| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 2EE38D6B4E98B44453F4F74A2761EDEB80FBC3B1
~~~~~
Take ownership of files or other objects: BUILTIN\Administrators
Check Text
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding:
- Administrators
For server core installations, run the following command:
Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt
Review the text file.
If any SIDs other than the following are granted the "SeTakeOwnershipPrivilege" user right, this is a finding:
S-1-5-32-544 (Administrators)
If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060).
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Take ownership of files or other objects to include only the following accounts or groups:
- Administrators
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 78DBF7703C4344E1C9FEC6958B7770D32210875B
~~~~~
'Visual search enabled' is Disabled
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: VisualSearchEnabled
Value: 0x00000000 (0)
Type: REG_DWORD
Check Text
Verify the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Visual search enabled" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "VisualSearchEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Visual search enabled" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: E2685576C3025DD255C16A3C12819DC1828509E9
~~~~~
'Show Hubs Sidebar' is Disabled
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: HubsSidebarEnabled
Value: 0x00000000 (0)
Type: REG_DWORD
Check Text
Verify the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Show Hubs Sidebar" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "HubsSidebarEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Show Hubs Sidebar" to "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: CC86029292DF41B85ACCCA8CD609A962C4964A04
~~~~~
'Configure cookies' is Enabled: (Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit')
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: DefaultCookiesSetting
Value: 0x00000004 (4)
Type: REG_DWORD
Check Text
Verify the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Configure cookies" is set to "Enabled" with the option value set to "Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit'". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "DefaultCookiesSetting" is not set to "REG_DWORD = 4", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Configure cookies" to "Enabled" with the option value set to "Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit'".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: D584CFBF4BC3ECBB5AAA9121E3B5A91B09C02156
~~~~~
'Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users' is Enabled: (The plain URL without any extra information, such as the page's title.)
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: ConfigureFriendlyURLFormat
Value: 0x00000001 (1)
Type: REG_DWORD
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Configure the default paste format of URLs copied from Microsoft Edge and determine if additional formats will be available to users" must be set to "enabled" with the option value set to "The plain URL without any extra information, such as the page's title. This is the recommended option when this policy is configured. For more information, see the description.". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ConfigureFriendlyURLFormat" is not set to "REG_DWORD = 1", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Configure the default paste format of URLs copied from Microsoft Edge, and determine if additional formats will be available to users" to "enabled" and select "The plain URL without any extra information, such as the page's title. This is the recommended option when this policy is configured. For more information, see the description."
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 9C13D4E19413A0316E06B6FA6D701ADB52DBB1C6
~~~~~
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value Name: DisableRequestSmuggling
Value: 0x00000001 (1)
Type: REG_DWORD
Check Text
Open Registry Editor. Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters". Verify "DisableRequestSmuggling" is set to "1". If REG_DWORD DisableRequestSmuggling is not set to 1, this is a finding.
Fix Text
Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters". Create REG_DWORD "DisableRequestSmuggling" and set it to "1". Note: This can be performed multiple ways; this is an example.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Check Text
This applies to domain controllers. This is not applicable for member servers.
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Services\Kdc
Value Name: StrongCertificateBindingEnforcement
Value Type: REG_DWORD
Value: 0x00000001 (1) or 0x00000002 (2)
Fix Text
Configure the registry value.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SYSTEM\CurrentControlSet\Services\Kdc
Value Name: StrongCertificateBindingEnforcement
Value Type: REG_DWORD
Value: 0x00000001 (1) or 0x00000002 (2)
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Check Text
This applies to domain controllers. This is not applicable for member servers. Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Administrative Template >> System >> KDC >> Allow name-based strong mappings for certificates. If "Allow name-based strong mappings for certificates" is not "Enabled", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Administrative Template >> System >> KDC >> Allow name-based strong mappings for certificates to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 32DC3F7100D45592B3F29D4AE22539CF53C74144
~~~~~
File System: Success and Failure
Check Text
Verify that Audit File System auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System. If "Audit File System" is not set to "Failure", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit File System" with "Failure" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 32DC3F7100D45592B3F29D4AE22539CF53C74144
~~~~~
File System: Success and Failure
Check Text
Verify that Audit File System auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System. If "Audit File System" is not set to "Success", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit File System" with "Success" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 2A5E8BE97C840AD2234C85F56C64FD8BCA308F03
~~~~~
Handle Manipulation: Success and Failure
Check Text
Verify that Audit Handle Manipulation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation. If "Audit Handle Manipulation" is not set to "Failure", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Handle Manipulation" with "Failure" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 2A5E8BE97C840AD2234C85F56C64FD8BCA308F03
~~~~~
Handle Manipulation: Success and Failure
Check Text
Verify that Audit Handle Manipulation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation. If "Audit Handle Manipulation" is not set to "Success", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Handle Manipulation" with "Success" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 0C7E32035E54411B6E149335F5BF0ADE578354B5
~~~~~
Registry: Success and Failure
Check Text
Verify that Audit Registry auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry. If "Audit Registry" is not set to "Failure", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Registry" with "Failure" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 0C7E32035E54411B6E149335F5BF0ADE578354B5
~~~~~
Registry: Success and Failure
Check Text
Verify that Audit Registry auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry. If "Audit Registry" is not set to "Success", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Registry" with "Success" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 5ADFCE8D22838148E00425A6936CEA3800FE7AA9
~~~~~
Sensitive Privilege Use: Success and Failure
Check Text
Verify that Audit Sensitive Privilege Use auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use. If "Audit Sensitive Privilege Use" is not set to "Success", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with "Success" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 5ADFCE8D22838148E00425A6936CEA3800FE7AA9
~~~~~
Sensitive Privilege Use: Success and Failure
Check Text
Verify that Audit Sensitive Privilege Use auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use. If "Audit Sensitive Privilege Use" is not set to "Failure", this is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with "Failure" selected.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 03/05/2026
Site: Default Web Site
ResultHash: 104E498E88DEE469BE248058E3FD241D25AF3ECD
~~~~~
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value Name: DisableServerHeader
Value: 0x00000002 (2)
Type: REG_DWORD
Check Text
Note: If the server is hosting WSUS, this is not applicable. Open Registry Editor. Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters". Verify "DisableServerHeader" is set to "1". If REG_DWORD DisableServerHeader is not set to "1", this is a finding. If the system administrator (SA) can show that Server Version information has been removed via other means, such as using a rewrite outbound rule, this is not a finding.
Fix Text
Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters". Create REG_DWORD "DisableServerHeader" and set it to "1". Note: This can be performed multiple ways; this is an example.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 502C8B71437749D29CB3E33985BDF72B0D30248E
~~~~~
'Control access to Microsoft 365 Copilot writing assistance in Microsoft Edge for Business' is Disabled
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: ComposeInlineEnabled
Value: 0x00000000 (0)
Type: REG_DWORD
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Control access to Microsoft 365 Copilot writing assistance in Microsoft Edge for Business" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ComposeInlineEnabled" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Control access to Microsoft 365 Copilot writing assistance in Microsoft Edge for Business" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be OPEN on 03/05/2026
ResultHash: F09EC8ADFB484180B5174DA75304B712E14EBA02
~~~~~
HSTS is not enabled. FINDING.
HSTS max-age is not configured. FINDING.
HSTS includeSubDomains is enabled. NOT A FINDING.
HSTS redirectHttpToHttps is enabled. NOT A FINDING.
Check Text
Note: If the server is hosting WSUS, this is not applicable.
Note: If the server is providing OCSP or CRL, and not otherwise hosting any content, this is not applicable.
Access the IIS 10.0 Web Server.
Open IIS Manager.
Click the IIS 10.0 web server name.
Open Configuration Editor under Management.
For the Section, navigate to system.applicationHost/sites.
Expand siteDefaults and HSTS.
If enabled is not set to True, this is a finding.
If includeSubDomains is not set to True, this is a finding.
If max-age is not set to a value greater than 0, this is a finding.
If redirectHttpToHttps is not True, this is a finding.
If the website is behind a load balancer or proxy server, and HSTS enablement is handled there, this is not applicable.
If the version of Windows Server does not natively support HSTS, this is not a finding.
Fix Text
Using the Configuration Editor in the IIS Manager or PowerShell:
Enable HSTS.
Set includeSubDomains to True.
Set max-age to a value greater than 0.
Set redirectHttpToHttps to True.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 03/05/2026
ResultHash: 0E4360D1A69538A55E456743C4260C8FCE83E079
~~~~~
Installed .NET version is '4.8'. This check only applies to .NET version 4.0 specifically so this requirement is NA.
Check Text
The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x - 4.x. The requirement is Not Applicable (NA) for .NET Framework > 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.)
Open Windows explorer and search for all *.exe.config files. This requirement does not apply to the caspol.exe assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB).
To find relevant files, run the FINDSTR command from an elevated (admin) command prompt:
FINDSTR /i /s "NetFx40_LegacySecurityPolicy" c:\*.exe.config
This command will search all ".exe.config" files on the c: drive partition for the "LegacySecurityPolicy" setting. Repeat the command for each drive partition on the system.
If the .NET application configuration file uses the legacy policy element, and .NET STIG guidance that covers these legacy versions has not been applied, this is a finding.
Fix Text
The infrastructure to enable CAS exists only in .NET Framework 2.x - 4.x. The requirement is Not Applicable (NA) for .NET Framework > 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Apply the .NET Framework Security Checklist for .NET versions 1 through 3.5 when using the NetFx40_LegacySecurityPolicy setting.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: D494EFC0B5BFFA0F47A4414E95B31461DB797F2D
~~~~~
No machine.config or *.exe.config files found with 'defaultProxy enabled=false' or with 'bypasslist', 'module', or 'proxy' elements.
Check Text
Open Windows explorer and search for all "*.exe.config" and "machine.config" files. The referenced file is in the WinSxS directory (original source component file used when the Windows component was installed). If the files under WinSxS are read-only and cannot be modified, this is not a finding.
Search each file for the "defaultProxy" element.
<defaultProxy enabled="true|false" useDefaultCredentials="true|false" <bypasslist> … </bypasslist> <proxy> … </proxy> <module> … </module> />
If the "defaultProxy" setting "enabled=false" or if the "bypasslist", "module", or "proxy" child elements have configuration entries and there are no documented approvals from the authorizing official (AO), this is a finding.
If the "defaultProxy" element is empty or if "useSystemDefault=True", then the framework is using default browser settings; this is not a finding.
Fix Text
Open Windows explorer and search for all "*.exe.config" and "machine.config" files. Search each file for the "defaultProxy" element. Clear the values contained in the "defaultProxy" element, and the "bypasslist", "module", and "proxy" child elements. The IAO must provide documented approvals of any non-default proxy servers.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be OPEN on 03/05/2026
ResultHash: EC0EC4B4146EC68BE0B5FF96A0FCCA30E8EF2031
~~~~~
Improper configuration detected. Refer to https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#proxysettings
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: ProxySettings
Value: ADD YOUR PROXY CONFIGURATIONS HERE
Type: REG_SZ
Proper configuration of this setting requires that it be enclosed in { } brackets.
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Proxy server/Proxy Settings" must be "Enabled", and have a "Proxy Settings" value defined for "ProxyMode".
"ProxyMode" must be defined and set to one of the following: "direct", "system", "auto_detect", "fixed_servers", or "pac_script".
Consult Microsoft documentation for proper configuration of the text string required to define the "Proxy Settings" value.
Example: {"ProxyMode": "fixed_servers", "ProxyServer": "123.123.123.123:8080"}
Values for "ProxyPacUrl", "ProxyServer", or "ProxyBypassList" are optional.
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
If the REG_SZ value for "ProxySettings" does not have "ProxyMode" configured, this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Proxy server/Proxy Settings" to "Enabled" and define a value for "ProxyMode".
"ProxyMode" must be defined and set to one of the following: "direct", "system", "auto_detect", "fixed_servers", or "pac_script".
Consult Microsoft documentation for proper configuration of the text string required to define the "Proxy Settings" value.
Example: {"ProxyMode": "fixed_servers", "ProxyServer": "127.0.0.1:8080"}
"ProxyPacUrl", "ProxyServer", or "ProxyBypassList" are optional.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 252F745C52C3FE26367A884C0FFF075A7D5765B7
~~~~~
'Configure the list of domains for which Microsoft Defender SmartScreen won't trigger warnings' is Not Configured in Group Policy which is acceptable per the STIG.
Check Text
If this machine is on SIPRNet, this is Not Applicable.
This requirement for "SmartScreenAllowListDomains" is not required; this is optional.
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Configure the list of domains for which Microsoft Defender SmartScreen won't trigger warnings" may be set to "allow" for allowlisted domains.
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
SmartScreenAllowListDomains may be set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Edge\SmartScreenAllowListDomains\1 = mydomain.com
HKLM\SOFTWARE\Policies\Microsoft\Edge\SmartScreenAllowListDomains\2 = myagency.mil
If configured, the list of domains for which Microsoft Defender SmartScreen will not trigger warnings may be allowlisted.
Fix Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/SmartScreen settings/Configure the list of domains for which Microsoft Defender SmartScreen will not trigger warnings" may be set to "allow" for allowlisted domains.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 8FC1BA97C73E26DF2F4FFBFA42EEF58E3174020A
~~~~~
'Disable synchronization of data using Microsoft sync services' is Enabled
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: SyncDisabled
Value: 0x00000001 (1)
Type: REG_DWORD
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Disable synchronization of data using Microsoft sync services" must be set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "SyncDisabled" is not set to "REG_DWORD = 1", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Disable synchronization of data using Microsoft sync services" to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 9C262364743C3FB68606CA959D2E3A2DCA16CB69
~~~~~
'Allow importing of browser settings' is Disabled
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: ImportBrowserSettings
Value: 0x00000000 (0)
Type: REG_DWORD
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of browser settings" must be set to "disabled". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "ImportBrowserSettings" is not set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow importing of browser settings" to "disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: D0C011C3620DE26B3AC5D2A94FE6AC62E823B8E6
~~~~~
'Computer Configuration/Administrative Templates/Microsoft Edge/Control where developer tools can be used' is Enabled with 'Don't allow using the developer tools'
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: DeveloperToolsAvailability
Value: 0x00000002 (2)
Type: REG_DWORD
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Control where developer tools can be used" must be set to "enabled" with the option value set to "Don't allow using the developer tools". Use the Windows Registry Editor to navigate to the following key: HKLM\SOFTWARE\Policies\Microsoft\Edge If the value for "DeveloperToolsAvailability" is not set to "REG_DWORD = 2", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Control where developer tools can be used" to "enabled" and select "Don't allow using the developer tools".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: BE3D82589FDCADE0CBAA20C00C665847239339B7
~~~~~
'Allow download restrictions' is Enabled with (1)'BlockDangerousDownloads' or (2)'Block potentially dangerous or unwanted downloads' or (3)'Block all downloads' or (4) 'Block malicious downloads'
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: DownloadRestrictions
Value: 0x00000001 (1)
Type: REG_DWORD
Check Text
If this machine is on SIPRNet, this is Not Applicable.
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow download restrictions" must be set to "Enabled" with the option value set to "BlockDangerousDownloads", "Block potentially dangerous or unwanted downloads", or "BlockMaliciousDownloads". The more restrictive option, "Block all downloads", is also acceptable.
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
If the value for "DownloadRestrictions" is set to "REG_DWORD = 0", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow download restrictions" to "Enabled" and select one of the following: "BlockDangerousDownloads", "Block potentially dangerous or unwanted downloads", "BlockAllDownloads", or "BlockMaliciousDownloads".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) was unable to determine a Status but found the below configuration on 03/05/2026:
ResultHash: F277020857C97BCB2CDBE776BF649532A4E75FC3
~~~~~
'Allow pop-up windows on specific sites' is Configured
Allowed popups:
===========================
[*.]mil
[*.]gov
Comments
Check Text
This requirement for "Allow pop-up windows on specific sites" is not required; this is optional.
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Allow pop-up windows on specific sites" must be set to "Enabled".
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
"PopupsAllowedForUrls" must be set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Edge\PopupsAllowedForUrls\1 = mydomain.com
HKLM\SOFTWARE\Policies\Microsoft\Edge\PopupsAllowedForUrls\2 = myagency.mil
If configured, the list of domains for which Microsoft Edge allows pop-ups may be allowlisted.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Allow pop-up windows on specific sites" to "Enabled". A list of allowlisted URLs may be specified here.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 74D93E07BB01C85E69D696BD1039ECC68270753C
~~~~~
'Allow specific extensions to be installed' is Not Configured in Group Policy which is acceptable per the STIG.
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist
Value Name: (Not found)
Comments
Check Text
This requirement for "Allow specific extensions to be installed" is not required; this is optional.
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/Allow specific extensions to be installed" must be set to "Enabled".
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
"ExtensionInstallAllowlist" must be set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist\1 = "extension_id1"
HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist\2 = "extension_id2"
If configured, the list of extensions that Microsoft Edge allows to be installed may be allowlisted.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Extensions/Allow specific extensions to be installed" to "Enabled". A list of allowlisted extensions may then be specified.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 83E6551EBCA0DB90D3E94FCB2E45DB4FB4E84AAB
~~~~~
'Ask where to save downloaded files' is Enabled
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Edge
Value Name: PromptForDownloadLocation
Value: 0x00000001 (1)
Type: REG_DWORD
Comments
Check Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Ask where to save downloaded files" must be set to "enabled".
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
If the value for "PromptForDownloadLocation" is not set to "REG_DWORD = 1", this is a finding.
Fix Text
Set the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Ask where to save downloaded files" to "enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 66B7D124A0E1520B94BF24EE1F406C85600BB6A2
~~~~~
'X-Powered-By' HTTP header has been removed.
Comments
Check Text
Note: If ASP.NET is not installed, this is Not Applicable. Open the IIS 10.0 Manager. Under the "Connections" pane on the left side of the management console, select the IIS 10.0 web server. Click the HTTP Response Headers button. Click to select the “X-Powered-By” HTTP Header. If “X-Powered-By” has not been removed, this is a finding.
Fix Text
Open the IIS 10.0 Manager. Under the "Connections" pane on the left side of the management console, select the IIS 10.0 web server. Click the HTTP Response Headers button. Click to select the “X-Powered-By” HTTP Header. Click “Remove” in the Actions Panel. Note: This can be performed multiple ways; this is an example.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-12 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 53EFE8294F1A016100A439E68BDC4A955D8F191C
~~~~~
'Allow media autoplay on specific sites' is Configured
Allowed sites:
===========================
Comments
Check Text
If this machine is on SIPRNet, this is Not Applicable.
This requirement for "AutoplayAllowlist" is not required; this is optional.
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow media autoplay on specific sites" may be set to "allow" for allowlisted domains.
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
AutoplayAllowlist may be set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Edge\AutoplayAllowlist\1 = mydomain.com
HKLM\SOFTWARE\Policies\Microsoft\Edge\AutoplayAllowlist\2 = myagency.mil
If configured, the list of domains for which autoplay is allowed may be allowlisted.
Fix Text
The policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Allow media autoplay on specific sites" may be set to "allow" for allowlisted domains.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026
ResultHash: 441A3895DA97E895CBFC18CFC98C8DF854F334FE
~~~~~
No printers are configured on this server so this requirement is NA.
Comments
Check Text
Open "Printers & scanners" in "Settings". If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) For each printer: Select the printer and "Manage". Select "Printer Properties". Select the "Sharing" tab. If "Share this printer" is checked, select the "Security" tab. If any standard user accounts or groups have permissions other than "Print", this is a finding. The default is for the "Everyone" group to be given "Print" permission. "All APPLICATION PACKAGES" and "CREATOR OWNER" are not standard user accounts.
Fix Text
Configure the permissions on shared printers to restrict standard users to only have Print permissions.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 9EA96422EDF496B5515908982651D9091ACEA304
~~~~~
DomainRole: Member Server
NtpClient (Local)
Type: NT5DS (Local)
Comments
Check Text
Review the Windows time service configuration.
Open an elevated "Command Prompt" (run as administrator).
Enter "W32tm /query /configuration".
Domain-joined systems (excluding the domain controller with the PDC emulator role): If the value for "Type" under "NTP Client" is not "NT5DS", this is a finding.
Other systems: If systems are configured with a "Type" of "NTP", including standalone or nondomain-joined systems and the domain controller with the PDC Emulator role, and do not have a DOD time server defined for "NTPServer", this is a finding.
To determine the domain controller with the PDC Emulator role: Open "PowerShell". Enter "Get-ADDomain | FT PDCEmulator".
Fix Text
Configure the system to synchronize time with an appropriate DOD time source. Domain-joined systems use NT5DS to synchronize time from other systems in the domain by default. If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers. Change "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an appropriate DOD time server. The US Naval Observatory operates stratum 1 time servers, identified at https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: FD2A5F481DC8E7F2CF188AA48C139FDEA170A28D
~~~~~
'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
Value Name: DisableIPSourceRouting
Value: 0x00000002 (2)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
Value Name: DisableIPSourceRouting
Type: REG_DWORD
Value: 0x00000002 (2)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) to "Enabled" with "Highest protection, source routing is completely disabled" selected. This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: B01D70CC85ACFF0BB8A61E31234D618894184D3B
~~~~~
'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Value Name: DisableIPSourceRouting
Value: 0x00000002 (2)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Value Name: DisableIPSourceRouting
Value Type: REG_DWORD
Value: 0x00000002 (2)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) to "Enabled" with "Highest protection, source routing is completely disabled" selected. This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 1DDC780C39BA1038E120F73A8B04C0E6786A7642
~~~~~
'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is Disabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Value Name: EnableICMPRedirect
Value: 0x00000000 (0)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Value Name: EnableICMPRedirect
Value Type: REG_DWORD
Value: 0x00000000 (0)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes to "Disabled". This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 2C22458F77057B8B0299AC398322BD1B4C853C80
~~~~~
'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\
Value Name: NoNameReleaseOnDemand
Value: 0x00000001 (1)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\
Value Name: NoNameReleaseOnDemand
Value Type: REG_DWORD
Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers to "Enabled". This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: C098CF3CC287BA2ADF7ECCD0876CB0AF916DA7DD
~~~~~
'Turn off Inventory Collector' is Enabled
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat\
Value Name: DisableInventory
Value: 0x00000001 (1)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppCompat\
Value Name: DisableInventory
Type: REG_DWORD
Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> Turn off Inventory Collector to "Enabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: E9B6549BAE42CBD670A0DBEA8CBF0FA02AA949CD
~~~~~
'Download Mode' is Enabled
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\
Value Name: DODownloadMode
Value: 0x00000002 (2)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\
Value Name: DODownloadMode
Value Type: REG_DWORD
Value:
- 0x00000000 (0) - No peering (HTTP Only)
- 0x00000001 (1) - Peers on same NAT only (LAN)
- 0x00000002 (2) - Local Network / Private group peering (Group)
- 0x00000063 (99) - Simple download mode, no peering (Simple)
A value of 0x00000003 (3), Internet, is a finding.
Fix Text
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Delivery Optimization >> Download Mode to "Enabled" with any option except "Internet" selected. Acceptable selections include: HTTP only (0) LAN (1) Group (2) Internet (3) Simple (99)
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 596D29423B76A43C4DE1155D696635B51AB9ABD1
~~~~~
'Turn off heap termination on corruption' is Not Configured or Disabled
Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\
Value Name: NoHeapTerminationOnCorruption
Value: 0x00000000 (0)
Type: REG_DWORD
Comments
Check Text
The default behavior is for File Explorer heap termination on corruption to be enabled.
If the registry Value Name below does not exist, this is not a finding.
If it exists and is configured with a value of "0", this is not a finding.
If it exists and is configured with a value of "1", this is a finding.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\
Value Name: NoHeapTerminationOnCorruption
Value Type: REG_DWORD
Value: 0x00000000 (0) (or if the Value Name does not exist)
Fix Text
The default behavior is for File Explorer heap termination on corruption to be disabled. If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Turn off heap termination on corruption to "Not Configured" or "Disabled".
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026
ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E
~~~~~
System is a 'Member Server' so this requirement is NA.
Comments
Check Text
This applies to domain controllers. It is NA for other systems.
Open an elevated "Command Prompt" (run as administrator).
Enter "ntdsutil".
At the "ntdsutil:" prompt, enter "LDAP policies".
At the "ldap policy:" prompt, enter "connections".
At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller).
At the "server connections:" prompt, enter "q".
At the "ldap policy:" prompt, enter "show values".
If the value for MaxConnIdleTime is greater than "300" (5 minutes) or is not specified, this is a finding.
Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.
Alternately, Dsquery can be used to display MaxConnIdleTime:
Open "Command Prompt (Admin)".
Enter the following command (on a single line).
dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits
The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil).
If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding.
Fix Text
Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.
Open an elevated "Command prompt" (run as administrator).
Enter "ntdsutil".
At the "ntdsutil:" prompt, enter "LDAP policies".
At the "ldap policy:" prompt, enter "connections".
At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller).
At the "server connections:" prompt, enter "q".
At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300".
Enter "Commit Changes" to save.
Enter "Show values" to verify changes.
Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: 94854FF1D86F23AA1E8C8DA8BD0A2FDD0916B300
~~~~~
'Interactive logon: Message title for users attempting to log on' is Configured Properly
Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value Name: LegalNoticeCaption
Value: US Department of Defense Warning Statement
Type: REG_SZ
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
Value Name: LegalNoticeCaption
Value Type: REG_SZ
Value: See message title options below
"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent.
If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN22-SO-000150.
Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required.
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive Logon: Message title for users attempting to log on to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN22-SO-000150.
| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| SCHR-P3-DP-001 | 164.231.170.44 | | | 2026-03-05 | |

Finding Details
Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026
ResultHash: BFB64B7D780EA1E5C79D016BA948BBC98408343C
~~~~~
'System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)' is Enabled
Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\
Value Name: ProtectionMode
Value: 0x00000001 (1)
Type: REG_DWORD
Comments
Check Text
If the following registry value does not exist or is not configured as specified, this is a finding:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\
Value Name: ProtectionMode
Value Type: REG_DWORD
Value: 0x00000001 (1)
Fix Text
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) to "Enabled".