| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 03/05/2026

Site: Default Web Site

ResultHash: 11B73503DAE06F01B5185CC126C80F8941A56D00 ~~~~~

Anonymous Authentication is Enabled and using the account 'IUSR' for authentication. IUSR is not a member of any privileged groups.

Comments

Check Text
Check the account used for anonymous access to the website.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

- Open the IIS 10.0 Manager.
- Double-click "Authentication" in the IIS section of the website’s Home Pane.
- If "Anonymous access" is disabled, this is Not a Finding.
- If "Anonymous access" is enabled, click "Anonymous Authentication".
- Click "Edit" in the "Actions" pane.
- If the "Specific user" radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Note the account name.
- If nothing is tied to "Specific User", this is Not a Finding.

Check privileged groups that may allow the anonymous account inappropriate membership:

- Open "Computer Management" on the machine.
- Expand "Local Users and Groups".
- Open "Groups".
- Review the members of any of the following privileged groups:
  - Administrators
  - Backup Operators
  - Certificate Services (of any designation)
  - Distributed COM Users
  - Event Log Readers
  - Network Configuration Operators
  - Performance Log Users
  - Performance Monitor Users
  - Power Users
  - Print Operators
  - Remote Desktop Users
  - Replicator
- Double-click each group and review its members.

If the IUSR account or any account noted above used for anonymous access is a member of any group with privileged access, this is a finding.

Fix Text
Remove the Anonymous access account from all privileged accounts and all privileged groups.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:

Site: Default Web Site

ResultHash: 6275DCDEF057117A4E22688BC519EA5B675A222E ~~~~~

The following SSL flags are missing:

- Ssl
- SslRequireCert
- Ssl128

Comments

Check Text
Notes:

- If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. In this case, this requirement is not applicable.
- If this is a public-facing web server, this requirement is not applicable.
- If this server is hosting WSUS, this requirement is not applicable.
- If the server being reviewed is hosting SharePoint, this is not applicable.
- If the server being reviewed is hosting Simple Certificate Enrollment Services (SCEP), this is not applicable.
- If the server being reviewed is hosting Network Device Enrollment Services (NDES), this is not applicable.
- If the server is providing OCSP, and not otherwise hosting any content, this requirement is not applicable.
- If the server is providing CRL, and not otherwise hosting any content, this requirement is not applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

- Open the IIS 10.0 Manager.
- Double-click the "SSL Settings" icon under the "IIS" section.
- Verify "Require SSL" is checked.
- Verify "Client Certificates Required" is selected.
- Click the site under review.
- Select "Configuration Editor" under the "Management" section.
- From the "Section:" drop-down list at the top of the configuration editor, locate "system.webServer/security/access".
- The value for "sslFlags" set must include "ssl128".

If the "Require SSL" is not selected, this is a finding.

If the "Client Certificates Required" is not selected, this is a finding.

Note: "Client Certificates Required" can be considered Not Applicable in a Single Sign On (SSO) scenario where client certificates are no longer processed locally.

If the "sslFlags" is not set to "ssl128", this is a finding.

Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server:

- Open the IIS 10.0 Manager.
- Double-click the "SSL Settings" icon under the "IIS" section.
- Select the "Require SSL" setting.
- Select the "Client Certificates Required" setting.
- Click "Apply" in the "Actions" pane.
- Click the site under review.
- Select "Configuration Editor" under the "Management" section.
- From the "Section:" drop-down list at the top of the configuration editor, locate "system.webServer/security/access".
- Click on the drop-down list for "sslFlags".
- Select the "Ssl128" check box.
- Click "Apply" in the "Actions" pane.

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:

ResultHash: A61E6E1F4236FBB1D74C63FF96102D9E19672555 ~~~~~

There are no files or folders with names containing 'sample' in the targeted directories.

To determine the correct status, a manual review is still required to identify if any example code, example applications or tutorials exist and are not explicitly used by the production website per the check text.

Comments

Check Text
Navigate to the following folders:

- inetpub\
- Program Files\Common Files\System\msadc
- Program Files (x86)\Common Files\System\msadc

If the folder or sub-folders contain any executable sample code, example applications, or tutorials which are not explicitly used by a production website, this is a finding.

Fix Text
Remove any executable sample code, example applications, or tutorials which are not explicitly used by a production website.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:

ResultHash: 9A3718B89C7FADF6CB49CB06D125501748FAE274 ~~~~~

Below is a list of local groups and their members (if any):

- Group: Access Control Assistance Operators
- Group: Administrators X_Admin DOD_Admin Server Administrator Group
- Group: Backup Operators Server Administrator Group
- Group: Certificate Service DCOM Access
- Group: Cryptographic Operators
- Group: Distributed COM Users
- Group: Event Log Readers
- Group: Guests Visitor
- Group: Hyper-V Administrators
- Group: IIS_IUSRS
- Group: Network Configuration Operators
- Group: Performance Log Users
- Group: Performance Monitor Users
- Group: Power Users
- Group: Print Operators
- Group: RDS Endpoint Servers
- Group: RDS Management Servers
- Group: RDS Remote Access Servers
- Group: Remote Desktop Users Server Administrator Group
- Group: Remote Management Users
- Group: Replicator
- Group: Storage Replica Administrators
- Group: System Managed Accounts Group DefaultAccount
- Group: Users INTERACTIVE Authenticated Users Domain Users

Comments

Check Text
Obtain a list of the user accounts with access to the system, including all local and domain accounts. Review the privileges to the web server for each account. Verify with the system administrator or the ISSO that all privileged accounts are mission essential and documented. Verify with the system administrator or the ISSO that all non-administrator access to shell scripts and operating system functions are mission essential and documented. If undocumented privileged accounts are found, this is a finding. If undocumented non-administrator access to shell scripts and operating system functions are found, this is a finding. If this IIS 10 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.
Fix Text
Ensure non-administrators are not allowed access to the directory tree, the shell, or other operating system functions and utilities. All non-administrator access to shell scripts and operating system functions must be mission essential and documented.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026

ResultHash: B61C09790F563535A9E85CCAE0DFEC8635007810 ~~~~~

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

- ValueName 'DisabledByDefault' is '0' (REG_DWORD)
- ValueName 'Enabled' is '1' (REG_DWORD)

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

- ValueName 'DisabledByDefault' is '1' (REG_DWORD)
- ValueName 'Enabled' is '0' (REG_DWORD)

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server

- ValueName 'DisabledByDefault' is '1' (REG_DWORD)
- ValueName 'Enabled' is '0' (REG_DWORD)

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

- ValueName 'DisabledByDefault' is '1' (REG_DWORD)
- ValueName 'Enabled' is '0' (REG_DWORD)

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

- ValueName 'DisabledByDefault' is '1' (REG_DWORD)
- ValueName 'Enabled' is '0' (REG_DWORD)

Comments

Check Text
Access the IIS 10.0 Web Server.

Navigate to:

- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

Verify a REG_DWORD value of "0" for "DisabledByDefault".

Verify a REG_DWORD value of "1" for "Enabled".

Navigate to:

- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

Verify a REG_DWORD value of "1" for "DisabledByDefault".

Verify a REG_DWORD value of "0" for "Enabled".

If any of the respective registry paths do not exist or are configured with the wrong value, this is a finding.

SSL 3.0 is disabled by default in newer Operating Systems. If SSL 3.0 has a registry DWORD enabled with a value of 1, this is a finding. If this key is not present, this is not a finding.

Fix Text
Access the IIS 10.0 Web Server.

Navigate to:

- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

Create a REG_DWORD named "DisabledByDefault" with a value of "0".

Create a REG_DWORD named "Enabled" with a value of "1".

Navigate to:

- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

For each protocol:

- Create a REG_DWORD named "DisabledByDefault" with a value of "1".
- Create a REG_DWORD named "Enabled" with a value of "0".

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:

ResultHash: 5A9A993DF5E4702982BD11FC1A399EF47A354B5D ~~~~~

Local user accounts on this system. Confirm if any are used by IIS and if so, verify that default passwords have been changed:

- Name: DOD_Admin
- Enabled: True
- SID: S-1-5-21-2359828523-3188837691-268305261-1000
- Password Age: 113 days

Comments

Check Text
Access the IIS 10.0 web server. Access the "Apps" menu. Under "Administrative Tools", select "Computer Management". In left pane, expand "Local Users and Groups" and click "Users". Review the local users listed in the middle pane. If any local accounts are present and used by IIS 10.0, verify with System Administrator that default passwords have been changed. If passwords have not been changed from the default, this is a finding.
Fix Text
Access the IIS 10.0 web server. Access the "Apps" menu. Under Administrative Tools, select Computer Management. In left pane, expand "Local Users and Groups" and click on "Users". Change passwords for any local accounts present that are used by IIS 10.0, then verify with System Administrator default passwords have been changed. Develop an internal process for changing passwords on a regular basis.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:

ResultHash: C8FEAB4CAE85FA4E90B6C6E61F778F398997D8EF ~~~~~

Microsoft Edge Version: 145.0.3800.70

Comments

Check Text
Cross-reference the build information displayed with the Microsoft Edge site to identify, at minimum, the oldest supported build available. If the installed version of Edge is not supported by Microsoft, this is a finding.
Fix Text
Install a supported version of Edge.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

No details recorded.

Comments

Check Text
Determine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the internet, such as web browsers, or with potential internet sources, such as email, except as necessary for local service administration. If it does not, this is a finding. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.
Fix Text
Establish a policy, at minimum, to prohibit administrative accounts from using applications that access the internet, such as web browsers, or with potential internet sources, such as email. Ensure the policy is enforced. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026

ResultHash: B264AA7347D8EF3C29987476DF98F4696DE11F0D ~~~~~

All disk file systems are NTFS or ReFS.

- Device ID: C: / Drive Type: Local Disk (3) / Volume Name: Windows / File System: NTFS
- Device ID: D: / Drive Type: Local Disk (3) / Volume Name: PROGLOGS / File System: NTFS
- Device ID: E: / Drive Type: Local Disk (3) / Volume Name: MECM / File System: NTFS
- Device ID: I: / Drive Type: Local Disk (3) / Volume Name: IIS / File System: NTFS

Comments

Check Text
Open "Computer Management". Select "Disk Management" under "Storage". For each local volume, if the file system does not indicate "NTFS", this is a finding. "ReFS" (resilient file system) is also acceptable and is not a finding. CSV (Cluster Shared Volumes) is not a finding. This does not apply to system partitions such as the Recovery and EFI System Partition.
Fix Text
Format volumes to use NTFS, ReFS, or CSVFS.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

No details recorded.

Comments

Check Text
Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If they do not, this is a finding.
Fix Text
Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026

ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~

'Store passwords using reversible encryption' is Disabled

ClearTextPassword: 0

Comments

Check Text
Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.

If the value for "Store passwords using reversible encryption" is not set to "Disabled", this is a finding.

For server core installations, run the following command:

Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt

If "ClearTextPassword" equals "1" in the file, this is a finding.

Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> Store passwords using reversible encryption to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026

ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~

'Disallow Autoplay for non-volume devices' is Enabled

- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\
- Value Name: NoAutoplayfornonVolume
- Value: 0x00000001 (1)
- Type: REG_DWORD

Comments

Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

- Registry Hive: HKEY_LOCAL_MACHINE
- Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\
- Value Name: NoAutoplayfornonVolume
- Type: REG_DWORD
- Value: 0x00000001 (1)

Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Disallow Autoplay for nonvolume devices to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026

ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~

'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands'

- Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
- Value Name: NoAutorun
- Value: 0x00000001 (1)
- Type: REG_DWORD

Comments

Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

- Registry Hive: HKEY_LOCAL_MACHINE
- Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
- Value Name: NoAutorun
- Type: REG_DWORD
- Value: 0x00000001 (1)

Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Set the default behavior for AutoRun to "Enabled" with "Do not execute any autorun commands" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026

ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~

'Turn off AutoPlay' is Enabled with 'All Drives'

- Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
- Value Name: NoDriveTypeAutoRun
- Value: 0x000000ff (255)
- Type: REG_DWORD

Comments

Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

- Registry Hive: HKEY_LOCAL_MACHINE
- Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
- Value Name: NoDriveTypeAutoRun
- Type: REG_DWORD
- Value: 0x000000ff (255)

Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Turn off AutoPlay to "Enabled" with "All Drives" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026

ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~

'Always install with elevated privileges' is Disabled

- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\
- Value Name: AlwaysInstallElevated
- Value: 0x00000000 (0)
- Type: REG_DWORD

Comments

Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

- Registry Hive: HKEY_LOCAL_MACHINE
- Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\
- Value Name: AlwaysInstallElevated
- Type: REG_DWORD
- Value: 0x00000000 (0)

Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> Always install with elevated privileges to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026

ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~

'Allow Basic authentication' is Disabled

- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\
- Value Name: AllowBasic
- Value: 0x00000000 (0)
- Type: REG_DWORD

Comments

Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

- Registry Hive: HKEY_LOCAL_MACHINE
- Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\
- Value Name: AllowBasic
- Type: REG_DWORD
- Value: 0x00000000 (0)

Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> Allow Basic authentication to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026

ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~

'Allow Basic authentication' is Disabled

- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\
- Value Name: AllowBasic
- Value: 0x00000000 (0)
- Type: REG_DWORD

Comments

Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

- Registry Hive: HKEY_LOCAL_MACHINE
- Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\
- Value Name: AllowBasic
- Type: REG_DWORD
- Value: 0x00000000 (0)

Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> Allow Basic authentication to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026

ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~

System is a 'Member Server' so this requirement is NA.

Comments

Check Text
This applies to domain controllers. A separate version applies to other systems. Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding.
Fix Text
Configure the Administrators group to include only administrator groups or accounts that are responsible for the system. Remove any standard user accounts.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026

ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~

System is a 'Member Server' so this requirement is NA.

Comments

Check Text
This applies to domain controllers. It is NA for other systems.

Run "Regedit".

Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters".

Note the directory locations in the values for:

- Database log files path
- DSA Database file

By default, they will be \Windows\NTDS.

If the locations are different, the following will need to be run for each.

Open "Command Prompt (Admin)".

Navigate to the NTDS directory (\Windows\NTDS by default).

Run "icacls *.*".

If the permissions on each file are not as restrictive as the following, this is a finding:

- NT AUTHORITY\SYSTEM:(I)(F)
- BUILTIN\Administrators:(I)(F)

(I) - permission inherited from parent container

(F) - full access

Fix Text
Maintain the permissions on NTDS database and log files as follows:

- NT AUTHORITY\SYSTEM:(I)(F)
- BUILTIN\Administrators:(I)(F)

(I) - permission inherited from parent container

(F) - full access

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026

ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~

System is a 'Member Server' so this requirement is NA.

Comments

Check Text
This applies to domain controllers. It is NA for other systems.

Open a command prompt.

Run "net share".

Make note of the directory location of the SYSVOL share.

By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level.

If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding.

The default permissions noted below meet this requirement:

Open "Command Prompt".

Run "icacls c:\Windows\SYSVOL".

The following results must be displayed:

- NT AUTHORITY\Authenticated Users:(RX)
- NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
- BUILTIN\Server Operators:(RX)
- BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
- BUILTIN\Administrators:(M,WDAC,WO)
- BUILTIN\Administrators:(OI)(CI)(IO)(F)
- NT AUTHORITY\SYSTEM:(F)
- NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
- CREATOR OWNER:(OI)(CI)(IO)(F)

(RX) - Read & execute

Run "icacls /help" to view definitions of other permission codes.

Fix Text
Maintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement:

C:\Windows\SYSVOL

Type - "Allow" for all

Inherited from - "None" for all

Principal - Access - Applies to

- Authenticated Users - Read & execute - This folder, subfolder, and files
- Server Operators - Read & execute - This folder, subfolder, and files
- Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control)
- CREATOR OWNER - Full control - Subfolders and files only
- Administrators - Full control - Subfolders and files only
- SYSTEM - Full control - This folder, subfolders, and files

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026

ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~

System is a 'Member Server' so this requirement is NA.

Comments

Check Text
This applies to domain controllers. It is NA for other systems.

Review the permissions on Group Policy objects.

Open "Group Policy Management" (available from various menus or run "gpmc.msc").

Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain).

For each Group Policy object:

- Select the Group Policy object item in the left pane.
- Select the "Delegation" tab in the right pane.
- Select "Advanced".
- Select each Group or user name.
- View the permissions.

If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding.

Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the Information System Security Officer (ISSO).

The default permissions noted below satisfy this requirement.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button.

- Authenticated Users - Read, Apply group policy, Special permissions

The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties:

- CREATOR OWNER - Special permissions
- SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
- Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
- Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Fix Text
Maintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement:

- Authenticated Users - Read, Apply group policy, Special permissions

The special permissions for Authenticated Users are for Read-type Properties.

- CREATOR OWNER - Special permissions
- SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions
- Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
- Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions
- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Document any other access permissions that allow the objects to be updated with the ISSO.

| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026

ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~

System is a 'Member Server' so this requirement is NA.

Comments

Check Text
This applies to domain controllers. It is NA for other systems.

Review the permissions on the Domain Controllers OU.

- Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
- Select "Advanced Features" in the "View" menu if not previously selected.
- Select the "Domain Controllers" OU (folder in folder icon).
- Right-click and select "Properties".
- Select the "Security" tab.

If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding.

The default permissions listed below satisfy this requirement.

Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "View" or "Edit" button.

Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.

- CREATOR OWNER - Special permissions
- SELF - Special permissions
- Authenticated Users - Read, Special permissions

The special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

- SYSTEM - Full Control
- Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
- Enterprise Admins - Full Control
- Key Admins - Special permissions
- Enterprise Key Admins - Special permissions
- Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
- Pre-Windows 2000 Compatible Access - Special permissions

The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Fix Text
Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators.

The default permissions listed below satisfy this requirement.

Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions.

- CREATOR OWNER - Special permissions
- SELF - Special permissions
- Authenticated Users - Read, Special permissions
  The special permissions for Authenticated Users are Read types.
- SYSTEM - Full Control
- Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
- Enterprise Admins - Full Control
- Key Admins - Special permissions
- Enterprise Key Admins - Special permissions
- Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
- Pre-Windows 2000 Compatible Access - Special permissions
  The special permissions for Pre-Windows 2000 Compatible Access are Read types.
- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Comments
Check Text
This applies to domain controllers. It is NA for other systems.

Review the permissions on domain-defined OUs.

- Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
- Ensure "Advanced Features" is selected in the "View" menu.

For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU:

- Right-click the OU and select "Properties".
- Select the "Security" tab.

If the Allow type permissions on the OU are not at least as restrictive as those below, this is a finding.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button.

Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.

- CREATOR OWNER - Special permissions
- Self - Special permissions
- Authenticated Users - Read, Special permissions
  The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
- SYSTEM - Full Control
- Domain Admins - Full Control
- Enterprise Admins - Full Control
- Key Admins - Special permissions
- Enterprise Key Admins - Special permissions
- Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
- Pre-Windows 2000 Compatible Access - Special permissions
  The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

If an Information System Security Officer (ISSO)-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO.

If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts).

If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).
Fix Text
Maintain the Allow type permissions on domain-defined OUs to be at least as restrictive as the defaults below.

Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented.

- CREATOR OWNER - Special permissions
- Self - Special permissions
- Authenticated Users - Read, Special permissions
  The special permissions for Authenticated Users are Read type.
- SYSTEM - Full Control
- Domain Admins - Full Control
- Enterprise Admins - Full Control
- Key Admins - Special permissions
- Enterprise Key Admins - Special permissions
- Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
- Pre-Windows 2000 Compatible Access - Special permissions
  The special permissions for Pre-Windows 2000 Compatible Access are for Read types.
- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Comments
Check Text
This applies to domain controllers. It is NA for other systems.

- Open "Command Prompt" (not elevated).
- Run "ldp.exe".
- From the "Connection" menu, select "Bind".
- Clear the User, Password, and Domain fields.
- Select "Simple bind" for the Bind type and click "OK".

Confirmation of anonymous access will be displayed at the end:

res = ldap_simple_bind_s
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'

- From the "Browse" menu, select "Search".
- In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field.
- Clear the Attributes field and select "Run".

Error messages must display related to Bind and user not authenticated.

If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding.

The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access.

- Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions.
- Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.
Fix Text
Configure directory data (outside the root DSE) of a nonpublic directory to prevent anonymous access.

For AD, there are multiple configuration items that could enable anonymous access.

Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions must be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc).

The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Comments
Check Text
This applies to domain controllers. It is NA for other systems.

- Run "MMC".
- Select "Add/Remove Snap-in" from the "File" menu.
- Select "Certificates" in the left pane, and then click "Add >".
- Select "Computer Account", and then click "Next".
- Select the appropriate option for "Select the computer you want this snap-in to manage", and then click "Finish".
- Click "OK".
- Select and expand the "Certificates (Local Computer)" entry in the left pane.
- Select and expand the "Personal" entry in the left pane.
- Select the "Certificates" entry in the left pane.
- In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA.

If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DOD PKI or an approved ECA, this is a finding.

If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding.

There are multiple sources from which lists of valid DOD CAs and approved ECAs can be obtained:

- The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil.
- DOD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DOD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on Cyber Exchange: https://www.cyber.mil/pki-pke/tools-configuration-files.
Fix Text
Obtain a server certificate for the domain controller issued by the DOD PKI or an approved ECA.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Comments
Check Text
This applies to domain controllers. It is NA for other systems.

Review user account mappings to PKI certificates.

- Open "Windows PowerShell".
- Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled".
- Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account.

If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding.

For standard NIPRNet certificates, the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI).

Alt Tokens and other certificates may use a different UPN format than the EDI-PI, which varies by organization. Verify these with the organization.

NIPRNet Example:
Name - User Principal Name
User1 - 1234567890@mil

See PKE documentation for other network domain suffixes.

If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.
Fix Text
Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:
ResultHash: CF7C91A195CBE710A8E0F73C0AAA4360670D7BAA
~~~~~
The following are members of the local Administrators group:
---------------------
Name: SCHROEDER3\Server Administrator Group
objectClass: Group
objectSID: S-1-5-21-1160972651-4155981999-2770166294-1115

Name: SCHR-P3-DP-001\DOD_Admin
objectClass: User
objectSID: S-1-5-21-2359828523-3188837691-268305261-1000

Name: SCHR-P3-DP-001\X_Admin
objectClass: User
objectSID: S-1-5-21-2359828523-3188837691-268305261-500
Comments
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers.

- Open "Computer Management".
- Navigate to "Groups" under "Local Users and Groups".
- Review the local "Administrators" group.

Only administrator groups or accounts responsible for administration of the system may be members of the group.

For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group.

Standard user accounts must not be members of the local Administrator group.

If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding.

If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding.
Fix Text
Configure the local "Administrators" group to include only administrator groups or accounts responsible for administration of the system. For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. Remove any standard user accounts.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 6771B96D1ED1098549965ED8F67FF9028082CC2A
~~~~~
SecurityServicesRunning: 1, 2
Comments
Check Text
For domain controllers and standalone or nondomain-joined systems, this is NA.

Open "PowerShell" with elevated privileges (run as administrator).

Enter the following:

"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard"

If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding.

Alternately:

Run "System Information".

Under "System Summary", verify the following:

If "Device Guard Security Services Running" does not list "Credential Guard", this is a finding.

The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\
Value Name: LsaCfgFlags
Value Type: REG_DWORD
Value: 0x00000001 (1) (Enabled with UEFI lock)

A Microsoft article on Credential Guard system requirement can be found at the following link:

https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> Turn On Virtualization Based Security to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration".

A Microsoft article on Credential Guard system requirement can be found at the following link:

https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements

Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection provided to the affected servers that are not capable of complying with the Credential Guard requirement. Items that must be reviewed/considered for compliance or mitigation for non-Credential Guard compliance are:

- The use of Microsoft Local Administrator Password Solution (LAPS) or similar products to control different local administrative passwords for all affected servers. This is to include a strict password change requirement (60 days or less).
- Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions must be supplied.
- Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected servers.
- Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers.
- Windows Defender rule block credential stealing from LSASS.exe is applied. This rule can only be applied if Windows Defender is in use.
- The overall number of vulnerabilities that are unmitigated on the network/servers.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF
~~~~~
'Accounts: Limit local account use of blank passwords to console logon only' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: LimitBlankPasswordUse
Value: 0x00000001 (1)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: LimitBlankPasswordUse
Value Type: REG_DWORD
Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Accounts: Limit local account use of blank passwords to console logon only to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F
~~~~~
'Network access: Allow anonymous SID/Name translation' is Disabled
LSAAnonymousNameLookup: 0
Comments
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Allow anonymous SID/Name translation to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56
~~~~~
'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: RestrictAnonymousSAM
Value: 0x00000001 (1)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: RestrictAnonymousSAM
Value Type: REG_DWORD
Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Do not allow anonymous enumeration of SAM accounts to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D
~~~~~
'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: RestrictAnonymous
Value: 0x00000001 (1)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: RestrictAnonymous
Value Type: REG_DWORD
Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Do not allow anonymous enumeration of SAM accounts and shares to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711
~~~~~
'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\
Value Name: RestrictNullSessAccess
Value: 0x00000001 (1)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\
Value Name: RestrictNullSessAccess
Value Type: REG_DWORD
Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Restrict anonymous access to Named Pipes and Shares to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA
~~~~~
'Network security: Do not store LAN Manager hash value on next password change' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: NoLMHash
Value: 0x00000001 (1)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: NoLMHash
Value Type: REG_DWORD
Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Do not store LAN Manager hash value on next password change to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 1CC5D989E6B73511369D6A08B8D0016672826C20
~~~~~
'Network security: LAN Manager authentication level' is Send NTLMv2 response only. Refuse LM & NTLM
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: LmCompatibilityLevel
Value: 0x00000005 (5)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: LmCompatibilityLevel
Value Type: REG_DWORD
Value: 0x00000005 (5)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: LAN Manager authentication level to "Send NTLMv2 response only. Refuse LM & NTLM".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3
~~~~~
Act as part of the operating system: No objects assigned to this right.
Comments
Check Text
Verify the effective setting in Local Group Policy Editor.

- Run "gpedit.msc".
- Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding.

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs are granted the "SeTcbPrivilege" user right, this is a finding.

If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).

Passwords for accounts with this user right must be protected as highly privileged accounts.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Act as part of the operating system to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: DC364635E02E4550D6A89063BCA91A5342767023
~~~~~
Create a token object: No objects assigned to this right.
Comments
Check Text
Verify the effective setting in Local Group Policy Editor.

- Run "gpedit.msc".
- Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups are granted the "Create a token object" user right, this is a finding.

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs are granted the "SeCreateTokenPrivilege" user right, this is a finding.

If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).

Passwords for application accounts with this user right must be protected as highly privileged accounts.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Create a token object to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2
~~~~~
Debug programs: BUILTIN\Administrators
Comments
Check Text
Verify the effective setting in Local Group Policy Editor.

- Run "gpedit.msc".
- Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding:

- Administrators

For server core installations, run the following command:

Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt

Review the text file.

If any SIDs other than the following are granted the "SeDebugPrivilege" user right, this is a finding:

S-1-5-32-544 (Administrators)

If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).

Passwords for application accounts with this user right must be protected as highly privileged accounts.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Debug programs to include only the following accounts or groups:

- Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 03/05/2026
Site: Default Web Site
ResultHash: 453FAD461534700007B4F585B0D2FD1A4236A4FD
~~~~~
Cookie Settings is set to 'UseCookies'
Comments
Check Text
Note: If ASP.NET is not installed, this is Not Applicable.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

- Open the IIS 10.0 Manager.
- Click the site name.
- Under the "ASP.NET" section, select "Session State".
- Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list.

If the "Use Cookies" mode is selected, this is not a finding.

Alternative method:

- Click the site name.
- Select "Configuration Editor" under the "Management" section.
- From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".
- Verify the "cookieless" is set to "UseCookies".

If the "cookieless" is not set to "UseCookies", this is a finding.

Note: If IIS 10.0 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Under the ASP.NET section, select "Session State". Under "Cookie Settings", select the "Use Cookies" from the "Mode:" drop-down list. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:
Site: Default Web Site
ResultHash: 1F8B0BF251048DDF52481451B9AA669A5C254D2B
~~~~~
Require SSL is NOT enabled
Comments
Check Text
Note: If the server being reviewed is a public IIS 10.0 web server, this is Not Applicable.
Note: If the server is hosting SharePoint, this is Not Applicable.
Note: If the server is hosting WSUS, this is Not Applicable.
Note: If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server and is Not Applicable in this STIG.

Follow the procedures below for each site hosted on the IIS 10.0 web server:

- Open the IIS 10.0 Manager.
- Click the site name.
- Double-click the "SSL Settings" icon.
- Verify "Require SSL" check box is selected.

If the "Require SSL" check box is not selected, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "SSL Settings" icon. Select "Require SSL" check box. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:
Site: Default Web Site
ResultHash: 1F8B0BF251048DDF52481451B9AA669A5C254D2B
Require SSL is NOT enabled
Check Text
Note: If the server being reviewed is a private IIS 10.0 web server, this is Not Applicable. Note: If the server being reviewed is a public IIS 10.0 web server not requiring authentication, this is Not Applicable. Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. Note: If the server being reviewed is hosting WSUS, this is Not Applicable. Note: If the server being reviewed is hosting Simple Certificate Enrollment Services (SCEP), this is Not Applicable. Note: If the server being reviewed is hosting Network Device Enrollment Services (NDES), this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "SSL Settings" icon. Verify "Require SSL" check box is selected. If the "Require SSL" check box is not selected, this is a finding.
Fix Text
Note: If the server being reviewed is a private IIS 10.0 web server, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Double-click the "SSL Settings" icon. Select "Require SSL" check box. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 03/05/2026
Site: Default Web Site
ResultHash: 0B44ED3D6039C1A0BDB60FE41477857D9DAB447E
'File' is the only option selected.
Check Text
Note: If this server is hosting WSUS, this requirement is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Click the "Logging" icon. Under Log Event Destination, verify the "Both log file and ETW event" radio button is selected. If the "Both log file and ETW event" radio button is not selected, this is a finding. Note: "Microsoft-IIS-Logging/logs" must be enabled prior to configuring this setting. More configuration information is available at: https://blogs.intelink.gov/blogs/_disairrt/?p=1317
Fix Text
Note: "Microsoft-IIS-Logging/logs" must be enabled prior to configuring this setting. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Click the "Logging" icon. Under Log Event Destination, select the "Both log file and ETW event" radio button. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
No details recorded.
Check Text
Interview the System Administrator to review the configuration of the IIS 10.0 architecture and determine if inbound web traffic is passed through a proxy. If the IIS 10.0 is receiving inbound web traffic through a proxy, the audit logs must be reviewed to determine if correct source information is being passed through by the proxy server. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name. Click the "Logging" icon. Click "View log file". When log file is displayed, review source IP information in log entries and verify entries do not reflect the IP address of the proxy server. If the website is not behind a load balancer or proxy server, this is Not Applicable. If the log entries in the log file(s) reflect the IP address of the proxy server as the source, this is a finding. If provisions have been made to log the client IP via another field (i.e., utilizing X-Forwarded-For), this is not a finding.
Fix Text
Access the proxy server through which inbound web traffic is passed and configure settings to pass web traffic to the IIS 10.0 web server transparently.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 03/05/2026
Site: Default Web Site
ResultHash: 7599E6F84AF0FE02631E378C3BDEFF3AC6CE19D6
Log format is 'W3C'
The 'Request Header >> Connection' custom field is NOT configured.
The 'Request Header >> Warning' custom field is NOT configured.
Check Text
Note: If this server is hosting WSUS, this requirement is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Select the website being reviewed. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Custom Fields", verify the following fields are selected:
Request Header >> Connection
Request Header >> Warning
If any of the above fields are not selected, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Select the website being reviewed. Under "IIS", double-click the "Logging" icon. Configure the "Format:" under "Log File" to "W3C". Select "Fields". Under "Custom Fields", select the following fields:
Request Header >> Connection
Request Header >> Warning
Click "OK". Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 03/05/2026
Site: Default Web Site
ResultHash: C3C26BB04CA1EEAB0A14FFB0A603274C530242F3
Log format is 'W3C'
User Agent, User Name, and Referrer are all logged.
The 'Request Header >> Authorization' custom field is NOT configured.
The 'Response Header >> Content-Type' custom field is NOT configured.
Check Text
Note: If this server is hosting WSUS, this requirement is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 web server IIS 10.0 Manager. Under "IIS", double-click the "Logging" icon. Verify the "Format:" under "Log File" is configured to "W3C". Select "Fields". Under "Standard Fields", verify "User Agent", "User Name", and "Referrer" are selected. Under "Custom Fields", verify the following fields have been configured:
Request Header >> Authorization
Response Header >> Content-Type
If any of the above fields are not selected, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 web server IIS 10.0 Manager. Select the website being reviewed. Under "IIS", double-click the "Logging" icon. Configure the "Format:" under "Log File" to "W3C". Select "Fields". Under "Standard Fields", select "User Agent", "User Name", and "Referrer". Under "Custom Fields", select the following fields:
Request Header >> Authorization
Response Header >> Content-Type
Click "OK". Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 03/05/2026
Site: Default Web Site
ResultHash: 655AA1250F9F447877A75E551AC19473E3E576A5
WSUS Hosted: False
The following invalid MIME types for OS shell program extensions are configured: .exe .dll .csh
Check Text
Note: If the server is hosting WSUS, this is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click on the IIS 10.0 site. Under IIS, double-click the “MIME Types” icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: .exe .dll .com .bat .csh If any OS shell MIME types are configured, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click on the IIS 10.0 site. Under IIS, double-click the “MIME Types” icon. From the "Group by:" drop-down list, select "Content Type". From the list of extensions under "Application", remove MIME types for OS shell program extensions, to include at a minimum, the following extensions: .exe .dll .com .bat .csh Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:
Site: Default Web Site
ResultHash: 273D18146DC4BC86A65EF8CB8BEEC3EE2EA27C2B
Access Policy: Read,Script

Enabled Handler Mappings:

| Name | Path | State | PathType | Handler | ReqAccess |
|---|---|---|---|---|---|
| xamlx-ISAPI-4.0_64bit | `*.xamlx` | Enabled | Unspecified | IsapiModule | Script |
| xamlx-ISAPI-4.0_32bit | `*.xamlx` | Enabled | Unspecified | IsapiModule | Script |
| xamlx-Integrated-4.0 | `*.xamlx` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| rules-ISAPI-4.0_64bit | `*.rules` | Enabled | Unspecified | IsapiModule | Script |
| rules-ISAPI-4.0_32bit | `*.rules` | Enabled | Unspecified | IsapiModule | Script |
| rules-Integrated-4.0 | `*.rules` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| xoml-ISAPI-4.0_64bit | `*.xoml` | Enabled | Unspecified | IsapiModule | Script |
| xoml-ISAPI-4.0_32bit | `*.xoml` | Enabled | Unspecified | IsapiModule | Script |
| xoml-Integrated-4.0 | `*.xoml` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| svc-ISAPI-4.0_64bit | `*.svc` | Enabled | Unspecified | IsapiModule | Script |
| svc-ISAPI-4.0_32bit | `*.svc` | Enabled | Unspecified | IsapiModule | Script |
| svc-Integrated-4.0 | `*.svc` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| AXD-ISAPI-4.0_64bit | `*.axd` | Enabled | Unspecified | IsapiModule | Script |
| PageHandlerFactory-ISAPI-4.0_64bit | `*.aspx` | Enabled | Unspecified | IsapiModule | Script |
| SimpleHandlerFactory-ISAPI-4.0_64bit | `*.ashx` | Enabled | Unspecified | IsapiModule | Script |
| WebServiceHandlerFactory-ISAPI-4.0_64bit | `*.asmx` | Enabled | Unspecified | IsapiModule | Script |
| HttpRemotingHandlerFactory-rem-ISAPI-4.0_64bit | `*.rem` | Enabled | Unspecified | IsapiModule | Script |
| HttpRemotingHandlerFactory-soap-ISAPI-4.0_64bit | `*.soap` | Enabled | Unspecified | IsapiModule | Script |
| aspq-ISAPI-4.0_64bit | `*.aspq` | Enabled | Unspecified | IsapiModule | Script |
| cshtm-ISAPI-4.0_64bit | `*.cshtm` | Enabled | Unspecified | IsapiModule | Script |
| cshtml-ISAPI-4.0_64bit | `*.cshtml` | Enabled | Unspecified | IsapiModule | Script |
| vbhtm-ISAPI-4.0_64bit | `*.vbhtm` | Enabled | Unspecified | IsapiModule | Script |
| vbhtml-ISAPI-4.0_64bit | `*.vbhtml` | Enabled | Unspecified | IsapiModule | Script |
| TraceHandler-Integrated-4.0 | `trace.axd` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| WebAdminHandler-Integrated-4.0 | `WebAdmin.axd` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| AssemblyResourceLoader-Integrated-4.0 | `WebResource.axd` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| PageHandlerFactory-Integrated-4.0 | `*.aspx` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| SimpleHandlerFactory-Integrated-4.0 | `*.ashx` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| WebServiceHandlerFactory-Integrated-4.0 | `*.asmx` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| HttpRemotingHandlerFactory-rem-Integrated-4.0 | `*.rem` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| HttpRemotingHandlerFactory-soap-Integrated-4.0 | `*.soap` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| aspq-Integrated-4.0 | `*.aspq` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| cshtm-Integrated-4.0 | `*.cshtm` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| cshtml-Integrated-4.0 | `*.cshtml` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| vbhtm-Integrated-4.0 | `*.vbhtm` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| vbhtml-Integrated-4.0 | `*.vbhtml` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| ScriptHandlerFactoryAppServices-Integrated-4.0 | `*_AppService.axd` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| ScriptResourceIntegrated-4.0 | `*ScriptResource.axd` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| AXD-ISAPI-4.0_32bit | `*.axd` | Enabled | Unspecified | IsapiModule | Script |
| PageHandlerFactory-ISAPI-4.0_32bit | `*.aspx` | Enabled | Unspecified | IsapiModule | Script |
| SimpleHandlerFactory-ISAPI-4.0_32bit | `*.ashx` | Enabled | Unspecified | IsapiModule | Script |
| WebServiceHandlerFactory-ISAPI-4.0_32bit | `*.asmx` | Enabled | Unspecified | IsapiModule | Script |
| HttpRemotingHandlerFactory-rem-ISAPI-4.0_32bit | `*.rem` | Enabled | Unspecified | IsapiModule | Script |
| HttpRemotingHandlerFactory-soap-ISAPI-4.0_32bit | `*.soap` | Enabled | Unspecified | IsapiModule | Script |
| aspq-ISAPI-4.0_32bit | `*.aspq` | Enabled | Unspecified | IsapiModule | Script |
| cshtm-ISAPI-4.0_32bit | `*.cshtm` | Enabled | Unspecified | IsapiModule | Script |
| cshtml-ISAPI-4.0_32bit | `*.cshtml` | Enabled | Unspecified | IsapiModule | Script |
| vbhtm-ISAPI-4.0_32bit | `*.vbhtm` | Enabled | Unspecified | IsapiModule | Script |
| vbhtml-ISAPI-4.0_32bit | `*.vbhtml` | Enabled | Unspecified | IsapiModule | Script |
| SSINC-stm | `*.stm` | Enabled | File | ServerSideIncludeModule | Script |
| SSINC-shtm | `*.shtm` | Enabled | File | ServerSideIncludeModule | Script |
| SSINC-shtml | `*.shtml` | Enabled | File | ServerSideIncludeModule | Script |
| TRACEVerbHandler | `*` | Enabled | Unspecified | ProtocolSupportModule | None |
| OPTIONSVerbHandler | `*` | Enabled | Unspecified | ProtocolSupportModule | None |
| ExtensionlessUrlHandler-ISAPI-4.0_32bit | `*.` | Enabled | Unspecified | IsapiModule | Script |
| ExtensionlessUrlHandler-ISAPI-4.0_64bit | `*.` | Enabled | Unspecified | IsapiModule | Script |
| ExtensionlessUrlHandler-Integrated-4.0 | `*.` | Enabled | Unspecified | ManagedPipelineHandler | Script |
| StaticFile | `*` | Enabled | File or Folder | StaticFileModule,DefaultDocumentModule,DirectoryListingModule | Read |

Disabled Handler Mappings:

| Name | Path | State | PathType | Handler | ReqAccess |
|---|---|---|---|---|---|
| ISAPI-dll | `*.dll` | Disabled | File | IsapiModule | Execute |

Check Text
Note: If the server being reviewed is hosting SharePoint, this is not applicable. For Handler Mappings, the ISSO must document and approve all allowable scripts the website allows (whitelist) and denies (blacklist). The whitelist and blacklist will be compared to the Handler Mappings in IIS 10.0. Handler Mappings at the site level take precedence over Handler Mappings at the server level. Open the IIS 10.0 Manager. Click the site name under review. Double-click "Handler Mappings". If any script file extensions from the blacklist are enabled, this is a finding.
Fix Text
Open the IIS 10.0 Manager. Click the site name under review. Double-click "Handler Mappings". Remove any script file extensions listed on the black list that are enabled. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:
Site: Default Web Site
ResultHash: 2F23BA53ABD5080AF448F9773A244BEC788276EC

Denied file extensions:

| FileExtension | Allowed |
|---|---|
| .asax | False |
| .ascx | False |
| .master | False |
| .skin | False |
| .browser | False |
| .sitemap | False |
| .config | False |
| .cs | False |
| .csproj | False |
| .vb | False |
| .vbproj | False |
| .webinfo | False |
| .licx | False |
| .resx | False |
| .resources | False |
| .mdb | False |
| .vjsproj | False |
| .java | False |
| .jsl | False |
| .ldb | False |
| .dsdgm | False |
| .ssdgm | False |
| .lsad | False |
| .ssmap | False |
| .cd | False |
| .dsprototype | False |
| .lsaprototype | False |
| .sdm | False |
| .sdmDocument | False |
| .mdf | False |
| .ldf | False |
| .ad | False |
| .dd | False |
| .ldd | False |
| .sd | False |
| .adprototype | False |
| .lddprototype | False |
| .exclude | False |
| .refresh | False |
| .compiled | False |
| .msgx | False |
| .vsdisco | False |
| .rules | False |

Allowed file extensions: None

Check Text
Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. For Request Filtering, the ISSO must document and approve all allowable scripts the website allows (white list) and denies (black list). The white list and black list will be compared to the Request Filtering in IIS 10.0. Request Filtering at the site level takes precedence over Request Filtering at the server level. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name to review. Double-click Request Filtering->File Name Extensions Tab. If any script file extensions from the black list are not denied, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name to review. Double-click Request Filtering->File Name Extensions Tab->Deny File Name Extension. Add any script file extensions listed on the black list that are not listed. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 03/05/2026
Site: Default Web Site
ResultHash: 8E8482E042BD27CE6D91B327DB52B5325B740854
The site is NOT bound to a specific host header on port 80
Check Text
Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Right-click on the site name under review. Select "Edit Bindings". Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used. If both hostname entries and unique IP addresses are not configured to port 80 for HTTP and port 443 for HTTPS (or other approved and documented port), this is a finding. Note: If certificate handling is performed at the Proxy/Load Balancer, this is not a finding. Note: If HTTP/Port 80 is not being used, and is not configured as above, this is not a finding. Note: If this IIS 10.0 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable.
Fix Text
Note: If the server being reviewed is hosting SharePoint, this is Not Applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Right-click on the site name under review. Select "Edit Bindings". Assign hostname entries and unique IP addresses to port 80 for HTTP and port 443 for HTTPS. Other approved and documented ports may be used. Click "OK". Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) found this to be OPEN on 03/05/2026
Site: Default Web Site
ResultHash: C9147AB75E3FE047BDF3394C860E38FD3A03A4FC
Client Certificates is NOT set to 'Require'
Confirm if this this is a public server. If so, mark this finding as Not Applicable.
Check Text
Note: If the server being reviewed is a public IIS 10.0 web server, this is not applicable. Note: If the server being reviewed is hosting SharePoint, this is not applicable. Note: If the server being reviewed is hosting WSUS, this is not applicable. Note: If certificate handling is performed at the Proxy/Load Balancer, this is not applicable. Note: If the server being reviewed is hosting Simple Certificate Enrollment Services (SCEP), this is not applicable. Note: If the server being reviewed is hosting Network Device Enrollment Services (NDES), this is not applicable. Note: If the server is providing OCSP, and not otherwise hosting any content, this requirement is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. If the "Clients Certificate Required" check box is not selected, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon. Verify the "Clients Certificate Required" check box is selected. Select "Apply" from the "Actions" pane.