| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B2677DF844BBD760C645DA2D8809408E9415C159 ~~~~~ 'Enable AutoFill for addresses' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: AutofillAddressEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable AutoFill for addresses" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "AutofillAddressEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable AutoFill for addresses" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 759AF9B5A64AFD60ADA201529452464B1D8B669F ~~~~~ 'Enable online OCSP/CRL checks' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: EnableOnlineRevocationChecks Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable online OCSP/CRL checks" must be set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "EnableOnlineRevocationChecks" is not set to "REG_DWORD = 1", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable online OCSP/CRL checks" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B9CCB256B27A09591F64025AEF672F537D8DC814 ~~~~~ 'Allow personalization of ads, search and news by sending browsing history to Microsoft' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: PersonalizationReportingEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow personalization of ads, search and news by sending browsing history to Microsoft" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "PersonalizationReportingEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow personalization of ads, search and news by sending browsing history to Microsoft" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: DBF4B8660CC702E433B75A2A859CD9E4E1FC7B5F ~~~~~ 'Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Default geolocation setting' is Enabled with 'Don't allow any site to track users' physical location' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: DefaultGeolocationSetting Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Default geolocation setting" must be set to "enabled" with the option value set to "Don't allow any site to track users' physical location". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "DefaultGeolocationSetting" is not set to "REG_DWORD = 2", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Default geolocation setting" to "enabled" and select "Don't allow any site to track users' physical location".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: BB37C332F0F43CE9B237493C3740BF5AFCDB70DB ~~~~~ 'Computer Configuration/Administrative Templates/Microsoft Edge/Enable deleting browser and download history' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: AllowDeletingBrowserHistory Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable deleting browser and download history" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "AllowDeletingBrowserHistory" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable deleting browser and download history" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 4097A18D2792A95FE262E20A225523C05426B446 ~~~~~ 'Control which extensions cannot be installed' is Enabled (With '*' added to the list) Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallBlocklist Value Name: 1 Value: * Type: REG_SZ Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/Control which extensions cannot be installed" must be set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallBlocklist\1 If the value for "1" is not set to "REG_SZ = *", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/Control which extensions cannot be installed" to "Enabled". A list of blocklisted extensions may then be specified.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 7BCE53DE564BDFF816DA0D34AF460FA8B5561B18 ~~~~~ 'Enable saving passwords to the password manager' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: PasswordManagerEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Password manager and protection/Enable saving passwords to the password manager" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "PasswordManagerEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Password manager and protection/Enable saving passwords to the password manager" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: CDC59BF3B7F9E172DADA2D5A1B99AD5112919D25 ~~~~~ 'Enable site isolation for every site' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: SitePerProcess Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable site isolation for every site" must be set to "enabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "SitePerProcess" is not set to "REG_DWORD = 1", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable site isolation for every site" to "enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: D729C535227E8041CCECF0203A782A4147B1857A ~~~~~ 'Supported authentication schemes' is Enabled with 'ntlm,negotiate' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: AuthSchemes Value: ntlm,negotiate Type: REG_SZ Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/HTTP authentication/Supported authentication schemes" must be set to "ntlm,negotiate". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "AuthSchemes" is not set to "REG_SZ = ntlm,negotiate", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/HTTP authentication/Supported authentication schemes" to "ntlm,negotiate".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 0FE1775D93652DFC1E9031585F819F9158C92E5A ~~~~~ 'Configure Microsoft Defender SmartScreen' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: SmartScreenEnabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Configure Microsoft Defender SmartScreen" must be set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "SmartScreenEnabled" is not set to "REG_DWORD = 1", this is a finding. If this machine is on SIPRNet, this is Not Applicable.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Configure Microsoft Defender SmartScreen" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: AF7BFAF51876CD911EA583D31A1AB2F474242704 ~~~~~ 'Configure Microsoft Defender SmartScreen to block potentially unwanted apps' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: SmartScreenPuaEnabled Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Configure Microsoft Defender SmartScreen to block potentially unwanted apps" must be set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for SmartScreenPuaEnabled is not set to "REG_DWORD = 1", this is a finding. If this machine is on SIPRNet, this is Not Applicable.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Configure Microsoft Defender SmartScreen to block potentially unwanted apps" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: BFB209185613574AFDC8D1FDCE5645138B8F0AF6 ~~~~~ 'Block tracking of users' web-browsing activity' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: TrackingPrevention Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Block tracking of users' web-browsing activity" must be set to "Enabled" with the option value set to "Balanced" or "Strict". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "TrackingPrevention" is not set to "REG_DWORD = 2" or "REG_DWORD = 3", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Block tracking of users' web-browsing activity" to "Balanced" or "Strict".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: F85BD56BBF7FAFBC610EBA052F199608B6E3DE06 ~~~~~ 'Allow websites to query for available payment methods' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: PaymentMethodQueryEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow websites to query for available payment methods" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for PaymentMethodQueryEnabled is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow websites to query for available payment methods" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 5FE8B17D491D95624AA3D36520DEE4CABCA519E7 ~~~~~ 'Suggest similar pages when a webpage can't be found' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: AlternateErrorPagesEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Suggest similar pages when a webpage can't be found" must be set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for AlternateErrorPagesEnabled is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Suggest similar pages when a webpage can't be found" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: A9C3CB492BC4DCF667581F324F2BF3C87024DD4D ~~~~~ 'Allow user feedback' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: UserFeedbackAllowed Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow user feedback" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for UserFeedbackAllowed is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow user feedback" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 2D6CF3DC871908B27103BD2A0AADA788DC08FE5D ~~~~~ 'Enable the Collections feature' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: EdgeCollectionsEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable the Collections feature" must be set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "EdgeCollectionsEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable the Collections feature" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: AF9F31C9048C1464BABE364BC395F8BF0F0D2874 ~~~~~ 'Configure the Share experience' is Enabled with 'Don't allow using the Share experience' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: ConfigureShare Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Configure the Share experience" must be set to "enabled" with the option value set to "Don't allow using the Share experience". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ConfigureShare" is not set to "REG_DWORD = 1", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Configure the Share experience" to "Don't allow using the Share experience".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: C41C1EBCD929E62126289710DB0512B0C3589702 ~~~~~ 'Enable guest mode' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: BrowserGuestModeEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable guest mode" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "BrowserGuestModeEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Enable guest mode" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B57A03559EAFB980D5E9D52175B1F7A68F888C51 ~~~~~ 'Notify a user that a browser restart is recommended or required for pending updates' is Enabled with 'Required' Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: RelaunchNotification Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Notify a user that a browser restart is recommended or required for pending updates" must be set to "Enabled" with the option value set to "Required". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "RelaunchNotification" is not set to "REG_DWORD = 2", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Notify a user that a browser restart is recommended or required for pending updates" web-browsing activity to "Required".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B76F0C6311068EC7685D073365C478451F16B7A8 ~~~~~ 'Use built-in DNS client' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: BuiltInDnsClientEnabled Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Use built-in DNS client" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "BuiltInDnsClientEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Use built-in DNS client" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-12 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 9F96AAF9C4DC4B5A831AA5160BD50D280B3F5EC2 ~~~~~ 'Allow QUIC protocol' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge Value Name: QuicAllowed Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow QUIC protocol" must be set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "QuicAllowed" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow QUIC protocol" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.
Fix Text
Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be OPEN on 03/05/2026 ResultHash: CF568A5923900BF3889A9601FFD0FFE6DEB1930C ~~~~~ Enabled local administrator accounts with a password older than 60 days: --------------------------- Account: DOD_Admin SID: S-1-5-21-2359828523-3188837691-268305261-1000 Enabled: True Password Last Set: 11/11/2025 23:12:23 (113 days ago) LAPS Configuration: --------------------------- Policy Name: Password Settings | Password Complexity Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordComplexity Value: 4 Value Type: REG_DWORD Configured: True Policy Name: Password Settings | Password Length Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordLength Value: 14 Value Type: REG_DWORD Configured: True Policy Name: Password Settings | PasswordAge (Days) Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordAgeDays Value: 60 Value Type: REG_DWORD Configured: True Comments |
|||||
Check Text
If there are no enabled local Administrator accounts, this is Not Applicable. Review the password last set date for the enabled local Administrator account. On the stand alone or domain-joined server: Open "PowerShell". Enter "Get-LocalUser | Where-Object {$_.SID -like "*500"} | ForEach-Object ($_.PasswordLastSet){"$($_.Name) password is: $([int]((Get-Date) - $_.PasswordLastSet).TotalDays) days old"}". If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer, this is a finding. Verify LAPS is configured and operational. If the system is a stand alone member server, the LAPS portion of this requirement is Not Applicable. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding. Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding.
Fix Text
Change the enabled local Administrator account password at least every 60 days. For domain-joined systems, Windows LAPS must be used to change the built-in Administrator account password. More information is available at: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747 https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be OPEN on 03/05/2026 ResultHash: 2245DCDBB4CAC4ADD9A8E14225C8F4280B87D952 ~~~~~ The following are members of the local Backup Operators group: ============== Name: SCHROEDER3\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1160972651-4155981999-2770166294-1115 Comments |
|||||
Check Text
If no accounts are members of the Backup Operators group, this is NA. Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.
Fix Text
Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6BE08ACAB8AD3365003019D2702FDF3075E0F32E ~~~~~ 'Minimum password length' is Configured MinimumPasswordLength: 14 Comments |
|||||
Check Text
Determine if manually managed application/service accounts exist. If none exist, this is NA. Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 14 characters in length. If such a policy does not exist or has not been implemented, this is a finding.
Fix Text
Establish a policy that requires application/service account passwords that are manually managed to be at least 14 characters in length. Ensure the policy is enforced.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine if manually managed application/service accounts exist. If none exist, this is NA. If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. Identify manually managed application/service accounts. To determine the date a password was last changed: Domain controllers: Open "PowerShell". Enter "Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. If the "PasswordLastSet" date is more than one year old, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. If the "Password Last Set" date is more than one year old, this is a finding.
Fix Text
Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. It is recommended that system-managed service accounts be used whenever possible.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine whether any shared accounts exist. If no shared accounts exist, this is NA. Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the Information System Security Officer (ISSO). Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. If unapproved shared accounts exist, this is a finding.
Fix Text
Remove unapproved shared accounts from the system. Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: 6FF711AFAE14E49C15CD28D71EFFCBA6D6AF6065 ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Rule Type: Appx Enforcement Mode: NotConfigured Rule Type: Dll Enforcement Mode: AuditOnly Rule Type: Exe Enforcement Mode: AuditOnly Rule Type: Msi Enforcement Mode: AuditOnly Rule Type: Script Enforcement Mode: AuditOnly Comments |
|||||
Check Text
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. If an application allowlisting program is not in use on the system, this is a finding. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built in to Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. If AppLocker is used, perform the following to view the configuration of AppLocker: Open "PowerShell". If the AppLocker PowerShell module has not been imported previously, execute the following first: Import-Module AppLocker Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide
Fix Text
Configure an application allowlisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built in to Windows Server. If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be OPEN on 03/05/2026 ResultHash: 4F6E062C9AD17A9410FB01815F3313C5770EAE33 ~~~~~ No TPM has been detected on this system. Comments |
|||||
Check Text
For standalone or nondomain-joined systems, this is NA. Verify the system has a TPM and it is ready for use. Run "tpm.msc". Review the sections in the center pane. "Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". TPM Manufacturer Information - Specific Version = 2.0 or 1.2 If a TPM is not found or is not ready for use, this is a finding.
Fix Text
Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) The TPM must be enabled in the firmware. Run "tpm.msc" for configuration options in Windows.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: D407E9034731F662CE2E7F849EE72FE3FD0AE83F ~~~~~ Operating system is 'Windows Server 2022 Standard 21H2' (10.0.20348.4773) Comments |
|||||
Check Text
Open "Command Prompt". Enter "winver.exe". If the "About Windows" dialog box does not display "Microsoft Windows Server Version 21H1 (Build 20348.xxx)" or greater, this is a finding. Preview versions must not be used in a production environment.
Fix Text
Update the system to a Version 21H2 (Build 20348.xxx) or greater.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: ED004DFCA8B66091F04DB4817B417CC1901B40D4 ~~~~~ Windows Defender Antivirus is installed and running. Feature: Windows-Defender State: Enabled Service: WinDefend Status: Running Comments |
|||||
Check Text
Verify an antivirus solution is installed on the system. The antivirus solution may be bundled with an approved host-based security solution. If there is no antivirus solution installed on the system, this is a finding. Verify if Microsoft Defender antivirus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName" Verify if third-party antivirus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName
Fix Text
If no antivirus software is in use, install Microsoft Defender or third-party antivirus. Open "PowerShell". Enter "Install-WindowsFeature -Name Windows-Defender". For third-party antivirus, install per antivirus instructions and disable Windows Defender. Open "PowerShell". Enter "Uninstall-WindowsFeature -Name Windows-Defender".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine if there is a HIDS and HIPS on each server. A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the information system security officer (ISSO). If a HIDS and HIPS are not installed on the system, this is a finding.
Fix Text
Install a HIDS and HIPS on each server.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: F081F472C14C9789CFC4D12C508F7C0925558A02 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 Path: C:\ OverallState: Expected permissions in place Compliance: Compliant Comments |
|||||
Check Text
The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN22-SO-000240). Review the permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions except where noted as defaults. Individual accounts must not be used to assign permissions. If permissions are not as restrictive as the default permissions listed below, this is a finding. Viewing in File Explorer: View the Properties of the system drive's root directory. Select the "Security" tab, and the "Advanced" button. Default permissions: C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders, and files Administrators - Full control - This folder, subfolders, and files Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only Alternately, use icacls: Open "Command Prompt (Admin)". Enter "icacls" followed by the directory: "icacls c:\" The following results must be displayed: c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files
Fix Text
Maintain the default permissions for the system drive's root directory and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN22-SO-000240). Default Permissions C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders, and files Administrators - Full control - This folder, subfolders, and files Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 67D7443EABCEBA86F318DC3E0BAE19A215A4A644 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 Path: C:\Program Files OverallState: Expected permissions in place Compliance: Compliant Path: C:\Program Files (x86) OverallState: Expected permissions in place Compliance: Compliant Comments |
|||||
Check Text
The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN22-SO-000240). Review the permissions for the program file directories (Program Files and Program Files [x86]). Nonprivileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. Individual accounts must not be used to assign permissions. If permissions are not as restrictive as the default permissions listed below, this is a finding. Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: \Program Files and \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files Alternately, use icacls: Open a Command prompt (admin). Enter "icacls" followed by the directory: 'icacls "c:\program files"' 'icacls "c:\program files (x86)"' The following results must be displayed for each when entered: c:\program files (c:\program files (x86)) NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files
Fix Text
Maintain the default permissions for the program file directories and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN22-SO-000240). Default permissions: \Program Files and \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: BEECA7612E0B6DD07552469BDA0A29F4268519F5 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 Path: C:\WINDOWS OverallState: Expected permissions in place Compliance: Compliant Comments |
|||||
Check Text
The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN22-SO-000240). Review the permissions for the Windows installation directory (usually C:\Windows). Nonprivileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. Individual accounts must not be used to assign permissions. If permissions are not as restrictive as the default permissions listed below, this is a finding: Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab and the "Advanced" button. Default permissions: \Windows Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files Alternately, use icacls: Open a Command prompt (admin). Enter "icacls" followed by the directory: "icacls c:\windows" The following results must be displayed for each when entered: c:\windows NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files
Fix Text
Maintain the default file ACLs and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN22-SO-000240). Default permissions: Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6CFAAD398147CBD6AF58E8CC3C59CEF6D25F6236 ~~~~~ Path: HKLM:\SECURITY OverallState: Expected permissions in place Compliance: Compliant Path: HKLM:\SOFTWARE OverallState: Expected permissions in place Compliance: Compliant Path: HKLM:\SYSTEM OverallState: Expected permissions in place Compliance: Compliant Comments |
|||||
Check Text
Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below. If any nonprivileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding. If permissions are not as restrictive as the default permissions listed below, this is a finding: Run "Regedit". Right-click on the registry areas noted below. Select "Permissions" and "Advanced". HKEY_LOCAL_MACHINE\SECURITY Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full Control - This key and subkeys Administrators - Special - This key and subkeys HKEY_LOCAL_MACHINE\SOFTWARE Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys HKEY_LOCAL_MACHINE\SYSTEM Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and Subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys Server Operators - Read - This Key and subkeys (Domain controllers only) Other examples under the noted keys may also be sampled. There may be some instances where nonprivileged groups have greater than Read permission. Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2022 to the following SID. This is currently not a finding. S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 If the defaults have not been changed, these are not a finding.
Fix Text
Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive. The default permissions of the higher-level keys are noted below. HKEY_LOCAL_MACHINE\SECURITY Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full Control - This key and subkeys Administrators - Special - This key and subkeys HKEY_LOCAL_MACHINE\SOFTWARE Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys HKEY_LOCAL_MACHINE\SYSTEM Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys Server Operators - Read - This Key and subkeys (Domain controllers only) Microsoft has also given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2022 to the following SID: S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: 490BD2E899FA3C7F6E247F8A18AC1F6BEB815876 ~~~~~ Failed accounts: --------------------- Name: DOD_Admin SID: S-1-5-21-2359828523-3188837691-268305261-1000 Enabled: True Last Logon: 11/11/2025 23:11:45 [113 days] Comments |
|||||
Check Text
Open "Windows PowerShell". Domain Controllers: Enter "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. Member servers and standalone or nondomain-joined systems: Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) "([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { $user = ([ADSI]$_.Path) $lastLogin = $user.Properties.LastLogin.Value $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 if ($lastLogin -eq $null) { $lastLogin = 'Never' } Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). For example: User1 10/31/2015 5:49:56 AM True Review the list of accounts returned by the above queries to determine the finding validity for each account reported. Exclude the following accounts: - Built-in administrator account (Renamed, SID ending in 500) - Built-in guest account (Renamed, Disabled, SID ending in 501) - Application accounts If any enabled accounts have not been logged on to within the past 35 days, this is a finding. Inactive accounts that have been reviewed and deemed to be required must be documented with the Information System Security Officer (ISSO).
Fix Text
Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password. Comments |
|||||
Check Text
Review the password required status for enabled user accounts. Open "PowerShell". Domain Controllers: Enter "Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs). If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding. Member servers and standalone or nondomain-joined systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. Exclude disabled accounts (e.g., DefaultAccount, Guest). If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.
Fix Text
Configure all enabled accounts to require passwords. The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 03421DBAA63FB77EFDA8438D19174504036DC035 ~~~~~ No enabled accounts found where the password does not expire. Comments |
|||||
Check Text
Review the password never expires status for enabled user accounts. Open "PowerShell". Domain Controllers: Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled". Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. Member servers and standalone or nondomain-joined systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest). If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.
Fix Text
Configure all enabled user account passwords to expire. Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone or nondomain-joined systems. Document any exceptions with the information system security officer (ISSO).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
Determine whether the system is monitored for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding. An approved and properly configured solution will contain both a list of baselines that includes all system file locations and a file comparison task that is scheduled to run at least weekly.
Fix Text
Monitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: FE6E08BCA44D55D33AD47289B0481DA21EA7058A ~~~~~ Only system-created shares exist on this system so this requirement is NA. Comments |
|||||
Check Text
If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) Run "Computer Management". Navigate to System Tools >> Shared Folders >> Shares. Right-click any nonsystem-created shares. Select "Properties". Select the "Share Permissions" tab. If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding. Select the "Security" tab. If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.
Fix Text
If a nonsystem-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. Remove any unnecessary nonsystem-created shares.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6D1B1446FB5CC2634D5EADF74C6B8A5903ECB08C ~~~~~ No .p12 or .pfx certificate files found. Comments |
|||||
Check Text
Search all drives for *.p12 and *.pfx files. If any files with these extensions exist, this is a finding. This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of noncertificate installation files from systems is not required. These must be documented with the Information System Security Officer (ISSO).
Fix Text
Remove any certificate installation files (*.p12 and *.pfx) found on a system. Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsNo details recorded. Comments |
|||||
Check Text
If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented. If protection methods have not been implemented, this is a finding.
Fix Text
Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: 6EFFFCDAA74F2893347505F85C0B7A675BCD956A ~~~~~ Installed Roles: --------------------- Device Health Attestation File and Storage Services Web Server (IIS) Installed Role Services: --------------------- File and iSCSI Services File Server Storage Services Web Server Common HTTP Features Default Document Directory Browsing HTTP Errors Static Content Health and Diagnostics HTTP Logging Tracing Performance Static Content Compression Security Request Filtering Application Development .NET Extensibility 4.8 ASP.NET 4.8 ISAPI Extensions ISAPI Filters Server Side Includes Management Tools IIS Management Console Installed Features: --------------------- .NET Framework 4.8 Features .NET Framework 4.8 ASP.NET 4.8 WCF Services HTTP Activation TCP Port Sharing Azure Arc Setup Microsoft Defender Antivirus System Data Archiver Windows PowerShell Windows PowerShell 5.1 Windows Process Activation Service Process Model Configuration APIs WoW64 Support Comments |
|||||
Check Text
Required roles and features will vary based on the function of the individual system. Roles and features specifically required to be disabled per the STIG are identified in separate requirements. If the organization has not documented the roles and features required for the system(s), this is a finding. The PowerShell command "Get-WindowsFeature | Where-Object {$_. installstate -eq "Installed"} | Format-List Displayname, Name, Featuretype" will list all roles and features with an "Installed" state.
Fix Text
Document the roles and features required for the system to operate. Uninstall any that are not required.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: DDEB8EC31627B565DA9A6E2585FF589E535BD0A3 ~~~~~ Active Network Connections: --------------------------- Network Category: DomainAuthenticated Windows Firewall: Disabled Windows Firewall is disabled on one or more active network profiles. Confirm a host-based firewall is in use on this system. Comments |
|||||
Check Text
Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. The configuration requirements will be determined by the applicable firewall STIG.
Fix Text
Install and enable a host-based firewall on the system.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsNo details recorded. Comments |
|||||
Fix Text
Install a DOD-approved ESS software and ensure it is operating continuously.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: 129AAEF8C98B12262CD5814E10D70D7749FB55E0 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'temporary' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
Check Text
Review temporary user accounts for expiration dates. Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. Domain Controllers: Open "PowerShell". Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate". If "AccountExpirationDate" has not been defined within 72 hours for any temporary user account, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Run "Net user [username]", where [username] is the name of the temporary user account. If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding.
Fix Text
Configure temporary user accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under "Account" properties. Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where [username] is the name of the temporary user account. Delete any temporary user accounts that are no longer necessary.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: A2DFD837F05076354B18E9404AAC0860BC860EE5 ~~~~~ No enabled accounts found that are set to expire within 72 hours of the PasswordLastSet date. If there are enabled 'emergency' accounts currently on the system, this should be marked as Open. Otherwise, mark as Not Applicable. Comments |
|||||
Check Text
Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. Domain Controllers: Open "PowerShell". Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate". If "AccountExpirationDate" has been defined and is not within 72 hours for an emergency administrator account, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Run "Net user [username]", where [username] is the name of the emergency account. If "Account expires" has been defined and is not within 72 hours for an emergency administrator account, this is a finding.
Fix Text
Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under "Account" properties. Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where [username] is the name of the temporary user account.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 4D0C4B866AA7FEEDE82ECD2E8B4A22DEDE2618CF ~~~~~ Feature Name: Fax Expected State: Available, Removed Detected State: Available Comments |
|||||
Check Text
Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Fax". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding.
Fix Text
Uninstall the "Fax Server" role. Start "Server Manager". Select the server with the role. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Fax Server" on the "Roles" page. Click "Next" and "Remove" as prompted.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 8AB08F4114350A4A86D884EB5E8C414772162FB9 ~~~~~ Feature Name: Web-Ftp-Service Expected State: Available, Removed Detected State: Available Comments |
|||||
Check Text
If the server has the role of an FTP server, this is NA. Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Web-Ftp-Service". If "Installed State" is "Installed", this is a finding. An Installed State of "Available" or "Removed" is not a finding. If the system has the role of an FTP server, this must be documented with the Information System Security Officer (ISSO).
Fix Text
Uninstall the "FTP Server" role. Start "Server Manager". Select the server with the role. Scroll down to "ROLES AND FEATURES" in the right pane. Select "Remove Roles and Features" from the drop-down "TASKS" list. Select the appropriate server on the "Server Selection" page and click "Next". Deselect "FTP Server" under "Web Server (IIS)" on the "Roles" page. Click "Next" and "Remove" as prompted.