| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 32AFF8CF36570A0DC084CA270EE023B4DED1D486 ~~~~~ There is nothing preventing an administrator from shutting down either the webservice or an individual IIS site in the event of an attack. Documentation exists describing how. Comments |
|||||
Check Text
Interview the System Administrator and Web Manager. Ask for documentation for the IIS 10.0 web server administration. Verify there are documented procedures for shutting down an IIS 10.0 website in the event of an attack. The procedure should, at a minimum, provide the following steps: Determine the respective website for the application at risk of an attack. Access the IIS 10.0 web server IIS Manager. Select the respective website. In the "Actions" pane, under "Manage Website", click "Stop". If necessary, stop all websites. If necessary, stop the IIS 10.0 web server by selecting the web server in the IIS Manager. In the "Actions" pane, under "Manage Server", click "Stop". If the web server is not capable or cannot be configured to disconnect or disable remote access to the hosted applications when necessary, this is a finding.
Fix Text
Prepare documented procedures for shutting down an IIS 10.0 website in the event of an attack. The procedure should, at a minimum, provide the following steps: Determine the respective website for the application at risk of an attack. Access the IIS 10.0 web server IIS Manager. Select the respective website. In the "Actions" pane, under "Manage Website", click "Stop". If necessary, stop all websites. If necessary, stop the IIS 10.0 web server by selecting the web server in the IIS Manager. In the "Actions" pane, under "Manage Server", click "Stop".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 3D17137C642E0082CB98AAEDAD92AC406296074C ~~~~~ Path: C:\inetpub OverallState: More restrictive than Expected Compliance: Compliant Unexpected rules... --------------------- State: MoreRestrictive Compliant: True Identity: APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Type: N/A Basic: N/A Expected: ReadAndExecute Advanced: Expected: ExecuteFile, ListDirectory, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Traverse Inherited: N/A AppliesTo: N/A Summary: Missing Rule: An expected rule with rights 'ReadAndExecute' was not found on the system. State: MoreRestrictive Compliant: True Identity: APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES Type: N/A Basic: N/A Expected: ReadAndExecute Advanced: Expected: ExecuteFile, ListDirectory, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Traverse Inherited: N/A AppliesTo: N/A Summary: Missing Rule: An expected rule with rights 'ReadAndExecute' was not found on the system. --------------------- Comments |
|||||
Check Text
Open Explorer and navigate to the inetpub directory. Right-click "inetpub" and select "Properties". Click the "Security" tab. Verify the permissions for the following users; if the permissions are less restrictive, this is a finding. System: Full control Administrators: Full control TrustedInstaller: Full control ALL APPLICATION PACKAGES (built-in security group): Read and execute, This folder, subfolders and files ALL RESTRICTED APPLICATION PACKAGES (built-in security group): Read and execute, This folder, subfolders and files Users: Read and execute, list folder contents CREATOR OWNER: Full Control, Subfolders and files only
Fix Text
Open Explorer and navigate to the inetpub directory. Right-click "inetpub" and select "Properties". Click the "Security" tab. Set the following permissions: System: Full control Administrators: Full control TrustedInstaller: Full control ALL APPLICATION PACKAGES (built-in security group): Read and execute, This folder, subfolders and files ALL RESTRICTED APPLICATION PACKAGES (built-in security group): Read and execute, This folder, subfolders and files Users: Read and execute, list folder contents CREATOR OWNER: Full Control, Subfolders and files only
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6ADE9501D86E927416808AF0B186536D51A249DE ~~~~~ Logs are set to roll over Daily. Comments |
|||||
Check Text
Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under "IIS" double-click the "Logging" icon. In the "Logging" configuration box, determine the "Directory:" to which the "W3C" logging is being written. Confirm with the System Administrator that the designated log path is of sufficient size to maintain the logging. Under "Log File Rollover", verify "Do not create new log files" is not selected. Verify a schedule is configured to rollover log files on a regular basis. Consult with the System Administrator to determine if there is a documented process for moving the log files off of the IIS 10.0 web server to another logging device. If the designated logging path device is not of sufficient space to maintain all log files, and there is not a schedule to rollover files on a regular basis, this is a finding.
Fix Text
Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under "IIS" double-click on the "Logging" icon. If necessary, in the "Logging" configuration box, re-designate a log path to a location able to house the logs. Under "Log File Rollover", de-select the "Do not create new log files" setting. Configure a schedule to rollover log files on a regular basis.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: C7672C2E607627099A46E345AF4C5CCB919F07F7 ~~~~~ Path: C:\WINDOWS\system32\inetsrv\Inetmgr.exe OverallState: More restrictive than Expected Compliance: Compliant Unexpected rules... --------------------- State: MoreRestrictive Compliant: True Identity: CREATOR OWNER Type: N/A Basic: N/A Expected: FullControl Advanced: Expected: AppendData, ChangePermissions, CreateDirectories, CreateFiles, Delete, DeleteSubdirectoriesAndFiles, ExecuteFile, ListDirectory, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, TakeOwnership, Traverse, WriteAttributes, WriteData, WriteExtendedAttributes Inherited: N/A AppliesTo: N/A Summary: Missing Rule: An expected rule with rights 'FullControl' was not found on the system. --------------------- Comments |
|||||
Check Text
Right-click "InetMgr.exe", then click "Properties" from the "Context" menu. Select the "Security" tab. Review the groups and user names. The following accounts may have Full control privileges: TrustedInstaller Web Managers Web Manager designees CREATOR OWNER The following accounts may have read and execute, or read permissions: Non Web Manager Administrators ALL APPLICATION PACKAGES (built-in security group) ALL RESTRICTED APPLICATION PACKAGES (built-in security group) SYSTEM Users Specific users may be granted read and execute and read permissions. Compare the local documentation authorizing specific users, against the users observed when reviewing the groups and users. If any other access is observed, this is a finding.
Fix Text
Restrict access to the web administration tool to only the web manager and the web manager’s designees.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: 909864146B7EF18AC7E6CCAEB573BFB88320271A ~~~~~ Software installed on this system: ActivID ActivClient x64 Axway Desktop Validator CRLAutoCache DoD Secure Host Baseline Server InstallRoot Microsoft Edge Microsoft NetBanner Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33130 Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.38.33130 STIG Viewer 3 (Machine) Veritas Backup Exec Remote Agent for Windows WinZip 23.0 Comments |
|||||
Check Text
Review programs installed on the OS. Open Control Panel. Open Programs and Features. The following programs may be installed without any additional documentation: Administration Pack for IIS IIS Search Engine Optimization Toolkit Microsoft .NET Framework version 3.5 SP1 or greater Microsoft Web Platform Installer version 3.x or greater Virtual Machine Additions Review the installed programs, if any programs are installed other than those listed above, this is a finding. Note: If additional software is needed and has supporting documentation signed by the ISSO, this is not a finding.
Fix Text
Remove all unapproved programs and roles from the production web server.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 1BA0DAED412A266D2A2A6B88E64E20ADB5E27D37 ~~~~~ 'C:\WINDOWS\web\printers' does not exist. The Print Services role and the Internet Printing role are not installed so this check is Not Applicable. Comments |
|||||
Check Text
If the Print Services role and the Internet Printing role are not installed, this check is Not Applicable. Navigate to the following directory: %windir%\web\printers If this folder exists, this is a finding. Determine whether Internet Printing is enabled: Click “Start”, click “Administrative Tools”, and then click “Server Manager”. Expand the roles node, right-click “Print Services”, and then select “Remove Roles Services”. If the Internet Printing option is enabled, this is a finding.
Fix Text
Click “Start”, click “Administrative Tools”, and then click “Server Manager”. Expand the roles node, right-click “Print Services”, and then select “Remove Roles Services”. If the Internet Printing option is checked, clear the check box, click “Next”, and then click “Remove” to complete the wizard.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 8CBC995ED18829A1A7D2C11A22AFC94E2B587D36 ~~~~~ Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: URIEnableCache Value: 0 Type: REG_DWORD Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: UriMaxUriBytes Value: 0 Type: REG_DWORD Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value Name: UriScavengerPeriod Value: 0 Type: REG_DWORD Comments |
|||||
Check Text
If the IIS 10.0 web server is not hosting any applications, this is Not Applicable. If the IIS 10.0 web server is hosting applications, consult with the system administrator to determine risk analysis performed when the application was written and deployed to the IIS 10.0 web server. Obtain documentation on the configuration. Verify, at a minimum, the following tuning settings in the registry. Access the IIS 10.0 web server registry. Verify the following keys are present and configured. The required setting depends upon the requirements of the application. Recommended settings are not provided as these settings must be explicitly configured to show a conscientious tuning has been made. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\ REG_DWORD "URIEnableCache" REG_DWORD "UriMaxUriBytes" REG_DWORD "UriScavengerPeriod" If explicit settings are not configured for "URIEnableCache", "UriMaxUriBytes" and "UriScavengerPeriod", this is a finding.
Fix Text
Access the IIS 10.0 web server registry. Verify the following keys are present and configured. The required setting depends upon the requirements of the application. These settings must be explicitly configured to show a conscientious tuning has been made. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\ Configure the following registry keys to levels to accommodate the hosted applications. Create REG_DWORD "URIEnableCache" Create REG_DWORD "UriMaxUriBytes" Create REG_DWORD "UriScavengerPeriod"
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: C25C8289B0EA2E5E62D0AB638195DFF95EA06806 ~~~~~ keepSessionIdSecure is set to True Comments |
|||||
Check Text
Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under the "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.webServer/asp". Expand the "session" section. Verify the "keepSessionIdSecure" is set to "True". If the "keepSessionIdSecure" is not set to "True", this is a finding.
Fix Text
Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Under "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.webServer/asp". Expand the "session" section. Select "True" for the "keepSessionIdSecure" setting. Select "Apply" from the "Actions" pane.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 4BDF84B533F31E10B68E8C1D4A5EA500F955AE4A ~~~~~ HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server ValueName 'DisabledByDefault' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) Comments |
|||||
Check Text
Review the web server documentation and deployed configuration to determine which version of TLS is being used. If the TLS version is not TLS 1.2 or higher, according to NIST SP 800-52, or if non-FIPS-approved algorithms are enabled, this is a finding.
Fix Text
Configure the web server to use an approved TLS version according to NIST SP 800-52 and to disable all non-approved versions.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6CC480805F1D38F03EA4026B3D32A856071B7CC3 ~~~~~ Unspecified ISAPI is not enabled. NOT A FINDING. Unspecified CGI is not enabled. NOT A FINDING. Comments |
|||||
Check Text
Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Double-click the "ISAPI and CGI restrictions" icon. Click “Edit Feature Settings". Verify the "Allow unspecified CGI modules" and the "Allow unspecified ISAPI modules" check boxes are NOT checked. If either or both of the "Allow unspecified CGI modules" and the "Allow unspecified ISAPI modules" check boxes are checked, this is a finding.
Fix Text
Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Double-click the "ISAPI and CGI restrictions" icon. Click "Edit Feature Settings". Remove the check from the "Allow unspecified CGI modules" and the "Allow unspecified ISAPI modules" check boxes. Click "OK".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: A801FC129AB7FA426BB47F800991FE54A5673509 ~~~~~ Compliant Rules: ---------------- Mode: allow Users: All Users Roles: Verbs: Mode: deny Users: Anonymous Users Roles: Verbs: Comments |
|||||
Check Text
Note: If ASP.NET is not installed, this is Not Applicable. Note: If the Server is hosting Microsoft SharePoint, this is Not Applicable. Note: If the server is hosting WSUS, this is Not Applicable. Note: If the server is hosting Exchange, this is Not Applicable. Note: If the server is public facing, this is Not Applicable. Note: If the website is behind a load balancer or proxy server, this is Not Applicable. Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Double-click the ".NET Authorization Rules" icon. Ensure "All Users" is set to "Allow", and "Anonymous Users" is set to "Deny", otherwise this is a finding. If any other rules are present, this is a finding.
Fix Text
Open the IIS 10.0 Manager. Click the IIS 10.0 web server name. Double-click the ".NET Authorization Rules" icon. Alter the list as necessary to ensure "All Users" is set to "Allow" and "Anonymous Users" is set to "Deny". Remove any other line items.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 5A7B32B2A3CB2520F7640F390CB84EC0B4D2A14A ~~~~~ MaxConnections is set to 4294967295 Comments |
|||||
Check Text
Access the IIS 10.0 IIS Manager. Click the IIS 10.0 server. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.applicationHost/sites". Expand "siteDefaults". Expand "limits". Review the results and verify the value is greater than zero for the "maxconnections" parameter. If the maxconnections parameter is set to zero, this is a finding.
Fix Text
Access the IIS 10.0 IIS Manager. Click the IIS 10.0 server. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.applicationHost/sites". Expand "siteDefaults". Expand "limits". Set the "maxconnections" parameter to a value greater than zero.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B3CB706A6ADDE1748C32DB756BC478CBF6005E4B ~~~~~ HKLM:\SOFTWARE\Microsoft\StrongName\Verification exists but no values were found within. Comments |
|||||
Check Text
Use regedit to review the Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key. If the StrongName\Verification key does not exist, this is not a finding. If there are assemblies or hash values listed in this key, each value represents a distinct application assembly that does not have the application strong name verified. If any assemblies are listed as omitting strong name verification in a production environment, this is a finding. If any assemblies are listed as omitting strong name verification in a development or test environment and the IAO has not provided documented approvals, this is a finding.
Fix Text
Use regedit to remove the values stored in Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key. All assemblies must require strong name verification in a production environment. Strong name assemblies that do not require verification in a development or test environment must have documented approvals from the IAO.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00 Comments |
|||||
Check Text
If the system or application being reviewed is SIPR based, this finding is NA. This check must be performed for each user on the system. Use regedit to locate "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State". If the State value for any user is not set to the hexadecimal value of 0x23C00, this is a finding.
Fix Text
This fix must be performed for each user on the system. Using regedit, change the hexadecimal value of the "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State" registry key to 0x23C00.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 0E4360D1A69538A55E456743C4260C8FCE83E079 ~~~~~ Installed .NET version is '4.8'. This check only applies to .NET version 4.0 specifically so this requirement is NA. Comments |
|||||
Check Text
The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. This requirement is Not Applicable (NA) for .NET Framework greater than 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. The location of the caspol utility is dependent upon the system architecture of the system running .Net. For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319. For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. Example: cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319 To check code groups for the machine, run the following command: caspol.exe -m -lg Sample Results: Microsoft (R) .NET Framework CasPol 4.0.30319.1 Copyright (c) Microsoft Corporation. All rights reserved. Policy change prompt is ON Level = Machine Code Groups: 1. All code: Nothing 1.1. Zone - MyComputer: FullTrust (LevelFinal) 1.1.1. StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust 1.1.2. StrongName - 00000000000000000400000000000000: FullTrust 1.2. Zone - Intranet: LocalIntranet 1.2.1. All code: Same site Web 1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery' 1.3. Zone - Internet: Internet 1.3.1. All code: Same site Web 1.4. Zone - Untrusted: Nothing 1.5. (First Match) Zone - Trusted: Internet 1.5.1. All code: Same site Web 1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust Success Section 1.6 above indicates the presence of a publisher's key that meets the Publisher's Membership Condition and is also given full trust. If the Publisher Membership Condition is used on a nondefault Code Group and the use of that publisher's certificate is not documented and approved by the ISSO, this is a finding.
Fix Text
Trust must be established when utilizing Publishers Membership Condition. All publisher's certificates must have documented approvals from the ISSO.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 0E4360D1A69538A55E456743C4260C8FCE83E079 ~~~~~ Installed .NET version is '4.8'. This check only applies to .NET version 4.0 specifically so this requirement is NA. Comments |
|||||
Check Text
If the application is a COTS product, this requirement is Not Applicable (NA). The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. The location of the caspol utility is dependent upon the system architecture of the system running .Net. For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319. For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. Example: cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319 To check code groups, run the following command: caspol.exe -all -lg Sample response: Microsoft (R) .NET Framework CasPol 4.0.30319.1 Security is ON Execution checking is ON Policy change prompt is ON Level = Machine Code Groups: 1. All code: Nothing 1.1. Zone - MyComputer: FullTrust (LevelFinal) 1.1.1. StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust 1.1.2. StrongName - 00000000000000000400000000000000: FullTrust 1.2. Zone - Intranet: LocalIntranet 1.2.1. All code: Same site Web 1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery' 1.3. Zone - Internet: Internet 1.3.1. All code: Same site Web 1.4. Zone - Untrusted: Nothing 1.5. (First Match) Zone - Trusted: Internet 1.5.1. All code: Same site Web 1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust Success An assembly will satisfy the StrongNameMembershipCondition if its metadata contains the strongly identifying data associated with the specified strong name. At the least, this means it has been digitally signed with the private key associated with the public key recorded in the policy. The presence of the encryption key values in the StrongName field indicates the use of StrongNameMembershipCondition. If a Strong Name Membership Condition is assigned to a non-default Code Group the private key must be adequately protected by the software developer or the entity responsible for signing the assemblies. Ask the Systems Programmer how the private keys are protected. Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository. Adequate protection methods include, but are not limited to: - utilizing centralized key management; - using strict file permissions to limit access; and - tying strong pass phrases to the key. If the private key used to sign the assembly is not adequately protected, this is a finding.
Fix Text
Ask the Systems Programmer how the private keys used to sign the assembly are protected. Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository. Adequate protection methods include, but are not limited to: - utilizing centralized key management; - using strict file permissions to limit access; and - tying strong pass phrases to the key. The private key(s) used to sign the assembly must be protected. Utilize centralized key management or strict file permissions along with strong pass phrases and/or other well-established industry practices for managing and controlling access to private keys.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 0E4360D1A69538A55E456743C4260C8FCE83E079 ~~~~~ Installed .NET version is '4.8'. This check only applies to .NET version 4.0 specifically so this requirement is NA. Comments |
|||||
Check Text
The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding. Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding. Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding.
Fix Text
All CAS policy and policy configuration files must be included in the system backup. All CAS policy and policy configuration files must be backed up prior to migration, deployment, and reconfiguration. CAS policy configuration files must be included in disaster recovery plan documentation.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 5484AA1F334AF98C429F840221EEC8B7ADB0A2EE ~~~~~ No machine.config or *.exe.config files found using .NET remoting with HTTP channel so this requirement is NA. Comments |
|||||
Check Text
If .NET remoting with HTTP channel is not used, this check is Not Applicable. Review the machine.config file and the [application name].exe.config file. For 32-bit systems, the "machine.config" file is contained in the following folder: %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config For 64-bit systems, the "machine.config" file is contained in the following folder: %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config. Microsoft specifies locating the [application].config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled. Therefore, if the file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required. Sample machine/application config file: <application name=“remoteserver”> <service> <activated type=“sample.my.object, myobjects”/> </service> <channels> <channel ref=“http server” port=“80”/> </channels> </application> <serverProviders> <provider ref="wsdl" /> <formatter ref="soap" typeFilterLevel="Low" /> <formatter ref="binary" typeFilterLevel="Low" /> </serverProviders> Microsoft provides three "channels" that are used for remoting connectivity. They are the HTTP, TCP, and IPC channels. The channel that is used is specified via the <channels> element in the config file. HTTP channel example: <channel ref=“http server” port=“80”/> The HTTP channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using TLS. The above example shows the well-known TLS port of 443 is not being used. If the HTTP remoting channel is not configured to protect the channel by using TLS encryption, this is a finding.
Fix Text
If .NET remoting with HTTP channel is not used, this fix is Not Applicable. Ensure encryption and message integrity are used for HTTP remoting channels. The HTTP channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using TLS. HTTP channels are protected via TLS (HTTPS). <channels> <channel ref=“http server” port=“443”/> </channels> Change the channel ref parameter to utilize a TLS port and leverage TLS on the remote IIS server.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 69B5FA47DB52CEE6EE623CD1C66B970ACFE69DFB ~~~~~ Operating system: --------------------------------- Name: Microsoft Windows Server 2022 Standard [21H2] Version: 10.0.20348 Enabled .NET Windows features: --------------------------------- NET-Framework-45-Core Library files: --------------------------------- File Path: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Version: 4.8.4795.0 File Path: C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Version: 4.8.4795.0 Ref - https://learn.microsoft.com/en-us/lifecycle/products/microsoft-net-framework Ref - https://support.microsoft.com/en-us/topic/clarification-on-the-support-life-cycle-for-the-net-framework-3-5-the-net-framework-3-0-and-the-net-framework-2-0-28621c7b-226c-7682-27f5-2e2a42db39c3 Comments |
|||||
Check Text
Determine which versions of the .NET Framework are installed by opening the directory %systemroot%\Microsoft.NET. The folder named "%systemroot%\Microsoft.NET\Framework" contains .NET files for 32 bit systems. The folder named "%systemroot%\Microsoft.NET\Framework64" contains .NET files for 64 bit systems. 64 bit systems will have both the 32 bit and the 64 bit folders. 32 bit systems do not have a Framework64 folder. Within each of the folders are the individual folder names that contain the corresponding versions of the .NET Framework: v4.0.30319 v3.5 v3.0 v2.0.50727 v1.1.4322 v1.0.3705 Search for all the Mscorlib.dll files in the %systemroot%\Microsoft.NET\Framework folder and the %systemroot%\Microsoft.NET\Framework64 folder if the folder exists. Click on each of the files, view properties, and click the version tab to determine the version installed. If there is no Mscorlib.dll, there is no installed version of .Net Framework in that directory. More specific information on determining versions of .Net Framework installed can be found at the following link. http://support.microsoft.com/kb/318785 Verify extended support is available for the installed versions of .Net Framework. Verify the .Net Framework support dates with Microsoft Product Lifecycle Search link. http://support.microsoft.com/lifecycle/search/?sort=PN&alpha=.NET+Framework Beginning with .NET 3.5 SP1, the .NET Framework is considered a Component of the Windows OS. Components follow the Support Lifecycle policy of their parent product or platform. .NET Framework 3.5 cannot function without the .NET Framework 2.0 and the .NET Framework 3.0, because there is no common language runtime (CLR) in the .NET Framework 3.5 layer. Therefore, when the .NET Framework 3.5 product is installed, the .NET Framework 2.0 and the .NET Framework 3.0 SP products are also installed. Installation of .NET 2.0 and 3.0 SP products as part of .NET Framework 3.5 is Not a Finding. (https://support.microsoft.com/en-us/topic/clarification-on-the-support-life-cycle-for-the-net-framework-3-5-the-net-framework-3-0-and-the-net-framework-2-0-28621c7b-226c-7682-27f5-2e2a42db39c3) If any versions of the .Net Framework are installed and support is no longer available, this is a finding.
Fix Text
Remove unsupported versions of the .NET Framework and upgrade legacy applications that utilize unsupported versions of the .NET framework.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 665ECD2BE03F9086D5C3B003C3B3238D2C474D25 ~~~~~ No machine.config or *.exe.config files found with 'enforceFIPSPolicy enabled=false'. Comments |
|||||
Check Text
Examine the .NET CLR configuration files from the vulnerability discussion to find the runtime element and then the "enforceFIPSPolicy" element. Example: <configuration> <runtime> <enforceFIPSPolicy enabled="true|false" /> </runtime> </configuration> By default, the .NET "enforceFIPSPolicy" element is set to "true". If the "enforceFIPSPolicy" element does not exist within the "runtime" element of the CLR configuration, this is not a finding. If the "enforceFIPSPolicy" element exists and is set to "false", and the IAO has not accepted the risk and documented the risk acceptance, this is a finding.
Fix Text
Examine the .NET CLR configuration files to find the runtime element and then the "enforceFIPSPolicy" element. Example: <configuration> <runtime> <enforceFIPSPolicy enabled="true|false" /> </runtime> </configuration> Delete the "enforceFIPSPolicy" runtime element, change the setting to "true" or there must be documented IAO approvals for the FIPS setting.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E28F7B07BF034968DDD074235F2D4C0EFC0E8F76 ~~~~~ Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework Value Name: AllowStrongNameBypass Value: 0x00000000 (0) Type: REG_DWORD Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework Value Name: AllowStrongNameBypass Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If there is documented ISSO risk acceptance for development systems, this is not a finding. For 32 bit production systems: Use regedit to examine the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework” key. On 64-bit production systems: Use regedit to examine both the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework” and “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework” keys. If the "AllowStrongNameBypass" value does not exist, or if the “DWORD” value is set to “1”, this is a finding. Documentation must include a complete list of installed .Net applications, application versions, and acknowledgement that ISSO trusts each installed application. If application versions installed on the system do not match approval documentation, this is a finding.
Fix Text
For 32 bit production systems: Set “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AllowStrongNameBypass" to a “DWORD” value of “0”. On 64-bit production systems: Set “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ AllowStrongNameBypass” and “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ AllowStrongNameBypass” to a “DWORD” value of “0”. Or, obtain documented ISSO risk acceptance for each .Net application installed on the system. Approval documentation will include complete list of all installed .Net applications, application versions, and acknowledgement of ISSO trust of each installed application.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'. Comments |
|||||
Check Text
Open Windows explorer and search for *.exe.config. Search each config file found for the "loadFromRemoteSources" element. If the loadFromRemoteSources element is enabled ("loadFromRemoteSources enabled = true"), and the remotely loaded application is not run in a sandboxed environment, or if OS based software controls, such as AppLocker or Software Security Policies, are not utilized, this is a finding.
Fix Text
.Net application code loaded from a remote source must be run in a controlled environment. A controlled environment consists of a sandbox, such as running in an Internet Explorer host environment or employing OS based software access controls, such as AppLocker or Software Security Policies, when application design permits. Obtain documented IAO approvals for all remotely loaded code.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 337EA4CB8826346C79B61FFD2C48107B8F2246C3 ~~~~~ No machine.config or *.exe.config files found with 'etwEnable enabled=false'. Comments |
|||||
Check Text
Open Windows explorer and search for all .NET config files including application config files (*.exe.config) NOTE: Beginning with Windows Vista and Windows Server 2008, ETW Tracing is enabled by default and the "etwEnable" setting is not required in order for Event Tracing to be enabled. An etwEnable setting of "true" IS required in earlier versions of Windows as ETW is disabled by default. Examine the configuration settings for <etwEnable enabled="false" />. If the "etwEnable" element is set to "true", this is not a finding. If the "etwEnable" element is set to "false" and documented approvals by the IAO are not provided, this is a finding.
Fix Text
Open Windows explorer and search for all .NET config files including application config files (*.exe.config). Examine the configuration settings for <etwEnable enabled="false" />. Enable ETW Tracing by setting the etwEnable flag to "true" or obtain documented IAO approvals.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically. Comments |
|||||
Check Text
This requirement does not apply to the "caspol.exe" assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB). Ask the system administrator to provide documentation that identifies: - Each .Net 4.0 application run on the system. - The .Net runtime host that invokes the application. - The security measures employed to control application access to system resources or user access to application. For additional insight run: tasklist /fi "modules eq mscoree.dll" If all .Net applications, runtime hosts and security protections have been documented or if there are no .Net 4.0 applications existing on the system, this is not a finding. If there is no documentation that identifies the existence of .NET 4.0 applications or the lack thereof, this is a finding. If the runtime hosts have not been identified, this is a finding. If the security protections have not been identified, this is a finding.
Fix Text
Document the existence of all .Net 4.0 applications that are not provided by the host Windows OS or the Windows Secure Host Baseline (SHB). Document the corresponding runtime hosts that are used to invoke the applications. Document the applications security control requirements (restricting application access to resources or user access to the application).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 499D611575281956E8E80B6EFACA64CD0F81EBAD ~~~~~ No machine.config or *.exe.config files found using .NET remoting with TCP channel so this requirement is NA. Comments |
|||||
Check Text
If .NET remoting with TCP channel is not used, this check is Not Applicable. Check the machine.config and the [application executable name].exe.config configuration files. For 32-bit systems, the "machine.config" file is contained in the following folder. %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config For 64-bit systems, the "machine.config" file is contained in the following folder. %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config. Microsoft specifies locating the application config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled. Therefore, if the config file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required. Sample machine/application config file: <application name=“remoteserver”> <service> <activated type=“sample.my.object, myobjects”/> </service> <channels> <channel ref=“tcp server” port=“6134”/> </channels> </application> <serverProviders> <provider ref="wsdl" /> <formatter ref="soap" typeFilterLevel="Full" /> <formatter ref="binary" typeFilterLevel="Full" /> </serverProviders> Microsoft provides three "channels" that are used for remoting connectivity. They are the HTTP, TCP, and IPC channels. The channel that is used is specified via the <channels> element in the config file. TCP channel example: <channel ref=“tcp” port=“6134” secure="true"/> The TCP channel provides encryption and message integrity when the "secure" flag is set to "true" as shown in the above example. If the "secure" flag is not set to "true" for the TCP channel, this is a finding.
Fix Text
If .NET remoting with TCP channel is not used, this fix is Not Applicable. Ensure encryption and message integrity are used for TCP remoting channels. TCP remoting connections are protected via the secure=true configuration parameter. <channels> <channel ref="tcp" secure="true" /> </channels> Include the secure="true" flag in the channel ref parameter of the machine.config and [application name].exe.config file if the [application name].exe.config file exists on the system.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 23C37571322EA7216F197978D4B3FF97743E9C71 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration.
Fix Text
1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: 3B7C7319D6AEB5A130CFDA357A0A502827AB79ED ~~~~~ SMTP-Server Feature: Available System is not listening on port 25. Confirm there are no SMTP relays using a custom port. If no SMTP relays exist, this may be marked as 'Not Applicable'. Comments |
|||||
Check Text
Interview the System Administrator about the role of the IIS 10.0 web server. If the IIS 10.0 web server is running SMTP relay services, have the SA provide supporting documentation on how the server is hardened. A DoD-issued certificate, and specific allowed IP address should be configured. If the IIS web server is not running SMTP relay services, this is Not Applicable. If the IIS web server running SMTP relay services without TLS enabled, this is a finding. If the IIS web server running SMTP relay services is not configured to only allow a specific IP address, from the same network as the relay, this is a finding.
Fix Text
Configure the relay server with a specific allowed IP address, from the same network as the relay, and implement TLS.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: C33E388254DDCB5B7A5AA275DCEC3789FA6C6D8C ~~~~~ 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: PreventSmartScreenPromptOverride Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Prevent bypassing Microsoft Defender SmartScreen prompts for sites" must be set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "PreventSmartScreenPromptOverride" is not set to "REG_DWORD = 1", this is a finding. If this machine is on SIPRNet, this is Not Applicable.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Prevent bypassing Microsoft Defender SmartScreen prompts for sites" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 00754A8B44AD87CBB6D5FBC53E664288E16117B4 ~~~~~ 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: PreventSmartScreenPromptOverrideForFiles Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads" must be set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "PreventSmartScreenPromptOverrideForFiles" is not set to "REG_DWORD = 1", this is a finding. If this machine is on SIPRNet, this is Not Applicable.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads" must to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6A26062584CE53C883FDC08AC7C990D375CD472F ~~~~~ 'Configure InPrivate mode availability' is Enabled with 'InPrivate mode disabled' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: InPrivateModeAvailability Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Configure InPrivate mode availability" must be set to "enabled" with the option value set to "InPrivate mode disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "InPrivateModeAvailability" is not set to "REG_DWORD = 1", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Configure InPrivate mode availability" to "enabled" and select "InPrivate mode disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: A95AA40B6F30C779A0CE892F14BD0215ED60B0AA ~~~~~ 'Continue running background apps after Microsoft Edge closes' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: BackgroundModeEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Continue running background apps after Microsoft Edge closes" must be set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "BackgroundModeEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Continue running background apps after Microsoft Edge closes" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: A3DBEC9663EEDC90775D105ED8029C5BC806A409 ~~~~~ 'Default pop-up window setting' is Enabled with 'Do not allow any site to show pop-ups' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: DefaultPopupsSetting Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Default pop-up window setting" must be set to "Enabled" with the option value set to "Do not allow any site to show pop-ups". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for DefaultPopupsSetting is not set to "REG_DWORD = 2", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Default pop-up window setting" to "Enabled" with the option value set to "Do not allow any site to show pop-ups".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 859E1524C5E43114ADA3981FB6DFA4354BB11E7A ~~~~~ Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ManagedSearchEngines Value: [{"allow_search_engine_discovery": false},{"is_default": true,"name": "Microsoft Bing","keyword": "bing","search_url": "https://www.bing.com/search?q={searchTerms}"},{"name": "Google","keyword": "google","search_url": "https://www.google.com/search?q={searchTerms}"}] Type: REG_SZ Search URLs ======================= https://www.bing.com/search?q={searchTerms} https://www.google.com/search?q={searchTerms} Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Manage Search Engines" must be configured. Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge Example REG_SZ value text for "ManagedSearchEngines": [{"allow_search_engine_discovery": false},{"is_default": true,"name": "Microsoft Bing","keyword": "bing","search_url": "https://www.bing.com/search?q={searchTerms}"},{"name": "Google","keyword": "google","search_url": "https://www.google.com/search?q={searchTerms}"}] If any of the search URLs in the list do not begin with "https", this is a finding.
Fix Text
Configure the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Manage Search Engines".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: C3B61B9619246C488256EF969782678101E04209 ~~~~~ 'Enable network prediction' is Enabled with 'Don't predict network actions on any network connection' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: NetworkPredictionOptions Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable network prediction" must be set to "Enabled" with the option value set to "Don't predict network actions on any network connection". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for NetworkPredictionOptions is not set to "REG_DWORD = 2", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable network prediction" to "Enabled" with the option value set to "Don't predict network actions on any network connection".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E3CAF58DF9DE07E23A04EE57FFC5F9C8460C6537 ~~~~~ 'Enable search suggestions' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: SearchSuggestEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable search suggestions" must be set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "SearchSuggestEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable search suggestions" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: F08C62B7F2ABE15A36FB514AA57C9D82DC746279 ~~~~~ 'Allow importing of autofill form data' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ImportAutofillFormData Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of autofill form data" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportAutofillFormData" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of autofill form data" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 16BF98FC3F0EBB1565C797CB6FFC1D57C15A20D6 ~~~~~ 'Allow importing of cookies' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ImportCookies Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of cookies" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportCookies" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of cookies" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 63C9813DC2198C4155927B003A768D2286A93864 ~~~~~ 'Allow importing of extensions' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ImportExtensions Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of extensions" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportExtensions" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of extensions" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 5A369FE00E668F3D5C55ABC808997BA81CD6BF1E ~~~~~ 'Allow importing of browsing history' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ImportHistory Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of browsing history" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportHistory" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of browsing history" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 8A5E12CFE2D497A7160E25D907CE340169B6750C ~~~~~ 'Allow importing of home page settings' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ImportHomepage Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of home page settings" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportHomepage" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of home page settings" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 94DC9B1B6FE2DD930D8E55CE31A926ACC092E032 ~~~~~ 'Allow importing of open tabs' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ImportOpenTabs Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of open tabs" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportOpenTabs" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of open tabs" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 4C351B4F0B7E4589FBCAC8225414BBCC72F8003B ~~~~~ 'Allow importing of payment info' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ImportPaymentInfo Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of payment info" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportPaymentInfo" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of payment info" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 1C95A1EA9C9DCB1DC440C4F491925769F6EA7AD2 ~~~~~ 'Allow importing of saved passwords' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ImportSavedPasswords Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of saved passwords" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportSavedPasswords" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of saved passwords" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: BF82D8CD5BAE85B427F586A1EBFE413B23378C4F ~~~~~ 'Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of search engine settings' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ImportSearchEngine Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of search engine settings" must be set to "disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportSearchEngine" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of search engine settings" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 7F3AD249882C08B8647088E3B2BAE57EC9CB22F2 ~~~~~ 'Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of shortcuts' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ImportShortcuts Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of shortcuts" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportShortcuts" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of shortcuts" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 7B48931F199FBAC2686E7530ADC669B50010403D ~~~~~ 'Allow media autoplay for websites' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: AutoplayAllowed Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow media autoplay for websites" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "AutoplayAllowed" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow media autoplay for websites" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 38497FE6B80E6BB81740D721841068941DA03567 ~~~~~ 'Control use of the WebUSB API' is Enabled with 'Do not allow any site to request access to USB devices via the WebUSB API' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: DefaultWebUsbGuardSetting Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Control use of the WebUSB API" must be set to "enabled" with the option value set to "Do not allow any site to request access to USB devices via the WebUSB API". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "DefaultWebUsbGuardSetting" is not set to "REG_DWORD = 2", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Control use of the WebUSB API" to enabled" and select "Do not allow any site to request access to USB devices via the WebUSB API".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 1528C14AEEB65CCC54DF466080527EB385DF1760 ~~~~~ 'Enable Google Cast' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: EnableMediaRouter Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Cast/Enable Google Cast" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "EnableMediaRouter" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Cast/Enable Google Cast" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 77C9F2CFAD6FB07DF15769E13BF655A14D6EC237 ~~~~~ 'Control use of the Web Bluetooth API' is Enabled with 'Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: DefaultWebBluetoothGuardSetting Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Control use of the Web Bluetooth API" must be set to "enabled" with the option value set to "Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "DefaultWebBluetoothGuardSetting" is not set to "REG_DWORD = 2", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Control use of the Web Bluetooth API" to "enabled" with the option value set to "Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: D09B8C1D767D0AF121E2C7FBFDF4C858A96F2B8A ~~~~~ 'Enable AutoFill for credit cards' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: AutofillCreditCardEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable AutoFill for credit cards" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "AutofillCreditCardEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable AutoFill for credit cards" to "disabled".