| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6386CA45E70EAC022EEE395ACF120AD858947656 ~~~~~ Enable computer and user accounts to be trusted for delegation: No objects assigned to this right. Comments |
|||||
Check Text
This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeEnableDelegationPrivilege" user right, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Enable computer and user accounts to be trusted for delegation to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 1E639BE4EE5A1CDEB45CD6D11961572DC003871E ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Installed: True Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Installed: True Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Installed: True Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 Installed: True Comments |
|||||
Check Text
The certificates and thumbprints referenced below apply to unclassified systems; refer to PKE documentation for other networks. Open "Windows PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB NotAfter: 12/30/2029 Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 NotAfter: 7/25/2032 Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B NotAfter: 6/14/2041 Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint : D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF NotAfter: 1/24/2053 11:36:17 AM Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates" and click "Add". Select "Computer account" and click "Next". Select "Local computer: (the computer this console is running on)" and click "Finish". Click "OK". Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". For each of the DoD Root CA certificates noted below: Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. DoD Root CA 3 Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB Valid to: Sunday, December 30, 2029 DoD Root CA 4 Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 Valid to: Sunday, July 25, 2032 DoD Root CA 5 Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B Valid to: Friday, June 14, 2041 DoD Root CA 6 Thumbprint: D37ECF61C0B4ED88681EF3630C4E2FC787B37AEFB Valid to: Friday, January 24, 2053
Fix Text
Install the DoD Root CA certificates: DoD Root CA 3 DoD Root CA 4 DoD Root CA 5 DoD Root CA 6 The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be OPEN on 03/05/2026 ResultHash: 4982E06E870E9B395CD6921A477687F3A80D46EF ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 Installed: False Comments |
|||||
Check Text
This is applicable to unclassified systems. It is NA for others. Open "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 NotAfter: 11/16/2024 09:57:16 AM Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates" and click "Add". Select "Computer account" and click "Next". Select "Local computer: (the computer this console is running on)" and click "Finish". Click "OK". Expand "Certificates" and navigate to Untrusted Certificates >> Certificates. For each certificate with "DoD Root CA..." under "Issued To" and "DoD Interoperability Root CA..." under "Issued By": Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. Issued To: DoD Root CA 3 Issued By: DoD Interoperability Root CA 2 Thumbprint: 49CBE933151872E17C8EAE7F0ABA97FB610F6477 Valid to: Wednesday, November 16, 2024
Fix Text
Install the DoD Interoperability Root CA cross-certificates on unclassified systems. Issued To - Issued By - Thumbprint DoD Root CA 3- DoD Interoperability Root CA 2 - 49CBE933151872E17C8EAE7F0ABA97FB610F6477 Administrators must run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. The FBCA Cross-Certificate Remover Tool and User Guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. Certificate bundles published by the PKI can be found at https://crl.gds.disa.mil/.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: A49AC51E65251963BCF59A4603952BF695EF12C6 ~~~~~ Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Installed: True Subject: CN=DoD Root CA 6, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 NotAfter: 7/18/2026 Installed: True Comments |
|||||
Check Text
This is applicable to unclassified systems. It is NA for others. Open "PowerShell" as an administrator. Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. Subject: CN=DOD Root CA 3, OU=PKI, OU=DOD, O=U.S. Government, C=US Issuer: CN=US DOD CCEB Interoperability Root CA 2, OU=PKI, OU=DOD, O=U.S. Government, C=US Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 9:56:22 AM Alternately, use the Certificates MMC snap-in: Run "MMC". Select "File", "Add/Remove Snap-in". Select "Certificates" and click "Add". Select "Computer account" and click "Next". Select "Local computer: (the computer this console is running on)" and click "Finish". Click "OK". Expand "Certificates" and navigate to Untrusted Certificates >> Certificates. For each certificate with "US DOD CCEB Interoperability Root CA ..." under "Issued By": Right-click on the certificate and select "Open". Select the "Details" tab. Scroll to the bottom and select "Thumbprint". If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. Issued To: DOD Root CA 3 Issued By: US DOD CCEB Interoperability Root CA 2 Thumbprint: 9B74964506C7ED9138070D08D5F8B969866560C8 NotAfter: 7/18/2025 Issued to: DOD Root CA 6 Issued By: US DOD CCEB Interoperability Root CA 2 Thumbprint: D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 NotAfter: 7/18/2026
Fix Text
Install the US DOD CCEB Interoperability Root CA cross-certificate on unclassified systems. Issued To - Issued By - Thumbprint DOD Root CA 3 - US DOD CCEB Interoperability Root CA 2 - 9B74964506C7ED9138070D08D5F8B969866560C8 DOD Root CA 6 -US DOD CCEB Interoperability Root CA 2 - D471CA32F7A692CE6CBB6196BD3377FE4DBCD106 Administrators must run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. The FBCA Cross-Certificate Remover Tool and User Guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. PKI can be found at https://crl.gds.disa.mil/.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 4B36C634C9C40B0094FF0676E2CD029965645B6F ~~~~~ 'Accounts: Guest account status' is Disabled EnableGuestAccount: 0 Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "EnableGuestAccount" equals "1" in the file, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Accounts: Guest account status to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 938B5D59F6EEE4836658D1458955462833BA0985 ~~~~~ 'Accounts: Rename administrator account' is Configured NewAdministratorName: X_Admin Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "NewAdministratorName" is not something other than "Administrator" in the file, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Accounts: Rename administrator account to a name other than "Administrator".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 65D963B5E42EA95D69DDA5CE0A378E6B2420D343 ~~~~~ 'Accounts: Rename guest account' is Configured NewGuestName: Visitor Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "NewGuestName" is not something other than "Guest" in the file, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Accounts: Rename guest account to a name other than "Guest".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 7AFC3CE567F252B2BE09FC92C1D55F904F5B444F ~~~~~ 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 768851CC97ECEB9EB63B747FCDA75CF7978BB583 ~~~~~ 'Domain member: Digitally encrypt or sign secure channel data (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Digitally encrypt or sign secure channel data (always) to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: F343CF439907225DA5621C3F34434F566462DD05 ~~~~~ 'Domain member: Digitally encrypt secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Digitally encrypt secure channel data (when possible) to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 36BAC351878C6C80896B265F9F8C16749B276082 ~~~~~ 'Domain member: Digitally sign secure channel data (when possible)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Digitally sign secure channel data (when possible) to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: BB635AA6841E00077B664A8F94678C4D24F2AACE ~~~~~ 'Domain member: Disable machine account password changes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Disable machine account password changes to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: FD4D63A71698777BC7EC42B1C996A91D8276371E ~~~~~ 'Domain member: Maximum machine account password age' is 30 with '0' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value: 0x0000001e (30) Type: REG_DWORD Comments |
|||||
Check Text
This is the default configuration for this setting (30 days). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge Value Type: REG_DWORD Value: 0x0000001e (30) (or less, but not 0)
Fix Text
This is the default configuration for this setting (30 days). Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Maximum machine account password age to "30" or less (excluding "0", which is unacceptable).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 7A8877B1B464B449B4A82D21A20FE09800FBA1D8 ~~~~~ 'Domain member: Require strong (Windows 2000 or Later) session key' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 0x00000001 (1) This setting may prevent a system from being joined to a domain if not configured consistently between systems.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Require strong (Windows 2000 or Later) session key to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 106D0A1D24637F2A65C89B4F7DA77EF34A14C166 ~~~~~ 'Interactive logon: Machine inactivity limit' is 900 with '0' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value: 0x00000384 (900) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs Value Type: REG_DWORD Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive logon: Machine inactivity limit to "900" seconds or less, excluding "0" which is effectively disabled.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 018D3D51B44A64283ACD50EE838B99BC47F1811C ~~~~~ 'Interactive logon: Message text for users attempting to log on' is Configured Properly Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LegalNoticeText Value: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Type: REG_SZ Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText Value Type: REG_SZ Value: See message text below You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive Logon: Message text for users attempting to log on to the following: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 8B161028B52B049F95101C070A22F225127B9051 ~~~~~ 'Interactive logon: Smart card removal behavior' is 'Lock Workstation' or 'Force Logoff' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value: 1 Type: REG_SZ Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: scremoveoption Value Type: REG_SZ Value: 1 (Lock Workstation) or 2 (Force Logoff) If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the Information System Security Officer (ISSO).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive logon: Smart card removal behavior to "Lock Workstation" or "Force Logoff".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: F3C1E8E33099B45BDB212B0519A2F33B9B2B5171 ~~~~~ 'Microsoft network client: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft network client: Digitally sign communications (always) to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 8AE5A1136C75ABE6423313D703CC15C146488D7A ~~~~~ 'Microsoft network client: Digitally sign communications (if server agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft network client: Digitally sign communications (if server agrees) to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: D6A4C224ED5457C6DAF9850BB9D0BC40612C173A ~~~~~ 'Microsoft Network Client: Send unencrypted password to third-party SMB servers' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft Network Client: Send unencrypted password to third-party SMB servers to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 899E5D4268B8FD2F2EB44326E2D59EE9E6C50F76 ~~~~~ 'Microsoft network server: Digitally sign communications (always)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft network server: Digitally sign communications (always) to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: FD8E0D554726CFB8905B2B726A4944CC4D7ACE69 ~~~~~ 'Microsoft network server: Digitally sign communications (if client agrees)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft network server: Digitally sign communications (if client agrees) to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: AC46176E36B5AD551B2D02BEF397E0465B660237 ~~~~~ 'Network access: Let Everyone permissions apply to anonymous users' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Let Everyone permissions apply to anonymous users to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 164DB84D831559475134E000319130634298EA3B ~~~~~ 'Network security: Allow Local System to use computer identity for NTLM' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Allow Local System to use computer identity for NTLM to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 5D6C0BC2C8171041F930D845BE80EE2BD8659E12 ~~~~~ 'Network security: Allow LocalSystem NULL session fallback' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Allow LocalSystem NULL session fallback to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: EAB0D07DEDC065B44229C9732CF27E1EE69C9BC7 ~~~~~ 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Allow PKU2U authentication requests to this computer to use online identities to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: EB2E1C21CBD2C88EBB89CDF510B713F7A18E062B ~~~~~ 'Network security: Configure encryption types allowed for Kerberos' is Enabled with 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, and Future encryption types' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value: 0x7ffffff8 (2147483640) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Value Type: REG_DWORD Value: 0x7ffffff8 (2147483640)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Configure encryption types allowed for Kerberos to "Enabled" with only the following selected: AES128_HMAC_SHA1 AES256_HMAC_SHA1 Future encryption types Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to allow client communication across the trust relationship.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: CFE3936D1DF99F42BB95CBA55FD8FE4C27770EE2 ~~~~~ 'Network security: LDAP client signing requirements' is Negotiate signing Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: LDAP client signing requirements to "Negotiate signing" at a minimum.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6802EBE26CD5FF48DF408F26F7CB8084098AB071 ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is Configured with 'Require NTLMv2 session security' and 'Require 128-bit encryption' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value Type: REG_DWORD Value: 0x20080000 (537395200)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Minimum session security for NTLM SSP based (including secure RPC) clients to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: DC6D70BA7750B4643BD7CE13AF8B68FBA994B3DD ~~~~~ 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is Configured with 'Require NTLMv2 session security' and 'Require 128-bit encryption' Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value: 0x20080000 (537395200) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value Type: REG_DWORD Value: 0x20080000 (537395200)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Minimum session security for NTLM SSP based (including secure RPC) servers to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E10C5B4F863FA065AD5387F2743A222FA15AA5E8 ~~~~~ 'System cryptography: Force strong key protection for user keys stored on the computer' is Configured Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ Value Name: ForceKeyProtection Type: REG_DWORD Value: 0x00000002 (2)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> System cryptography: Force strong key protection for user keys stored on the computer to "User must enter a password each time they use a key".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be OPEN on 03/05/2026 ResultHash: E46D3484D8944AFFA46967D60ACD605B428DDB1D ~~~~~ 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' is NOT Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value: 0x00000000 (0) [Expected 1] Type: REG_DWORD Comments |
|||||
Check Text
This is NA if the host is running SharePoint. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value Type: REG_DWORD Value: 0x00000001 (1) Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise the browser will not be able to connect to a secure site.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 70E59D3D7BCF2AFB0B1B2813244D3E2B6DE68BD5 ~~~~~ 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2022 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Admin Approval Mode for the Built-in Administrator account to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 3EB1B083F7DF5FA8446DC810CB471A52F4C7F8A5 ~~~~~ 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is Disabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2022 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 1DED330A39AA7F6CAC7DF413BA95D334BDB7FCD9 ~~~~~ 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is Configured Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2022 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value Type: REG_DWORD Value: 0x00000002 (2) (Prompt for consent on the secure desktop) 0x00000001 (1) (Prompt for credentials on the secure desktop)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to "Prompt for consent on the secure desktop". The more secure option for this setting, "Prompt for credentials on the secure desktop", would also be acceptable.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: BE525AED7069FB59A3EAC5D0AF05F4EE40A99E22 ~~~~~ 'User Account Control: Behavior of the elevation prompt for standard users' is Configured Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2022 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Behavior of the elevation prompt for standard users to "Automatically deny elevation requests".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: C5D7BBC45FF654CBF4E175605BDC5FD7B063BBDB ~~~~~ 'User Account Control: Detect application installations and prompt for elevation' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2022 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Detect application installations and prompt for elevation to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 06A665D592B4B23BCFB8A09B17AFF2A0D38F7E7D ~~~~~ 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2022 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Only elevate UIAccess applications that are installed in secure locations to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be OPEN on 03/05/2026 ResultHash: 357698FA2953D54C7396A10623B6A500DB0F3D95 ~~~~~ 'User Account Control: Run all administrators in Admin Approval Mode' is NOT Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value: 0x00000000 (0) [Expected 1] Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2022 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Run all administrators in Admin Approval Mode to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 3F065E81CCABC3C5F47A5BAE70F17477E17BB4EA ~~~~~ 'User Account Control: Virtualize file and registry write failures to per-user locations' is Enabled Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2022 versus Server with Desktop Experience). If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Virtualize file and registry write failures to per-user locations to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 Username: SCHROEDER3\S.Admin UserSID: S-1-5-21-1160972651-4155981999-2770166294-1108 ResultHash: E1E8733E0EB898F9D2EF428AC96620439C92F3E6 ~~~~~ 'Do not preserve zone information in file attachments' is Not Configured in group policy which is acceptable per the STIG. Registry Path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Value Name: SaveZoneInformation (Not found) Comments |
|||||
Check Text
The default behavior is for Windows to mark file attachments with their zone information. If the registry Value Name below does not exist, this is not a finding. If it exists and is configured with a value of "2", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_CURRENT_USER Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: SaveZoneInformation Value Type: REG_DWORD Value: 0x00000002 (2) (or if the Value Name does not exist)
Fix Text
The default behavior is for Windows to mark file attachments with their zone information. If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> Do not preserve zone information in file attachments to "Not Configured" or "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 87F79F66720D9E2E7AA2D4F0BD4E49B75FB81A54 ~~~~~ Access Credential Manager as a trusted caller: No objects assigned to this right. Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeTrustedCredManAccessPrivilege" user right, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Access Credential Manager as a trusted caller to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 078AAF9877C8DD4E87675C8D70F3B334B130B1F6 ~~~~~ Allow log on locally: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeInteractiveLogonRight" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Allow log on locally to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: FE97405F6D28A745E95E87B5555D354412968910 ~~~~~ Back up files and directories: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeBackupPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Back up files and directories to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 392F23BFEA1FFA843FBED2A87296251BF545F4E6 ~~~~~ Create a pagefile: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeCreatePagefilePrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Create a pagefile to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 1B5B4C099509D3018C425654D2D4FB7E1B14B154 ~~~~~ Create global objects: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: - Administrators - Service - Local Service - Network Service For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeCreateGlobalPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) S-1-5-6 (Service) S-1-5-19 (Local Service) S-1-5-20 (Network Service) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Create global objects to include only the following accounts or groups: - Administrators - Service - Local Service - Network Service
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 9E9F312FE6D327D0F8B24DB218DD2C4C9713AAB7 ~~~~~ Create permanent shared objects: No objects assigned to this right. Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeCreatePermanentPrivilege" user right, this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Create permanent shared objects to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 3CD4E9016C9F359F5DA68C3C0F6C5C9FA18CC580 ~~~~~ Create symbolic links: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeCreateSymbolicLinkPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines", SID S-1-5-83-0). This is not a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Create symbolic links to include only the following accounts or groups: - Administrators Systems that have the Hyper-V role will also have "Virtual Machines" given this user right. If this needs to be added manually, enter it as "NT Virtual Machine\Virtual Machines".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B79C184446E73079F465BE23CEE82A18CF0870A8 ~~~~~ Force shutdown from a remote system: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeRemoteShutdownPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Force shutdown from a remote system to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 2104116F3E578932C6928A7C2DD8A48B8D144C66 ~~~~~ Generate security audits: NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: - Local Service - Network Service For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeAuditPrivilege" user right, this is a finding: S-1-5-19 (Local Service) S-1-5-20 (Network Service) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Generate security audits to include only the following accounts or groups: - Local Service - Network Service