| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-224972 | CAT I | MONT-VSF-004 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must have pr... | - | |||
Check Text:

This applies to domain controllers. It is NA for other systems.

Review the permissions on Group Policy objects.

Open "Group Policy Management" (available from various menus or run "gpmc.msc").

Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain).

For each Group Policy object:

- Select the Group Policy object item in the left pane.
- Select the "Delegation" tab in the right pane.
- Select the "Advanced" button.
- Select each Group or user name.
- View the permissions.

If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding.

Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO.

The default permissions noted below satisfy this requirement.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button.

- Authenticated Users - Read, Apply group policy, Special permissions

The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties.

- CREATOR OWNER - Special permissions
- SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
- Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
- Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on organization created Group Policy objects.

Fix Text:

Maintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement.

- Authenticated Users - Read, Apply group policy, Special permissions

The special permissions for Authenticated Users are for Read-type Properties.

- CREATOR OWNER - Special permissions
- SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
- Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
- Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Document any other access permissions that allow the objects to be updated with the ISSO.

The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created Group Policy objects.

Finding Details:

```
Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
```

Source: _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl
Scan Date: 2026-01-14T12:57:30.046447
Technology Area: Windows Operating System
| V-224972 | CAT I | MONT-VSF-003 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must have pr... | - | |||
Finding Details:

```
Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
```

Source: _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl
Scan Date: 2026-01-14T12:57:31.534241
Technology Area: Windows Operating System
| V-224972 | CAT I | MONT-MB-002 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must have pr... | - | |||
Finding Details:

```
Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
```

Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl
Scan Date: 2026-01-14T12:57:33.842838
Technology Area: Windows Operating System
| V-224972 | CAT I | MONT-DP-001 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must have pr... | - | |||
Finding Details:

```
Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
```

Source: _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl
Scan Date: 2026-01-14T12:57:35.637816
Technology Area: Windows Operating System
| V-224972 | CAT I | MONT-DC-003 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must have pr... | - | |||
Finding Details:

```
Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
ResultHash: 0C64CE6EC5AA5EE43B5C88120001A05A00313856
~~~~~
```

GPO Name: AR21 - Edge FIX FEB2022
GPO GUID: 003a4b00-8a6c-4430-82c7-eb242f312734

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Internet Explorer 11 V1R19 - User
GPO GUID: 009ff87d-d932-441b-a2f6-3ba585dc8949

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: Domain User Pol Adds 04-22
GPO GUID: 0ab94efd-80cb-4182-8be0-4d5c77808fad

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Microsoft Edge v1r1 Computer
GPO GUID: 0df1b468-68c7-4e60-bd66-971fbbabb95a

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: DotNet4 Fix 04-22
GPO GUID: 114ae059-841b-429a-aa8a-cea9346c4aa4

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - BitLocker Backup to Active Directory
GPO GUID: 13cf8084-13ec-427b-9cab-f3243723b027

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: V-236000 Preview pane 02-22
GPO GUID: 18de13be-ce1c-4e53-9612-e440386ed806

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Microsoft Office 2016 - Outlook V2R1 User
GPO GUID: 1adacc11-67f9-42e9-be04-f32b3799dcc6

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: Firefox 04-22
GPO GUID: 202579c9-9c90-480b-a706-cd206212448b

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Server Event Log Backup
GPO GUID: 211d022b-3225-4167-99e4-0c48f09f6567

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Adobe Reader DC Continuous V1R2 User
GPO GUID: 2401b4fb-1b36-42a9-84c3-4340dc2e7502

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Microsoft Office 2016 - PowerPoint V1R1 User
GPO GUID: 27a66feb-16c8-4d31-85c6-38bd47c8fd20

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: Server Event Logs
GPO GUID: 2e1d00fc-0115-4b8b-8c28-f17f7cc47ed4

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: Default Domain Policy
GPO GUID: 31b2f340-016d-11d2-945f-00c04fb984f9

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Domain Admins | Group | GpoCustom | False |
| Enterprise Admins | Group | GpoCustom | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |
| Authenticated Users | WellKnownGroup | GpoApply | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |

GPO Name: AR21 - Windows 10 FIX FEB2022
GPO GUID: 330cdbf2-c03b-4b9c-b9ec-b6b872dde8db

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Disable Sleep/Hibernate
GPO GUID: 35d3d931-a7dc-4b8b-9be0-a67cfbd6268d

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Adobe Add-In Removal
GPO GUID: 3a0de786-3214-4547-b689-920a1783dd34

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Support Users Drive Mapping
GPO GUID: 3c0b7467-8063-47b4-844e-2b1db72234f6

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Internet Explorer 11 V1R19 - Computer
GPO GUID: 3c3c67e4-a139-4561-af7b-d5ac7cae2ad1

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Google Chrome FIX FEB2022
GPO GUID: 4077a504-b830-4b59-868a-35847b93e9c6

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR 2.1 - LAPS Configuration Policy
GPO GUID: 446e9640-684e-4528-a16f-a72f31b95b67

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Google Chrome V2R1 - Computer
GPO GUID: 466a3169-b8b0-4e46-bc61-6ca031284f5e

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: V-2244896 V-224897 Audits 02-22
GPO GUID: 5101821e-891e-495e-ad1b-05150a0fb41c

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Mozilla Firefox FIX FEB2022
GPO GUID: 5464ea36-f45c-4be0-89e6-a0043741fa96

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: Map CAC
GPO GUID: 54f949d4-864c-40fc-9756-59a367edaf66

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Disable print spooler inbound
GPO GUID: 57995639-3cc1-481e-871d-b60d68b54f2a

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - OneNote and OneDrive STIGs
GPO GUID: 57db8f1d-cf8e-45dd-afb2-4747c1fa02e8

| Trustee | TrusteeType | Permission | Inherited |
|---|---|---|---|
| Authenticated Users | WellKnownGroup | GpoApply | False |
| Domain Admins | Group | GpoEditDeleteModifySecurity | False |
| Enterprise Admins | Group | GpoEditDeleteModifySecurity | False |
| ENTERPRISE DOMAIN CONTROLLERS | WellKnownGroup | GpoRead | False |
| SYSTEM | WellKnownGroup | GpoEditDeleteModifySecurity | False |

GPO Name: AR21 - Add Server Admins to Local Administrators
GPO GUID:
59e937c0-585e-4d7a-b2bc-17f943583d35 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Microsoft Office 2016 - Office System V1R1 Computer GPO GUID: 5ad817c7-2bbb-40fa-b6ce-ad8ac845a998 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: User Pol 4 Exchange 5-22 GPO GUID: 5ce6ea3f-55a6-49f0-bf68-18a8bcc32bfb --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Windows 10 v2r1 Computer GPO GUID: 
633bf66a-4f82-4562-a78f-eefa83686f95 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: Default Domain Controllers Policy GPO GUID: 6ac1786c-016f-11d2-945f-00c04fb984f9 --------------------- Trustee : Domain Admins TrusteeType : Group Permission : GpoCustom Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoCustom Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False --------------------- GPO Name: AR21 - Axway Enterprise Configuration GPO GUID: 6c45f92c-56f0-46e4-a921-2ffbdc92a92a --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Windows 10 v2r1 User GPO GUID: 6f85b0d1-36d3-491e-91c4-c6ba3cef6d91 --------------------- Trustee 
: Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Adobe Disable FIPS GPO GUID: 6faf5e3a-caf7-4ac5-a9b3-201db0ca8011 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Adobe Reader DC Continuous protected view MAR2022 GPO GUID: 73fb4c08-5e4e-4613-9c92-a1935473c0b8 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Microsoft Office 2016 - Word V1R1 User GPO GUID: 795e8ed2-6ce5-4658-a2c3-d52595e7c6e3 --------------------- Trustee : 
Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Microsoft Office 2016 - Office System V1R1 User GPO GUID: 7cf27d8d-3025-453a-a598-1c52df19feba --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Adobe Reader DC Continuous V1R2 Computer GPO GUID: 80340fc8-26a3-4c92-a327-dea83f1ed6d6 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Windows Server 2016 V2R1 - DC - Computer GPO GUID: 816b5f36-4efa-4a32-82c0-a88cf0cecbf3 
--------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - RBAC GPO GUID: 88602f3d-3a9f-4447-934a-2dde7e6ac06d --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Axway Configuration GPO GUID: 9a2e7ffb-86b0-4c62-bfc8-6e7ac786a1ed --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: V-224921 Hardened UNC 02-22 GPO GUID: 9f2930fd-254e-4f1b-ae4d-722bb9f35b41 --------------------- Trustee : Authenticated Users TrusteeType 
: WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: DoD Adobe Acrobat Pro DC Continuous STIG Computer V1R2 GPO GUID: a1c7ddff-5f74-49b9-9ac2-f92d1735189a --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : ENTERPRISE DOMAIN CONTROLLERS TrusteeType : WellKnownGroup Permission : GpoRead Inherited : False Trustee : SYSTEM TrusteeType : WellKnownGroup Permission : GpoEditDeleteModifySecurity Inherited : False --------------------- GPO Name: AR21 - Drive Mapping GPO GUID: a5fcab78-2b37-4b84-8487-bcd275a129a6 --------------------- Trustee : Authenticated Users TrusteeType : WellKnownGroup Permission : GpoApply Inherited : False Trustee : Domain Admins TrusteeType : Group Permission : GpoEditDeleteModifySecurity Inherited : False Trustee : Enterprise Admins TrusteeType : Group Permission : GpoEditDeleteModify ---truncated results. met character limit---
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl
Scan Date: 2026-01-14T12:57:37.248886
Technology Area: Windows Operating System
|
||||||||
| V-224972 | CAT I | MONT-DB-002 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must have pr... | - | |||
Check Text: This applies to domain controllers. It is NA for other systems.

Review the permissions on Group Policy objects. Open "Group Policy Management" (available from various menus or run "gpmc.msc"). Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain).

For each Group Policy object:
Select the Group Policy object item in the left pane.
Select the "Delegation" tab in the right pane.
Select the "Advanced" button.
Select each Group or user name.
View the permissions.

If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding.

Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO.

The default permissions noted below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button.

Authenticated Users - Read, Apply group policy, Special permissions

The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties.

CREATOR OWNER - Special permissions
SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on organization created Group Policy objects.

Fix Text: Maintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement.

Authenticated Users - Read, Apply group policy, Special permissions

The special permissions for Authenticated Users are for Read-type Properties.

CREATOR OWNER - Special permissions
SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Document any other access permissions that allow the objects to be updated with the ISSO.

The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created Group Policy objects.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl
Scan Date: 2026-01-14T12:57:39.082634
Technology Area: Windows Operating System
|
||||||||
| V-224972 | CAT I | MONT-BE-002 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must have pr... | - | |||
Check Text: This applies to domain controllers. It is NA for other systems.

Review the permissions on Group Policy objects. Open "Group Policy Management" (available from various menus or run "gpmc.msc"). Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain).

For each Group Policy object:
Select the Group Policy object item in the left pane.
Select the "Delegation" tab in the right pane.
Select the "Advanced" button.
Select each Group or user name.
View the permissions.

If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding.

Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO.

The default permissions noted below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button.

Authenticated Users - Read, Apply group policy, Special permissions

The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties.

CREATOR OWNER - Special permissions
SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on organization created Group Policy objects.

Fix Text: Maintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement.

Authenticated Users - Read, Apply group policy, Special permissions

The special permissions for Authenticated Users are for Read-type Properties.

CREATOR OWNER - Special permissions
SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Document any other access permissions that allow the objects to be updated with the ISSO.

The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created Group Policy objects.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl
Scan Date: 2026-01-14T12:57:41.363810
Technology Area: Windows Operating System
|
||||||||
| V-224972 | CAT I | MONT-AP-002 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must have pr... | - | |||
Check Text: This applies to domain controllers. It is NA for other systems.

Review the permissions on Group Policy objects. Open "Group Policy Management" (available from various menus or run "gpmc.msc"). Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain).

For each Group Policy object:
Select the Group Policy object item in the left pane.
Select the "Delegation" tab in the right pane.
Select the "Advanced" button.
Select each Group or user name.
View the permissions.

If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding.

Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO.

The default permissions noted below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button.

Authenticated Users - Read, Apply group policy, Special permissions

The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties.

CREATOR OWNER - Special permissions
SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on organization created Group Policy objects.

Fix Text: Maintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement.

Authenticated Users - Read, Apply group policy, Special permissions

The special permissions for Authenticated Users are for Read-type Properties.

CREATOR OWNER - Special permissions
SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Document any other access permissions that allow the objects to be updated with the ISSO.

The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created Group Policy objects.

Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl
Scan Date: 2026-01-14T12:57:42.721079
Technology Area: Windows Operating System
|
||||||||