USNS MONTFORD POINT - Findings

V-223355 CAT II The Publish to Global Address List (GAL) button must be disa...

4 assets 2 Open 2 Closed Documented Pending Review Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: CEBE73FDC6FC575984344165FB6A5855AEEE410D ~~~~~ 'Do not display 'Publish to GAL' button' is Enabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: publishtogaldisabled Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: CEBE73FDC6FC575984344165FB6A5855AEEE410D ~~~~~ 'Do not display 'Publish to GAL' button' is Enabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: publishtogaldisabled Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E26BF48A222F223BF6AFE43EE4EFFE8F177588D9 ~~~~~ 'Do not display 'Publish to GAL' button' is NOT Enabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: publishtogaldisabled (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: E26BF48A222F223BF6AFE43EE4EFFE8F177588D9 ~~~~~ 'Do not display 'Publish to GAL' button' is NOT Enabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: publishtogaldisabled (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Cryptography >> Do not display 'Publish to GAL' button is set to "Enabled". Use the Windows Registry to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\outlook\security If the value for publishtogaldisabled is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Cryptography >> Do not display 'Publish to GAL' button to "Enabled".

V-223357 CAT II The warning about invalid digital signatures must be enabled...

4 assets 2 Open 2 Closed Documented Pending Review Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: E2C9F73B190E6B29BBEABEB8CFD74A547C3BDC99 ~~~~~ 'Signature Warning' is Enabled: (Always warn about invalid signatures) Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: warnaboutinvalid Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: E2C9F73B190E6B29BBEABEB8CFD74A547C3BDC99 ~~~~~ 'Signature Warning' is Enabled: (Always warn about invalid signatures) Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: warnaboutinvalid Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 95D1054DF08C3BF8E75C59217FA722AC91F0A403 ~~~~~ 'Signature Warning' is NOT Enabled: (Always warn about invalid signatures) Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: warnaboutinvalid (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 95D1054DF08C3BF8E75C59217FA722AC91F0A403 ~~~~~ 'Signature Warning' is NOT Enabled: (Always warn about invalid signatures) Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: warnaboutinvalid (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Cryptography >> Signature Warning is set to "Enabled" "Always warn about invalid signatures". Use the Windows Registry to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\outlook\security If the value for warnaboutinvalid is set to REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Cryptography >> Signature Warning to "Enabled" "Always warn about invalid signatures".

V-223360 CAT II The ability to demote attachments from Level 2 to Level 1 mu...

4 assets 2 Open 2 Closed Documented Pending Review Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: C9A6531D5B24CFC7619806A6D6E425E1B680E1C0 ~~~~~ 'Allow users to demote attachments to Level 2' is Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: allowuserstolowerattachments Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: C9A6531D5B24CFC7619806A6D6E425E1B680E1C0 ~~~~~ 'Allow users to demote attachments to Level 2' is Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: allowuserstolowerattachments Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E30E1F7DE03FE7A54A9A427833B2CCFADF8E6974 ~~~~~ 'Allow users to demote attachments to Level 2' is NOT Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: allowuserstolowerattachments (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: E30E1F7DE03FE7A54A9A427833B2CCFADF8E6974 ~~~~~ 'Allow users to demote attachments to Level 2' is NOT Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\outlook\security Value Name: allowuserstolowerattachments (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Security Form Settings >> Attachment Security >> Allow users to demote attachments to Level 2 is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\outlook\security If the value allowuserstolowerattachments is set to REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Security Form Settings >> Attachment Security >> Allow users to demote attachments to Level 2 to "Disabled".

V-223379 CAT II Open/Save of PowerPoint 97-2003 presentations, shows, templa...

4 assets 2 Open 2 Closed Documented Pending Review Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 534BAD649726BDDAAA64EF44A60E4BC01148139E ~~~~~ 'PowerPoint 97-2003 presentations, shows, templates and add-in files' is Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\fileblock Value Name: binaryfiles Value: 0x00000002 (2) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 534BAD649726BDDAAA64EF44A60E4BC01148139E ~~~~~ 'PowerPoint 97-2003 presentations, shows, templates and add-in files' is Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\fileblock Value Name: binaryfiles Value: 0x00000002 (2) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: E2BBDE7FE4B84AB263FDD95940FB06D835BD9DD5 ~~~~~ 'PowerPoint 97-2003 presentations, shows, templates and add-in files' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\fileblock Value Name: binaryfiles (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: E2BBDE7FE4B84AB263FDD95940FB06D835BD9DD5 ~~~~~ 'PowerPoint 97-2003 presentations, shows, templates and add-in files' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\fileblock Value Name: binaryfiles (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft PowerPoint 2016 >> PowerPoint Options >> Security >> Trust Center >> File Block Settings >> PowerPoint 97-2003 presentations, shows, templates and add-in files is set to "Enabled" "Open/Save blocked, use open policy". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\powerpoint\security\fileblock If the value for binaryfiles is set to REG_DWORD = 2, this is not a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft PowerPoint 2016 >> PowerPoint Options >> Security >> Trust Center >> File Block Settings >> PowerPoint 97-2003 presentations, shows, templates and add-in files to "Enabled" "Open/Save blocked, use open policy".

V-223385 CAT II Files downloaded from the Internet must be opened in Protect...

4 assets 2 Open 2 Closed Documented Pending Review Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: BE55A58B56B838F4B022590398F738F64B293047 ~~~~~ 'Do not open files from the Internet zone in Protected View' is Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview Value Name: DisableInternetFilesInPV Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: BE55A58B56B838F4B022590398F738F64B293047 ~~~~~ 'Do not open files from the Internet zone in Protected View' is Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview Value Name: DisableInternetFilesInPV Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 8CC339BB941F870F4489121C0371F5FA383293DD ~~~~~ 'Do not open files from the Internet zone in Protected View' is NOT Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview Value Name: DisableInternetFilesInPV (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 8CC339BB941F870F4489121C0371F5FA383293DD ~~~~~ 'Do not open files from the Internet zone in Protected View' is NOT Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview Value Name: DisableInternetFilesInPV (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft PowerPoint 2016 >> PowerPoint Options >> Security >> Trust Center >> Protected View "Do not open files from the Internet zone in Protected View" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\protectedview If the value DisableInternetFilesInPV is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft PowerPoint 2016 >> PowerPoint Options >> Security >> Trust Center >> Protected View "Do not open files from the Internet zone in Protected View" to "Disabled".

V-223387 CAT II Files in unsafe locations must be opened in Protected view i...

4 assets 2 Open 2 Closed Documented Pending Review Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 8391A90CCD9FBCC216AE4267890E8F2461F4A035 ~~~~~ 'Do not open files in unsafe locations in Protected View' is Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview Value Name: DisableUnsafeLocationsInPV Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 8391A90CCD9FBCC216AE4267890E8F2461F4A035 ~~~~~ 'Do not open files in unsafe locations in Protected View' is Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview Value Name: DisableUnsafeLocationsInPV Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: C26A9112506C3C5AC758F56F9FB9769EB3309EC6 ~~~~~ 'Do not open files in unsafe locations in Protected View' is NOT Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview Value Name: DisableUnsafeLocationsInPV (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: C26A9112506C3C5AC758F56F9FB9769EB3309EC6 ~~~~~ 'Do not open files in unsafe locations in Protected View' is NOT Disabled Registry Path: HKCU:\software\policies\microsoft\office\16.0\powerpoint\security\protectedview Value Name: DisableUnsafeLocationsInPV (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft PowerPoint 2016 >> PowerPoint Options >> Security >> Trust Center >> Protected View "Do not open files in unsafe locations in Protected View" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\PowerPoint\security\protectedview If the value DisableUnsafeLocationsInPV is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft PowerPoint 2016 >> PowerPoint Options >> Security >> Trust Center >> Protected View "Do not open files in unsafe locations in Protected View" to "Disabled".

V-223409 CAT II Open/Save of Word 2003 binary documents and templates must b...

4 assets 2 Open 2 Closed Documented Pending Review Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 9B013977DFDFD374D7B76CC5D2E657F3618E1DFB ~~~~~ 'Word 2003 binary documents and templates' is Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word2003files Value: 0x00000002 (2) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 9B013977DFDFD374D7B76CC5D2E657F3618E1DFB ~~~~~ 'Word 2003 binary documents and templates' is Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word2003files Value: 0x00000002 (2) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: A0ADCBF06FD3E6A23DC7487FE033307B7CDD55E8 ~~~~~ 'Word 2003 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word2003files (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: A0ADCBF06FD3E6A23DC7487FE033307B7CDD55E8 ~~~~~ 'Word 2003 binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word2003files (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word 2003 binary documents and templates" is set to "Enabled: Open/Save blocked, use open policy". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\word\security\fileblock If the value word2003files is REG_DWORD = 2, this is not a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word 2003 binary documents and templates" to "Enabled: Open/Save blocked, use open policy".

V-223410 CAT II Open/Save of Word 2007 and later binary documents and templa...

4 assets 2 Open 2 Closed Documented Pending Review Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: B4F304984F907991205776A823510156A2551FE2 ~~~~~ 'Word 2007 and later binary documents and templates' is Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word2007files Value: 0x00000002 (2) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be NOT A FINDING on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: B4F304984F907991205776A823510156A2551FE2 ~~~~~ 'Word 2007 and later binary documents and templates' is Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word2007files Value: 0x00000002 (2) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: 9301841C7E005CF28AC60D17D27F21CCD22A243C ~~~~~ 'Word 2007 and later binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word2007files (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Office365_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: 9301841C7E005CF28AC60D17D27F21CCD22A243C ~~~~~ 'Word 2007 and later binary documents and templates' is NOT Enabled: (Open/Save blocked, use open policy) Registry Path: HKCU:\software\policies\microsoft\office\16.0\word\security\fileblock Value Name: word2007files (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word 2007 and later binary documents and templates" is set to "Enabled: Open/Save blocked, use open policy". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\word\security\fileblock If the value word2007files is REG_DWORD = 2, this is not a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Word 2016 >> Word Options >> Security >> Trust Center >> File Block Settings "Word 2007 and later binary documents and templates" to "Enabled: Open/Save blocked, use open policy".

V-224838 CAT II Windows Server 2016 accounts must require passwords.

8 assets 2 Open 6 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 7E4EA29E6AB3D37B00EC100EB5AAF2A1F79908D4 ~~~~~ Failed accounts: --------------------- Name: X_Admin SID: S-1-5-21-4236012249-4164713760-2408648245-500 Enabled: True Password Req: False Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 55B744C718819D40F62B384D9AADDB1BFC4A7C84 ~~~~~ Failed accounts: --------------------- Name: X_Admin SID: S-1-5-21-2502410760-3344595884-382061215-500 Enabled: True Password Req: False Comments

Check Text

Review the password required status for enabled user accounts. Open "PowerShell". Domain Controllers: Enter "Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs). If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding. Member servers and standalone or nondomain-joined systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. Exclude disabled accounts (e.g., DefaultAccount, Guest). If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.

Fix Text

Configure all enabled user accounts to require passwords. The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.

V-224841 CAT II Non-system-created file shares on a system must limit access...

8 assets 2 Open Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F915C7251A4E90CA60C449A93F6E7915DDC9F180 ~~~~~ The following non-system-created shares have been identified. Verify permissions for each is appropriate: Name: Common (E:\Common) Path: E:\Common --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: Everyone File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\D.Admin File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\Joshua.J.Jordan File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\MONTFORD-POINT CHENG-1-1860720990 File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\MONTFORD-POINT CHMATE-1915368927 File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\MONTFORD-POINT MASTER-1-1408640001 File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\MONTFORD-POINT RADIO-1-199284185 File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\Ryan.W.Arnold File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\S.Admin File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\Steven.Corachan File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: MONTFORD-POINT\Thomas.C.Kozarski File System Rights: ReadAndExecute, Synchronize Inheritance Flags: None Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Name: CRL (E:\CRL) Path: E:\CRL --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: ReadAndExecute, Synchronize Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: AppendData Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: CreateFiles Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: CREATOR OWNER File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: InheritOnly Identity Reference: MONTFORD-POINT\D.Admin File System Rights: FullControl Inheritance Flags: None Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Name: Profiles (E:\Profiles) Path: E:\Profiles --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: Everyone File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\D.Admin File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Name: Users (E:\Users) Path: E:\Users --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: Everyone File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\D.Admin File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Name: Vol1 (E:\Vol1) Path: E:\Vol1 --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: ReadAndExecute, Synchronize Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: AppendData Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: CreateFiles Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: CREATOR OWNER File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: InheritOnly Identity Reference: MONTFORD-POINT\D.Admin File System Rights: FullControl Inheritance Flags: None Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Comments Documentation
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F302F3BFDE7B2B329AD1AFE97E8A74F69D634011 ~~~~~ The following non-system-created shares have been identified. Verify permissions for each is appropriate: Name: address (E:\ExchangeV15\Mailbox\address) Path: E:\ExchangeV15\Mailbox\address --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: MONTFORD-POINT\montford.exchange File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: NT AUTHORITY\Authenticated Users File System Rights: Read, Synchronize Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: None Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Name: CertificateRequests (C:\CertificateRequests) Path: C:\CertificateRequests --------------------------------------------- Identity Reference: BUILTIN\Administrators File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: CreateFiles Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: ReadAndExecute, Synchronize Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Identity Reference: BUILTIN\Users File System Rights: AppendData Inheritance Flags: ContainerInherit Propagation Flags: None Identity Reference: CREATOR OWNER File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: InheritOnly Identity Reference: MONTFORD-POINT\montford.exchange File System Rights: FullControl Inheritance Flags: None Propagation Flags: None Identity Reference: NT AUTHORITY\SYSTEM File System Rights: FullControl Inheritance Flags: ContainerInherit, ObjectInherit Propagation Flags: None Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments

Check Text

If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) Run "Computer Management". Navigate to System Tools >> Shared Folders >> Shares. Right-click any non-system-created shares. Select "Properties". Select the "Share Permissions" tab. If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding. Select the "Security" tab. If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.

Fix Text

If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. Remove any unnecessary non-system-created shares.

V-224863 CAT II Orphaned security identifiers (SIDs) must be removed from us...

8 assets 2 Open 6 Closed Documented Pending Review Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 00DB1BF4BA8D6BB55AD9BB46BFE4CF80CC243DE9 ~~~~~ The following User Rights are assigned to orphaned SIDs: SeIncreaseQuotaPrivilege: S-1-5-80-2980902195-1579531004-3011574206-2415361120-2386510705, S-1-5-80-929668618-3423318027-389485234-279070536-4061300613 SeServiceLogonRight: S-1-5-80-2980902195-1579531004-3011574206-2415361120-2386510705, S-1-5-80-929668618-3423318027-389485234-279070536-4061300613 SeAssignPrimaryTokenPrivilege: S-1-5-80-2980902195-1579531004-3011574206-2415361120-2386510705, S-1-5-80-929668618-3423318027-389485234-279070536-4061300613 SeChangeNotifyPrivilege: S-1-5-80-2980902195-1579531004-3011574206-2415361120-2386510705, S-1-5-80-929668618-3423318027-389485234-279070536-4061300613 Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 6C2D5BEB844806AC4BBE37CC47B70EAC29983551 ~~~~~ The following User Rights are assigned to orphaned SIDs: SeSecurityPrivilege: S-1-5-21-1199390858-2101972093-2013113664-1129, S-1-5-21-270843172-1021756428-1876623829-2158 Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 31FA001D95F799B1779974DAE788547F7248BA04 ~~~~~ No unresolved SIDs are assigned any User Right Comments

Check Text

Review the effective User Rights setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. For server core installations, run the following command: Secedit /export /areas USER_RIGHTS /cfg c:\path\UserRights.txt The results in the file identify user right assignments by SID instead of group name. Review the SIDs for unidentified ones. A list of typical SIDs \ Groups is below, search Microsoft for articles on well-known SIDs for others. If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. SID - Group S-1-5-11 - Authenticated Users S-1-5-113 - Local account S-1-5-114 - Local account and member of Administrators group S-1-5-19 - Local Service S-1-5-20 - Network Service S-1-5-32-544 - Administrators S-1-5-32-546 - Guests S-1-5-6 - Service S-1-5-9 - Enterprise Domain Controllers S-1-5-domain-512 - Domain Admins S-1-5-root domain-519 - Enterprise Admins S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 - NT Service\WdiServiceHost

Fix Text

Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy.

V-245539 CAT II Session only based cookies must be enabled.

4 assets 2 Open 2 Closed Google Chrome Curren...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: E363196E99D0B54068C1D0F8236AD12F02B91AAC ~~~~~ 'Default cookies setting' is Enabled: (Keep cookies for the duration of the session) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: DefaultCookiesSetting Value: 0x00000004 (4) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-GoogleChrome_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: E363196E99D0B54068C1D0F8236AD12F02B91AAC ~~~~~ 'Default cookies setting' is Enabled: (Keep cookies for the duration of the session) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: DefaultCookiesSetting Value: 0x00000004 (4) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: B42979BE5A28F62E82EA83D59BC26834CCCB8E3B ~~~~~ 'Default cookies setting' is NOT Enabled: (Keep cookies for the duration of the session) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: DefaultCookiesSetting (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-GoogleChrome_Checks) found this to be OPEN on 10/23/2025 ResultHash: B42979BE5A28F62E82EA83D59BC26834CCCB8E3B ~~~~~ 'Default cookies setting' is NOT Enabled: (Keep cookies for the duration of the session) Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome Value Name: DefaultCookiesSetting (Not found) Comments

Check Text

Universal method: 1. In the omnibox (address bar), type chrome://policy 2. If the policy "DefaultCookiesSetting" is not shown or is not set to "4", this is a finding. Windows method: 1. Start regedit. 2. Navigate to HKLM\Software\Policies\Google\Chrome\DefaultCookiesSetting. 3. If this key does not exist, or is not set to "4", this is a finding.

Fix Text

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings. - Policy Name: Default cookies setting - Policy State: Enabled - Policy Value: Keep cookies for the duration of the session

V-251553 CAT II Firefox must be configured to block pop-up windows.

4 assets 2 Open 2 Closed Mozilla Firefox Secu...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MozillaFirefox_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 79D13E0D5E08D476288AC1ACC76FD0D293699304 ~~~~~ 'Block pop-ups from websites' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox\PopupBlocking Name: Default Value: 0x00000001 (1) Type: REG_DWORD ----------------------------------------------------------------------- 'Do not allow preferences to be changed' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox\PopupBlocking Name: Locked Value: 0x00000001 (1) Type: REG_DWORD ----------------------------------------------------------------------- Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MozillaFirefox_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 79D13E0D5E08D476288AC1ACC76FD0D293699304 ~~~~~ 'Block pop-ups from websites' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox\PopupBlocking Name: Default Value: 0x00000001 (1) Type: REG_DWORD ----------------------------------------------------------------------- 'Do not allow preferences to be changed' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox\PopupBlocking Name: Locked Value: 0x00000001 (1) Type: REG_DWORD ----------------------------------------------------------------------- Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MozillaFirefox_Checks) found this to be OPEN on 10/23/2025 ResultHash: D7E7F097AAE9B8E85E5D5E6C0ED9A8811FB0F349 ~~~~~ 'Block pop-ups from websites' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox\PopupBlocking Name: Default Value: 0x00000001 (1) Type: REG_DWORD ----------------------------------------------------------------------- 'Do not allow preferences to be changed' is NOT Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox\PopupBlocking Name: Locked (Not found) ----------------------------------------------------------------------- Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MozillaFirefox_Checks) found this to be OPEN on 10/23/2025 ResultHash: D7E7F097AAE9B8E85E5D5E6C0ED9A8811FB0F349 ~~~~~ 'Block pop-ups from websites' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox\PopupBlocking Name: Default Value: 0x00000001 (1) Type: REG_DWORD ----------------------------------------------------------------------- 'Do not allow preferences to be changed' is NOT Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox\PopupBlocking Name: Locked (Not found) ----------------------------------------------------------------------- Comments

Check Text

Type "about:policies" in the browser address bar. If "PopupBlocking" is not displayed under Policy Name or the Policy Value is not "Default" "true", this is a finding. If "PopupBlocking" is not displayed under Policy Name or the Policy Value is not "Locked" "true", this is a finding. "PopupBlocking" "Enabled" may be used to specify an allowlist of sites where pop-ups are desired, this is optional.

Fix Text

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\Popups Policy Name: Block pop-ups from websites Policy State: Enabled Policy Name: Do not allow preferences to be changed Policy State: Enabled Optional: Policy Name: Allowed Sites Policy State: Enabled Click "Show..." and enter a list of websites to be allowlisted. macOS "plist" file: Add the following: <key>PopupBlocking</key> <dict> <key>Allow</key> <array> <string>http://example.mil</string> <string>http://example.gov</string> </array> <key>Default</key> <true/> <key>Locked</key> <true/> </dict> Linux "policies.json" file: Add the following in the policies section: "PopupBlocking": { "Allow": ["http://example.mil/", "http://example.gov/"], "Default": true, "Locked": true}

V-252908 CAT II Pocket must be disabled.

4 assets 2 Open 2 Closed Mozilla Firefox Secu...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MozillaFirefox_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: F92C828111B93EA07EED72C522A9D809585DAF36 ~~~~~ 'Disable Pocket' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: DisablePocket Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MozillaFirefox_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: F92C828111B93EA07EED72C522A9D809585DAF36 ~~~~~ 'Disable Pocket' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: DisablePocket Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MozillaFirefox_Checks) found this to be OPEN on 10/23/2025 ResultHash: 8A867327746B7399E6826DEF306A3880003E8980 ~~~~~ 'Disable Pocket' is NOT Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: DisablePocket (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MozillaFirefox_Checks) found this to be OPEN on 10/23/2025 ResultHash: 8A867327746B7399E6826DEF306A3880003E8980 ~~~~~ 'Disable Pocket' is NOT Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: DisablePocket (Not found) Comments

Check Text

Type "about:policies" in the browser address bar. If "DisablePocket" is not displayed under Policy Name or the Policy Value does not have a value of "true", this is a finding.

Fix Text

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Pocket Policy State: Enabled macOS "plist" file: <key>DisablePocket</key> <true/> Linux "policies.json" file: Add the following in the policies section: "DisablePocket": true

V-252909 CAT II Firefox Studies must be disabled.

4 assets 2 Open 2 Closed Mozilla Firefox Secu...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MozillaFirefox_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 89EDCDAB2564CEF1ED1922A37C45AC3CF92771F2 ~~~~~ 'Disable Firefox Studies' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: DisableFirefoxStudies Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MozillaFirefox_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 89EDCDAB2564CEF1ED1922A37C45AC3CF92771F2 ~~~~~ 'Disable Firefox Studies' is Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: DisableFirefoxStudies Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MozillaFirefox_Checks) found this to be OPEN on 10/23/2025 ResultHash: 0F84BAE3896E8F989A72D47B4804030157ACD493 ~~~~~ 'Disable Firefox Studies' is NOT Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: DisableFirefoxStudies (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MozillaFirefox_Checks) found this to be OPEN on 10/23/2025 ResultHash: 0F84BAE3896E8F989A72D47B4804030157ACD493 ~~~~~ 'Disable Firefox Studies' is NOT Enabled Path: HKLM:\SOFTWARE\Policies\Mozilla\Firefox Name: DisableFirefoxStudies (Not found) Comments

Check Text

Type "about:policies" in the browser address bar. If "DisableFirefoxStudies" is not displayed under Policy Name or the Policy Value does not have a value of "true", this is a finding.

Fix Text

Windows group policy: 1. Open the group policy editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Firefox Studies Policy State: Enabled macOS "plist" file: <key>DisableFirefoxStudies</key> <true/> Linux "policies.json" file: Add the following in the policies section: "DisableFirefoxStudies": true

V-257589 CAT II Windows 10 must have command line process auditing events en...

4 assets 2 Open 2 Closed Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 0AE8978EA0ED5EC0DA9005C2608D05E3ED51FF0C ~~~~~ Process Creation: Success and Failure Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 0AE8978EA0ED5EC0DA9005C2608D05E3ED51FF0C ~~~~~ Process Creation: Success and Failure Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 812B92C97F6B9D7E16F6294B301DF81AC57720AA ~~~~~ Process Creation: Success Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 812B92C97F6B9D7E16F6294B301DF81AC57720AA ~~~~~ Process Creation: Success Comments

Check Text

Ensure Audit Process Creation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation". If "Audit Process Creation" is not set to "Failure", this is a finding.

Fix Text

Go to Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation is set to "failure".

V-260465 CAT II Visual Search must be disabled.

4 assets 2 Open 2 Closed Microsoft Edge Secur...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 78DBF7703C4344E1C9FEC6958B7770D32210875B ~~~~~ 'Visual search enabled' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: VisualSearchEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 78DBF7703C4344E1C9FEC6958B7770D32210875B ~~~~~ 'Visual search enabled' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: VisualSearchEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MicrosoftEdge_Checks) found this to be OPEN on 10/23/2025 ResultHash: 53FFA49DD1A712E9210104CD34E9E68189B1C10A ~~~~~ 'Visual search enabled' is NOT Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: VisualSearchEnabled (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MicrosoftEdge_Checks) found this to be OPEN on 10/23/2025 ResultHash: 53FFA49DD1A712E9210104CD34E9E68189B1C10A ~~~~~ 'Visual search enabled' is NOT Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: VisualSearchEnabled (Not found) Comments

Check Text

Verify the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Visual search enabled" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "VisualSearchEnabled" is not set to "REG_DWORD = 0", this is a finding.

Fix Text

Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Visual search enabled" to "Disabled".

V-260466 CAT II Copilot must be disabled.

4 assets 2 Open 2 Closed Microsoft Edge Secur...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: E2685576C3025DD255C16A3C12819DC1828509E9 ~~~~~ 'Show Hubs Sidebar' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: HubsSidebarEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: E2685576C3025DD255C16A3C12819DC1828509E9 ~~~~~ 'Show Hubs Sidebar' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: HubsSidebarEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MicrosoftEdge_Checks) found this to be OPEN on 10/23/2025 ResultHash: 10BE85D529EF219B88B96043C7D923DA31DC7A06 ~~~~~ 'Show Hubs Sidebar' is NOT Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: HubsSidebarEnabled (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MicrosoftEdge_Checks) found this to be OPEN on 10/23/2025 ResultHash: 10BE85D529EF219B88B96043C7D923DA31DC7A06 ~~~~~ 'Show Hubs Sidebar' is NOT Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: HubsSidebarEnabled (Not found) Comments

Check Text

Verify the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Show Hubs Sidebar" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "HubsSidebarEnabled" is not set to "REG_DWORD = 0", this is a finding.

Fix Text

Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Show Hubs Sidebar" to "Disabled".

V-260467 CAT II Session only-based cookies must be enabled.

4 assets 2 Open 2 Closed Microsoft Edge Secur...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: CC86029292DF41B85ACCCA8CD609A962C4964A04 ~~~~~ 'Configure cookies' is Enabled: (Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit') Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: DefaultCookiesSetting Value: 0x00000004 (4) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: CC86029292DF41B85ACCCA8CD609A962C4964A04 ~~~~~ 'Configure cookies' is Enabled: (Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit') Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: DefaultCookiesSetting Value: 0x00000004 (4) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MicrosoftEdge_Checks) found this to be OPEN on 10/23/2025 ResultHash: 2E70C5740EF2A6C029713CC109227959D2AC0E3E ~~~~~ 'Configure cookies' is NOT Enabled: (Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit') Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: DefaultCookiesSetting (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MicrosoftEdge_Checks) found this to be OPEN on 10/23/2025 ResultHash: 2E70C5740EF2A6C029713CC109227959D2AC0E3E ~~~~~ 'Configure cookies' is NOT Enabled: (Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit') Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: DefaultCookiesSetting (Not found) Comments

Check Text

Verify the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Configure cookies" is set to "Enabled" with the option value set to "Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit'". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for “DefaultCookiesSetting” is not set to "REG_DWORD = 4", this is a finding.

Fix Text

Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Configure cookies" to "Enabled" with the option value set to "Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit'".

V-266981 CAT II FriendlyURLs must be disabled.

4 assets 2 Open 2 Closed Microsoft Edge Secur...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: D584CFBF4BC3ECBB5AAA9121E3B5A91B09C02156 ~~~~~ 'Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users' is Enabled: (The plain URL without any extra information, such as the page's title.) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ConfigureFriendlyURLFormat Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: D584CFBF4BC3ECBB5AAA9121E3B5A91B09C02156 ~~~~~ 'Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users' is Enabled: (The plain URL without any extra information, such as the page's title.) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ConfigureFriendlyURLFormat Value: 0x00000001 (1) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MicrosoftEdge_Checks) found this to be OPEN on 10/23/2025 ResultHash: 018E9B28DC88EA36CB7CE50745FE3530B5C33958 ~~~~~ 'Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users' is NOT Enabled: (The plain URL without any extra information, such as the page's title.) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ConfigureFriendlyURLFormat (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-MicrosoftEdge_Checks) found this to be OPEN on 10/23/2025 ResultHash: 018E9B28DC88EA36CB7CE50745FE3530B5C33958 ~~~~~ 'Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users' is NOT Enabled: (The plain URL without any extra information, such as the page's title.) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ConfigureFriendlyURLFormat (Not found) Comments

Check Text

The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Configure the default paste format of URLs copied from Microsoft Edge and determine if additional formats will be available to users" must be set to "enabled" with the option value set to "The plain URL without any extra information, such as the page´s title. This is the recommended option when this policy is configured. For more information, see the description.". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ConfigureFriendlyURLFormat" is not set to "REG_DWORD = 1", this is a finding.

Fix Text

Set the policy value for "Computer Configuration/Administrative Templates/Microsoft EdgeConfigure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users" to "enabled" and select "The plain URL without any extra information, such as the page´s title. This is the recommended option when this policy is configured. For more information, see the description."

V-268315 CAT II Copilot must be disabled for Windows 10.

4 assets 2 Open 2 Closed Documented Pending Review Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: D106FB820932416BA8165EF9D232122A8ADE4A4B ~~~~~ Microsoft.copilot not found Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: D106FB820932416BA8165EF9D232122A8ADE4A4B ~~~~~ Microsoft.copilot not found Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\D.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1104 ResultHash: F328DBC62269B694F2E1C6B9E5A3E6F8D0405729 ~~~~~ 'Turn off Windows Copilot' is NOT Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot Value Name: TurnOffWindowsCopilot (Not found) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 Username: MONTFORD-POINT\W.Admin UserSID: S-1-5-21-1360995287-4027491577-3040029667-1106 ResultHash: F328DBC62269B694F2E1C6B9E5A3E6F8D0405729 ~~~~~ 'Turn off Windows Copilot' is NOT Enabled Registry Path: HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot Value Name: TurnOffWindowsCopilot (Not found) Comments

Check Text

Run the following PowerShell command as an administrator: Get-AppxPackage -AllUsers | Where-Object { $_.Name -like "*Copilot*" } If Microsoft.Copilot displays, this is a finding.

Fix Text

Open PowerShell as an administrator. Run the following command: Get-AppxPackage -AllUsers *CoPilot* | Remove-AppxPackage -AllUsers

V-268325 CAT II The Request Smuggling filter must be enabled.

2 assets 2 Open Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: 18651C099BC789081FD9A2C5D9C172C5D0CA5E81 ~~~~~ Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: DisableRequestSmuggling (Not found) Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: 18651C099BC789081FD9A2C5D9C172C5D0CA5E81 ~~~~~ Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: DisableRequestSmuggling (Not found) Comments

Check Text

Open Registry Editor. Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters" Verify "DisableRequestSmuggling” is set to "1". If REG_DWORD DisableRequestSmuggling is not set to 1, this is a finding.

Fix Text

Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters". Create REG_DWORD "DisableRequestSmuggling” and set it to "1". Note: This can be performed multiple ways; this is an example.

V-278355 CAT II Sending of diagnostic data to Microsoft must be disabled.

2 assets 2 Open Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: FA1B0546362AA5A11841448F5C8094D526A8E3AF ~~~~~ 'Configure the level of client software diagnostic data sent by Office to Microsoft' is NOT Enabled: (Neither) Registry Path: HKCU:\software\policies\Microsoft\office\common\clienttelemetry Value Name: SendTelemetry (Not found) Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: FA1B0546362AA5A11841448F5C8094D526A8E3AF ~~~~~ 'Configure the level of client software diagnostic data sent by Office to Microsoft' is NOT Enabled: (Neither) Registry Path: HKCU:\software\policies\Microsoft\office\common\clienttelemetry Value Name: SendTelemetry (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Configure the level of client software diagnostic data sent by Office to Microsoft" is set to "Enabled", and "Neither" from the Options is selected. Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\common\clienttelemetry If the value "SendTelemetry" is "REG_DWORD = 3", this is not a finding. If the registry key does not exist or is not configured properly, this is a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Configure the level of client software diagnostic data sent by Office to Microsoft" to "Enabled" and select "Neither" from the Options.

V-278356 CAT II Connected experiences that analyze content must be disabled.

2 assets 2 Open Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 6F7990F7F777A79D28ABFA2FF2403D19ECB45A07 ~~~~~ 'Allow the use of connected experiences in Office that analyze content' is NOT Disabled Registry Path: HKCU:\software\policies\Microsoft\office\16.0\common\privacy Value Name: UserContentDisabled (Not found) Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 6F7990F7F777A79D28ABFA2FF2403D19ECB45A07 ~~~~~ 'Allow the use of connected experiences in Office that analyze content' is NOT Disabled Registry Path: HKCU:\software\policies\Microsoft\office\16.0\common\privacy Value Name: UserContentDisabled (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow the use of connected experiences in Office that analyze content" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\privacy\ If the value "UserContentDisabled" is "REG_DWORD = 2", this is not a finding. If the registry key does not exist or is not configured properly, this is a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow the use of connected experiences in Office that analyze content" to "Disabled".

V-278357 CAT II Connected experiences that download online content must be d...

2 assets 2 Open Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 6A7C17AC9A74BA064A69ABF59510B33FE6AA651E ~~~~~ 'Allow the use of connected experiences in Office that download online content' is NOT Disabled Registry Path: HKCU:\software\policies\Microsoft\office\16.0\common\privacy Value Name: DownloadContentDisabled (Not found) Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 6A7C17AC9A74BA064A69ABF59510B33FE6AA651E ~~~~~ 'Allow the use of connected experiences in Office that download online content' is NOT Disabled Registry Path: HKCU:\software\policies\Microsoft\office\16.0\common\privacy Value Name: DownloadContentDisabled (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow the use of connected experiences in Office that download online content" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\privacy\ If the value "DownloadContentDisabled" is "REG_DWORD = 2", this is not a finding. If the registry key does not exist or is not configured properly, this is a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow the use of connected experiences in Office that download online content" to "Disabled".

V-278358 CAT II Additional optional connected experiences must be disabled.

2 assets 2 Open Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: D027B1C12B50B7C82C964F00BD4DC68577919544 ~~~~~ 'Allow the use of additional optional connected experiences in Office' is NOT Disabled Registry Path: HKCU:\software\policies\Microsoft\office\16.0\common\privacy Value Name: ControllerConnectedServicesEnabled (Not found) Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: D027B1C12B50B7C82C964F00BD4DC68577919544 ~~~~~ 'Allow the use of additional optional connected experiences in Office' is NOT Disabled Registry Path: HKCU:\software\policies\Microsoft\office\16.0\common\privacy Value Name: ControllerConnectedServicesEnabled (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow the use of additional optional connected experiences in Office" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\privacy\ If the value "ControllerConnectedServicesEnabled" is "REG_DWORD = 2", this is not a finding. If the registry key does not exist or is not configured properly, this is a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow the use of additional optional connected experiences in Office" to "Disabled".

V-278359 CAT II Connected experiences must be disabled.

2 assets 2 Open Microsoft Office 365...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89108\Scan.Admin UserSID: S-1-5-21-4163428051-2768110797-3591193048-1016 ResultHash: 3F3900DA578663031342EA22374109DBF597AA79 ~~~~~ 'Allow the use of connected experiences in Office' is NOT Disabled Registry Path: HKCU:\software\policies\Microsoft\office\16.0\common\privacy Value Name: DisconnectedState (Not found) Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Office365_Checks) found this to be OPEN on 12/17/2025 Username: MONT-SW-89134\dod_admin UserSID: S-1-5-21-4004422625-1934610219-1178763574-1001 ResultHash: 3F3900DA578663031342EA22374109DBF597AA79 ~~~~~ 'Allow the use of connected experiences in Office' is NOT Disabled Registry Path: HKCU:\software\policies\Microsoft\office\16.0\common\privacy Value Name: DisconnectedState (Not found) Comments

Check Text

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow the use of connected experiences in Office" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\privacy\ If the value "DisconnectedState" is "REG_DWORD = 2", this is not a finding. If the registry key does not exist or is not configured properly, this is a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow the use of connected experiences in Office" to "Disabled".

V-278918 CAT II Windows 10 must be configured to audit file system failures.

2 assets 2 Open Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: 986E2AA371EE57C0BE58CB7A9BFDD5C0FC13FA58 ~~~~~ File System: No Auditing Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: 986E2AA371EE57C0BE58CB7A9BFDD5C0FC13FA58 ~~~~~ File System: No Auditing Comments

Check Text

Verify that Audit File System auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System. If "Audit File System" is not set to "Failure", this is a finding.

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit File System" with "Failure" selected.

V-278919 CAT II Windows 10 must be configured to audit file system successes...

2 assets 2 Open Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: 986E2AA371EE57C0BE58CB7A9BFDD5C0FC13FA58 ~~~~~ File System: No Auditing Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: 986E2AA371EE57C0BE58CB7A9BFDD5C0FC13FA58 ~~~~~ File System: No Auditing Comments

Check Text

Verify that Audit File System auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System. If "Audit File System" is not set to "Success", this is a finding.

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit File System" with "Success" selected.

V-278920 CAT II Windows 10 must be configured to audit handle manipulation f...

2 assets 2 Open Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: E3BC58368C7E0501CABAF5E7042609D91BD6A6A9 ~~~~~ Handle Manipulation: No Auditing Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: E3BC58368C7E0501CABAF5E7042609D91BD6A6A9 ~~~~~ Handle Manipulation: No Auditing Comments

Check Text

Verify that Audit Handle Manipulation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation. If "Audit Handle Manipulation" is not set to "Failure", this is a finding.

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Handle Manipulation" with "Failure" selected.

V-278921 CAT II Windows 10 must be configured to audit handle manipulation s...

2 assets 2 Open Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: E3BC58368C7E0501CABAF5E7042609D91BD6A6A9 ~~~~~ Handle Manipulation: No Auditing Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: E3BC58368C7E0501CABAF5E7042609D91BD6A6A9 ~~~~~ Handle Manipulation: No Auditing Comments

Check Text

Verify that Audit Handle Manipulation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation. If "Audit Handle Manipulation" is not set to "Success", this is a finding.

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Handle Manipulation" with "Success" selected.

V-278922 CAT II Windows 10 must be configured to audit registry successes.

2 assets 2 Open Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: 699C432E6583CB6CD672333388C153C260362A53 ~~~~~ Registry: No Auditing Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: 699C432E6583CB6CD672333388C153C260362A53 ~~~~~ Registry: No Auditing Comments

Check Text

Verify that Audit Registry auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry. If "Audit Registry" is not set to "Success", this is a finding.

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Registry" with "Success" selected.

V-278923 CAT II Windows 10 must be configured to audit registry failures.

2 assets 2 Open Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: 699C432E6583CB6CD672333388C153C260362A53 ~~~~~ Registry: No Auditing Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: 699C432E6583CB6CD672333388C153C260362A53 ~~~~~ Registry: No Auditing Comments

Check Text

Verify that Audit Registry auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry. If "Audit Registry" is not set to "Failure", this is a finding.

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Registry" with "Failure" selected.

V-215807 CAT II The Cisco router must be configured to limit the number of c...

1 asset 1 Open Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: B8F2A604E2162488415B37981572E5251E977016 ~~~~~ IP Http Server Settings: http\https servers are disabled, https requirements are not applicable no ip http server no ip http secure-server line vty 0 4 transport input ssh session-limit 3 Comments

Check Text

Note: This requirement is not applicable to file transfer actions such as FTP, SCP, and SFTP. Review the router configuration to determine if concurrent management sessions are limited as shown in the example below: ip http secure-server ip http max-connections 2 … … … For platforms that support the session-limit command: line vty 0 4 session-limit 2 transport input ssh For those platforms that do not support the session-limit command, the sessions can also be limited by reducing the number of active vty lines as shown in the example below. line vty 0 1 transport input ssh line vty 2 4 transport input none If the router is not configured to limit the number of concurrent management sessions, this is a finding.

Fix Text

Configure the router to limit the number of concurrent management sessions to an organization-defined number as shown in the example below. R4(config)#ip http max-connections 2 R4(config)#line vty 0 1 R4(config-line)#transport input ssh R4(config-line)#exit R4(config)#line vty 2 4 R4(config-line)# transport input none R4(config-line)#end To configure session limiting, use the example below. R4(config)#line vty 0 4 R4(config-line)#session-limit 2 R4(config-line)#transport input ssh

V-215814 CAT II The Cisco router must be configured to display the Standard ...

1 asset 1 Open Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: B1893061C5DDD560F8FECD36FB3416E58526B729 ~~~~~ Configured login banner DOES NOT match Standard Mandatory DoD Notice and Consent Banner as identified in STIG. Configured login banner: ##### Military Sealift Command (MSC) ##### ##### MSC Corporate Data Center(MCDC) ##### -------------------------------------------------------------------------------------- DOD WARNING BANNER -------------------------------------------------------------------------------------- You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ------------------------------------------------------------------------- DOD WARNING BANNER ------------------------------------------------------------------------- Comments

Check Text

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. banner login ^C You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ^C If the Cisco router is not configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device, this is a finding.

Fix Text

Configure the Cisco router to display the Standard Mandatory DoD Notice and Consent Banner before granting access as shown in the following example: R1(config)#banner login # Enter TEXT message. End with the character '#'. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. # R1(config)#end

V-215824 CAT II The Cisco router must be configured with only one local acco...

1 asset 1 Open Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: F317A8608580E65A7FD848FF078AE7B20D6F8440 ~~~~~ Accounts username emer-access privilege 0 secret 9 <pwd removed> Verify that a local account for last resort has been configured with a privilege level that will enable the administrator to troubleshoot connectivity to the authentication server. AAA Login Method: aaa authentication login default group ISE group AR21-Radius local Comments

Check Text

Step 1: Review the Cisco router configuration to verify that a local account for last resort has been configured. username xxxxxxxxxxx privilege nn common-criteria-policy PASSWORD_POLICY password xxxxxxxxxx Note: The configured Common Criteria policy must be used when creating or changing the local account password as shown in the example above. Step 2: Verify that local is defined after radius or tacas+ in the authentication order as shown in the example below. aaa authentication login default group tacacs+ local If the Cisco router is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.

Fix Text

Step 1: Configure a local account as shown in the example below. R2(config)#username xxxxxxxxx privilege nn secret xxxxxxx Step 2: Configure the authentication order to use the local account if the authentication server is not reachable as shown in the following example: R2(config)#aaa authentication login default group tacacs+ local

V-215836 CAT II The Cisco router must be configured to allocate audit record...

1 asset 1 Open Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5F8368BFC68F3878D80F5B9647E5D732EB331313 ~~~~~ 'logging buffered' is not configured Comments

Check Text

Verify that the Cisco router is configured with a logging buffer size. The configuration should look like the example below: logging buffered xxxxxxxx informational If a logging buffer size is not configured, this is a finding. If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.

Fix Text

Configure the buffer size for logging as shown in the example below. R2(config)#logging buffered xxxxxxxx informational

V-215855 CAT II The Cisco router must be configured to back up the configura...

1 asset 1 Open Documented Pending Review Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: 887A831BD26D733D8E7BF0EFA917C4970FFE1B26 ~~~~~ Cisco router is not configured to conduct backups of the configuration when changes occur Comments

Check Text

Review the Cisco router configuration to verify that it is compliant with this requirement. The example configuration below will send the configuration to a SCP server when a configuration change occurs. event manager applet BACKUP_CONFIG event syslog pattern "%SYS-5-CONFIG_I" action 1 info type routername action 2 cli command "enable" action 3 cli command "copy run scp" pattern "remote host" action 4 cli command "x.x.x.x" pattern "filename" action 5 cli command "$_info_routername-config" action 6 syslog priority informational msg "Configuration backup was executed" If the Cisco router is not configured to conduct backups of the configuration when changes occur, this is a finding.

Fix Text

Configure the Cisco router to send the configuration to a SCP server when a configuration change occurs as shown in the example below. R4(config)#event manager applet BACKUP_CONFIG R4(config-applet)#event syslog pattern "%SYS-5-CONFIG_I" R4(config-applet)#action 1 cli command "enable" R4(config-applet)#action 2 info type routername R4(config-applet)#action 3 cli command "copy run scp" pattern "remote host" R4(config-applet)#action 4 cli command "x.x.x.x" pattern "filename" R4(config-applet)#action 5 cli command "$_info_routername-config" R4(config-applet)#action 6 syslog priority informational msg "Configuration backup was executed" R4(config-applet)#end

V-215856 CAT II The Cisco router must be configured to obtain its public key...

1 asset 1 Open Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: 173712CE30761257E28758267267A6B72D8F12F1 ~~~~~ crypto pki trustpoint TP-self-signed-1964743403 is not configured for url enrollment crypto pki trustpoint TP-self-signed-1964743403 enrollment selfsigned crypto pki trustpoint SLA-TrustPoint is not configured for url enrollment crypto pki trustpoint SLA-TrustPoint enrollment pkcs12 crypto pki trustpoint TP-self-signed-941045115 is not configured for url enrollment crypto pki trustpoint TP-self-signed-941045115 enrollment selfsigned Comments

Check Text

Review the router configuration to determine if a CA trust point has been configured. The CA trust point will contain the URL of the CA in which the router has enrolled with. Verify this is a DOD or DOD-approved CA. This will ensure the router has enrolled and received a certificate from a trusted CA. The CA trust point configuration would look similar to the example below. crypto pki trustpoint CA_X enrollment url http://trustpoint1.example.com Note: A remote end-point's certificate will always be validated by the router by verifying the signature of the CA on the certificate using the CA's public key, which is contained in the router's certificate it received at enrollment. Note: This requirement is not applicable if the router does not have any public key certificates. If the Cisco router is not configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Fix Text

Configure the router to obtain its public key certificates from an appropriate certificate policy through an approved service provider as shown in the example below. R2(config)# crypto pki trustpoint CA_X R2(ca-trustpoint)#enrollment url http://trustpoint1.example.com

V-218737 CAT II A private IIS 10.0 website must only accept Secure Socket La...

3 assets 1 Open 2 Closed Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: 1F8B0BF251048DDF52481451B9AA669A5C254D2B ~~~~~ Require SSL is NOT enabled Comments Find out: If MECM applies to this: If the server is hosting WSUS, this is Not Applicable.
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Exchange Back End ResultHash: 17B78AD55656672A7E76179F07EDCDD767389185 ~~~~~ Require SSL is enabled Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Default Web Site ResultHash: 17B78AD55656672A7E76179F07EDCDD767389185 ~~~~~ Require SSL is enabled Comments

Check Text

Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable. Note: If the server is hosting SharePoint, this is Not Applicable. Note: If the server is hosting WSUS, this is Not Applicable. Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server and is Not Applicable in this STIG. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "SSL Settings" icon. Verify "Require SSL" check box is selected. If the "Require SSL" check box is not selected, this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "SSL Settings" icon. Select "Require SSL" check box. Select "Apply" from the "Actions" pane.

V-218738 CAT II A public IIS 10.0 website must only accept Secure Socket Lay...

3 assets 1 Open 2 Closed Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: 1F8B0BF251048DDF52481451B9AA669A5C254D2B ~~~~~ Require SSL is NOT enabled Comments If the server is hosting WSUS, this is Not Applicable.
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Exchange Back End ResultHash: 17B78AD55656672A7E76179F07EDCDD767389185 ~~~~~ Require SSL is enabled Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Default Web Site ResultHash: 17B78AD55656672A7E76179F07EDCDD767389185 ~~~~~ Require SSL is enabled Comments

Check Text

Note: If the server being reviewed is a private IIS 10.0 web server, this is Not Applicable. Note: If the server being reviewed is a public IIS 10.0 web server not requiring authentication, this is Not Applicable. Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. Note: If the server being reviewed is hosting WSUS, this is Not Applicable. Note: If the server being reviewed is hosting Simple Certificate Enrollment Services (SCEP), this is Not Applicable. Note: If the server being reviewed is hosting Network Device Enrollment Services (NDES), this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "SSL Settings" icon. Verify "Require SSL" check box is selected. If the "Require SSL" check box is not selected, this is a finding.

Fix Text

Note: If the server being reviewed is a private IIS 10.0 web server, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "SSL Settings" icon. Select "Require SSL" check box. Select "Apply" from the "Actions" pane.

V-218745 CAT II The IIS 10.0 website must have resource mappings set to disa...

3 assets 1 Open 2 Closed Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: AFF99CDFF730E9E82458BBFE44EC307E573D7F90 ~~~~~ Denied file extensions: ----------------------------------- None Allowed file extensions: ----------------------------------- None Comments documentation
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Exchange Back End ResultHash: 2F23BA53ABD5080AF448F9773A244BEC788276EC ~~~~~ Denied file extensions: ----------------------------------- FileExtension: .asax Allowed: False FileExtension: .ascx Allowed: False FileExtension: .master Allowed: False FileExtension: .skin Allowed: False FileExtension: .browser Allowed: False FileExtension: .sitemap Allowed: False FileExtension: .config Allowed: False FileExtension: .cs Allowed: False FileExtension: .csproj Allowed: False FileExtension: .vb Allowed: False FileExtension: .vbproj Allowed: False FileExtension: .webinfo Allowed: False FileExtension: .licx Allowed: False FileExtension: .resx Allowed: False FileExtension: .resources Allowed: False FileExtension: .mdb Allowed: False FileExtension: .vjsproj Allowed: False FileExtension: .java Allowed: False FileExtension: .jsl Allowed: False FileExtension: .ldb Allowed: False FileExtension: .dsdgm Allowed: False FileExtension: .ssdgm Allowed: False FileExtension: .lsad Allowed: False FileExtension: .ssmap Allowed: False FileExtension: .cd Allowed: False FileExtension: .dsprototype Allowed: False FileExtension: .lsaprototype Allowed: False FileExtension: .sdm Allowed: False FileExtension: .sdmDocument Allowed: False FileExtension: .mdf Allowed: False FileExtension: .ldf Allowed: False FileExtension: .ad Allowed: False FileExtension: .dd Allowed: False FileExtension: .ldd Allowed: False FileExtension: .sd Allowed: False FileExtension: .adprototype Allowed: False FileExtension: .lddprototype Allowed: False FileExtension: .exclude Allowed: False FileExtension: .refresh Allowed: False FileExtension: .compiled Allowed: False FileExtension: .msgx Allowed: False FileExtension: .vsdisco Allowed: False FileExtension: .rules Allowed: False Allowed file extensions: ----------------------------------- None Comments None are allowed, do we still need documentation?
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: 2F23BA53ABD5080AF448F9773A244BEC788276EC ~~~~~ Denied file extensions: ----------------------------------- FileExtension: .asax Allowed: False FileExtension: .ascx Allowed: False FileExtension: .master Allowed: False FileExtension: .skin Allowed: False FileExtension: .browser Allowed: False FileExtension: .sitemap Allowed: False FileExtension: .config Allowed: False FileExtension: .cs Allowed: False FileExtension: .csproj Allowed: False FileExtension: .vb Allowed: False FileExtension: .vbproj Allowed: False FileExtension: .webinfo Allowed: False FileExtension: .licx Allowed: False FileExtension: .resx Allowed: False FileExtension: .resources Allowed: False FileExtension: .mdb Allowed: False FileExtension: .vjsproj Allowed: False FileExtension: .java Allowed: False FileExtension: .jsl Allowed: False FileExtension: .ldb Allowed: False FileExtension: .dsdgm Allowed: False FileExtension: .ssdgm Allowed: False FileExtension: .lsad Allowed: False FileExtension: .ssmap Allowed: False FileExtension: .cd Allowed: False FileExtension: .dsprototype Allowed: False FileExtension: .lsaprototype Allowed: False FileExtension: .sdm Allowed: False FileExtension: .sdmDocument Allowed: False FileExtension: .mdf Allowed: False FileExtension: .ldf Allowed: False FileExtension: .ad Allowed: False FileExtension: .dd Allowed: False FileExtension: .ldd Allowed: False FileExtension: .sd Allowed: False FileExtension: .adprototype Allowed: False FileExtension: .lddprototype Allowed: False FileExtension: .exclude Allowed: False FileExtension: .refresh Allowed: False FileExtension: .compiled Allowed: False FileExtension: .msgx Allowed: False FileExtension: .vsdisco Allowed: False FileExtension: .rules Allowed: False Allowed file extensions: ----------------------------------- None Comments None are allowed.

Check Text

Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. For Request Filtering, the ISSO must document and approve all allowable scripts the website allows (white list) and denies (black list). The white list and black list will be compared to the Request Filtering in IIS 10.0. Request Filtering at the site level take precedence over Request Filtering at the server level. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name to review. Double-click Request Filtering->File Name Extensions Tab. If any script file extensions from the black list are not denied, this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name to review. Double-click Request Filtering->File Name Extensions Tab->Deny File Name Extension. Add any script file extensions listed on the black list that are not listed. Select "Apply" from the "Actions" pane.

V-218748 CAT II Each IIS 10.0 website must be assigned a default host header...

3 assets 1 Open Documented Pending Review Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 8E8482E042BD27CE6D91B327DB52B5325B740854 ~~~~~ The site is NOT bound to a specific host header on port 80 Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Exchange Back End ResultHash: C4AC55E057470F8E3BE8026C2E97039D7E1B552C ~~~~~ Exchange service detected. If this server only hosts Microsoft Exchange, mark this check as NA. Service: MSExchangeServiceHost Status: Running Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: C4AC55E057470F8E3BE8026C2E97039D7E1B552C ~~~~~ Exchange service detected. If this server only hosts Microsoft Exchange, mark this check as NA. Service: MSExchangeServiceHost Status: Running Comments

Check Text

Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Right-click on the site name under review. Select "Edit Bindings". Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used. If both hostname entries and unique IP addresses are not configured to port 80 for HTTP and port 443 for HTTPS (or other approved and documented port), this is a finding. Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding. Note: If HTTP/Port 80 is not being used, and is not configured as above, this is not a finding. Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.

Fix Text

Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Right-click on the site name under review. Select "Edit Bindings". Assign hostname entries and unique IP addresses to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used. Click "OK". Select "Apply" from the "Actions" pane.

V-218752 CAT II The IIS 10.0 website document directory must be in a separat...

3 assets 1 Open Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 82833DC68D5FCB33EF4976B85E80237A71D613C3 ~~~~~ Both the OS and the web site are installed on C: Comments If the server is hosting WSUS, this is Not Applicable.
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Exchange Back End ResultHash: C4AC55E057470F8E3BE8026C2E97039D7E1B552C ~~~~~ Exchange service detected. If this server only hosts Microsoft Exchange, mark this check as NA. Service: MSExchangeServiceHost Status: Running Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: C4AC55E057470F8E3BE8026C2E97039D7E1B552C ~~~~~ Exchange service detected. If this server only hosts Microsoft Exchange, mark this check as NA. Service: MSExchangeServiceHost Status: Running Comments

Check Text

Note: If this server is hosting WSUS, this requirement is not applicable. Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is not applicable. Note: If this server is hosting the SharePoint Web Services site, this requirement is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name under review. Click the "Advanced Settings" from the "Actions" pane. Review the Physical Path. If the Path is on the same partition as the OS, this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name under review. Click the "Advanced Settings" from the "Actions" pane. Change the Physical Path to the new partition and directory location.

V-218756 CAT II Non-ASCII characters in URLs must be prohibited by any IIS 1...

3 assets 1 Open Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 545E96FB53E421DBB94A039FB5D6FBC26514D6A0 ~~~~~ AllowHighBitCharacters is Enabled Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Exchange Back End ResultHash: C4AC55E057470F8E3BE8026C2E97039D7E1B552C ~~~~~ Exchange service detected. If this server only hosts Microsoft Exchange, mark this check as NA. Service: MSExchangeServiceHost Status: Running Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: C4AC55E057470F8E3BE8026C2E97039D7E1B552C ~~~~~ Exchange service detected. If this server only hosts Microsoft Exchange, mark this check as NA. Service: MSExchangeServiceHost Status: Running Comments

Check Text

Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "Request Filtering" icon. Click "Edit Feature Settings" in the "Actions" pane. If the "Allow high-bit characters" check box is checked, this is a finding. Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.

Fix Text

Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name under review. Double-click the "Request Filtering" icon. Click "Edit Feature Settings" in the "Actions" pane. Uncheck the "Allow high-bit characters" check box.

V-218758 CAT II Unlisted file extensions in URL requests must be filtered by...

3 assets 1 Open Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: B5726175B8459E9B878193D0B97D55FA98562ED9 ~~~~~ AllowUnlisted is Enabled Comments If the server is hosting WSUS, this is Not Applicable.
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Exchange Back End ResultHash: C4AC55E057470F8E3BE8026C2E97039D7E1B552C ~~~~~ Exchange service detected. If this server only hosts Microsoft Exchange, mark this check as NA. Service: MSExchangeServiceHost Status: Running Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: C4AC55E057470F8E3BE8026C2E97039D7E1B552C ~~~~~ Exchange service detected. If this server only hosts Microsoft Exchange, mark this check as NA. Service: MSExchangeServiceHost Status: Running Comments

Check Text

Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. Note: If the server being reviewed is hosting Network Device Enrollment Services (NDES), this is Not Applicable. Note: If the server being reviewed is hosting Azure DevOps (ADO), this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "Request Filtering" icon. Click "Edit Feature Settings" in the "Actions" pane. If the "Allow unlisted file name extensions" check box is checked, this is a finding. Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable. Note: If this IIS 10.0 installation is supporting Splunk, this requirement is Not Applicable. Note: If this IIS 10.0 installation is supporting WSUS, this requirement is Not Applicable.

Fix Text

Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name under review. Double-click the "Request Filtering" icon. Click "Edit Feature Settings" in the "Actions" pane. Uncheck the "Allow unlisted file extensions" check box.

V-218767 CAT II The IIS 10.0 website must only accept client certificates is...

3 assets 1 Open 2 Closed Documented Pending Review Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 7B47C3FC645686A5BBF0E23296FB14E0C58713A2 ~~~~~ There are no HTTPS bindings on this site. Comments If the server is hosting WSUS, this is Not Applicable.
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Exchange Back End ResultHash: DE4BDEFF1B095675E4F6E9807E0E20D0AF504FA9 ~~~~~ Binding: https (*:444:) =========================== Compliant Certificates: --------------------------- Subject: CN=mont-mb-002.montford-point.navy.mil, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US CertStore: Issuer: CN=DOD SW CA-67, OU=PKI, OU=DoD, O=U.S. Government, C=US FriendlyName: MONT-MB-002.MONTFORD-POINT.navy.mil NotAfter: 06/08/2026 18:52:58 Thumbprint: 76C9C9B1E8EECDDD4A3ECB0107EF19938933B161 ApprovedChain: True CertificationPath... (0) - DoD Root CA 3 (1) - DOD SW CA-67 (2) - MONT-MB-002.MONTFORD-POINT.navy.mil Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Default Web Site ResultHash: 471A5CDB79F232E23D07A98B8CA8221023074E71 ~~~~~ Binding: https (*:443:) =========================== Compliant Certificates: --------------------------- Subject: CN=mont-mb-002.montford-point.navy.mil, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US CertStore: Issuer: CN=DOD SW CA-67, OU=PKI, OU=DoD, O=U.S. Government, C=US FriendlyName: MONT-MB-002.MONTFORD-POINT.navy.mil NotAfter: 06/08/2026 18:52:58 Thumbprint: 76C9C9B1E8EECDDD4A3ECB0107EF19938933B161 ApprovedChain: True CertificationPath... (0) - DoD Root CA 3 (1) - DOD SW CA-67 (2) - MONT-MB-002.MONTFORD-POINT.navy.mil Binding: https (127.0.0.1:443:) =========================== Compliant Certificates: --------------------------- Subject: CN=mont-mb-002.montford-point.navy.mil, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US CertStore: Issuer: CN=DOD SW CA-67, OU=PKI, OU=DoD, O=U.S. Government, C=US FriendlyName: MONT-MB-002.MONTFORD-POINT.navy.mil NotAfter: 06/08/2026 18:52:58 Thumbprint: 76C9C9B1E8EECDDD4A3ECB0107EF19938933B161 ApprovedChain: True CertificationPath... (0) - DoD Root CA 3 (1) - DOD SW CA-67 (2) - MONT-MB-002.MONTFORD-POINT.navy.mil Comments

Check Text

Note: If the server being reviewed is hosting WSUS, this is not applicable. Note: If the server is providing OCSP, and not otherwise hosting any content, this requirement is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name under review. Click "Bindings" in the "Action" Pane. Click the "HTTPS type" from the box. Click "Edit". Click "View" and then review and verify the certificate path. If the list of CAs in the trust hierarchy does not lead to the DOD PKI Root CA, DOD-approved external certificate authority (ECA), or DOD-approved external partner, this is a finding. If HTTPS is not an available type under site bindings, this is a finding. If HTTPS is not an available type under site bindings, and the Web Server ONLY communicates directly with a load balancer/proxy server with IP address and Domain Restrictions in place, this is not a finding.

Fix Text

To add DOD Certificates to the Server, if not already present: Open the IIS 10.0 Manager. Click the Server name. Double-click "Server Certificates". Click "Import" under the "Actions" pane. Browse to the DOD certificate location, select it, and click "OK". Remove any non-DOD certificates if present. Follow the procedures below for each site hosted on the IIS 10.0 web server to bind the certificates to the site: Click on the site needing the certificate. Select "Bindings" under the "Actions" pane. Click on the binding needing a certificate and select "Edit", or add a site binding for HTTPS. Assign the certificate to the website by choosing it under the "SSL Certificate" drop-down and clicking "OK".

V-218772 CAT II The maximum number of requests an application pool can proce...

3 assets 1 Open Documented Pending Review Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: BAF2D3EE1F61FFA9175D4DB32DB811AA28139C00 ~~~~~ Application Pool: DefaultAppPool Request Limit: 0 Comments If the server is hosting WSUS, this is Not Applicable.
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Exchange Back End ResultHash: C4AC55E057470F8E3BE8026C2E97039D7E1B552C ~~~~~ Exchange service detected. If this server only hosts Microsoft Exchange, mark this check as NA. Service: MSExchangeServiceHost Status: Running Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Site: Default Web Site ResultHash: C4AC55E057470F8E3BE8026C2E97039D7E1B552C ~~~~~ Exchange service detected. If this server only hosts Microsoft Exchange, mark this check as NA. Service: MSExchangeServiceHost Status: Running Comments

Check Text

Note: If the IIS Application Pool is hosting Microsoft SharePoint, this is Not Applicable. Note: If this server is hosting WSUS, this requirement is Not Applicable. Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable. Open the IIS 10.0 Manager. Perform for each Application Pool. Click "Application Pools". Highlight an Application Pool and click "Advanced Settings" in the "Action" Pane. Scroll down to the "Recycling section" and verify the value for "Request Limit" is set to a value other than "0". If the "Request Limit" is set to a value of "0", this is a finding. If the system must require "Request Limit" to be set to "0", it is documented and approved by the ISSO, this is not a finding.

Fix Text

Open the IIS 10.0 Manager. Click "Application Pools". Highlight an Application Pool and click "Advanced Settings" in the "Action" Pane. Scroll down to the "Recycling section" and set the value for "Request Limit" to greater than "0". Click "OK".

V-218805 CAT II The IIS 10.0 web server must accept only system-generated se...

2 assets 1 Open Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 2DD143332C0C53AB5EB35B604B56FEEE445E829C ~~~~~ ASP.NET is not installed so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 10/23/2025 ResultHash: B549245916D0E77086396C32318EC3F1682F7329 ~~~~~ Cookie Settings Mode is configured to 'UseCookies' Time-out is configured to '00:20:00' Comments

Check Text

Note: If ASP.NET is not installed, this is Not Applicable. Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under the "ASP.NET" section, select "Session State". Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list. Under "Time-out (in minutes)", verify a maximum of 15 minutes is entered. If the "Use Cookies" mode is selected and Time-out (in minutes) is configured for "15 minutes" (or less), this is not a finding. Alternative method: Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Verify the "cookieless" is set to "UseCookies". If the "cookieless" is not set to "UseCookies", this is a finding. Note: If IIS 10.0 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.

Fix Text

Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under the "ASP.NET" section, select "Session State". Under "Cookie Settings", select the "Use Cookies" mode from the "Mode:" drop-down list. Under "Time-out (in minutes)", enter a value of "15 or less".

V-218812 CAT II The IIS 10.0 web server must restrict inbound connections fr...

2 assets 1 Open Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: 69339D5EDE3A1D594FB554D39E84CA77B3304C98 ~~~~~ The remote management feature of IIS is not installed so this check is Not Applicable. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 2C4D6AC55F21BBA8083FAD2A326A1D2AA75FE15A ~~~~~ The Web Management service is installed and active. This means that remote administration of IIS is possible. Verify only known, secure IP ranges are configured as 'Allow'. Comments No IP Address Restrictions are configured.

Check Text

Note: This requirement applies to the Web Management Service. If the Web Management Service is not installed, this is Not Applicable. Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under "Management", double-click "Management Service". If "Enable remote connections" is not selected, this is Not Applicable. If "Enable remote connections" is selected, review the entries under "IP Address Restrictions". Verify only known, secure IP ranges are configured as "Allow". If "IP Address Restrictions" are not configured or IP ranges configured to "Allow" are not restrictive enough to prevent connections from nonsecure zones, this is a finding.

Fix Text

Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under "Management", double-click "Management Service". Stop the Web Management Service under the "Actions" pane. Configure only known, secure IP ranges as "Allow". Select "Apply" in "Actions" pane. Restart the Web Management Service under the "Actions" pane.

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text