USNS MONTFORD POINT - Findings

V-224821 CAT I Administrative accounts must not be used with applications t...

8 assets 8 Open Documented Pending Review Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details No details recorded. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details No details recorded. Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details No details recorded. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details No details recorded. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details No details recorded. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details No details recorded. Comments

Check Text

Determine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. If it does not, this is a finding. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.

Fix Text

Establish a policy, at minimum, to prohibit administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Ensure the policy is enforced. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.

V-224819 CAT I Users with Administrative privileges must have separate acco...

8 assets 7 Open 1 Closed Documented Pending Review Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details No details recorded. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details No details recorded. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details No details recorded. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details No details recorded. Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details No details recorded. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details No details recorded. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details No details recorded. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details No details recorded. Comments

Check Text

Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.

Fix Text

Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.

V-218768 CAT I The IIS 10.0 private website must employ cryptographic mecha...

3 assets 3 Open Documented Pending Review Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 6275DCDEF057117A4E22688BC519EA5B675A222E ~~~~~ The following SSL flags are missing: Ssl SslRequireCert Ssl128 Comments If the server is hosting WSUS, this is Not Applicable.
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Exchange Back End ResultHash: 20F984A5D3F505EAE457B229ADD97C44EF33D3DC ~~~~~ The following SSL flags are missing: SslRequireCert Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 10/23/2025 Site: Default Web Site ResultHash: 20F984A5D3F505EAE457B229ADD97C44EF33D3DC ~~~~~ The following SSL flags are missing: SslRequireCert Comments

Check Text

Notes: - If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. In this case, this requirement is not applicable. - If this is a public-facing web server, this requirement is not applicable. - If this server is hosting WSUS, this requirement is not applicable. - If the server being reviewed is hosting SharePoint, this is not applicable. - If the server being reviewed is hosting Simple Certificate Enrollment Services (SCEP), this is not applicable. - If the server being reviewed is hosting Network Device Enrollment Services (NDES), this is not applicable. - If the server is providing OCSP, and not otherwise hosting any content, this requirement is not applicable. - If the server is providing CRL, and not otherwise hosting any content, this requirement is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon under the "IIS" section. Verify "Require SSL" is checked. Verify "Client Certificates Required" is selected. Click the site under review. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.webServer/security/access". The value for "sslFlags" set must include "ssl128". If the "Require SSL" is not selected, this is a finding. If the "Client Certificates Required" is not selected, this is a finding. Note: "Client Certificates Required" can be considered Not Applicable in a Single Sign On (SSO) scenario where client certificates are no longer processed locally. If the "sslFlags" is not set to "ssl128", this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon under the "IIS" section. Select the "Require SSL" setting. Select the "Client Certificates Required" setting. Click "Apply" in the "Actions" pane. Click the site under review. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.webServer/security/access". Click on the drop-down list for "sslFlags". Select the "Ssl128" check box. Click "Apply" in the "Actions" pane.

V-225007 CAT I Only administrators responsible for the member server or sta...

8 assets 3 Open 4 Closed Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: DC46B573621F6ECBBEBFC3EAC3FFB498356150AF ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONT-AP-002\DOD_Admin objectClass: User objectSID: S-1-5-21-3515710802-3801378020-2101878990-1000 Name: MONT-AP-002\X_Admin objectClass: User objectSID: S-1-5-21-3515710802-3801378020-2101878990-500 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 04D272EFF579CBFBB029CA64C75D595999410214 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONT-BE-002\DOD_Admin objectClass: User objectSID: S-1-5-21-2559903909-3818771750-2130456036-1000 Name: MONT-BE-002\X_Admin objectClass: User objectSID: S-1-5-21-2559903909-3818771750-2130456036-500 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 3079F2CB216B05B092D336E25D350B864AFC05D2 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONT-DB-002\DOD_Admin objectClass: User objectSID: S-1-5-21-3489894170-526094123-3548415114-1000 Name: MONT-DB-002\X_Admin objectClass: User objectSID: S-1-5-21-3489894170-526094123-3548415114-500 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 26130FDD7AA4586B373FC80745ACC1E59F170514 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONT-DP-001\DOD_Admin objectClass: User objectSID: S-1-5-21-388225469-2825430915-2362864043-1000 Name: MONT-DP-001\X_Admin objectClass: User objectSID: S-1-5-21-388225469-2825430915-2362864043-500 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 195D3A4C9E0C1244F68BAB51B457A6CB3424C6A3 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONTFORD-POINT\Domain Admins objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-512 Name: MONTFORD-POINT\Exchange Trusted Subsystem objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1134 Name: MONTFORD-POINT\Organization Management objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1119 Name: MONT-MB-002\DOD_Admin objectClass: User objectSID: S-1-5-21-3803552116-1809661109-1744339665-1000 Name: MONT-MB-002\SHB_Admin objectClass: User objectSID: S-1-5-21-3803552116-1809661109-1744339665-500 Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: E6DF78787BB4DA1415D3FA7445592C5F0EF90842 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONTFORD-POINT\D.Admin objectClass: User objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Name: MONT-VSF-003\dod_admin objectClass: User objectSID: S-1-5-21-4236012249-4164713760-2408648245-1000 Name: MONT-VSF-003\X_Admin objectClass: User objectSID: S-1-5-21-4236012249-4164713760-2408648245-500 Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 05C0319BF2208BE823FDDFBAF79265AC39289D00 ~~~~~ The following are members of the local Administrators group: --------------------- Name: MONTFORD-POINT\D.Admin objectClass: User objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104 Name: MONTFORD-POINT\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1109 Name: MONT-VSF-004\dod_admin objectClass: User objectSID: S-1-5-21-2502410760-3344595884-382061215-1000 Name: MONT-VSF-004\X_Admin objectClass: User objectSID: S-1-5-21-2502410760-3344595884-382061215-500 Comments

Check Text

This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Open "Computer Management". Navigate to "Groups" under "Local Users and Groups". Review the local "Administrators" group. Only administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. Standard user accounts must not be members of the local Administrator group. If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding.

Fix Text

Configure the local "Administrators" group to include only administrator groups or accounts responsible for administration of the system. For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. Remove any standard user accounts.

V-220703 CAT I Windows 10 systems must use a BitLocker PIN for pre-boot aut...

4 assets 2 Open 2 Closed Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: AE41F3DF4C82029ED7404BA4BE6A75115B769621 ~~~~~ BitLocker Network Unlock is not in use. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseAdvancedStartup Value: 0x00000001 (1) Value: REG_DWORD TPM Startup PIN Configuration: --------------------------- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMPIN Value: 0x00000001 (1) [Compliant] Value: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: AE41F3DF4C82029ED7404BA4BE6A75115B769621 ~~~~~ BitLocker Network Unlock is not in use. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseAdvancedStartup Value: 0x00000001 (1) Value: REG_DWORD TPM Startup PIN Configuration: --------------------------- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMPIN Value: 0x00000001 (1) [Compliant] Value: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: A0DEB1E83D788131EFCA0954E181AD87591B969A ~~~~~ BitLocker Network Unlock is not in use. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseAdvancedStartup Value: 0x00000001 (1) Value: REG_DWORD TPM Startup PIN Configuration: --------------------------- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMPIN Value: 0x00000002 (2) [Expected '1'] Value: REG_DWORD Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMKeyPIN Value: 0x00000002 (2) [Expected '1'] Value: REG_DWORD Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: A0DEB1E83D788131EFCA0954E181AD87591B969A ~~~~~ BitLocker Network Unlock is not in use. Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseAdvancedStartup Value: 0x00000001 (1) Value: REG_DWORD TPM Startup PIN Configuration: --------------------------- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMPIN Value: 0x00000002 (2) [Expected '1'] Value: REG_DWORD Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: UseTPMKeyPIN Value: 0x00000002 (2) [Expected '1'] Value: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseAdvancedStartup Type: REG_DWORD Value: 0x00000001 (1) If one of the following registry values does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000001 (1) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000001 (1) When BitLocker network unlock is used: Value Name: UseTPMPIN Type: REG_DWORD Value: 0x00000002 (2) Value Name: UseTPMKeyPIN Type: REG_DWORD Value: 0x00000002 (2) BitLocker network unlock may be used in conjunction with a BitLocker PIN. Refer to the article at the link below for information about network unlock. https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Require additional authentication at startup" to "Enabled" with "Configure TPM Startup PIN:" set to "Require startup PIN with TPM" or with "Configure TPM startup key and PIN:" set to "Require startup key and PIN with TPM".

V-220726 CAT I Data Execution Prevention (DEP) must be configured to at lea...

2 assets 2 Open Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 8BD6B22DCF9582BB99D89D5C035DF8B52BDC2CF8 ~~~~~ Data Execution Prevention is configured to 'OptIn' Windows Boot Loader ------------------- identifier {current} device partition=C: path \windows\system32\winload.efi description Windows 10 locale en-US inherit {bootloadersettings} recoverysequence {e1d40356-fa9e-11ed-a81c-d132769a72eb} displaymessageoverride Recovery recoveryenabled Yes isolatedcontext Yes allowedinmemorysettings 0x15000075 osdevice partition=C: systemroot \windows resumeobject {e1d40354-fa9e-11ed-a81c-d132769a72eb} nx OptIn bootmenupolicy Standard Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 82C3F1B697DB48695C0120630E2A8ED6B8252DF2 ~~~~~ Data Execution Prevention is configured to 'OptIn' Windows Boot Loader ------------------- identifier {current} device partition=C: path \windows\system32\winload.efi description Windows 10 locale en-US inherit {bootloadersettings} recoverysequence {86fa2db6-faa5-11ed-8cb5-f1e0456ab8cf} displaymessageoverride Recovery recoveryenabled Yes isolatedcontext Yes allowedinmemorysettings 0x15000075 osdevice partition=C: systemroot \windows resumeobject {86fa2db4-faa5-11ed-8cb5-f1e0456ab8cf} nx OptIn bootmenupolicy Standard Comments

Check Text

Verify the DEP configuration. Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator). Enter "BCDEdit /enum {current}". (If using PowerShell "{current}" must be enclosed in quotes.) If the value for "nx" is not "OptOut", this is a finding. (The more restrictive configuration of "AlwaysOn" would not be a finding.)

Fix Text

Configure DEP to at least OptOut. Note: Suspend BitLocker before making changes to the DEP configuration. Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator). Enter "BCDEDIT /set {current} nx OptOut". (If using PowerShell "{current}" must be enclosed in quotes.) "AlwaysOn", a more restrictive selection, is also valid but does not allow applications that do not function properly to be opted out of DEP. Opted out exceptions can be configured in the "System Properties". Open "System" in Control Panel. Select "Advanced system settings". Click "Settings" in the "Performance" section. Select the "Data Execution Prevention" tab. Applications that are opted out are configured in the window below the selection "Turn on DEP for all programs and services except those I select:".

V-220737 CAT I Administrative accounts must not be used with applications t...

4 assets 2 Open 1 Closed Documented Pending Review Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details No details recorded. Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details No details recorded. Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details No details recorded. Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details No details recorded. Comments

Check Text

Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.

Fix Text

Establish and enforce a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Implement technical measures where feasible such as removal of applications or use of application whitelisting to restrict the use of applications that can access the Internet.

V-215823 CAT I The Cisco router must be configured to prohibit the use of a...

1 asset 1 Open Documented Pending Review Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: DD0C8EF05E5C236F6DE0AC78EFCA66F351187ECB ~~~~~ boot network not found ip boot server not found ip bootp server not found ip dns server not found ip identd not found ip finger not found ip http server not found ip rcmd rcp-enable not found ip rcmd rsh-enable not found service config not found service finger not found service tcp-small-servers not found service udp-small-servers not found service pad not found SERVICE CALL-HOME FOUND Comments SERVICE CALL-HOME FOUND

Check Text

Verify that the router does not have any unnecessary or nonsecure ports, protocols, and services enabled. For example, the following commands should not be in the configuration: boot network ip boot server ip bootp server ip dns server ip identd ip finger ip http server ip rcmd rcp-enable ip rcmd rsh-enable service config service finger service tcp-small-servers service udp-small-servers service pad service call-home Note: Certain legacy devices may require 'service call-home' be enabled to support Smart Licensing as they do not support the newer smart transport configuration. Those devices do not incur a finding for having call-home enabled for Smart Licensing. If any unnecessary or nonsecure ports, protocols, or services are enabled, this is a finding.

Fix Text

Disable the following services if enabled as shown in the example below. R2(config)#no boot network R2(config)#no ip boot server R2(config)#no ip bootp server R2(config)#no ip dns server R2(config)#no ip identd R2(config)#no ip finger R2(config)#no ip http server R2(config)#no ip rcmd rcp-enable R2(config)#no ip rcmd rsh-enable R2(config)#no service config R2(config)#no service finger R2(config)#no service tcp-small-servers R2(config)#no service udp-small-servers R2(config)#no service pad R2(config)#no service call-home R2(config)#end

V-215833 CAT I The Cisco router must be configured to terminate all network...

1 asset 1 Open Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: EC2FCBD8253B86CFC2922A92FE8E178EA3988544 ~~~~~ IP HTTP Timeout Settings no ip http server no ip http secure-server http\https servers are disabled, http\https requirements are not applicable line con 0 privilege level 15 logging synchronous login authentication USER_AUTH stopbits 1 line con 0 exec-timeout is not configured. Default value of 10 is assumed Confirm value is correctly configured by checking against 'show running-config all' configuration file Line VTY Timeout Settings line vty 0 4 session-timeout 10 access-class vty_access in session-limit 3 logging synchronous transport preferred ssh transport input ssh transport output ssh ! exec-timeout is not configured. Default value of 10 is assumed Confirm value is correctly configured by checking against 'show running-config all' configuration file Comments

Check Text

Review the Cisco router configuration to verify that all network connections associated with a device management have an idle timeout value set to five minutes or less as shown in the following example: ip http secure-server ip http timeout-policy idle 300 life nnnn requests nn … … … line con 0 exec-timeout 5 0 line vty 0 1 exec-timeout 5 0 If the Cisco router is not configured to terminate all network connections associated with a device management after five minutes of inactivity, this is a finding.

Fix Text

Set the idle timeout value to five minutes or less on all configured login classes as shown in the example below. R1(config)#line vty 0 1 R1(config-line)#exec-timeout 5 0 R1(config-line)#exit R1(config)#line con 0 R1(config-line)#exec-timeout 5 0 R1(config-line)#exit R2(config)#ip http timeout-policy idle 300 life nnnn requests nn

V-215844 CAT I The Cisco router must be configured to use FIPS-validated Ke...

1 asset 1 Open Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: FAA040DE8CA5849E5308201D0776B0A8AC84BA79 ~~~~~ SSH Server Algorithm is not configured per STIG check guidelines ip ssh source-interface BDI400 ip ssh logging events ip ssh version 2 ip ssh server algorithm mac hmac-sha1 ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr Comments

Check Text

Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. NOTE: Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and Government standards. Unless required for legacy use, DoD systems should not be configured to use SHA-1 for integrity of remote access sessions. SSH Example ip ssh version 2 ip ssh server algorithm mac hmac-sha2-256 If the Cisco router is not configured to use FIPS-validated HMAC to protect the integrity of remote maintenance sessions, this is a finding.

Fix Text

Configure SSH to use FIPS-validated HMAC for remote maintenance sessions as shown in the following example: SSH Example R1(config)#ip ssh version 2 R1(config)#ip ssh server algorithm mac hmac-sha2-256

V-218802 CAT I IIS 10.0 Web server accounts accessing the directory tree, t...

2 assets 1 Open Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: D895FC94452D188206C29C53687CC2115A1A7E8B ~~~~~ Below is a list of local groups and their members (if any): Group: Access Control Assistance Operators Group: Administrators X_Admin DOD_Admin Server Administrator Group Group: Backup Operators Group: Certificate Service DCOM Access Group: Cryptographic Operators Group: Distributed COM Users Group: Event Log Readers Group: Guests Visitor Group: Hyper-V Administrators Group: IIS_IUSRS Group: Network Configuration Operators Group: Performance Log Users Group: Performance Monitor Users Group: Power Users Group: Print Operators Group: RDS Endpoint Servers Group: RDS Management Servers Group: RDS Remote Access Servers Group: Remote Desktop Users Group: Remote Management Users Group: Replicator Group: Storage Replica Administrators Group: System Managed Accounts Group DefaultAccount Group: Users INTERACTIVE Authenticated Users Domain Users Group: ConfigMgr Remote Control Users Comments documentation
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 624D7AD7D647B59D79BA27D736EAFE3764D6EA5B ~~~~~ Below is a list of local groups and their members (if any): Group: Access Control Assistance Operators Group: Administrators SHB_Admin DOD_Admin Domain Admins Organization Management Exchange Trusted Subsystem Group: Backup Operators Group: Certificate Service DCOM Access Group: Cryptographic Operators Group: Distributed COM Users Group: Event Log Readers Group: Guests SHB_Visitor Group: Hyper-V Administrators Group: IIS_IUSRS Group: Network Configuration Operators Group: Performance Log Users Group: Performance Monitor Users Group: Power Users Group: Print Operators Group: RDS Endpoint Servers Group: RDS Management Servers Group: RDS Remote Access Servers Group: Remote Desktop Users Group: Remote Management Users Group: Replicator Group: Storage Replica Administrators Group: System Managed Accounts Group DefaultAccount Group: Users INTERACTIVE Authenticated Users Domain Users Comments

Check Text

Obtain a list of the user accounts with access to the system, including all local and domain accounts. Review the privileges to the web server for each account. Verify with the system administrator or the ISSO that all privileged accounts are mission essential and documented. Verify with the system administrator or the ISSO that all non-administrator access to shell scripts and operating system functions are mission essential and documented. If undocumented privileged accounts are found, this is a finding. If undocumented non-administrator access to shell scripts and operating system functions are found, this is a finding. If this IIS 10 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.

Fix Text

Ensure non-administrators are not allowed access to the directory tree, the shell, or other operating system functions and utilities. All non-administrator access to shell scripts and operating system functions must be mission essential and documented.

V-218823 CAT I All accounts installed with the IIS 10.0 web server software...

2 assets 1 Open 1 Closed Documented Pending Review Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8AE742FA7487414B54F49AFC49412799439832C2 ~~~~~ Local user accounts on this system. Confirm if any are used by IIS and if so, verify that default passwords have been changed: Name: DOD_Admin Enabled: True SID: S-1-5-21-388225469-2825430915-2362864043-1000 Password Age: 884 days Comments documentation
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 7B7215D4389023C21A17987544BF8519AB42A58E ~~~~~ Local user accounts on this system. Confirm if any are used by IIS and if so, verify that default passwords have been changed: Name: DOD_Admin Enabled: True SID: S-1-5-21-3803552116-1809661109-1744339665-1000 Password Age: 888 days Comments

Check Text

Access the IIS 10.0 web server. Access the "Apps" menu. Under "Administrative Tools", select "Computer Management". In left pane, expand "Local Users and Groups" and click "Users". Review the local users listed in the middle pane. If any local accounts are present and used by IIS 10.0, verify with System Administrator that default passwords have been changed. If passwords have not been changed from the default, this is a finding.

Fix Text

Access the IIS 10.0 web server. Access the "Apps" menu. Under Administrative Tools, select Computer Management. In left pane, expand "Local Users and Groups" and click on "Users". Change passwords for any local accounts present that are used by IIS 10.0, then verify with System Administrator default passwords have been changed. Develop an internal process for changing passwords on a regular basis.

V-220139 CAT I The Cisco router must be configured to send log data to at l...

1 asset 1 Open Documented Pending Review Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA349E0F1566CFDFB09D8F996B3AD3B036574454 ~~~~~ The router is not configured to send log data to the syslog server, this is a finding. Comments

Check Text

Verify that the router is configured to send logs to at least two syslog servers. The configuration should look similar to the example below: logging x.x.x.x logging x.x.x.x If the router is not configured to send log data to the syslog servers, this is a finding.

Fix Text

Configure the router to send log messages to the syslog servers as shown in the example below. R4(config)#logging host x.x.x.x R4(config)#logging host x.x.x.x

V-220140 CAT I The Cisco router must be running an IOS release that is curr...

1 asset 1 Open Documented Pending Review Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: F616F024AD309ED67328DF3127A0A41B41DA2441 ~~~~~ Check with vendor for support status of the device Device Info: Hostname : MONTPOINTGTWYRTR DomainName : MACAddress : DeviceInfo : {Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.4, RELEASE SOFTWARE (fc5)} CiscoOS : IOS-XE CiscoOSVer : 16.12.4 CiscoSoftware : ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M) SerialNumber : FLM2122V0D9 Model : ISR4351/K9 DeviceType : Router Comments CiscoOSVer : 16.12.4

Check Text

Verify that the router is in compliance with this requirement by having the router administrator enter the following command: show version Verify that the release is still supported by Cisco. All releases supported by Cisco can be found on the following URL: www.cisco.com/c/en/us/support/ios-nx-os-software If the router is not running a supported release, this is a finding.

Fix Text

Upgrade the router to a supported release.

V-224993 CAT I PKI certificates associated with user accounts must be issue...

8 assets 1 Open Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 3D3B4BF9D172F1653F4CA64457844979FAECE364 ~~~~~ Trusted Suffix: MONTFORD-POINT.navy.mil DC Cert Subject: CN=MONT-DC-003.MONTFORD-POINT.navy.mil, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US DC Cert Issuer: CN=DOD SW CA-67, OU=PKI, OU=DoD, O=U.S. Government, C=US DC Cert Thumbprint: 09D2721B5061A5BD0B8E3C771D94CCF915BA291C Trusted Suffix: mil DC Cert Subject: Well Known UPN suffix DC Cert Issuer: Well Known UPN suffix DC Cert Thumbprint: Well Known UPN suffix There are 7 account findings: ------------------------------------- Name: SHB_Admin Enabled: True UPN: DN: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil Name: S.Admin Enabled: True UPN: DN: CN=S.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Name: N.Admin Enabled: True UPN: DN: CN=N.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Name: MONT-EM-NAA Enabled: True UPN: DN: CN=MONT-EM-NAA,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Name: MONT-EM-SVRCP Enabled: True UPN: DN: CN=MONT-EM-SVRCP,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Name: MONT-EM-WKSCP Enabled: True UPN: DN: CN=MONT-EM-WKSCP,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Name: MONT-EM-Admin Enabled: True UPN: DN: CN=MONT-EM-Admin,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This applies to domain controllers. It is NA for other systems. Review user account mappings to PKI certificates. Open "Windows PowerShell". Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. For standard NIPRNet certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization. NIPRNet Example: Name - User Principal Name User1 - 1234567890@mil See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.

Fix Text

Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.

V-225012 CAT I Windows Server 2016 must be running Credential Guard on doma...

8 assets 1 Open 6 Closed Documented Pending Review Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: C0F3904C423975C11B19B4BFBF943881A50CAA13 ~~~~~ System is a 'Primary Domain Controller' so this requirement is NA. Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: E80A78FBEDDA324884CAAB1E479460FD319F84B4 ~~~~~ SecurityServicesRunning: 0 Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 83848C949BBF8A4E2EBDBB4A433926F0E07188E0 ~~~~~ SecurityServicesRunning: 1 Comments

Check Text

For domain controllers and standalone or nondomain-joined systems, this is NA. Open "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Security Services Running" does not list "Credential Guard", this is a finding. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock) A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration". A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection provided to the affected servers that are not capable of complying with the Credential Guard requirement. Items that should be reviewed/considered for compliance or mitigation for non-Credential Guard compliance are: The use of Microsoft Local Administrator Password Solution (LAPS) or similar products to control different local administrative passwords for all affected affected servers. This is to include a strict password change requirement (60 days or less). …. Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions should be supplied. …. Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected affected servers. …. Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers. …. Windows Defender rule block credential stealing from LSASS.exe is applied. This rule can only be applied if Windows Defender is in use. …. The overall number of vulnerabilities that are unmitigated on the network/servers.

V-243466 CAT I Membership to the Enterprise Admins group must be restricted...

1 asset 1 Open Documented Pending Review Active Directory Dom...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DC-003	164.231.187.34			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be OPEN on 10/23/2025 ResultHash: 1852EDAFFD0549867EBD2E419B98256759732803 ~~~~~ Members of 'Enterprise Admins' ========================= Name: MONTFORD-POINT\Alexandra.M.Perl objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1160 DistinguishedName: CN=Perl\, Alexandra M.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT ALL HANDS MONTFORD-POINT RADIO MONTFORD-POINT LAN Management MONTFORD-POINT EO Name: MONTFORD-POINT\altucker.iaadmin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1224 DistinguishedName: CN=Tucker\, Adam L.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Domain Administrator Group Domain Admins [FINDING] Remote Desktop Users Name: MONTFORD-POINT\amperl.admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1638 DistinguishedName: CN=ADMIN\, AMPerl,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT LAN Management Member Server Administrator Group Domain Administrator Group Domain Admins [FINDING] Remote Management Users Name: MONTFORD-POINT\d.admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104 DistinguishedName: CN=D.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Member Server Administrator Group Domain Administrator Group Domain Admins [FINDING] Schema Admins [FINDING] Remote Management Users Remote Desktop Users Name: MONTFORD-POINT\jrsanders.iaadmin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1253 DistinguishedName: CN=Sanders\, James R.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Member Server Administrator Group Domain Administrator Group Domain Admins [FINDING] Remote Management Users Remote Desktop Users Name: MONTFORD-POINT\MONT-EM-Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1157 DistinguishedName: CN=MONT-EM-Admin,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Domain Administrator Group Domain Admins [FINDING] Remote Desktop Users Administrators [FINDING] Name: MONTFORD-POINT\montford.exchange [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118 DistinguishedName: CN=Exchange Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Organization Management Schema Admins [FINDING] Administrators [FINDING] Name: MONTFORD-POINT\SHB_Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-500 DistinguishedName: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Group Policy Creator Owners Domain Admins [FINDING] Schema Admins [FINDING] Administrators [FINDING] Name: MONTFORD-POINT\Thomas.L.Jones objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1176 DistinguishedName: CN=Jones\, Thomas L.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT ENG MONTFORD-POINT ALL HANDS MONTFORD-POINT RADIO MONTFORD-POINT LAN Management MONTFORD-POINT EO Name: MONTFORD-POINT\TLJones.Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1250 DistinguishedName: CN=Jones\, Thomas L.\, Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT LAN Management Member Server Administrator Group Domain Administrator Group Domain Admins [FINDING] Remote Management Users Comments

Check Text

Review the Enterprise Admins group in Active Directory Users and Computers. Any accounts that are members of the Enterprise Admins group must be documented with the IAO. Each Enterprise Administrator must have a separate unique account specifically for managing the Active Directory forest. If any account listed in the Enterprise Admins group is a member of other administrator groups including the Domain Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.

Fix Text

Create the necessary documentation that identifies the members of the Enterprise Admins group. Ensure that each member has a separate unique account that can only be used to manage the Active Directory Forest. Remove any Enterprise Admin accounts from other administrator groups.

V-243467 CAT I Membership to the Domain Admins group must be restricted to ...

1 asset 1 Open Documented Pending Review Active Directory Dom...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DC-003	164.231.187.34			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be OPEN on 10/23/2025 ResultHash: 7225AB9272CF53F1FFEA5139423A0233F41DA652 ~~~~~ Members of 'Domain Admins' ========================= Name: MONTFORD-POINT\adsmith.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1249 DistinguishedName: CN=Smith\, Alexander D.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Name: MONTFORD-POINT\altucker.iaadmin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1224 DistinguishedName: CN=Tucker\, Adam L.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Domain Administrator Group Enterprise Admins [FINDING] Remote Desktop Users Name: MONTFORD-POINT\amperl.admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1638 DistinguishedName: CN=ADMIN\, AMPerl,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT LAN Management Member Server Administrator Group Domain Administrator Group Enterprise Admins [FINDING] Remote Management Users Name: MONTFORD-POINT\ANOC.FIM objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1203 DistinguishedName: CN=FIM\, ANOC,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Organization Management Domain Administrator Group Name: MONTFORD-POINT\d.admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104 DistinguishedName: CN=D.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Member Server Administrator Group Domain Administrator Group Enterprise Admins [FINDING] Schema Admins [FINDING] Remote Management Users Remote Desktop Users Name: MONTFORD-POINT\iwgonzalez.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1242 DistinguishedName: CN=Gonzalez\, Ian W.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Name: MONTFORD-POINT\jrsanders.iaadmin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1253 DistinguishedName: CN=Sanders\, James R.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Member Server Administrator Group Domain Administrator Group Enterprise Admins [FINDING] Remote Management Users Remote Desktop Users Name: MONTFORD-POINT\jtbegarek.iaadmin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1212 DistinguishedName: CN=IA ADMIN\, JTBegarek,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Organization Management Member Server Administrator Group Domain Administrator Group Domain Users Name: MONTFORD-POINT\MONT-EM-Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1157 DistinguishedName: CN=MONT-EM-Admin,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Domain Administrator Group Enterprise Admins [FINDING] Remote Desktop Users Administrators [FINDING] Name: MONTFORD-POINT\montford.exchange [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118 DistinguishedName: CN=Exchange Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Organization Management Enterprise Admins [FINDING] Schema Admins [FINDING] Administrators [FINDING] Name: MONTFORD-POINT\RDRivera.IAADMIN objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1213 DistinguishedName: CN=Rivera\, RJ,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Name: MONTFORD-POINT\scan.admin objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1192 DistinguishedName: CN=Scan Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Workstation Administrator Group Member Server Administrator Group Remote Desktop Users Name: MONTFORD-POINT\SHB_Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-500 DistinguishedName: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Group Policy Creator Owners Enterprise Admins [FINDING] Schema Admins [FINDING] Administrators [FINDING] Name: MONTFORD-POINT\tagavrilovic.iaadmin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1231 DistinguishedName: CN=Gavrilovic\, Tyler A.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: Remote Desktop Users Administrators [FINDING] Name: MONTFORD-POINT\TLJones.Admin [FINDING] objectClass: user objectSID: S-1-5-21-1360995287-4027491577-3040029667-1250 DistinguishedName: CN=Jones\, Thomas L.\, Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil OtherMemberOf: MONTFORD-POINT LAN Management Member Server Administrator Group Domain Administrator Group Enterprise Admins [FINDING] Remote Management Users Comments

Check Text

Review the Domain Admins group in Active Directory Users and Computers. Any accounts that are members of the Domain Admins group must be documented with the IAO. Each Domain Administrator must have a separate unique account specifically for managing the Active Directory domain and domain controllers. If any account listed in the Domain Admins group is a member of other administrator groups including the Enterprise Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.

Fix Text

Create the necessary documentation that identifies the members of the Domain Admins group. Ensure that each member has a separate unique account that can only be used to manage the Active Directory domain and domain controllers. Remove any Domain Admin accounts from other administrator groups.

V-243470 CAT I Delegation of privileged accounts must be prohibited.

1 asset 1 Open Documented Pending Review Active Directory Dom...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DC-003	164.231.187.34			2026-01-14
Finding Details No details recorded. Comments

Check Text

Review the properties of all privileged accounts in Active Directory Users and Computers. Under the Account tab, verify "Account is sensitive and cannot be delegated" is selected in the Account Options section. If delegation is not prohibited for any privileged account, this is a finding.

Fix Text

Open Active Directory Users and Computers. View the properties of all privileged accounts. Under the Account tab, select "Account is sensitive and cannot be delegated" in the Account Options section.

V-271430 CAT I Windows Server 2016 must be configured for name-based strong...

8 assets 1 Open Microsoft Windows Se...

Hostname	IP Address	Last Scan
MONT-AP-002	164.231.187.39	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DB-002	164.231.187.38	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-DC-003	164.231.187.34	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be OPEN on 10/23/2025 ResultHash: 6BC616B0CF84131BFB017A9DC62E207CE8D4CF40 ~~~~~ Server is a 'Primary Domain Controller' This requirement is a permanent finding for server 2016 domain controllers per DOD CIO Memo Upgrading of MS Domain Controller OS to MS Server 2019 or Later (CIO000911-23) Comments
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-003	164.231.187.42	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments
MONT-VSF-004	164.231.187.43	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments

Check Text

This requirement is not applicable for Member Servers. Note: This requirement is a permanent finding for server 2016 domain controllers per DOD CIO Memo Upgrading of MS Domain Controller OS to MS Server 2019 or Later (CIO000911-23). If the server is acting as a domain controller, this is a finding.

Fix Text

For servers acting as a domain controller, upgrade the operating system to Microsoft Server 2019 or greater.

V-206520 CAT I The DBMS must integrate with an organization-level authentic...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments The database server can only be accessed by a privileged user, who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. Installer accounts are created and sent from shore and are authenticated using user id/password. The naming convention for the domain admin account is not consistent across various platforms and installers may not have access to a CAC reader. Application accounts are authenticated using either user id/password or a CAC. This allows flexibility to allow a mariner to access the ShipCLIP application when CAC card issues occur during ship deployments and a mariner is unable to correct until in port.

Check Text

If all accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding. If there are any accounts managed by the DBMS, review the system documentation for justification and approval of these accounts. If any DBMS-managed accounts exist that are not documented and approved, this is a finding.

Fix Text

Integrate DBMS security with an organization-level authentication/access mechanism providing account management for all users, groups, roles, and any other principals. For each DBMS-managed account that is not documented and approved, either transfer it to management by the external mechanism, or document the need for it and obtain approval, as appropriate.

V-206521 CAT I The DBMS must enforce approved authorizations for logical ac...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments MSC Afloat Applications utilize access controls and access authentication to the database server and the DBMS enforces roles at the database level in accordance with MSC IBS Access Control Policy 2.2.

Check Text

Check DBMS settings to determine whether users are restricted from accessing objects and data they are not authorized to access. If appropriate access controls are not implemented to restrict access to authorized users and to restrict the access of those users to objects and data they are authorized to see, this is a finding.

Fix Text

Configure the DBMS settings and access controls to permit user access only to objects and data that the user is authorized to view or interact with, and to prevent access to all other objects and data.

V-206545 CAT I The DBMS software installation account must be restricted to...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments Software installations can only be performed by a privileged user. The database server can only be accessed by a privileged user who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. A request to relax the HBSS policy is also submitted to Afloat Operations Service Desk who approves and implements the request.

Check Text

Review procedures for controlling, granting access to, and tracking use of the DBMS software installation account. If access or use of this account is not restricted to the minimum number of personnel required or if unauthorized access to the account has been granted, this is a finding.

Fix Text

Develop, document, and implement procedures to restrict and track use of the DBMS software installation account.

V-206555 CAT I If DBMS authentication, using passwords, is employed, the DB...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments Database contains an obfuscated procedure, f_verify_pwd, that enforces password complexity. Login Policies enforce password lifetime.

Check Text

If DBMS authentication, using passwords, is not employed, this is not a finding. If the DBMS is configured to inherit password complexity and lifetime rules from the operating system or access control program, this is not a finding. Review the DBMS settings relating to password complexity. Determine whether the following rules are enforced. If any are not, this is a finding. a. minimum of 15 characters, including at least one of each of the following character sets: - Uppercase. - Lowercase. - Numerics. - Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <). b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight. Review the DBMS settings relating to password lifetime. Determine whether the following rules are enforced. If any are not, this is a finding. a. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days. b. Password lifetime limits for noninteractive accounts: Minimum 24 hours, maximum 365 days. c. Number of password changes before an old one may be reused: Minimum of five.

Fix Text

If the use of passwords is not needed, configure the DBMS to prevent their use if it is capable of this; if it is not, institute policies and procedures to prohibit their use. If the DBMS can inherit password complexity rules from the operating system or access control program, configure it to do so. Otherwise, use DBMS configuration parameters and/or custom code to enforce the following rules for passwords: a. Minimum of 15 characters, including at least one of each of the following character sets: - Uppercase. - Lowercase. - Numerics. - Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <). b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight. c. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days. d. Password lifetime limits for non-interactive accounts: Minimum 24 hours, maximum 365 days. e. Number of password changes before an old one may be reused: Minimum of five.

V-206556 CAT I The DBMS must for password-based authentication, store passw...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments Database passwords are stored as hashed, salted representations.

Check Text

Review the list of DBMS database objects, database configuration files, associated scripts, and applications defined within and external to the DBMS that access the database. The list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts. Determine whether any DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are hashed using FIPS-approved cryptographic algorithms and include a salt. If any passwords are stored in clear text, this is a finding. If any passwords are stored with reversible encryption, this is a finding. If any passwords are stored using unsalted hashes, this is a finding.

Fix Text

Develop, document, and maintain a list of DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings in the System Security Plan. Record whether they do or do not contain DBMS passwords. If passwords are present, ensure they are correctly hashed using one-way, salted hashing functions, and that the hashes are protected by host system security.

V-206557 CAT I If passwords are used for authentication, the DBMS must tran...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments Database or application connections transmit data using TLS in-transit encryption which includes the encrypted representations of passwords. In-transit encryption is configured in the smisdbs17-E.cfg file using the -ec option and specifying the identity path+filename of the obfuscated TLS configuration file.

Check Text

Review configuration settings for encrypting passwords in transit across the network. If passwords are not encrypted, this is a finding. If it is determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a finding.

Fix Text

Configure encryption for transmission of passwords across the network. If the database does not provide encryption for logon events natively, employ encryption at the OS or network level. Ensure passwords remain encrypted from source to destination.

V-206559 CAT I The DBMS must enforce authorized access to all PKI private k...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments The database server can only be accessed by a privileged user, who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. Access to PKI private keys is restricted to privileged users having direct access to the server. Files containing In-transit and at-rest encryption keys are obfuscated. If the keys are modified, the database will not start or be accessible.

Check Text

Review DBMS configuration to determine whether appropriate access controls exist to protect the DBMS's private key(s). If the DMBS’s private key(s) are not stored in a FIPS 140-2 or 140-3 validated cryptographic module, this is a finding. If access to the DBMS’s private key(s) is not restricted to authenticated and authorized users, this is a finding.

Fix Text

Store all DBMS PKI private keys in a FIPS 140-2 or 140-3 validated cryptographic module. Ensure access to the DBMS PKI private keys is restricted to only authenticated and authorized users.

V-206561 CAT I The DBMS must obscure feedback of authentication information...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments The DBMS is configured to obfuscate passwords during the authentication process.

Check Text

If all interaction with the user for purposes of authentication is handled by a software component separate from the DBMS, this is not a finding. If any application, tool or feature associated with the DBMS/database displays any authentication secrets (to include PINs and passwords) during - or after - the authentication process, this is a finding.

Fix Text

Modify and configure each non-compliant application, tool, or feature associated with the DBMS/database so that it does not display authentication secrets.

V-206562 CAT I The DBMS must use NIST FIPS 140-2 or 140-3 validated cryptog...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments The DBMS is configured to start in FIPS mode using the -fips database server option (SQL Anywhere 17 - -fips Database Option.pdf). This option enables the DBMS to use the FIPS 140-2 cryptographic modules (SQL Anywhere 17 - FIPS-certified Encryption Technology.pdf).

Check Text

Review DBMS configuration to verify it is using NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations. If NIST FIPS 140-2 or 140-3 validated modules are not being used for all cryptographic operations, this is a finding.

Fix Text

Utilize NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations.

V-206570 CAT I The DBMS must protect the confidentiality and integrity of a...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments Data encryption is configured to protect the confidentiality and integrity of data at rest.

Check Text

If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding. Review DBMS settings to determine whether controls exist to protect the confidentiality and integrity of data at rest in the database. If controls do not exist or are not enabled, this is a finding.

Fix Text

Apply appropriate controls to protect the confidentiality and integrity of data at rest in the database.

V-206604 CAT I The DBMS must implement cryptographic mechanisms to prevent ...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments Data encryption is configured to protect the confidentiality and integrity of data at rest using the -ek (strong database encryption) option in the database configuration file.

Check Text

Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of the DBMS, operating system/file system, and additional software as relevant. If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.

Fix Text

Configure the DBMS, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection.

V-206605 CAT I The DBMS must implement cryptographic mechanisms preventing ...

1 asset 1 Closed Database Security Re...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-DB-002	-			2026-03-06
Finding Details No details recorded. Comments Data encryption is configured to protect the confidentiality and integrity of data at rest using the -ek (strong database encryption) option in the database configuration file.

Check Text

Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure, which must include, at a minimum, PII and classified information. If the documentation indicates no information requires such protections, this is not a finding. Review the configuration of the DBMS, operating system/file system, and additional software as relevant. If any of the information defined as requiring protection is not encrypted in a manner that provides the required level of protection and is not physically secured to the required level, this is a finding.

Fix Text

Configure the DBMS, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection for information requiring cryptographic protection against disclosure. Secure the premises, equipment, and media to provide the required level of physical protection.

V-213129 CAT I The Adobe Acrobat Pro DC Continuous latest security-related ...

1 asset 1 Closed Adobe Acrobat Profes...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONT-WS-92010	164.231.187.45			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-AdobeAcrobatProDCContinuous_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8A5C406AE5197A673C1E9CCAF985C1CF27558D6A ~~~~~ Name: Adobe Acrobat DC Version: DC Track: Continuous DisplayVersion: 25.001.20756 Architecture: x64 Comments

Check Text

Open Adobe Acrobat Pro DC. Navigate to and click on Help >> About Adobe Acrobat Pro DC. Verify that the latest security-related software updates by Adobe are being applied. If the latest security-related software updates by Adobe are not being applied, this is a finding.

Fix Text

Apply the latest security-related software updates to the Adobe Acrobat Pro DC application.

V-213192 CAT I Adobe Reader DC must have the latest Security-related Softwa...

3 assets 2 Closed Adobe Acrobat Reader...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-AdobeReaderDCContinuous_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 55F395109A6C5171DE708830F5FECF87BC7FEB32 ~~~~~ Name: Adobe Reader DC Version: DC Track: Continuous DisplayVersion: 25.001.20997 Architecture: x86 Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-AdobeReaderDCContinuous_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 55F395109A6C5171DE708830F5FECF87BC7FEB32 ~~~~~ Name: Adobe Reader DC Version: DC Track: Continuous DisplayVersion: 25.001.20997 Architecture: x86 Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-AdobeReaderDCContinuous_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 52C747ED8AD535C8D5B3C3BFCE49764504D0FE1D ~~~~~ Name: Adobe Reader DC Version: DC Track: Continuous DisplayVersion: 25.001.20756 Architecture: x86 Comments

Check Text

Determine the method for doing this (e.g., connection to a WSUS server, local procedure, auto update, etc.). Open Adobe Acrobat Reader DC. Navigate to and click on Help >> About Adobe Acrobat Reader DC. Verify that the latest security-related software updates by Adobe are being applied. If the latest security-related software updates by Adobe are not being applied, this is a finding.

Fix Text

Apply the latest security-related software updates to the Adobe Acrobat Reader application.

V-213900 CAT I SQL Server databases must integrate with an organization-lev...

5 assets 5 Closed MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT A FINDING on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: F911D1618A43C229D41C33D29888EAA6D14257A5 ~~~~~ Instance does not have Contained Databases enabled. Comments

Check Text

Determine if SQL Server is configured to allow the use of contained databases, if it is, take the appropriate precautions to limit their risk. 1) In the Object Explorer in SQL Server Management Studio (SSMS), right-click on the server instance, select "Properties", and then select the "Advanced" page. If "Enabled Contained Databases" is "False", this is not a finding. 2) If "Enabled Contained Databases" is "True", then in a query interface such as the SSMS Transact-SQL editor, run the statement: EXEC sp_configure 'contained database authentication' If the returned value in the "config_value" and/or "run_value" column is "0", this is not a finding. 3) Determine whether SQL Server is configured to use only Windows authentication. In a query interface such as the SSMS Transact-SQL editor, run the statement: SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly') WHEN 1 THEN 'Windows Authentication' WHEN 0 THEN 'Windows and SQL Server Authentication' END as [Authentication Mode] If the returned value in the "Authentication Mode" column is "Windows Authentication", this is not a finding. If mixed mode (both SQL Server authentication and Windows authentication) is in use, then it must be documented and approved. From the documentation, obtain the list of accounts authorized to be managed by SQL Server. Determine the accounts (SQL Logins) actually managed by SQL Server. Run the statement: SELECT name FROM sys.database_principals WHERE type_desc = 'SQL_USER' AND authentication_type_desc = 'DATABASE'; If any accounts listed by the query are not listed in the documentation, this is a finding. Documentation must be approved by the information system security officer (ISSO)/ information system security manager (ISSM).

Fix Text

If mixed mode is required, document the need and justification; describe the measures taken to ensure the use of SQL Server authentication is kept to a minimum; describe the measures taken to safeguard passwords; list or describe the SQL Logins used; and obtain official approval. If mixed mode is not required, disable it as follows: In the SSMS Object Explorer, right-click on the server instance, select Properties >> Security page. Click the radio button for "Windows Authentication Mode", and then click "OK". Restart the SQL Server instance. OR Run the statement: USE [master] EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 2 GO Restart the SQL Server instance. For each account being managed by SQL Server but not requiring it, drop or disable the SQL Database user. Replace it with an appropriately configured account, as needed. To drop a User in the SSMS Object Explorer: Navigate to Databases >> Security Users. Right-click on the User name, and then click "Delete". To drop a User via a query: USE database_name; DROP USER <user_name>;

V-213901 CAT I SQL Server must enforce approved authorizations for logical ...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) found this to be NOT APPLICABLE on 10/23/2025 Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: E72A43AA1F56BC880CAFBD122F108E27602D0980 ~~~~~ This is the 'tempdb' database so this requirement is NA. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: CD95A213FC4476 ~~~~~ Review the system Here are the row QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 391 -403485259 Roles 17 348690621 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role ------------- db_owner dbo SQLAgentUserRole SQLAgentReaderRole SQLAgentUserRole db_ssisltduser db_ssisoperator dc_operator db_ssisltduser db_ssisoperator SQLAgentUserRole db_ssisoperator dc_admin SQLAgentOperatorRole ServerGroupReaderRole PolicyAdministratorRole PolicyAdministratorRole UtilityIMRReader Details for the Privileges query: grantee_type grantee ------------ ------- SQL_USER ##MS_PolicyE SQL_USER ##MS_PolicyE SQL_USER ##MS_PolicyT DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE DatabaseMailUserRole DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisadmin DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisltduser DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator DATABASE_ROLE db_ssisoperator SQL_USER dbo DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_admin DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_operator DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy DATABASE_ROLE dc_proxy SQL_USER guest SQL_USER MS_DataColle DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole DATABASE_ROLE PolicyAdministratorRole ---truncated results. (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: B7F4C08031802041EE9D911C58 documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': role_member ----------- SQLAgentReaderRole SQLAgentOperatorRole dc_operator dc_operator dc_operator dc_admin dc_proxy dc_proxy MS_DataCollectorInternalUser MS_DataCollectorInternalUser MS_DataCollectorInternalUser PolicyAdministratorRole ServerGroupAdministratorRole ##MS_PolicyEventProcessingLogin## ##MS_PolicyTsqlExecutionLogin## UtilityIMRWriter state_desc permission_name securable_class schema_or_owner securable ---------- --------------- --------------- --------------- --------- ventProcessingLogin## GRANT CONNECT DATABASE msdb ventProcessingLogin## GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_events_reader sqlExecutionLogin## GRANT CONNECT DATABASE msdb GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_send_dbmail GRANT SELECT VIEW dbo sysmail_allitems GRANT EXECUTE SQL_STORED_PROCEDURE dbo sysmail_delete_mailitems_sp GRANT SELECT VIEW dbo sysmail_event_log GRANT SELECT VIEW dbo sysmail_faileditems GRANT EXECUTE SQL_STORED_PROCEDURE dbo sysmail_help_status_sp GRANT SELECT VIEW dbo sysmail_mailattachments GRANT SELECT VIEW dbo sysmail_sentitems GRANT SELECT VIEW dbo sysmail_unsentitems GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addfolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addlogentry GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletefolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackageroles GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_renamefolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_setpackageroles GRANT DELETE USER_TABLE dbo sysssislog GRANT INSERT USER_TABLE dbo sysssislog GRANT REFERENCES USER_TABLE dbo sysssislog GRANT SELECT USER_TABLE dbo sysssislog GRANT UPDATE USER_TABLE dbo sysssislog GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addfolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_addlogentry GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletefolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackageroles GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_renamefolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_setpackageroles GRANT INSERT USER_TABLE dbo sysssislog GRANT SELECT USER_TABLE dbo sysssislog GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_checkexists GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_deletepackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getfolder GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_getpackage GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listfolders GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_listpackages GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_ssis_putpackage GRANT INSERT USER_TABLE dbo sysssislog GRANT SELECT USER_TABLE dbo sysssislog GRANT CONNECT DATABASE msdb GRANT IMPERSONATE DATABASE_PRINCIPAL MS_DataCollectorInternalUser GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_highest_incompatible_mdw_version GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Generic SQL Trace Collector Type GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Generic SQL Trace Collector Type GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Generic T-SQL Query Collector... GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Generic T-SQL Query Collector... GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Performance Counters Collecto... GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Performance Counters Collecto... GRANT EXECUTE XML_SCHEMA_COLLECTION dbo schema_collection_Query Activity Collector Type GRANT VIEW DEFINITION XML_SCHEMA_COLLECTION dbo schema_collection_Query Activity Collector Type GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_cleanup_collector GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collection_item GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_collector_type GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collection_item GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_collector_type GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_cache_directory GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_cache_window GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_warehouse_database_name GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_set_warehouse_instance_name GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_find_collection_set_root GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_details GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_log_tree GRANT SELECT SQL_INLINE_TABLE_VALUED_FUNCTION dbo fn_syscollector_get_execution_stats GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_tsql_query_collector GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_delete_execution_log_tree GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_disable_collector GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_enable_collector GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_tsql_query_collector_packag... GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_run_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_start_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_stop_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_update_collection_item GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_update_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_upload_collection_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_verify_subsystems GRANT SELECT VIEW dbo syscollector_collection_items GRANT SELECT VIEW dbo syscollector_collection_sets GRANT SELECT VIEW dbo syscollector_collector_types GRANT SELECT VIEW dbo syscollector_config_store GRANT SELECT VIEW dbo syscollector_execution_log GRANT SELECT VIEW dbo syscollector_execution_log_full GRANT SELECT VIEW dbo syscollector_execution_stats GRANT EXECUTE SQL_SCALAR_FUNCTION dbo fn_syscollector_highest_incompatible_mdw_version GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_create_tsql_query_collector GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_oncollectionbegin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_oncollectionend GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onerror GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackagebegin GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackageend GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onpackageupdate GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_event_onstatsupdate GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_tsql_query_collector_packag... GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_get_warehouse_connection_string GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_snapshot_dm_exec_query_stats GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syscollector_snapshot_dm_exec_requests GRANT SELECT VIEW dbo syscollector_collection_items GRANT SELECT VIEW dbo syscollector_collection_sets GRANT SELECT VIEW dbo syscollector_collector_types GRANT SELECT VIEW dbo syscollector_config_store GRANT CONNECT DATABASE msdb ctorInternalUser GRANT CONNECT DATABASE msdb GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_condition GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_object_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy_category GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_policy_category_subscription GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_target_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_add_target_set_level GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_configure GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_create_purge_job GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_condition GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_object_set GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy_category GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_delete_policy_category_subscription GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_dispatch_event GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_detail GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_end GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_log_policy_execution_start GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_purge_health_state GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_purge_history GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_condition GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_policy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_rename_policy_category GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_repair_policy_automation GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_config_enabled GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_config_history_retention GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_set_log_on_success GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_condition GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_policy GRANT EXECUTE SQL_STORED_PROCEDURE dbo sp_syspolicy_update_policy_category GRANT EXECUTE SQL_STORED_PROCEDURE met character limit--- Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 67138811F3D3035DB7C13B6F224A4015F4C21EB3 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 3 -2020448801 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable column_name grantor_type grantor ------------ ------- ---------- --------------- --------------- --------------- --------- ----------- ------------ ------- SQL_USER dbo GRANT CONNECT DATABASE model SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE model SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE model SQL_USER dbo Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: A5133F4A8B2717CDEB397EC5433932ABBE14A87B ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 2260 -1243632689 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable ------------ ------- ---------- --------------- --------------- --------------- --------- CERTIFICATE_MAPPED_USER ##MS_AgentSigningCertificate## GRANT CONNECT DATABASE master CERTIFICATE_MAPPED_USER ##MS_AgentSigningCertificate## GRANT EXECUTE DATABASE master SQL_USER ##MS_PolicyEventProcessingLogin## GRANT CONNECT DATABASE master SQL_USER ##MS_PolicyEventProcessingLogin## GRANT EXECUTE SQL_STORED_PROCEDURE sys sp_syspolicy_execute_policy SQL_USER dbo GRANT CONNECT DATABASE master SQL_USER guest GRANT CONNECT DATABASE master DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1005... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1030... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1042... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1046... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1059... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1063... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1069... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1078... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1090... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1104... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1163... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1182... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1189... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1337... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1361... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1369... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1425... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1465... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1529... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1786... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1792... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -1814... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2059... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2063... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2144... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2271... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2318... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2397... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2456... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2456... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2462... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2520... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2610... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -2978... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3055... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3144... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3160... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3226... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3319... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3462... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3508... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3624... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3825... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -3984... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4083... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4095... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4129... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4159... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4167... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4258... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4317... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4438... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4633... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4642... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4714... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4730... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4810... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4828... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -4975... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5004... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5043... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5200... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5221... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5233... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5261... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5313... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5378... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5381... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5462... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5576... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5683... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5846... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -590 * DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5905... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -591 * DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -592 * DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -593 * DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -5963... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6084... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6219... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6234... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6259... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6366... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6383... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6385... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6495... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6584... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6724... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -6980... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7167... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7264... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7310... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7327... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7362... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7494... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7578... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7644... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7786... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7850... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7909... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7947... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -7989... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8028... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8167... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8186... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8248... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8268... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8300... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8481... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8483... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8604... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8752... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8824... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8834... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8962... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -8986... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9111... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9139... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9273... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9343... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9442... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9679... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9764... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9798... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9861... DATABASE_ROLE public GRANT SELECT OBJECT * Internal Hidden Object : -9886... DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE master DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE master DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_db DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_dev DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_fallback_usg DATABASE_ROLE public GRANT SELECT USER_TABLE dbo spt_monitor DATABASE_ROLE public GRANT SELECT VIEW dbo spt_values DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CHECK_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMN_DOMAIN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMN_PRIVILEGES DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA COLUMNS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CONSTRAINT_COLUMN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA CONSTRAINT_TABLE_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA DOMAIN_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA DOMAINS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA KEY_COLUMN_USAGE DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA PARAMETERS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA REFERENTIAL_CONSTRAINTS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA ROUTINE_COLUMNS DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA ROUTINES DATABASE_ROLE public GRANT SELECT VIEW INFORMATION_SCHEMA SCHEMATA DATABASE_ROLE public GRANT SELECT VIEW INFORMA ---truncated results. met character limit--- Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 4E0BE29691469BB6268E1305E905DFBC61DC8366 ~~~~~ Review the system documentation to determine the required levels of protection for securables in the database by type of user, then compare that against the following permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Here are the row counts and checksums for the three queries in the supplemental STIG file 'Database permission assignments to users and roles.sql': QueryType ResultCount CheckSum --------- ----------- -------- Owner 1 34509070 Privileges 59 -882091564 Roles 1 510085263 Details for the Database Owner query: database_owner -------------- sa Details for the Database Roles query: database_role role_member ------------- ----------- db_owner dbo Details for the Privileges query: grantee_type grantee state_desc permission_name securable_class schema_or_owner securable column_name grantor_type grantor ------------ ------- ---------- --------------- --------------- --------------- --------- ----------- ------------ ------- SQL_USER dbo GRANT CONNECT DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT VIEW ANY COLUMN MASTER KEY DEFINITION DATABASE BEDB SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatDeletionEvent SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatDeletionEventProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatDlmProcessedImage SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatEvents SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatFragment SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatFragmentProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatImage SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatMedia SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatMediaProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatPieceIdTable SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo CatPieceIdTableProc SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatResource SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo CatSynthTable SQL_USER dbo DATABASE_ROLE public GRANT DELETE USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT INSERT USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT REFERENCES USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT SELECT USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT UPDATE USER_TABLE dbo ControlInfo SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo DeleteOrphandedResourcesProc SQL_USER dbo DATABASE_ROLE public GRANT EXECUTE SQL_STORED_PROCEDURE dbo InsertVirtualSet SQL_USER dbo Comments

Check Text

Review the system documentation to determine the required levels of protection for securables in the database by type of login. If the database is tempdb, this is not applicable. Review the permissions actually in place in the database. If the actual permissions do not match the documented requirements, this is a finding. Use the supplemental file "Database permission assignments to users and roles.sql".

Fix Text

Use GRANT, REVOKE, DENY, ALTER ROLE … ADD MEMBER … and/or ALTER ROLE …. DROP MEMBER statements to add and remove permissions on database-level securables, bringing them into line with the documented requirements.

V-213926 CAT I SQL Server must implement cryptographic mechanisms to preven...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments

Check Text

Review the system documentation to determine whether the organization has defined the information at rest be protected from modification, which must include at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of SQL Server, Windows, and additional software as relevant. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. If database transparent data encryption (TDE) is called for, verify it is enabled: SELECT db.name AS DatabaseName, db.is_encrypted AS IsEncrypted, CASE WHEN dm.encryption_state = 0 THEN 'No database encryption key present, no encryption' WHEN dm.encryption_state = 1 THEN 'Unencrypted' WHEN dm.encryption_state = 2 THEN 'Encryption in progress' WHEN dm.encryption_state = 3 THEN 'Encrypted' WHEN dm.encryption_state = 4 THEN 'Key change in progress' WHEN dm.encryption_state = 5 THEN 'Decryption in progress' WHEN dm.encryption_state = 6 THEN 'Protection change in progress' END AS EncryptionState, dm.encryption_state AS EncryptionState, dm.key_algorithm AS KeyAlgorithm, dm.key_length AS KeyLength FROM sys.databases db LEFT OUTER JOIN sys.dm_database_encryption_keys dm ON db.database_id = dm.database_id WHERE db.database_id NOT IN (1,2,3,4) For each user database for which encryption is called for and that is marked Unencrypted, this is a finding. If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encrypted settings. If any of the information that requires cryptographic protection is not encrypted, this is a finding.

Fix Text

Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the tables/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.

V-213927 CAT I SQL Server must implement cryptographic mechanisms preventin...

5 assets MS SQL Server 2016 D...

Hostname	IP Address	Last Scan
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: tempdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: msdb ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: model ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: master ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments
MONT-BE-002	164.231.187.37	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-SqlServer2016Database_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: Instance: MONT-BE-002\BKUPEXEC64 Database: BEDB ResultHash: 66B2395E4819598547AA9A752F7C6724D60F98EB ~~~~~ No database encryption key was found. Documentation needs reviewed to see if encryption is required. Comments

Check Text

Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. If full-disk encryption is required, and Windows or the storage system is not configured for this, this is a finding. If database transparent data encryption (TDE) is called for, check whether it is enabled: SELECT DB_NAME(database_id) AS [Database Name], CASE encryption_state WHEN 0 THEN 'No database encryption key present, no encryption' WHEN 1 THEN 'Unencrypted' WHEN 2 THEN 'Encryption in progress' WHEN 3 THEN 'Encrypted' WHEN 4 THEN 'Key change in progress' WHEN 5 THEN 'Decryption in progress' WHEN 6 THEN 'Protection change in progress' END AS [Encryption State] FROM sys.dm_database_encryption_keys For each user database for which encryption is called for and it is marked Unencrypted, this is a finding. If table/column encryption and/or a separation between those who own the data (and can view it) and those who manage the data (but should have no access) is required for PII or similar types of data, use Always Encrypted. The details for configuring Always Encrypted are located here: https://msdn.microsoft.com/en-us/library/mt163865.aspx. Review the definitions and contents of the relevant tables/columns for the Always Encryption settings, if any of the information defined as requiring cryptographic protection is not encrypted this is a finding.

Fix Text

Where full-disk encryption is required, configure Windows and/or the storage system to provide this. Where transparent data encryption (TDE) is required, create a master key, obtain a certificate protected by the master key, create a database encryption key and protect it by the certificate, and then set the database to use encryption. For guidance from MSDN on how to do this: https://msdn.microsoft.com/en-us/library/bb934049.aspx. Where table/column encryption is required, enable encryption on the table/columns in question. For guidance from the Microsoft Developer Network on how to do this with Always Encrypted: https://msdn.microsoft.com/en-us/library/mt163865.aspx.

V-215832 CAT I The Cisco router must only store cryptographic representatio...

1 asset 1 Closed Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 6FFE5E388F143FAEAC142114D4F65C55EDC01323 ~~~~~ service password-encryption Comments

Check Text

Review the router configuration to determine if passwords are encrypted as shown in the example below. service password-encryption If the router is not configured to encrypt passwords, this is a finding.

Fix Text

Configure the router to encrypt all passwords. R4(config)#service password-encryption R4(config)#end

V-215845 CAT I The Cisco router must be configured to implement cryptograph...

1 asset 1 Closed Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-CiscoXERouterNDM_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 93C96089FB06A0232EAFE70A05C0C894B0598049 ~~~~~ ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr Comments

Check Text

Review the Cisco router configuration to verify that it is compliant with this requirement. SSH Example ip ssh version 2 ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr If the router is not configured to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm, this is a finding.

Fix Text

Configure the Cisco router to implement cryptographic mechanisms to protect the confidentiality of remote maintenance sessions using a FIPS 140-2 approved algorithm as shown in the examples below. SSH Example R1(config)#ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

V-215854 CAT I The Cisco router must be configured to use at least two auth...

1 asset 1 Closed Cisco IOS XE Router ...

Hostname	IP Address	Status	Assigned To	Last Scan	Actions
MONTPOINTGTWYRTR	10.10.10.1			2026-01-14
Finding Details aaa new-model ! ! aaa group server radius AR21-Radius server name AR21-DC003 server name AR21-DC004 ip radius source-interface BDI400 load-balance method least-outstanding ! aaa group server tacacs+ ISE server-private 164.231.72.99 key 7 060B1C22424F1F0044 server-private 164.231.111.4 key 7 060B1C22424F1F0044 ip tacacs source-interface BDI400 ! aaa authentication login default group ISE group AR21-Radius local aaa authentication enable default group ISE group AR21-Radius enable aaa authorization config-commands aaa authorization exec default group ISE group AR21-Radius local if-authenticated aaa authorization network ISE group AR21-Radius local if-authenticated aaa accounting exec default start-stop group ISE group AR21-Radius ! aaa common-criteria policy PASSWORD_POLICY min-length 15 max-length 127 numeric-count 1 upper-case 1 lower-case 1 special-case 1 char-changes 8 ! ! ! ! ! ! aaa session-id common call-home ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications. contact-email-addr sch-smart-licensing@cisco.com profile "CiscoTAC-1" active destination transport-method http no destination transport-method email no ip source-route ! ! ! ! ! ! ! no ip domain lookup ip domain name MONTPOINTGTWRTR.navy.mil ! ! ! login block-for 900 attempts 3 within 120 login on-failure log login on-success log ipv6 hop-limit 32 Comments radius server AR21-DC003 address ipv4 164.231.187.34 auth-port 1812 acct-port 1813 retransmit 0 key 7 15222B59513D24362C7205024652010C135218 ! radius server AR21-DC004 address ipv4 164.231.187.35 auth-port 1812 acct-port 1813 retransmit 0 key 7 046B2B535A36435C0D583537475E1B0B382F65

Check Text

Review the Cisco router configuration to verify the device is configured to use at least two authentication servers as primary source for authentication as shown in the following example: aaa new-model ! aaa authentication CONSOLE group radius local aaa authentication login LOGIN_AUTHENTICATION group radius local … … … ip http authentication aaa login-authentication LOGIN_AUTHENTICATION ip http secure-server … … … radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxxx radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxxx … … … line con 0 exec-timeout 5 0 login authentication CONSOLE line vty 0 1 exec-timeout 5 0 login authentication LOGIN_AUTHENTICATION If the Cisco router is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.

Fix Text

Step 1: Configure the Cisco router to use at least two authentication servers as shown in the following example: R4(config)#radius host 10.1.48.2 key xxxxxx R4(config)#radius host 10.1.48.3 key xxxxxx Step 2: Configure the authentication order to use the authentication servers as primary source for authentication as shown in the following example: R4(config)#aaa authentication CONSOLE group radius local R4(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use the authentication servers for the purpose of login authentication. R4(config)#line vty 0 1 R4(config-line)#login authentication LOGIN_AUTHENTICATION R4(config-line)#exit R4(config)#line con 0 R4(config-line)#login authentication CONSOLE R4(config-line)#exit R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION

V-218750 CAT I Anonymous IIS 10.0 website access accounts must be restricte...

3 assets 3 Closed Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Default Web Site ResultHash: 11B73503DAE06F01B5185CC126C80F8941A56D00 ~~~~~ Anonymous Authentication is Enabled and using the account 'IUSR' for authentication. IUSR is not a member of any privileged groups. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Exchange Back End ResultHash: 11B73503DAE06F01B5185CC126C80F8941A56D00 ~~~~~ Anonymous Authentication is Enabled and using the account 'IUSR' for authentication. IUSR is not a member of any privileged groups. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 10/23/2025 Site: Default Web Site ResultHash: 11B73503DAE06F01B5185CC126C80F8941A56D00 ~~~~~ Anonymous Authentication is Enabled and using the account 'IUSR' for authentication. IUSR is not a member of any privileged groups. Comments

Check Text

Check the account used for anonymous access to the website. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click "Authentication" in the IIS section of the website’s Home Pane. If "Anonymous access" is disabled, this is Not a Finding. If "Anonymous access" is enabled, click "Anonymous Authentication". Click "Edit" in the "Actions" pane. If the "Specific user" radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Note the account name. If nothing is tied to "Specific User", this is Not a Finding. Check privileged groups that may allow the anonymous account inappropriate membership: Open "Computer Management" on the machine. Expand "Local Users and Groups". Open "Groups". Review the members of any of the following privileged groups: Administrators Backup Operators Certificate Services (of any designation) Distributed COM Users Event Log Readers Network Configuration Operators Performance Log Users Performance Monitor Users Power Users Print Operators Remote Desktop Users Replicator Double-click each group and review its members. If the IUSR account or any account noted above used for anonymous access is a member of any group with privileged access, this is a finding.

Fix Text

Remove the Anonymous access account from all privileged accounts and all privileged groups.

V-218795 CAT I All IIS 10.0 web server sample code, example applications, a...

2 assets 2 Closed Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A61E6E1F4236FBB1D74C63FF96102D9E19672555 ~~~~~ There are no files or folders with names containing 'sample' in the targeted directories. To determine the correct status, a manual review is still required to identify if any example code, example applications or tutorials exist and are not explicitly used by the production website per the check text. Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: A61E6E1F4236FBB1D74C63FF96102D9E19672555 ~~~~~ There are no files or folders with names containing 'sample' in the targeted directories. To determine the correct status, a manual review is still required to identify if any example code, example applications or tutorials exist and are not explicitly used by the production website per the check text. Comments

Check Text

Navigate to the following folders: inetpub\ Program Files\Common Files\System\msadc Program Files (x86)\Common Files\System\msadc If the folder or sub-folders contain any executable sample code, example applications, or tutorials which are not explicitly used by a production website, this is a finding.

Fix Text

Remove any executable sample code, example applications, or tutorials which are not explicitly used by a production website.

V-218821 CAT I An IIS 10.0 web server must maintain the confidentiality of ...

2 assets 2 Closed Microsoft IIS 10.0 S...

Hostname	IP Address	Last Scan
MONT-DP-001	164.231.187.44	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B61C09790F563535A9E85CCAE0DFEC8635007810 ~~~~~ HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server ValueName 'DisabledByDefault' is '0' (REG_DWORD) ValueName 'Enabled' is '1' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) Comments
MONT-MB-002	164.231.187.36	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: B61C09790F563535A9E85CCAE0DFEC8635007810 ~~~~~ HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server ValueName 'DisabledByDefault' is '0' (REG_DWORD) ValueName 'Enabled' is '1' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) Comments

Check Text

Access the IIS 10.0 Web Server. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Verify a REG_DWORD value of "0" for "DisabledByDefault". Verify a REG_DWORD value of "1" for "Enabled". Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server Verify a REG_DWORD value of "1" for "DisabledByDefault". Verify a REG_DWORD value of "0" for "Enabled". If any of the respective registry paths do not exist or are configured with the wrong value, this is a finding. SSL 3.0 is disabled by default in newer Operating Systems. If SSL 3.0 has a registry DWORD enabled with a value of 1, this is a finding. If this key is not present, this is not a finding.

Fix Text

Access the IIS 10.0 Web Server. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Create a REG_DWORD named "DisabledByDefault" with a value of "0". Create a REG_DWORD named "Enabled" with a value of "1". Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server For each protocol: Create a REG_DWORD named "DisabledByDefault" with a value of "1". Create a REG_DWORD named "Enabled" with a value of "0".

V-220702 CAT I Windows 10 information systems must use BitLocker to encrypt...

4 assets 4 Closed Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: CD1B9B58B26C7C0564EB502A00E7A6FB74E3E282 ~~~~~ All disk(s) encrypted with BitLocker. Mount Point: C: Encryption Method: XtsAes128 Volume Type: OperatingSystem Volume Status: FullyEncrypted Protection Status: Off Lock Status: Unlocked Encryption %: 100 Key Protector: RecoveryPassword, Tpm Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: CD1B9B58B26C7C0564EB502A00E7A6FB74E3E282 ~~~~~ All disk(s) encrypted with BitLocker. Mount Point: C: Encryption Method: XtsAes128 Volume Type: OperatingSystem Volume Status: FullyEncrypted Protection Status: Off Lock Status: Unlocked Encryption %: 100 Key Protector: RecoveryPassword, Tpm Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 374DA62AC80E33993305E73BF38A7CE33E45FF4B ~~~~~ All disk(s) encrypted with BitLocker. Mount Point: C: Encryption Method: XtsAes128 Volume Type: OperatingSystem Volume Status: FullyEncrypted Protection Status: On Lock Status: Unlocked Encryption %: 100 Key Protector: Tpm, RecoveryPassword Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 374DA62AC80E33993305E73BF38A7CE33E45FF4B ~~~~~ All disk(s) encrypted with BitLocker. Mount Point: C: Encryption Method: XtsAes128 Volume Type: OperatingSystem Volume Status: FullyEncrypted Protection Status: On Lock Status: Unlocked Encryption %: 100 Key Protector: Tpm, RecoveryPassword Comments

Check Text

Verify all Windows 10 information systems (including SIPRNet) employ BitLocker for full disk encryption. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. If full disk encryption using BitLocker is not implemented, this is a finding. Verify BitLocker is turned on for the operating system drive and any fixed data drives. Open "BitLocker Drive Encryption" from the Control Panel. If the operating system drive or any fixed data drives have "Turn on BitLocker", this is a finding. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).

Fix Text

Enable full disk encryption on all information systems (including SIPRNet) using BitLocker. BitLocker, included in Windows, can be enabled in the Control Panel under "BitLocker Drive Encryption" as well as other management tools. NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).

V-220704 CAT I Windows 10 systems must use a BitLocker PIN with a minimum l...

4 assets 4 Closed Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804 ~~~~~ 'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: MinimumPIN Value: 0x00000006 (6) Type: REG_DWORD Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804 ~~~~~ 'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: MinimumPIN Value: 0x00000006 (6) Type: REG_DWORD Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804 ~~~~~ 'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: MinimumPIN Value: 0x00000006 (6) Type: REG_DWORD Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: FC6199A9C32FADB82FFBB308E7C19D62F33E6804 ~~~~~ 'Configure minimum PIN length for startup' is Enabled: (Minimum characters set to 6 or greater) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\FVE Value Name: MinimumPIN Value: 0x00000006 (6) Type: REG_DWORD Comments

Check Text

If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: MinimumPIN Type: REG_DWORD Value: 0x00000006 (6) or greater

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Configure minimum PIN length for startup" to "Enabled" with "Minimum characters:" set to "6" or greater.

V-220706 CAT I Windows 10 systems must be maintained at a supported servici...

4 assets 4 Closed Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA ~~~~~ Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044) Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA ~~~~~ Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044) Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA ~~~~~ Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044) Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 43A1582C809B264B02D1678B8CB1FFE0AB4890CA ~~~~~ Operating system is 'Windows 10 Enterprise LTSC 2021 21H2' (10.0.19044) Comments

Check Text

Run "winver.exe". If the "About Windows" dialog box does not display a version supported by the vendor, this is a finding.

Fix Text

Upgrade to a supported version of the operating system.

V-220707 CAT I The Windows 10 system must use an anti-virus program.

4 assets 4 Closed Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C ~~~~~ WMI Namespace: ROOT/SecurityCenter2 WMI Class: AntiVirusProduct Display Name: Trellix Endpoint Security Product State: On Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C ~~~~~ WMI Namespace: ROOT/SecurityCenter2 WMI Class: AntiVirusProduct Display Name: Trellix Endpoint Security Product State: On Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C ~~~~~ WMI Namespace: ROOT/SecurityCenter2 WMI Class: AntiVirusProduct Display Name: Trellix Endpoint Security Product State: On Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 9F637B38FFA9011906DB3132B81BF7C3A5BDC17C ~~~~~ WMI Namespace: ROOT/SecurityCenter2 WMI Class: AntiVirusProduct Display Name: Trellix Endpoint Security Product State: On Comments

Check Text

Verify an antivirus solution is installed on the system and in use. The antivirus solution may be bundled with an approved Endpoint Security Solution. Verify if Windows Defender is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName" Verify third-party antivirus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName" Enter "get-service | where {$_.DisplayName -Like "*trellix*"} | Select Status,DisplayName" If there is no antivirus solution installed on the system, this is a finding.

Fix Text

If no antivirus software is on the system and in use, install Windows Defender or a third-party antivirus solution.

V-220708 CAT I Local volumes must be formatted using NTFS.

4 assets 4 Closed Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119 ~~~~~ All disk(s) formatted as NTFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be NOT A FINDING on 12/17/2025 ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119 ~~~~~ All disk(s) formatted as NTFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119 ~~~~~ All disk(s) formatted as NTFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 3902149AE7346482F89E57F8AC8722F42D01C119 ~~~~~ All disk(s) formatted as NTFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Comments

Check Text

Run "Computer Management". Navigate to Storage >> Disk Management. If the "File System" column does not indicate "NTFS" for each volume assigned a drive letter, this is a finding. This does not apply to system partitions such the Recovery and EFI System Partition.

Fix Text

Format all local volumes to use NTFS.

V-220712 CAT I Only accounts responsible for the administration of a system...

4 assets 3 Closed Microsoft Windows 10...

Hostname	IP Address	Last Scan
MONT-SW-89108	22.19.120.22	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 20E099B9F72979B59022E9A2A9ED1BDEE0865FF1 ~~~~~ The following are members of the local Administrators group: ============== Name: MONT-SW-89108\AMPerl.IAAdmin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1018 Name: MONT-SW-89108\dod_admin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1001 Name: MONT-SW-89108\jtbegarek.iaadmin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1024 Name: MONT-SW-89108\Scan.Admin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1016 Name: MONT-SW-89108\tljones.iaadmin objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-1023 Name: MONT-SW-89108\xAdministrator objectClass: User objectSID: S-1-5-21-4163428051-2768110797-3591193048-500 Comments
MONT-SW-89134	22.19.120.21	2026-03-04
Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 12/17/2025: ResultHash: 755D0E653E43EF30F999A01A9B8C1F315C41FADD ~~~~~ The following are members of the local Administrators group: ============== Name: MONT-SW-89134\AMPerl.IAAdmin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1021 Name: MONT-SW-89134\dod_admin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1001 Name: MONT-SW-89134\jtbegarek.iaadmin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1026 Name: MONT-SW-89134\scan.admin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1022 Name: MONT-SW-89134\tljones.iaadmin objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-1024 Name: MONT-SW-89134\xAdministrator objectClass: User objectSID: S-1-5-21-4004422625-1934610219-1178763574-500 Comments
MONT-WS-92010	164.231.187.45	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 8CF8EB2216BA99A2A79DC17F45300F57F0A47C32 ~~~~~ The following are members of the local Administrators group: ============== Name: MONTFORD-POINT\Workstation Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1110 Name: MONT-WS-92010\dod_admin objectClass: User objectSID: S-1-5-21-2586659569-2484290388-2027984285-1001 Name: MONT-WS-92010\X_Admin objectClass: User objectSID: S-1-5-21-2586659569-2484290388-2027984285-500 Comments
MONT-WS-92040	164.231.187.72	2026-01-14
Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) was unable to determine a Status but found the below configuration on 10/23/2025: ResultHash: 3E830C5BCEA1AA12EC57417D52A215ACB2E2E5E1 ~~~~~ The following are members of the local Administrators group: ============== Name: MONTFORD-POINT\Workstation Administrator Group objectClass: Group objectSID: S-1-5-21-1360995287-4027491577-3040029667-1110 Name: MONT-WS-92040\dod_admin objectClass: User objectSID: S-1-5-21-3703204072-2228436765-3422267048-1001 Name: MONT-WS-92040\X_Admin objectClass: User objectSID: S-1-5-21-3703204072-2228436765-3422267048-500 Comments

Check Text

Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Groups. Review the members of the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. The built-in Administrator account or other required administrative accounts would not be a finding.

Fix Text

Configure the system to include only administrator groups or accounts that are responsible for the system in the local Administrators group. For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. Remove any standard user accounts.

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments

Finding Details

Comments

Check Text

Fix Text

Finding Details

Comments