| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 3BB4559735E48794BD8165BD31FB3B91B5C97D70 ~~~~~ Impersonate a client after authentication: BUILTIN\Administrators NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SERVICE Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: - Administrators - Service - Local Service - Network Service For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeImpersonatePrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) S-1-5-6 (Service) S-1-5-19 (Local Service) S-1-5-20 (Network Service) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Impersonate a client after authentication to include only the following accounts or groups: - Administrators - Service - Local Service - Network Service
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 71A81E9CA36B32AAB1ED8E7CD3EBF64365CC50CA ~~~~~ Increase scheduling priority: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeIncreaseBasePriorityPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Increase scheduling priority to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 59F1C37C37F91193AA2671D4DEFF065B9A2BCA05 ~~~~~ Load and unload device drivers: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeLoadDriverPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Load and unload device drivers to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: AA88E2DBE75A77500E026C0631E31EB834CB2521 ~~~~~ Lock pages in memory: No objects assigned to this right. Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeLockMemoryPrivilege" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Lock pages in memory to be defined but containing no entries (blank).
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: F506B79F7BAE0B4B9C26A872BD506286097A5492 ~~~~~ Manage auditing and security log: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding. - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeSecurityPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Manage auditing and security log to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 17C44C7943BC8AAB7D21F72E23CEC41AFE1A9F0C ~~~~~ Modify firmware environment values: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeSystemEnvironmentPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Modify firmware environment values to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: CF44D7B584EFD68DFC4D843B21D491E2F6848B64 ~~~~~ Perform volume maintenance tasks: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeManageVolumePrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Perform volume maintenance tasks to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 15D359836034C5F1C910175CB6D5F67772067F27 ~~~~~ Profile single process: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeProfileSingleProcessPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Profile single process to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: F888137124F8E9A99188DF6656EBE43CAAE52E7E ~~~~~ Restore files and directories: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeRestorePrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Restore files and directories to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 2EE38D6B4E98B44453F4F74A2761EDEB80FBC3B1 ~~~~~ Take ownership of files or other objects: BUILTIN\Administrators Comments |
|||||
Check Text
Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeTakeOwnershipPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Take ownership of files or other objects to include only the following accounts or groups: - Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. This is not applicable for member servers. If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: SYSTEM\CurrentControlSet\Services\Kdc Value Name: StrongCertificateBindingEnforcement Value Type: REG_DWORD Value: 0x00000001 (1) or 0x00000002 (2)
Fix Text
Configure the registry value. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: SYSTEM\CurrentControlSet\Services\Kdc Value Name: StrongCertificateBindingEnforcement Value Type: REG_DWORD Value: 0x00000001 (1) or 0x00000002 (2)
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. This is not applicable for member servers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Administrative Template >> System >> KDC >> Allow name-based strong mappings for certificates. If "Allow name-based strong mappings for certificates" is not "Enabled", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Administrative Template >> System >> KDC >> Allow name-based strong mappings for certificates to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 32DC3F7100D45592B3F29D4AE22539CF53C74144 ~~~~~ File System: Success and Failure Comments |
|||||
Check Text
Verify that Audit File System auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System. If "Audit File System" is not set to "Failure", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit File System" with "Failure" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 32DC3F7100D45592B3F29D4AE22539CF53C74144 ~~~~~ File System: Success and Failure Comments |
|||||
Check Text
Verify that Audit File System auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System. If "Audit File System" is not set to "Success", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit File System" with "Success" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 2A5E8BE97C840AD2234C85F56C64FD8BCA308F03 ~~~~~ Handle Manipulation: Success and Failure Comments |
|||||
Check Text
Verify that Audit Handle Manipulation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation. If "Audit Handle Manipulation" is not set to "Failure", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Handle Manipulation" with "Failure" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 2A5E8BE97C840AD2234C85F56C64FD8BCA308F03 ~~~~~ Handle Manipulation: Success and Failure Comments |
|||||
Check Text
Verify that Audit Handle Manipulation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation. If "Audit Handle Manipulation" is not set to "Success", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Handle Manipulation" with "Success" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 0C7E32035E54411B6E149335F5BF0ADE578354B5 ~~~~~ Registry: Success and Failure Comments |
|||||
Check Text
Verify that Audit Registry auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry. If "Audit Registry" is not set to "Failure", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Registry" with "Failure" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 0C7E32035E54411B6E149335F5BF0ADE578354B5 ~~~~~ Registry: Success and Failure Comments |
|||||
Check Text
Verify that Audit Registry auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry. If "Audit Registry" is not set to "Success", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Registry" with "Success" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 5ADFCE8D22838148E00425A6936CEA3800FE7AA9 ~~~~~ Sensitive Privilege Use: Success and Failure Comments |
|||||
Check Text
Verify that Audit Sensitive Privilege Use auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use. If "Audit Sensitive Privilege Use" is not set to "Success", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with "Success" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 5ADFCE8D22838148E00425A6936CEA3800FE7AA9 ~~~~~ Sensitive Privilege Use: Success and Failure Comments |
|||||
Check Text
Verify that Audit Sensitive Privilege Use auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use. If "Audit Sensitive Privilege Use" is not set to "Failure", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with "Failure" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 441A3895DA97E895CBFC18CFC98C8DF854F334FE ~~~~~ No printers are configured on this server so this requirement is NA. Comments |
|||||
Check Text
Open "Printers & scanners" in "Settings". If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) For each printer: Select the printer and "Manage". Select "Printer Properties". Select the "Sharing" tab. If "Share this printer" is checked, select the "Security" tab. If any standard user accounts or groups have permissions other than "Print", this is a finding. The default is for the "Everyone" group to be given "Print" permission. "All APPLICATION PACKAGES" and "CREATOR OWNER" are not standard user accounts.
Fix Text
Configure the permissions on shared printers to restrict standard users to only have Print permissions.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 9EA96422EDF496B5515908982651D9091ACEA304 ~~~~~ DomainRole: Member Server NtpClient (Local) Type: NT5DS (Local) Comments |
|||||
Check Text
Review the Windows time service configuration. Open an elevated "Command Prompt" (run as administrator). Enter "W32tm /query /configuration". Domain-joined systems (excluding the domain controller with the PDC emulator role): If the value for "Type" under "NTP Client" is not "NT5DS", this is a finding. Other systems: If systems are configured with a "Type" of "NTP", including standalone or nondomain-joined systems and the domain controller with the PDC Emulator role, and do not have a DOD time server defined for "NTPServer", this is a finding. To determine the domain controller with the PDC Emulator role: Open "PowerShell". Enter "Get-ADDomain | FT PDCEmulator".
Fix Text
Configure the system to synchronize time with an appropriate DOD time source. Domain-joined systems use NT5DS to synchronize time from other systems in the domain by default. If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers. Change "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an appropriate DOD time server. The US Naval Observatory operates stratum 1 time servers, identified at https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: FD2A5F481DC8E7F2CF188AA48C139FDEA170A28D ~~~~~ 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ Value Name: DisableIPSourceRouting Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ Value Name: DisableIPSourceRouting Type: REG_DWORD Value: 0x00000002 (2)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) to "Enabled" with "Highest protection, source routing is completely disabled" selected. This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B01D70CC85ACFF0BB8A61E31234D618894184D3B ~~~~~ 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: DisableIPSourceRouting Value Type: REG_DWORD Value: 0x00000002 (2)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) to "Enabled" with "Highest protection, source routing is completely disabled" selected. This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 1DDC780C39BA1038E120F73A8B04C0E6786A7642 ~~~~~ 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableICMPRedirect Value Type: REG_DWORD Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes to "Disabled". This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 2C22458F77057B8B0299AC398322BD1B4C853C80 ~~~~~ 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ Value Name: NoNameReleaseOnDemand Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ Value Name: NoNameReleaseOnDemand Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers to "Enabled". This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: C098CF3CC287BA2ADF7ECCD0876CB0AF916DA7DD ~~~~~ 'Turn off Inventory Collector' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat\ Value Name: DisableInventory Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppCompat\ Value Name: DisableInventory Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> Turn off Inventory Collector to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E9B6549BAE42CBD670A0DBEA8CBF0FA02AA949CD ~~~~~ 'Download Mode' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\ Value Name: DODownloadMode Value: 0x00000002 (2) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\ Value Name: DODownloadMode Value Type: REG_DWORD Value: 0x00000000 (0) - No peering (HTTP Only) 0x00000001 (1) - Peers on same NAT only (LAN) 0x00000002 (2) - Local Network / Private group peering (Group) 0x00000063 (99) - Simple download mode, no peering (Simple) A value of 0x00000003 (3), Internet, is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Delivery Optimization >> Download Mode to "Enabled" with any option except "Internet" selected. Acceptable selections include: HTTP only (0) LAN (1) Group (2) Internet (3) Simple (99)
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 596D29423B76A43C4DE1155D696635B51AB9ABD1 ~~~~~ 'Turn off heap termination on corruption' is Not Configured or Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoHeapTerminationOnCorruption Value: 0x00000000 (0) Type: REG_DWORD Comments |
|||||
Check Text
The default behavior is for File Explorer heap termination on corruption to be enabled. If the registry Value Name below does not exist, this is not a finding. If it exists and is configured with a value of "0", this is not a finding. If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoHeapTerminationOnCorruption Value Type: REG_DWORD Value: 0x00000000 (0) (or if the Value Name does not exist)
Fix Text
The default behavior is for File Explorer heap termination on corruption to be disabled. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Turn off heap termination on corruption to "Not Configured" or "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA. Comments |
|||||
Check Text
This applies to domain controllers. It is NA for other systems. Open an elevated "Command Prompt" (run as administrator). Enter "ntdsutil". At the "ntdsutil:" prompt, enter "LDAP policies". At the "ldap policy:" prompt, enter "connections". At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller). At the "server connections:" prompt, enter "q". At the "ldap policy:" prompt, enter "show values". If the value for MaxConnIdleTime is greater than "300" (5 minutes) or is not specified, this is a finding. Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. Alternately, Dsquery can be used to display MaxConnIdleTime: Open "Command Prompt (Admin)". Enter the following command (on a single line). dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding.
Fix Text
Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. Open an elevated "Command prompt" (run as administrator). Enter "ntdsutil". At the "ntdsutil:" prompt, enter "LDAP policies". At the "ldap policy:" prompt, enter "connections". At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller). At the "server connections:" prompt, enter "q". At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300". Enter "Commit Changes" to save. Enter "Show values" to verify changes. Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 94854FF1D86F23AA1E8C8DA8BD0A2FDD0916B300 ~~~~~ 'Interactive logon: Message title for users attempting to log on' is Configured Properly Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Value Name: LegalNoticeCaption Value: US Department of Defense Warning Statement Type: REG_SZ Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN22-SO-000150. Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive Logon: Message title for users attempting to log on to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN22-SO-000150.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | 2026-03-05 | |||
Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: BFB64B7D780EA1E5C79D016BA948BBC98408343C ~~~~~ 'System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode Value: 0x00000001 (1) Type: REG_DWORD Comments |
|||||
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode Value Type: REG_DWORD Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) to "Enabled".