| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-224980 | CAT II | MONT-VSF-004 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must be conf... | Documented Pending Review | |||
Check Text: This applies to domain controllers. It is NA for other systems.

Review the auditing configuration for all Group Policy objects.

Open "Group Policy Management" (available from various menus or run "gpmc.msc").
Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain).

For each Group Policy object:
Select the Group Policy object item in the left pane.
Select the "Delegation" tab in the right pane.
Select the "Advanced" button.
Select the "Advanced" button again and then the "Auditing" tab.

If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding.

Type - Fail
Principal - Everyone
Access - Full Control
Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects

The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference.

Type - Success
Principal - Everyone
Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected)
Inherited from - Parent Object
Applies to - Descendant groupPolicyContainer objects

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions)
Inherited from - Parent Object
Applies to - Descendant Organization Unit Objects

Fix Text: Configure the audit settings for Group Policy objects to include the following.

This can be done at the Policy level in Active Directory to apply to all group policies.

Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Select "Advanced Features" from the "View" Menu.
Navigate to [Domain] >> System >> Policies in the left panel.
Right click "Policies", select "Properties".
Select the "Security" tab.
Select the "Advanced" button.
Select the "Auditing" tab.

Type - Fail
Principal - Everyone
Access - Full Control
Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects

The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference.

Type - Success
Principal - Everyone
Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected)
Inherited from - Parent Object
Applies to - Descendant groupPolicyContainer objects

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions)
Inherited from - Parent Object
Applies to - Descendant Organization Unit Objects

Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl
Scan Date: 2026-01-14T12:57:30.046447
Technology Area: Windows Operating System
|
||||||||
| V-224980 | CAT II | MONT-VSF-003 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must be conf... | Documented Pending Review | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl
Scan Date: 2026-01-14T12:57:31.534241
Technology Area: Windows Operating System
|
||||||||
| V-224980 | CAT II | MONT-MB-002 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must be conf... | Documented Pending Review | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl
Scan Date: 2026-01-14T12:57:33.842838
Technology Area: Windows Operating System
|
||||||||
| V-224980 | CAT II | MONT-DP-001 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must be conf... | Documented Pending Review | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl
Scan Date: 2026-01-14T12:57:35.637816
Technology Area: Windows Operating System
|
||||||||
| V-224980 | CAT II | MONT-DC-003 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must be conf... | Documented Pending Review | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:
ResultHash: 8D32877A8D5F1013203836ACB5293727D0EF11E5
WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Workstation Admins - Add Local GPO GUID: a9ec0f9b-d4f9-46ec-921d-9172267d8c09 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Deny log in FIX MAR2022 GPO GUID: a9f4d156-1c9e-42d0-8e7b-78b559953f05 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Outlook 2016 FIX FEB2022 GPO GUID: b89f8bf2-9285-408f-9827-30714a8bf255 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows 10 V1R22 - Users GPO GUID: bc42462a-8dc6-4693-b2eb-bd7152273354 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR2.1-Disable SmartScreen GPO CRQ#200000 GPO GUID: bdcf3db0-ed6b-4cfd-a3de-a0ee39cff553 --------------------- 
AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows Server 2016 V2R1 - MS - User GPO GUID: c09f48fa-c03a-4fb2-b5bc-bda9e3d15eba --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Time Service 5-22 GPO GUID: c692edd4-18d1-4698-afe9-226c60ef20d2 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - KDC Smart Card Fix CRQ195530 GPO GUID: c7c1449f-8ad7-4901-967d-fe3d50593ca1 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Event Logs 5-22 GPO GUID: ccbb3d99-e1c0-472c-a67a-61d8470c1d01 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Firefox 4-22A GPO GUID: d67e0f1c-6313-4a2e-bfaf-35bf893763ac 
--------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Member Server Admins - Add Local GPO GUID: d8bbfb6f-ae1c-4cac-acbc-098d77e707c8 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows Server 2016 V2R2 - MS - Computer GPO GUID: e3110a28-cdd2-4091-b703-e3947ffe804f --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - PDC Timeservers 5-22 GPO GUID: e3cfb6e6-c5f0-4eae-9dc7-8d02431cf0ed --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Windows 10 V1R22 - Computer GPO GUID: e430bd69-f153-4db6-b566-ddfab9967afd --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 
- Windows Server 2016 V2R1 - DC - User GPO GUID: ef7dc0bc-3268-41c3-9181-f6c56fd27f6a --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: AR21 - Microsoft Office 2016 - Excel V1R2 User GPO GUID: f17fdb9c-2ad0-47f0-a5eb-6693e16651a5 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: IE11 STIG V2R1 4-22 GPO GUID: ff4cf530-57bd-4651-8020-451cf511bf99 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All --------------------- GPO Name: Exchange usr rights 5-22 GPO GUID: ffa4f8e2-fa9a-4162-99c7-1439aae19de0 --------------------- AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty IsInherited : True InheritanceType : Descendents AuditFlags : Success IdentityReference : Everyone ActiveDirectoryRights : WriteProperty, WriteDacl IsInherited : True InheritanceType : All ---------------------
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl
Scan Date: 2026-01-14T12:57:37.248886
Technology Area: Windows Operating System
| V-224980 | CAT II | MONT-DB-002 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must be conf... | Documented Pending Review | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl
Scan Date: 2026-01-14T12:57:39.082634
Technology Area: Windows Operating System
| V-224980 | CAT II | MONT-BE-002 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must be conf... | Documented Pending Review | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl
Scan Date: 2026-01-14T12:57:41.363810
Technology Area: Windows Operating System
| V-224980 | CAT II | MONT-AP-002 | Microsoft Windows Server 2016 Security T... | Active Directory Group Policy objects must be conf... | Documented Pending Review | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl
Scan Date: 2026-01-14T12:57:42.721079
Technology Area: Windows Operating System