| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-224965 | CAT II | MONT-VSF-004 | Microsoft Windows Server 2016 Security T... | Kerberos user logon restrictions must be enforced. | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. Fix TextConfigure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled". Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl
Scan Date: 2026-01-14T12:57:30.046447
Technology Area: Windows Operating System
|
||||||||
| V-224965 | CAT II | MONT-VSF-003 | Microsoft Windows Server 2016 Security T... | Kerberos user logon restrictions must be enforced. | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. Fix TextConfigure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled". Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl
Scan Date: 2026-01-14T12:57:31.534241
Technology Area: Windows Operating System
|
||||||||
| V-224965 | CAT II | MONT-MB-002 | Microsoft Windows Server 2016 Security T... | Kerberos user logon restrictions must be enforced. | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. Fix TextConfigure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled". Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl
Scan Date: 2026-01-14T12:57:33.842838
Technology Area: Windows Operating System
|
||||||||
| V-224965 | CAT II | MONT-DP-001 | Microsoft Windows Server 2016 Security T... | Kerberos user logon restrictions must be enforced. | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. Fix TextConfigure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled". Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl
Scan Date: 2026-01-14T12:57:35.637816
Technology Area: Windows Operating System
|
||||||||
| V-224965 | CAT II | MONT-DC-003 | Microsoft Windows Server 2016 Security T... | Kerberos user logon restrictions must be enforced. | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. Fix TextConfigure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled". Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: DC0DD1172DDB62545189A23C183E1B9AAA6B3B45 ~~~~~ 'Enforce user logon restrictions' is Enabled GPO Path: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy Value Name: TicketValidateClient Value: True
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl
Scan Date: 2026-01-14T12:57:37.248886
Technology Area: Windows Operating System
|
||||||||
| V-224965 | CAT II | MONT-DB-002 | Microsoft Windows Server 2016 Security T... | Kerberos user logon restrictions must be enforced. | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. Fix TextConfigure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled". Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl
Scan Date: 2026-01-14T12:57:39.082634
Technology Area: Windows Operating System
|
||||||||
| V-224965 | CAT II | MONT-BE-002 | Microsoft Windows Server 2016 Security T... | Kerberos user logon restrictions must be enforced. | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. Fix TextConfigure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled". Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl
Scan Date: 2026-01-14T12:57:41.363810
Technology Area: Windows Operating System
|
||||||||
| V-224965 | CAT II | MONT-AP-002 | Microsoft Windows Server 2016 Security T... | Kerberos user logon restrictions must be enforced. | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Verify the following is configured in the Default Domain Policy. Open "Group Policy Management". Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). Right-click on the "Default Domain Policy". Select "Edit". Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. Fix TextConfigure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled". Finding DetailsEvaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl
Scan Date: 2026-01-14T12:57:42.721079
Technology Area: Windows Operating System
|
||||||||