ Create global objects: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1B5B4C099509D3018C425654D2D4FB7E1B14B154 ~~~~~ Create global objects: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1B5B4C099509D3018C425654D2D4FB7E1B14B154 ~~~~~ Create global objects: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 1B5B4C099509D3018C425654D2D4FB7E1B14B154 ~~~~~ Create global objects: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding. - Administrators - Service - Local Service - Network Service For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeCreateGlobalPrivilege" user right, this is a finding. S-1-5-32-544 (Administrators) S-1-5-6 (Service) S-1-5-19 (Local Service) S-1-5-20 (Network Service) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to include only the following accounts or groups: - Administrators - Service - Local Service - Network Service