| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-SW-89108 | 22.19.120.22 | | | 2026-03-04 | |
| MONT-SW-89134 | 22.19.120.21 | | | 2026-03-04 | |
| MONT-WS-92010 | 164.231.187.45 | | | 2026-01-14 | |
| MONT-WS-92040 | 164.231.187.72 | | | 2026-01-14 | |

Finding Details (MONT-SW-89108): Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 12/17/2025:

- ResultHash: BBAC88C8AB01CF95104CC45D880159B2968EBA9F
- Installed NSS Root Certificates:
  - Subject: CN=NSS Root CA 4, OU=Certification Authorities, OU=NSS, O=U.S. Government, C=US; Thumbprint: D753369F16C2CF15A9647AAE4F6E2B40E4A28242; NotAfter: 10/11/2041 13:47:15
  - Subject: CN=NSS Root CA 1, OU=Certification Authorities, OU=NSS, O=U.S. Government, C=US; Thumbprint: 4D96A58E74C1D5EC06C018459C3DDE71C0DBEF41; NotAfter: 11/28/2029 22:06:38
  - Subject: CN=NSS Root CA 2, OU=Certification Authorities, OU=NSS, O=U.S. Government, C=US; Thumbprint: 3CEE89598C90AA6F5A3B75FB03E94E111D75B5D9; NotAfter: 10/20/2030 13:29:50

Finding Details (MONT-SW-89134): Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 12/17/2025:

- ResultHash: 393EAA13FC13924073C463182B1C5D260DE26571
- Installed NSS Root Certificates:
  - Subject: CN=NSS Root CA 4, OU=Certification Authorities, OU=NSS, O=U.S. Government, C=US; Thumbprint: D753369F16C2CF15A9647AAE4F6E2B40E4A28242; NotAfter: 10/11/2041 13:47:15
  - Subject: CN=NSS Root CA 5, OU=Certification Authorities, OU=NSS, O=U.S. Government, C=US; Thumbprint: 7232A47EB4B80CE23A2A3C3799CCAE0D67B0F143; NotAfter: 09/25/2048 15:12:12
  - Subject: CN=NSS Root CA 1, OU=Certification Authorities, OU=NSS, O=U.S. Government, C=US; Thumbprint: 4D96A58E74C1D5EC06C018459C3DDE71C0DBEF41; NotAfter: 11/28/2029 22:06:38
  - Subject: CN=NSS Root CA 2, OU=Certification Authorities, OU=NSS, O=U.S. Government, C=US; Thumbprint: 3CEE89598C90AA6F5A3B75FB03E94E111D75B5D9; NotAfter: 10/20/2030 13:29:50

Finding Details (MONT-WS-92010): Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025

- ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E
- Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB; NotAfter: 12/30/2029; Installed: True
- Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026; NotAfter: 7/25/2032; Installed: True
- Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B; NotAfter: 6/14/2041; Installed: True
- Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF; NotAfter: 1/24/2053; Installed: True

Finding Details (MONT-WS-92040): Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025

- ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E
- Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB; NotAfter: 12/30/2029; Installed: True
- Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026; NotAfter: 7/25/2032; Installed: True
- Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B; NotAfter: 6/14/2041; Installed: True
- Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF; NotAfter: 1/24/2053; Installed: True

Check Text

Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities.

The certificates and thumbprints referenced below apply to unclassified systems; refer to PKE documentation for other networks.

Run "PowerShell" as an administrator. Execute the following command:

    Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter

If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding.

- Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB; NotAfter: 12/30/2029
- Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026; NotAfter: 7/25/2032
- Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B; NotAfter: 6/14/2041
- Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US; Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF; NotAfter: 1/24/2053

Alternately, use the Certificates MMC snap-in:

1. Run "MMC".
2. Select "File", "Add/Remove Snap-in".
3. Select "Certificates", click "Add".
4. Select "Computer account", click "Next".
5. Select "Local computer: (the computer this console is running on)", click "Finish".
6. Click "OK".
7. Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates".
8. For each of the DoD Root CA certificates noted below: right-click on the certificate and select "Open", select the "Details" tab, then scroll to the bottom and select "Thumbprint".

If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding.

- DoD Root CA 3; Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB; Valid to: Sunday, December 30, 2029
- DoD Root CA 4; Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026; Valid to: Sunday, July 25, 2032
- DoD Root CA 5; Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B; Valid to: Friday, June 14, 2041
- DoD Root CA 6; Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF; Valid to: Friday, January 24, 2053

Fix Text

Install the DoD Root CA certificates:

- DoD Root CA 3
- DoD Root CA 4
- DoD Root CA 5
- DoD Root CA 6

The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.


| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | | | 2026-01-14 | |
| MONT-BE-002 | 164.231.187.37 | | | 2026-01-14 | |
| MONT-DB-002 | 164.231.187.38 | | | 2026-01-14 | |
| MONT-DC-003 | 164.231.187.34 | | | 2026-01-14 | |
| MONT-DP-001 | 164.231.187.44 | | | 2026-01-14 | |
| MONT-MB-002 | 164.231.187.36 | | | 2026-01-14 | |
| MONT-VSF-003 | 164.231.187.42 | | | 2026-01-14 | |
| MONT-VSF-004 | 164.231.187.43 | | | 2026-01-14 | |

Finding Details (MONT-AP-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399; RequiredSecurityProperties: 1, 2; VirtualizationBasedSecurityStatus: 2

Finding Details (MONT-BE-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399; RequiredSecurityProperties: 1, 2; VirtualizationBasedSecurityStatus: 2

Finding Details (MONT-DB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399; RequiredSecurityProperties: 1, 2; VirtualizationBasedSecurityStatus: 2

Finding Details (MONT-DC-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399; RequiredSecurityProperties: 1, 2; VirtualizationBasedSecurityStatus: 2

Finding Details (MONT-DP-001): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399; RequiredSecurityProperties: 1, 2; VirtualizationBasedSecurityStatus: 2

Finding Details (MONT-MB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025. ResultHash: 5A95DCD6553036523AF8C7763AD372FDE3799CA2; RequiredSecurityProperties: 1, 2; VirtualizationBasedSecurityStatus: 1

Finding Details (MONT-VSF-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399; RequiredSecurityProperties: 1, 2; VirtualizationBasedSecurityStatus: 2

Finding Details (MONT-VSF-004): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025. ResultHash: A35F1C37518BA5BE7F9CEF7DDAAE6530ED947399; RequiredSecurityProperties: 1, 2; VirtualizationBasedSecurityStatus: 2

Check Text

For standalone or nondomain-joined systems, this is NA.

Open "PowerShell" with elevated privileges (run as administrator). Enter the following:

    Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

If "RequiredSecurityProperties" does not include a value of "2" indicating "Secure Boot" (e.g., "{1, 2}"), this is a finding. If "Secure Boot and DMA Protection" is configured, "3" will also be displayed in the results (e.g., "{1, 2, 3}").

If "VirtualizationBasedSecurityStatus" is not a value of "2" indicating "Running", this is a finding.

Alternately: Run "System Information". Under "System Summary", verify the following:

- If "Device Guard Virtualization based security" does not display "Running", this is a finding.
- If "Device Guard Required Security Properties" does not display "Base Virtualization Support, Secure Boot", this is a finding. If "Secure Boot and DMA Protection" is configured, "DMA Protection" will also be displayed (e.g., "Base Virtualization Support, Secure Boot, DMA Protection").

The policy settings referenced in the Fix section will configure the following registry values. However, due to hardware requirements, the registry values alone do not ensure proper function.

- Registry Hive: HKEY_LOCAL_MACHINE
- Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\
- Value Name: EnableVirtualizationBasedSecurity; Value Type: REG_DWORD; Value: 0x00000001 (1)
- Value Name: RequirePlatformSecurityFeatures; Value Type: REG_DWORD; Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA Protection)

A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard

Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected. A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | | | 2026-01-14 | |
| MONT-BE-002 | 164.231.187.37 | | | 2026-01-14 | |
| MONT-DB-002 | 164.231.187.38 | | | 2026-01-14 | |
| MONT-DC-003 | 164.231.187.34 | | | 2026-01-14 | |
| MONT-DP-001 | 164.231.187.44 | | | 2026-01-14 | |
| MONT-MB-002 | 164.231.187.36 | | | 2026-01-14 | |
| MONT-VSF-003 | 164.231.187.42 | | | 2026-01-14 | |
| MONT-VSF-004 | 164.231.187.43 | | | 2026-01-14 | |

Finding Details (MONT-AP-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025

- ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C
- 'Configure Windows SmartScreen' is Enabled
- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\
- Value Name: EnableSmartScreen; Value: 0x00000001 (1); Type: REG_DWORD

Finding Details (MONT-BE-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025

- ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C
- 'Configure Windows SmartScreen' is Enabled
- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\
- Value Name: EnableSmartScreen; Value: 0x00000001 (1); Type: REG_DWORD

Finding Details (MONT-DB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025

- ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C
- 'Configure Windows SmartScreen' is Enabled
- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\
- Value Name: EnableSmartScreen; Value: 0x00000001 (1); Type: REG_DWORD

Finding Details (MONT-DC-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025

- ResultHash: 98C5AA677C378D823FFF089EBE87265FA619F43F
- 'Configure Windows SmartScreen' is NOT Enabled
- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\
- Value Name: EnableSmartScreen; Value: 0x00000000 (0) [Expected 1]; Type: REG_DWORD

Finding Details (MONT-DP-001): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025

- ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C
- 'Configure Windows SmartScreen' is Enabled
- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\
- Value Name: EnableSmartScreen; Value: 0x00000001 (1); Type: REG_DWORD

Finding Details (MONT-MB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025

- ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C
- 'Configure Windows SmartScreen' is Enabled
- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\
- Value Name: EnableSmartScreen; Value: 0x00000001 (1); Type: REG_DWORD

Finding Details (MONT-VSF-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025

- ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C
- 'Configure Windows SmartScreen' is Enabled
- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\
- Value Name: EnableSmartScreen; Value: 0x00000001 (1); Type: REG_DWORD

Finding Details (MONT-VSF-004): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025

- ResultHash: CB204EC43075AD6A99D572BAF19EAEA87325DC6C
- 'Configure Windows SmartScreen' is Enabled
- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\
- Value Name: EnableSmartScreen; Value: 0x00000001 (1); Type: REG_DWORD

Check Text

This is applicable to unclassified systems; for other systems, this is NA.

If the following registry value does not exist or is not configured as specified, this is a finding.

- Registry Hive: HKEY_LOCAL_MACHINE
- Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\
- Value Name: EnableSmartScreen
- Value Type: REG_DWORD
- Value: 0x00000001 (1)

Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled".

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | | | 2026-01-14 | |
| MONT-BE-002 | 164.231.187.37 | | | 2026-01-14 | |
| MONT-DB-002 | 164.231.187.38 | | | 2026-01-14 | |
| MONT-DC-003 | 164.231.187.34 | | | 2026-01-14 | |
| MONT-DP-001 | 164.231.187.44 | | | 2026-01-14 | |
| MONT-MB-002 | 164.231.187.36 | | | 2026-01-14 | |
| MONT-VSF-003 | 164.231.187.42 | | | 2026-01-14 | |
| MONT-VSF-004 | 164.231.187.43 | | | 2026-01-14 | |

Finding Details (MONT-AP-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-BE-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-DB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-DC-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025. ResultHash: E0BDF45798C79C9D7292EC79FDB5523BD31F5459

Non-compliant roles installed:

- DHCP Server
- Network Policy and Access Services

Compliant roles installed:

- Active Directory Domain Services
- DNS Server
- File and Storage Services

Installed software:

- ActivID ActivClient x64
- Axway Desktop Validator
- CRLAutoCache
- DoD Secure Host Baseline Server
- InstallRoot
- Microsoft NetBanner
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33130
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.38.33130
- Trellix Agent
- Trellix Data Loss Prevention - Endpoint
- Trellix Endpoint Security Firewall
- Trellix Endpoint Security Platform
- Trellix Endpoint Security Threat Prevention
- Trellix Policy Auditor Agent
- Trellix Solidifier
- Veritas Backup Exec Remote Agent for Windows
- Windows Resource Kit Tools
- WinZip 27.0

Finding Details (MONT-DP-001): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-MB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-VSF-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-VSF-004): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Check Text

This applies to domain controllers. It is NA for other systems.

Review the installed roles the domain controller is supporting.

1. Start "Server Manager".
2. Select "AD DS" in the left pane and the server name under "Servers" to the right.
3. Select "Add (or Remove) Roles and Features" from "Tasks" in the "Roles and Features" section. (Cancel before any changes are made.)
4. Determine if any additional server roles are installed.

A basic domain controller setup will include the following:

- Active Directory Domain Services
- DNS Server
- File and Storage Services

If any roles not requiring installation on a domain controller are installed, this is a finding.

A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.

Run "Programs and Features". Review installed applications. If any applications are installed that are not required for the domain controller, this is a finding.

Fix Text
Remove additional roles or applications such as web, database, and email from the domain controller.

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | | | 2026-01-14 | |
| MONT-BE-002 | 164.231.187.37 | | | 2026-01-14 | |
| MONT-DB-002 | 164.231.187.38 | | | 2026-01-14 | |
| MONT-DC-003 | 164.231.187.34 | | | 2026-01-14 | |
| MONT-DP-001 | 164.231.187.44 | | | 2026-01-14 | |
| MONT-MB-002 | 164.231.187.36 | | | 2026-01-14 | |
| MONT-VSF-003 | 164.231.187.42 | | | 2026-01-14 | |
| MONT-VSF-004 | 164.231.187.43 | | | 2026-01-14 | |

Finding Details (MONT-AP-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-BE-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-DB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-DC-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

- ResultHash: 19746D1E477B8F7DA30F943E64E42D2E57BA187F
- Object Name: MONTFORD-POINT
- Object DN: DC=MONTFORD-POINT,DC=navy,DC=mil
- Object Class: domainDNS
- Audit entries:
  - AuditFlags : Success; IdentityReference : BUILTIN\Administrators; ActiveDirectoryRights : ExtendedRight; IsInherited : False; InheritanceType : None
  - AuditFlags : Success; IdentityReference : Everyone; ActiveDirectoryRights : WriteProperty; IsInherited : False; InheritanceType : All
  - AuditFlags : Success; IdentityReference : Everyone; ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner; IsInherited : False; InheritanceType : None
  - AuditFlags : Success; IdentityReference : MONTFORD-POINT\Domain Users; ActiveDirectoryRights : ExtendedRight; IsInherited : False; InheritanceType : None

Finding Details (MONT-DP-001): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-MB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-VSF-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-VSF-004): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Check Text

This applies to domain controllers. It is NA for other systems.

Review the auditing configuration for the Domain object.

1. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
2. Ensure "Advanced Features" is selected in the "View" menu.
3. Select the domain being reviewed in the left pane.
4. Right-click the domain name and select "Properties".
5. Select the "Security" tab.
6. Select the "Advanced" button and then the "Auditing" tab.

If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding.

- Type - Fail; Principal - Everyone; Access - Full Control; Inherited from - None; Applies to - This object only

The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

Two instances with the following summary information will be listed.

- Type - Success; Principal - Everyone; Access - (blank); Inherited from - None; Applies to - Special
- Type - Success; Principal - Domain Users; Access - All extended rights; Inherited from - None; Applies to - This object only
- Type - Success; Principal - Administrators; Access - All extended rights; Inherited from - None; Applies to - This object only
- Type - Success; Principal - Everyone; Access - Special; Inherited from - None; Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner)

Fix Text

1. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
2. Ensure "Advanced Features" is selected in the "View" menu.
3. Select the domain being reviewed in the left pane.
4. Right-click the domain name and select "Properties".
5. Select the "Security" tab.
6. Select the "Advanced" button and then the "Auditing" tab.

Configure the audit settings for Domain object to include the following.

- Type - Fail; Principal - Everyone; Access - Full Control; Inherited from - None; Applies to - This object only

The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

Two instances with the following summary information will be listed.

- Type - Success; Principal - Everyone; Access - (blank); Inherited from - None; Applies to - Special
- Type - Success; Principal - Domain Users; Access - All extended rights; Inherited from - None; Applies to - This object only
- Type - Success; Principal - Administrators; Access - All extended rights; Inherited from - None; Applies to - This object only
- Type - Success; Principal - Everyone; Access - Special; Inherited from - None; Applies to - This object only (Access - Special = Permissions: Write all properties, Modify permissions, Modify owner.)


| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | | | 2026-01-14 | |
| MONT-BE-002 | 164.231.187.37 | | | 2026-01-14 | |
| MONT-DB-002 | 164.231.187.38 | | | 2026-01-14 | |
| MONT-DC-003 | 164.231.187.34 | | | 2026-01-14 | |
| MONT-DP-001 | 164.231.187.44 | | | 2026-01-14 | |
| MONT-MB-002 | 164.231.187.36 | | | 2026-01-14 | |
| MONT-VSF-003 | 164.231.187.42 | | | 2026-01-14 | |
| MONT-VSF-004 | 164.231.187.43 | | | 2026-01-14 | |

Finding Details (MONT-AP-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-BE-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-DB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-DC-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

- ResultHash: 910E0557232C81D7B2E612D54715A1B79B1AC045
- Object Name: Infrastructure
- Object DN: CN=Infrastructure,DC=MONTFORD-POINT,DC=navy,DC=mil
- Object Class: infrastructureUpdate
- Audit entries:
  - AuditFlags : Success; IdentityReference : Everyone; ActiveDirectoryRights : WriteProperty; IsInherited : True; InheritanceType : Descendents
  - AuditFlags : Success; IdentityReference : Everyone; ActiveDirectoryRights : WriteProperty, ExtendedRight; IsInherited : False; InheritanceType : None

Finding Details (MONT-DP-001): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-MB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-VSF-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-VSF-004): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Check Text

This applies to domain controllers. It is NA for other systems.

Review the auditing configuration for Infrastructure object.

1. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
2. Ensure "Advanced Features" is selected in the "View" menu.
3. Select the domain being reviewed in the left pane.
4. Right-click the "Infrastructure" object in the right pane and select "Properties".
5. Select the "Security" tab.
6. Select the "Advanced" button and then the "Auditing" tab.

If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding.

- Type - Fail; Principal - Everyone; Access - Full Control; Inherited from - None

The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

- Type - Success; Principal - Everyone; Access - Special; Inherited from - None (Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master)

Two instances with the following summary information will be listed.

- Type - Success; Principal - Everyone; Access - (blank); Inherited from - (CN of domain)

Fix Text

1. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
2. Ensure "Advanced Features" is selected in the "View" menu.
3. Select the domain being reviewed in the left pane.
4. Right-click the "Infrastructure" object in the right pane and select "Properties".
5. Select the "Security" tab.
6. Select the "Advanced" button and then the "Auditing" tab.

Configure the audit settings for Infrastructure object to include the following.

- Type - Fail; Principal - Everyone; Access - Full Control; Inherited from - None

The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

- Type - Success; Principal - Everyone; Access - Special; Inherited from - None (Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master)

Two instances with the following summary information will be listed.

- Type - Success; Principal - Everyone; Access - (blank); Inherited from - (CN of domain)


| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | | | 2026-01-14 | |
| MONT-BE-002 | 164.231.187.37 | | | 2026-01-14 | |
| MONT-DB-002 | 164.231.187.38 | | | 2026-01-14 | |
| MONT-DC-003 | 164.231.187.34 | | | 2026-01-14 | |
| MONT-DP-001 | 164.231.187.44 | | | 2026-01-14 | |
| MONT-MB-002 | 164.231.187.36 | | | 2026-01-14 | |
| MONT-VSF-003 | 164.231.187.42 | | | 2026-01-14 | |
| MONT-VSF-004 | 164.231.187.43 | | | 2026-01-14 | |

Finding Details (MONT-AP-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-BE-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-DB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-DC-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

- ResultHash: A9A635A5963F6C60BDED8092F28CCE6E36D2C153
- Object Name: Domain Controllers
- Object DN: OU=Domain Controllers,DC=MONTFORD-POINT,DC=navy,DC=mil
- Object Class: organizationalUnit
- Audit entries:
  - AuditFlags : Success; IdentityReference : Everyone; ActiveDirectoryRights : WriteProperty; IsInherited : True; InheritanceType : All
  - AuditFlags : Success; IdentityReference : Everyone; ActiveDirectoryRights : CreateChild, DeleteChild, DeleteTree, Delete, WriteDacl, WriteOwner; IsInherited : False; InheritanceType : None

Finding Details (MONT-DP-001): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-MB-002): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-VSF-003): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Finding Details (MONT-VSF-004): Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025. ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E. System is a 'Member Server' so this requirement is NA.

Check Text
This applies to domain controllers. It is NA for other systems.

Review the auditing configuration for the Domain Controller OU object.

Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Ensure "Advanced Features" is selected in the "View" menu.
Select the "Domain Controllers OU" under the domain being reviewed in the left pane.
Right-click the "Domain Controllers OU" object and select "Properties".
Select the "Security" tab.
Select the "Advanced" button and then the "Auditing" tab.

If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object and all descendant objects

The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Permissions: all create, delete and modify permissions)

Type - Success
Principal - Everyone
Access - Write all properties
Inherited from - None
Applies to - This object and all descendant objects

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)
Applies to - Descendant Organizational Unit objects
Fix Text
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Ensure "Advanced Features" is selected in the "View" menu.
Select the "Domain Controllers OU" under the domain being reviewed in the left pane.
Right-click the "Domain Controllers OU" object and select "Properties".
Select the "Security" tab.
Select the "Advanced" button and then the "Auditing" tab.

Configure the audit settings for Domain Controllers OU object to include the following.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None

The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Permissions: all create, delete and modify permissions)

Type - Success
Principal - Everyone
Access - Write all properties
Inherited from - None
Applies to - This object and all descendant objects

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)
Applies to - Descendant Organizational Unit objects
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
ResultHash: 85D03424A16D29FC0BFB271FD90C04F70F183AD8
~~~~~
Object Name: AdminSDHolder
Object DN: CN=AdminSDHolder,CN=System,DC=MONTFORD-POINT,DC=navy,DC=mil
Object Class: container
---------------------
AuditFlags : Success
IdentityReference : Everyone
ActiveDirectoryRights : WriteProperty
IsInherited : True
InheritanceType : Descendents

AuditFlags : Success
IdentityReference : Everyone
ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
IsInherited : False
InheritanceType : None
---------------------
Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems.

Review the auditing configuration for the "AdminSDHolder" object.

Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Ensure "Advanced Features" is selected in the "View" menu.
Select "System" under the domain being reviewed in the left pane.
Right-click the "AdminSDHolder" object in the right pane and select "Properties".
Select the "Security" tab.
Select the "Advanced" button and then the "Auditing" tab.

If the audit settings on the "AdminSDHolder" object are not at least as inclusive as those below, this is a finding.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object only

The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Write all properties, Modify permissions, Modify owner)

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)
Applies to - Descendant Organizational Unit objects
Fix Text
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Ensure "Advanced Features" is selected in the "View" menu.
Select "System" under the domain being reviewed in the left pane.
Right-click the "AdminSDHolder" object in the right pane and select "Properties".
Select the "Security" tab.
Select the "Advanced" button and then the "Auditing" tab.

Configure the audit settings for AdminSDHolder object to include the following.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object only

The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Write all properties, Modify permissions, Modify owner)

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)
Applies to - Descendant Organizational Unit objects
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
ResultHash: 6F9F8BF32EFEA4B816B61252C0673C259CD504E9
~~~~~
Object Name: RID Manager$
Object DN: CN=RID Manager$,CN=System,DC=MONTFORD-POINT,DC=navy,DC=mil
Object Class: rIDManager
---------------------
AuditFlags : Success
IdentityReference : Everyone
ActiveDirectoryRights : WriteProperty
IsInherited : True
InheritanceType : Descendents

AuditFlags : Success
IdentityReference : Everyone
ActiveDirectoryRights : WriteProperty, ExtendedRight
IsInherited : False
InheritanceType : None
---------------------
Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems.

Review the auditing configuration for the "RID Manager$" object.

Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Ensure "Advanced Features" is selected in the "View" menu.
Select "System" under the domain being reviewed in the left pane.
Right-click the "RID Manager$" object in the right pane and select "Properties".
Select the "Security" tab.
Select the "Advanced" button and then the "Auditing" tab.

If the audit settings on the "RID Manager$" object are not at least as inclusive as those below, this is a finding.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None

The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
(Access - Special = Write all properties, All extended rights, Change RID master)

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)
Fix Text
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Ensure "Advanced Features" is selected in the "View" menu.
Select "System" under the domain being reviewed in the left pane.
Right-click the "RID Manager$" object in the right pane and select "Properties".
Select the "Security" tab.
Select the "Advanced" button and then the "Auditing" tab.

Configure the audit settings for RID Manager$ object to include the following.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None

The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
(Access - Special = Write all properties, All extended rights, Change RID master)

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8321877B1939868783133E67C0DB12AC4A135F79 ~~~~~ The following accounts are enabled without requiring a smart card. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems.

Open "PowerShell".

Enter the following:

"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name"
("DistinguishedName" may be substituted for "Name" for more detailed output.)

If any user accounts, including administrators, are listed, this is a finding.

Alternately:

To view sample accounts in "Active Directory Users and Computers" (available from various menus or run "dsa.msc"):

Select the Organizational Unit (OU) where the user accounts are located. (By default, this is the Users node; however, accounts may be under other organization-defined OUs.)
Right-click the sample user account and select "Properties".
Select the "Account" tab.

If any user accounts, including administrators, do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding.
Fix Text
Configure all user accounts, including administrator accounts, in Active Directory to enable the option "Smart card is required for interactive logon".

Run "Active Directory Users and Computers" (available from various menus or run "dsa.msc"):

Select the OU where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.)
Right-click the user account and select "Properties".
Select the "Account" tab.
Check "Smart card is required for interactive logon" in the "Account Options" area.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025
ResultHash: F7AD9B106F09B1E5992AFB251D89A3E532494619
~~~~~
'Domain controller: LDAP server signing requirements' is NOT Require signing
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
Value Name: LDAPServerIntegrity
Value: 0x00000001 (1) [Expected 2]
Type: REG_DWORD
Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems.

If the following registry value does not exist or is not configured as specified, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
Value Name: LDAPServerIntegrity
Value Type: REG_DWORD
Value: 0x00000002 (2)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: LDAP server signing requirements" to "Require signing".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025
ResultHash: E5B8DE6F5B9AB5EF925507653B31D7770DEA4089
~~~~~
SeNetworkLogonRight:
BUILTIN\Administrators
BUILTIN\Pre-Windows 2000 Compatible Access
Everyone
NT AUTHORITY\Authenticated Users
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems.

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding.

- Administrators
- Authenticated Users
- Enterprise Domain Controllers

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeNetworkLogonRight" user right, this is a finding.

S-1-5-32-544 (Administrators)
S-1-5-11 (Authenticated Users)
S-1-5-9 (Enterprise Domain Controllers)

If an application requires this user right, this would not be a finding.

Vendor documentation must support the requirement for having the user right.

The requirement must be documented with the ISSO.

The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups:

- Administrators
- Authenticated Users
- Enterprise Domain Controllers
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025
ResultHash: 3306581CC2A5040D88182FF80C3D4D63A9960E69
~~~~~
SeMachineAccountPrivilege:
BUILTIN\Administrators
NT AUTHORITY\Authenticated Users
Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems.

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding.

- Administrators

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeMachineAccountPrivilege" user right, this is a finding.

S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Add workstations to domain" to include only the following accounts or groups:

- Administrators

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: E719DE9AE81DFE3B722F6884328A5AF9192E5A68 ~~~~~ Deny log on as a batch job: BUILTIN\Guests Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3269727D2232F7C9C8B33EADB868AEDDB9E50831 ~~~~~ Deny log on as a batch job: BUILTIN\Guests MONTFORD-POINT\Domain Admins MONTFORD-POINT\Enterprise Admins Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers.

Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding.

Domain Systems Only:

- Enterprise Admins Group
- Domain Admins Group

All Systems:

- Guests Group

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If the following SIDs are not defined for the "SeDenyBatchLogonRight" user right, this is a finding.

Domain Systems Only:

- S-1-5-root domain-519 (Enterprise Admins)
- S-1-5-domain-512 (Domain Admins)

All Systems:

- S-1-5-32-546 (Guests)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following:

Domain Systems Only:

- Enterprise Admins Group
- Domain Admins Group

All Systems:

- Guests Group

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: D200BCD671BA155A1AD2AADCC3F00DA00CCEC9A4 ~~~~~ Allow log on locally: BUILTIN\Account Operators BUILTIN\Administrators BUILTIN\Backup Operators BUILTIN\Print Operators BUILTIN\Server Operators NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding.

- Administrators

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeInteractiveLogonRight" user right, this is a finding.

- S-1-5-32-544 (Administrators)

If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to include only the following accounts or groups:

- Administrators

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 66B9CC04EDA273C9465066EEB8F5B51DCB20665F ~~~~~ Back up files and directories: BUILTIN\Administrators BUILTIN\Backup Operators BUILTIN\Server Operators Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding.

- Administrators

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeBackupPrivilege" user right, this is a finding.

- S-1-5-32-544 (Administrators)

If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to include only the following accounts or groups:

- Administrators

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 150B29A1ABAE9F69632BC9C91BD3932B9BA7386E ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators BUILTIN\Server Operators Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding.

- Administrators

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeRemoteShutdownPrivilege" user right, this is a finding.

- S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to include only the following accounts or groups:

- Administrators

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 5BC21D57FBD511471E1BD90139EDF70B7AE5455A ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators BUILTIN\IIS_IUSRS NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding.

- Administrators
- Service
- Local Service
- Network Service

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeImpersonatePrivilege" user right, this is a finding.

- S-1-5-32-544 (Administrators)
- S-1-5-6 (Service)
- S-1-5-19 (Local Service)
- S-1-5-20 (Network Service)

If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to include only the following accounts or groups:

- Administrators
- Service
- Local Service
- Network Service

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 35ACECBB96E5CA1C13A0ACC365FA8728B3EFA5D1 ~~~~~ Load and unload device drivers: BUILTIN\Administrators BUILTIN\Print Operators Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding.

- Administrators

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeLoadDriverPrivilege" user right, this is a finding.

- S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to include only the following accounts or groups:

- Administrators

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 69373A71D638B53717ED5715BFFAE3EDDB82633A ~~~~~ Manage auditing and security log: BUILTIN\Administrators Exchange Servers S-1-5-21-1199390858-2101972093-2013113664-1129 S-1-5-21-270843172-1021756428-1876623829-2158 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding.

- Administrators

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeSecurityPrivilege" user right, this is a finding.

- S-1-5-32-544 (Administrators)

If the organization has an Auditors group, the assignment of this group to the user right would not be a finding.

If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to include only the following accounts or groups:

- Administrators

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 8615B5BE092ADB083D1714DF2DE2B96AF77C0968 ~~~~~ Restore files and directories: BUILTIN\Administrators BUILTIN\Backup Operators BUILTIN\Server Operators Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding.

- Administrators

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeRestorePrivilege" user right, this is a finding.

- S-1-5-32-544 (Administrators)

If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to include only the following accounts or groups:

- Administrators

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00 Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00 Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00 Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00 Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00 Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: DF18BE85941E7EB1E368A5225EB42298CD0B88C1 ~~~~~
- Username: MONTFORD-POINT\d.admin
- User SID: S-1-5-21-1360995287-4027491577-3040029667-1104
- Profile Path: C:\Users\d.admin
- Value Name: State
- Value: 0x00023e00 [expected '0x00023c00']
- Type: REG_DWORD
Comments |
|||||
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: 131C51BE43E61BFBB569FDD5F046ADBBCD65A458 ~~~~~ This is a classified system so this requirement is NA. Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 12/17/2025 ResultHash: 131C51BE43E61BFBB569FDD5F046ADBBCD65A458 ~~~~~ This is a classified system so this requirement is NA. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00 Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00 Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00 Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00 Comments |
|||||
Check Text
If the system or application being reviewed is SIPR based, this finding is NA. This check must be performed for each user on the system. Use regedit to locate "HKEY_USERS\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State". If the State value for any user is not set to the hexadecimal value of 0x23C00, this is a finding.
Fix Text
This fix must be performed for each user on the system. Using regedit, change the hexadecimal value of the "HKEY_USERS\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State" registry key to 0x23C00.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8AD60F176ED8D404166D414B3D9C42C9CD3F422D ~~~~~
- C:\Windows\Installer\$PatchCache$\Managed\442189DC8B9EA5040962A6BED9EC1F1F\15.1.2507\SetupUI.exe.config Name: loadFromRemoteSources Enabled: true
- C:\Windows\Temp\ExchangeSetup\SetupUI.exe.config Name: loadFromRemoteSources Enabled: true
- E:\ExchangeV15\Bin\SetupUI.exe.config Name: loadFromRemoteSources Enabled: true
Comments |
|||||
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
Check Text
Open Windows explorer and search for *.exe.config. Search each config file found for the "loadFromRemoteSources" element. If the loadFromRemoteSources element is enabled ("loadFromRemoteSources enabled = true"), and the remotely loaded application is not run in a sandboxed environment, or if OS based software controls, such as AppLocker or Software Security Policies, are not utilized, this is a finding.
Fix Text
.Net application code loaded from a remote source must be run in a controlled environment. A controlled environment consists of a sandbox, such as running in an Internet Explorer host environment or employing OS based software access controls, such as AppLocker or Software Security Policies, when application design permits. Obtain documented IAO approvals for all remotely loaded code.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-AP-002 | 164.231.187.39 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
| MONT-BE-002 | 164.231.187.37 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 1E5FAD6C7F6E6F796EB6A2FA1A9D4975C326A325 ~~~~~
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\SQL2017\x64\FixSqlRegistryKey_x64.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\SQL2017\x64\FixSqlRegistryKey_x86.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\SQL2017\x64\LandingPage.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\SQL2017\x64\ScenarioEngine.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\SQL2017\x64\SetupARP.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\Update Cache\KB5063760\GDR\x64\fixsqlregistrykey_x64.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\Update Cache\KB5063760\GDR\x64\fixsqlregistrykey_x86.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\Update Cache\KB5063760\GDR\x64\landingpage.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\Update Cache\KB5063760\GDR\x64\scenarioengine.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\Update Cache\KB5065224\GDR\x64\fixsqlregistrykey_x64.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\Update Cache\KB5065224\GDR\x64\fixsqlregistrykey_x86.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\Update Cache\KB5065224\GDR\x64\landingpage.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Setup Bootstrap\Update Cache\KB5065224\GDR\x64\scenarioengine.exe Net4Runtimes: 4.0
- C:\Program Files\Microsoft SQL Server\140\Tools\Binn\SqlLogShip.exe Net4Runtimes: 4.0
- C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\SQLPS.exe Net4Runtimes: 4.0
- C:\Users\montford.backup\AppData\Local\Temp\MSSQL_BKUPEXEC64\x64\FIXSQLREGISTRYKEY_X64.EXE Net4Runtimes: 4.0
- C:\Users\montford.backup\AppData\Local\Temp\MSSQL_BKUPEXEC64\x64\FIXSQLREGISTRYKEY_X86.EXE Net4Runtimes: 4.0
- C:\Users\montford.backup\AppData\Local\Temp\MSSQL_BKUPEXEC64\x64\LANDINGPAGE.EXE Net4Runtimes: 4.0
- C:\Users\montford.backup\AppData\Local\Temp\MSSQL_BKUPEXEC64\x64\SCENARIOENGINE.EXE Net4Runtimes: 4.0
Comments |
|||||
| MONT-DB-002 | 164.231.187.38 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
| MONT-SW-89108 | 22.19.120.22 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
| MONT-SW-89134 | 22.19.120.21 | 2026-03-04 | |||
Finding DetailsEvaluate-STIG 1.2510.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
| MONT-VSF-003 | 164.231.187.42 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
| MONT-VSF-004 | 164.231.187.43 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
| MONT-WS-92010 | 164.231.187.45 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
| MONT-WS-92040 | 164.231.187.72 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
Check Text
This requirement does not apply to the "caspol.exe" assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB).
Ask the system administrator to provide documentation that identifies:
- Each .Net 4.0 application run on the system.
- The .Net runtime host that invokes the application.
- The security measures employed to control application access to system resources or user access to application.
For additional insight run:
tasklist /fi "modules eq mscoree.dll"
If all .Net applications, runtime hosts and security protections have been documented or if there are no .Net 4.0 applications existing on the system, this is not a finding.
If there is no documentation that identifies the existence of .NET 4.0 applications or the lack thereof, this is a finding.
If the runtime hosts have not been identified, this is a finding.
If the security protections have not been identified, this is a finding.
Fix Text
Document the existence of all .Net 4.0 applications that are not provided by the host Windows OS or the Windows Secure Host Baseline (SHB). Document the corresponding runtime hosts that are used to invoke the applications. Document the applications' security control requirements (restricting application access to resources or user access to the application).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: E93B95A4ADD9CAD25899E809C74CFE6B9B22C253 ~~~~~
- CertificateDomains: MONT-MB-002.MONTFORD-POINT.navy.mil
  Subject: CN=MONT-MB-002.MONTFORD-POINT.navy.mil, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US
  Issuer: CN=DOD SW CA-67, OU=PKI, OU=DoD, O=U.S. Government, C=US
  Services: IMAP, POP
  NotAfter: 06/12/2026 18:24:02
  Thumbprint: 4474E394A46CBB595F7C2A2CF85C3E59BD4C84E6
- CertificateDomains: mont-mb-002.montford-point.navy.mil, MONT-MB-002.MONTFORD-POINT.navy
  Subject: CN=mont-mb-002.montford-point.navy.mil, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US
  Issuer: CN=DOD SW CA-67, OU=PKI, OU=DoD, O=U.S. Government, C=US
  Services: IMAP, POP, IIS, SMTP
  NotAfter: 06/08/2026 18:52:58
  Thumbprint: 76C9C9B1E8EECDDD4A3ECB0107EF19938933B161
- CertificateDomains:
  Subject: CN=Microsoft Exchange Server Auth Certificate
  Issuer: CN=Microsoft Exchange Server Auth Certificate [Not DoD issued]
  Services: SMTP
  NotAfter: 04/22/2028 17:52:30
  Thumbprint: 0E3F5680CCC5915CC6B67F86BEE0307E0B7C0DA2
- CertificateDomains: MONT-MB-002, MONT-MB-002.MONTFORD-POINT.navy.mil
  Subject: CN=MONT-MB-002
  Issuer: CN=MONT-MB-002 [Not DoD issued]
  Services: IMAP, POP, SMTP
  NotAfter: 05/19/2028 17:51:07
  Thumbprint: 3789117E46E20EB76C5406B7D0BCAE3C307F6BC3
- CertificateDomains: WMSvc-SHA2-MONT-MB-002
  Subject: CN=WMSvc-SHA2-MONT-MB-002
  Issuer: CN=WMSvc-SHA2-MONT-MB-002 [Not DoD issued]
  Services: None
  NotAfter: 05/16/2033 17:33:20
  Thumbprint: DF9858A0D9DDF8AEF88B8D4DFAC2C6EAB81DE294
Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command: Get-ExchangeCertificate | Select CertificateDomains, issuer If the value of "CertificateDomains" does not indicate it is issued by the DoD, this is a finding.
Fix Text
Remove the non-DoD certificate and import the correct DoD certificates.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: FE246760DF11AD630D46674989CAFFBEDC086407 ~~~~~
- MSExchange ADAccess\Topology EventLevel: Low [Expected Lowest]
- MSExchange ADAccess\Validation EventLevel: Low [Expected Lowest]
- MSExchange BackEndRehydration\Configuration EventLevel: Low [Expected Lowest]
- MSExchange BackEndRehydration\Server EventLevel: 2 [Expected Lowest]
- MSExchange OAuth\Configuration EventLevel: Low [Expected Lowest]
- MSExchange OAuth\Server EventLevel: 2 [Expected Lowest]
- MSExchange RBAC\RBAC EventLevel: Low [Expected Lowest]
- MSExchangeADTopology\Topology EventLevel: Low [Expected Lowest]
Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command: Get-EventLogLevel If the Diagnostic of any EventLevel is not set to "Lowest", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command: Set-EventLogLevel -Identity <'IdentityName\EventlogName'> -Level Lowest Note: The <IdentityName\EventlogName> value must be in single quotes.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: F788ADA2BEF7B785F4958C7948B5FA274C586D53 ~~~~~ MONT-MB-002 MessageTrackingLogSubjectLoggingEnabled: True [Expected False] Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command: Get-TransportService | Select Name, Identity, MessageTrackingLogSubjectLoggingEnabled If the value of “MessageTrackingLogSubjectLoggingEnabled” is not set to “False”, this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command: Set-TransportService -MessageTrackingLogSubjectLoggingEnabled $False
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Note: If a third-party application is performing monitoring functions, the reviewer should verify the application is monitoring correctly and mark the vulnerability not applicable (NA).
Open the Exchange Management Shell and enter the following command:
perfmon
Get-MonitoringItemHelp -Identity <String> -Server <ServerIdParameter>
If no sets are defined or queues are not being monitored, this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command:
perfmon
In the left pane, navigate to and select Performance >> Data Collector Sets >> User Defined.
Right-click on, navigate to, and configure User Defined >> New >> Data Collector Sets and configure the system to use the data collection set for monitoring the queues.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: 106B138DC57F06622496D2E5B78A68E885DD998E ~~~~~ ExecutionPolicy: Bypass [Expected RemoteSigned] Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command: Get-ExecutionPolicy If the value returned is not "RemoteSigned", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command: Set-ExecutionPolicy RemoteSigned
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: 871D7FE5CA5CD09DE879D1100B6E9FE608C8A9D8 ~~~~~ Service: MSExchangeIMAP4 StartType: Manual [Expected Disabled] Comments |
|||||
Check Text
Note: This requirement applies to IMAP4. IMAP Secure is not restricted and does not apply to this requirement.
Open Windows PowerShell and enter the following command:
Get-ItemProperty 'hklm:\system\currentcontrolset\services\MSExchangeIMAP4' | Select Start
Note: The hklm:\system\currentcontrolset\services\MSExchangeIMAP4 value must be in single quotes.
If the value of "Start" is not set to "4", this is a finding.
Fix Text
Open Windows PowerShell and enter the following command:
services.msc
Navigate to and double-click on "Microsoft Exchange IMAP4". Click on the "General" tab. In the "Startup Type" dropdown, select "Disabled". Click the "OK" button.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: 9408EB38DC8342BC3CD643D6A56F6277ADE40B99 ~~~~~ Service: MSExchangePOP3 StartType: Manual [Expected Disabled] Comments |
|||||
Check Text
Open Windows PowerShell and enter the following command:
Get-ItemProperty 'hklm:\system\currentcontrolset\services\MSExchangePOP3' | Select Start
Note: The hklm:\system\currentcontrolset\services\MSExchangePOP3 value must be in single quotes.
If the value of "Start" is not set to "4", this is a finding.
Fix Text
Open Windows PowerShell and enter the following command:
services.msc
Navigate to and double-click on "Microsoft Exchange POP3 Backend". Click on the "General" tab. In the "Startup Type" dropdown, select "Disabled". Click the "OK" button.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: 47638C11304A80A28FB7481682A9AA980FABBF25 ~~~~~ MB-002-DefaultDB RetainDeletedItemsUntilBackup: False [Expected True] Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command: Get-MailboxDatabase | Select Name, Identity, RetainDeletedItemsUntilBackup If the value of "RetainDeletedItemsUntilBackup" is not set to "True", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command: Set-MailboxDatabase -Identity <'IdentityName'> -RetainDeletedItemsUntilBackup $true Note: The <IdentityName> value must be in single quotes.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: 89AEDB6D61782F30776435FEE7E9E99978D0AF04 ~~~~~
- Default MONT-MB-002 PermissionGroups: ExchangeLegacyServers
- Client Proxy MONT-MB-002 PermissionGroups: ExchangeServers
- Default Frontend MONT-MB-002 PermissionGroups: AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers [Found AnonymousUsers]
- Outbound Proxy Frontend MONT-MB-002 PermissionGroups: ExchangeServers
- Client Frontend MONT-MB-002 PermissionGroups: ExchangeUsers
Comments |
|||||
Check Text
NOTE: In some instances, AnonymousUsers may be necessary for organization-specific operations. In such cases, allowing AnonymousUsers must be paired with restricting to specific lists of servers allowed to access. In addition, the risk must be documented and accepted by the ISSO, ISSM, or AO. Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, PermissionGroups For each Receive connector, if the value of "PermissionGroups" is "AnonymousUsers" for any receive connector, this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command, followed by a valid user group value:
Set-ReceiveConnector -Identity <'IdentityName'> -PermissionGroups
Note: The <IdentityName> value must be in single quotes.
Example: Set-ReceiveConnector -Identity <'IdentityName'> -PermissionGroups ExchangeUsers
Repeat the procedures for each Receive connector.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: 6EBBBF0E17F15D624AAD5431B53223AB6A7428F1 ~~~~~ Default DomainName: * AllowedOOFType: External [Expected InternalLegacy] Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command: Get-RemoteDomain | Select Name, DomainName, Identity, AllowedOOFType If the value of "AllowedOOFType" is not set to "InternalLegacy", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command: Set-RemoteDomain -Identity <'IdentityName'> -AllowedOOFType 'InternalLegacy' Note: The <IdentityName> and InternalLegacy values must be in single quotes.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review the Email Domain Security Plan (EDSP). Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If software files are not monitored for unauthorized changes, this is a finding.
Fix Text
Update the EDSP to specify that the organization monitors system files on servers for unauthorized changes against a baseline on a weekly basis or verify that this information is documented by the organization. Monitor the software files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on Exchange servers for unauthorized changes against a baseline on a weekly basis. Note: This can be done with the use of various monitoring tools.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: 5FDC7A99194B45A2F4E960CE93A99C76465240AE ~~~~~
MONT-MB-002\Rpc (Default Web Site)
- InternalClientAuthenticationMethod: Ntlm
- ExternalClientAuthenticationMethod: Negotiate [Expected Ntlm]
Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command:
Get-OutlookAnywhere
Get-OutlookAnywhere | Select Name, Identity, InternalClientAuthenticationMethod, ExternalClientAuthenticationMethod
If the value of "InternalClientAuthenticationMethod" and the value of "ExternalClientAuthenticationMethod" are not set to NTLM, this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command:
For InternalClientAuthenticationMethod:
Set-OutlookAnywhere -Identity <'IdentityName'> -InternalClientAuthenticationMethod NTLM
For ExternalClientAuthenticationMethod:
Set-OutlookAnywhere -Identity <'IdentityName'> -ExternalClientAuthenticationMethod NTLM
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: DB9256765798EA82100E404D1BDD26FCF8546E66 ~~~~~ Default DomainName: * DeliveryReportEnabled: True [Expected False] Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command: Get-RemoteDomain | Select Identity, DeliveryReportEnabled If the value of "DeliveryReportEnabled" is not set to "False", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command: Set-RemoteDomain -Identity <'IdentityName'> -DeliveryReportEnabled $false Note: The <IdentityName> value must be in single quotes.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: BF6C18D61258522F266F50CFBBD9CA3CAFD4B33E ~~~~~ Default DomainName: * NDREnabled: True [Expected False] Comments |
|||||
Check Text
NOTE: For the purpose of this requirement, “remote” refers to those domains external to the DoDIN, whether classified or unclassified. NDRs between DoDIN networks are permitted. Open the Exchange Management Shell and enter the following command: Get-RemoteDomain | Select Name, Identity, NDREnabled If the value of "NDREnabled" is not set to "False", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command: Set-RemoteDomain -Identity <'IdentityName'> -NDREnabled $false Note: The <IdentityName> value must be in single quotes.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding Details
Evaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: A84891728C801098787292FDEBFD425C856D0E44 ~~~~~
- Default MONT-MB-002 Banner: [Expected 220 SMTP Server Ready]
- Client Proxy MONT-MB-002 Banner: [Expected 220 SMTP Server Ready]
- Default Frontend MONT-MB-002 Banner: [Expected 220 SMTP Server Ready]
- Outbound Proxy Frontend MONT-MB-002 Banner: [Expected 220 SMTP Server Ready]
- Client Frontend MONT-MB-002 Banner: [Expected 220 SMTP Server Ready]
Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, Banner For each Receive connector, if the value of "Banner" is not set to "220 SMTP Server Ready", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -Banner '220 SMTP Server Ready' Note: The <IdentityName> and 220 SMTP Server Ready values must be in single quotes. Repeat the procedures for each Receive connector.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding Details
[PS] C:\windows\system32>Get-SendConnector | Select Name, Identity, TlsAuthLevel
Name Identity TlsAuthLevel
---- -------- ------------
MONTFORD MNOC-MAIL MONTFORD MNOC-MAIL
Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command: Get-SendConnector | Select Name, Identity, TlsAuthLevel For each Send connector, if the value of "TlsAuthLevel" is not set to "DomainValidation", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command:

    Set-SendConnector -Identity <'IdentityName'> -TlsAuthLevel DomainValidation

Note: The <IdentityName> value must be in single quotes.
Repeat the procedure for each Send connector.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 46AE9BF4D3752039AF3EC8466DB7C6EF44F699D8 ~~~~~ No Database Availability Groups are configured. Comments |
|||||
Check Text
Review the Email Domain Security Plan (EDSP). Determine if the Exchange Mailbox databases are using redundancy.

Open the Exchange Management Shell. Enter the following command:

    Get-DatabaseAvailabilityGroup <DAGName> | Format-List

If the DAG is not displayed, this is a finding.
Fix Text
Update the EDSP to specify how Exchange Mailbox databases use redundancy.

Access the Exchange Management Shell and add new Database Availability Groups based upon the EDSP using the following command:

    New-DatabaseAvailabilityGroup

See the following documentation for options when creating a DAG: https://docs.microsoft.com/en-us/exchange/high-availability/manage-ha/create-dags?view=exchserver-2019.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: 4EA59F616166BD941B5943C6CD5AE4C5B913F7ED ~~~~~ MONT-MB-002 FormsAuthentication: True [Expected False] Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command:

    Get-OwaVirtualDirectory | Select ServerName, Name, Identity, FormsAuthentication

If the value of "FormsAuthentication" is not set to "False", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command:

    Set-OwaVirtualDirectory -Identity <'IdentityName'> -FormsAuthentication $false

Note: <IdentityName> must be in single quotes. Example for the Identity Name: <ServerName>\owa (Default website)
Restart the IIS service.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-MSExchange2016MB_Checks) found this to be OPEN on 10/23/2025 ResultHash: 8BFE4669A6229F6E578599A2EB753E7E7EF5EF8C ~~~~~ MONT-MB-002 WindowsAuthentication: False [Expected True] Comments |
|||||
Check Text
Open the Exchange Management Shell and enter the following command:

    Get-OwaVirtualDirectory | Select ServerName, Name, Identity, *Authentication

If the value of "WindowsAuthentication" is not set to "True", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command:

    Set-OwaVirtualDirectory -Identity '<IdentityName>' -WindowsAuthentication $true

Note: The <IdentityName> value must be in single quotes. Example for the Identity Name: <ServerName>\owa (Default website)
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DP-001 | 164.231.187.44 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 3B7C7319D6AEB5A130CFDA357A0A502827AB79ED ~~~~~ SMTP-Server Feature: Available System is not listening on port 25. Confirm there are no SMTP relays using a custom port. If no SMTP relays exist, this may be marked as 'Not Applicable'. Comments |
|||||
| MONT-MB-002 | 164.231.187.36 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 3A0AF990A1B13432BBD3700E404DA9F3AC962BAC ~~~~~ SMTP-Server Feature: Available Process found on port 25. Confirm if it is SMTP and if so, that it's configured per STIG. LocalPort: 25 State :Listen ProcessName: MSExchangeFrontendTransport LocalPort: 25 State :Listen ProcessName: MSExchangeFrontendTransport Comments |
|||||
Check Text
Interview the System Administrator about the role of the IIS 10.0 web server. If the IIS 10.0 web server is running SMTP relay services, have the SA provide supporting documentation on how the server is hardened. A DoD-issued certificate and a specific allowed IP address should be configured.
If the IIS web server is not running SMTP relay services, this is Not Applicable.
If the IIS web server is running SMTP relay services without TLS enabled, this is a finding.
If the IIS web server running SMTP relay services is not configured to only allow a specific IP address, from the same network as the relay, this is a finding.
Fix Text
Configure the relay server with a specific allowed IP address, from the same network as the relay, and implement TLS.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review the membership groups in Active Directory Users and Computers. Membership groups must be designated at the domain level specifically for domain member server administrators. Domain member server administrator groups and any accounts that are members of the groups must be documented with the IAO. Each member server administrator must have a separate unique account specifically for managing member servers. If any account listed in a domain member server administrator group is a member of other administrator groups including the Enterprise Admins group, the Domain Admins group, or domain workstation administrator groups, this is a finding.
Fix Text
Create the necessary documentation that identifies the members of domain member server administrator groups. Ensure that each member has a separate unique account that can only be used to manage domain member servers. Remove any domain member server accounts from other administrator groups.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Review the membership groups in Active Directory Users and Computers. Membership groups must be designated at the domain level specifically for domain workstation administrators. Domain workstation administrator groups and any accounts that are members of the groups must be documented with the IAO. Each domain workstation administrator must have a separate unique account specifically for managing domain workstations. If any account listed in a domain workstation administrator group is a member of other administrator groups including the Enterprise Admins group, the Domain Admins group, or domain member server administrator groups, this is a finding.
Fix Text
Create the necessary documentation that identifies the members of domain workstation administrator groups. Ensure that each member has a separate unique account that can only be used to manage domain workstations. Remove any domain workstation administrator accounts from other administrator groups.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify local administrator accounts on domain systems are using unique passwords. If local administrator accounts on domain systems are sharing a password, this is a finding.

It is recommended to use Microsoft's Local Administrator Password Solution (LAPS), which provides an automated solution for maintaining and regularly changing a local administrator password for domain-joined systems. LAPS can manage a single local administrator account. The default is the built-in administrator account; however, it can be configured to manage an administrator account of a different name. If additional local administrator accounts exist across systems, the organization must have a process to require unique passwords on each system for the additional accounts. The authorizing official (AO) may approve other automated solutions that provide this capability.

Open "Windows PowerShell" and enter the following command:

    Get-ADComputer -Filter * -Properties msLAPS-EncryptedPassword | Where-Object { $_."msLAPS-EncryptedPassword" -eq $null } | Select-Object Name

The newer "Windows LAPS" function stores the LAPS password in the object attribute "msLAPS-EncryptedPassword" as long as the "encrypted" option was selected when setting up the LAPS GPO settings. This will check that location. If "encrypted" wasn't enabled when setting up LAPS, then adjust the search command to be "msLAPS-Password" instead.

Review the returned list for validity. If any active/deployed Windows systems that are not managed by another process to ensure unique passwords for local administrator accounts are listed, this is a finding.
If the query fails, the organization must demonstrate that passwords for local administrator accounts are properly managed to ensure unique passwords for each. If not, this is a finding.
Fix Text
Set unique passwords for all local administrator accounts on domain systems. It is highly recommended to use Microsoft's LAPS, which provides an automated solution for maintaining and regularly changing a local administrator password for domain-joined systems. If additional local administrator accounts exist across systems, the organization must have a process to require unique passwords on each system for the additional accounts. The AO may approve other automated solutions that provide this capability. See Microsoft Security Advisory 3062591 for additional information and download of LAPS. https://www.microsoft.com/en-us/download/details.aspx?id=46899
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify separate smart cards are used for EA and DA accounts from smart cards used for other accounts. EA and DA accounts may be on the same smart card but must be separate from any other accounts. If separate smart cards for EA and DA accounts from other accounts are not used, this is a finding.
Fix Text
Use separate smart cards for EA and DA accounts from smart cards used for other accounts. EA and DA accounts may be on the same smart card but must be separate from any other accounts.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify domain controllers are blocked from Internet access. Various methods may be employed to accomplish this, such as restrictions at boundary firewalls, through proxy services, host based firewalls or IPsec. Review the Internet access restrictions with the administrator. If Internet access is not prevented, this is a finding. If a critical function requires Internet access, this must be documented and approved by the organization.
Fix Text
Block domain controllers from internet access. This can be accomplished with various methods, such as restrictions at boundary firewalls, proxy services, host based firewalls, or IPsec. If a critical function requires Internet access, this must be documented and approved by the organization.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||
Finding DetailsEvaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 314B6E5CF1F8B145CB057FCD5D58C475C8C3C370 ~~~~~ Accounts are missing from 'Protected Users'. Only service accounts and one (1) user account with domain level administrative privileges may be excluded. Please confirm for compliance. Users Missing From 'Protected Users' Group ============================================ Name: MONTFORD-POINT\adsmith.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1249 DistinguishedName: CN=Smith\, Alexander D.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins Name: MONTFORD-POINT\Alexandra.M.Perl objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1160 DistinguishedName: CN=Perl\, Alexandra M.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Enterprise Admins, Schema Admins Name: MONTFORD-POINT\altucker.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1224 DistinguishedName: CN=Tucker\, Adam L.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins, Enterprise Admins Name: MONTFORD-POINT\amperl.admin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1638 DistinguishedName: CN=ADMIN\, AMPerl,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins, Enterprise Admins, Schema Admins Name: MONTFORD-POINT\ANOC.FIM objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1203 DistinguishedName: CN=FIM\, ANOC,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins Name: MONTFORD-POINT\d.admin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104 DistinguishedName: CN=D.Admin,OU=USERS,OU=MONTFORD-POINT 
SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins, Enterprise Admins, Schema Admins Name: MONTFORD-POINT\DOD_Admin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1000 DistinguishedName: CN=DOD_Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators Name: MONTFORD-POINT\iwgonzalez.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1242 DistinguishedName: CN=Gonzalez\, Ian W.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins Name: MONTFORD-POINT\jrsanders.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1253 DistinguishedName: CN=Sanders\, James R.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins, Enterprise Admins Name: MONTFORD-POINT\jtbegarek.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1212 DistinguishedName: CN=IA ADMIN\, JTBegarek,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins Name: MONTFORD-POINT\MONT-EM-Admin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1157 DistinguishedName: CN=MONT-EM-Admin,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins, Enterprise Admins Name: MONTFORD-POINT\Montford.backup objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1614 DistinguishedName: CN=Backup,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators Name: MONTFORD-POINT\montford.exchange objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118 DistinguishedName: CN=Exchange Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins, Enterprise Admins, Schema Admins Name: 
MONTFORD-POINT\RDRivera.IAADMIN objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1213 DistinguishedName: CN=Rivera\, RJ,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins Name: MONTFORD-POINT\scan.admin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1192 DistinguishedName: CN=Scan Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins Name: MONTFORD-POINT\SHB_Admin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-500 DistinguishedName: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins, Enterprise Admins, Schema Admins Name: MONTFORD-POINT\tagavrilovic.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1231 DistinguishedName: CN=Gavrilovic\, Tyler A.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins Name: MONTFORD-POINT\Thomas.L.Jones objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1176 DistinguishedName: CN=Jones\, Thomas L.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Enterprise Admins, Schema Admins Name: MONTFORD-POINT\TLJones.Admin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1250 DistinguishedName: CN=Jones\, Thomas L.\, Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil MemberOf: Administrators, Domain Admins, Enterprise Admins, Schema Admins Comments |
|||||
Check Text
Open "Windows PowerShell". Enter "Get-ADDomain | FL DomainMode" to determine the domain functional level.

Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Compare membership of the Protected Users group to membership of the following groups. By default, the groups are under the node referenced; however, it is possible to move those under "Users" to another location.

- Enterprise Admins (Users node)
- Domain Admins (Users node)
- Schema Admins (Users node)
- Administrators (Builtin node)
- Account Operators (Builtin node)
- Backup Operators (Builtin node)

It is recommended that one account be excluded to ensure availability if there are issues with Kerberos.

Excluding the account left out for availability, if all user accounts from the local domain that are members of the domain level groups above are not also members of the Protected Users group, this is a finding. (User accounts is referring to accounts for personnel, not service accounts.)
Fix Text
Add user accounts from the local domain that are members of the domain level administrative groups listed below to the Protected Users group. One account may be excluded to ensure availability if there are issues with Kerberos.

- Enterprise Admins (Users node)
- Domain Admins (Users node)
- Schema Admins (Users node)
- Administrators (Builtin node)
- Account Operators (Builtin node)
- Backup Operators (Builtin node)

The use of the Protected Users group should be thoroughly tested before fully implementing.