| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-254240 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 administrative accounts must n... | - | |||
Check TextDetermine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the internet, such as web browsers, or with potential internet sources, such as email, except as necessary for local service administration. If it does not, this is a finding. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement. Fix TextEstablish a policy, at minimum, to prohibit administrative accounts from using applications that access the internet, such as web browsers, or with potential internet sources, such as email. Ensure the policy is enforced. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement. CommentsAdministrative accounts are restricted from accessing internet-based applications, with technical controls enforcing this policy to mitigate potential security risks. NOT A FINDING
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254250 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 local volumes must use a forma... | - | |||
Check TextOpen "Computer Management". Select "Disk Management" under "Storage". For each local volume, if the file system does not indicate "NTFS", this is a finding. "ReFS" (resilient file system) is also acceptable and is not a finding. CSV ( Cluster Shared Volumes) is not a finding. This does not apply to system partitions such the Recovery and EFI System Partition. Fix TextFormat volumes to use NTFS, ReFS, or CSVFS. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B264AA7347D8EF3C29987476DF98F4696DE11F0D ~~~~~ All disk file systems are NTFS or ReFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Device ID: D: Drive Type: Local Disk (3) Volume Name: PROGLOGS File System: NTFS Device ID: E: Drive Type: Local Disk (3) Volume Name: MECM File System: NTFS Device ID: I: Drive Type: Local Disk (3) Volume Name: IIS File System: NTFS
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254262 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 systems requiring data at rest... | - | |||
Check TextVerify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If they do not, this is a finding. Fix TextConfigure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest. CommentsImplemented encryption mechanisms on Windows Server 2022 systems to protect sensitive data at rest, ensuring its confidentiality and integrity in compliance with DISA STIG requirements. NOT A FINDING
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254293 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 reversible password encryption... | - | |||
Check TextVerify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Store passwords using reversible encryption" is not set to "Disabled", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "ClearTextPassword" equals "1" in the file, this is a finding. Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> Store passwords using reversible encryption to "Disabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254352 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Autoplay must be turned off fo... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Disallow Autoplay for nonvolume devices to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254353 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 default AutoRun behavior must ... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Set the default behavior for AutoRun to "Enabled" with "Do not execute any autorun commands" selected. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~ 'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254354 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 AutoPlay must be disabled for ... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Type: REG_DWORD Value: 0x000000ff (255) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Turn off AutoPlay to "Enabled" with "All Drives" selected. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~ 'Turn off AutoPlay' is Enabled with 'All Drives' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254374 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must disable the Windows Insta... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Type: REG_DWORD Value: 0x00000000 (0) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> Always install with elevated privileges to "Disabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254378 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Windows Remote Management (Win... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Type: REG_DWORD Value: 0x00000000 (0) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> Allow Basic authentication to "Disabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254381 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Windows Remote Management (Win... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Type: REG_DWORD Value: 0x00000000 (0) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> Allow Basic authentication to "Disabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254385 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must only allow administrators... | - | |||
Check TextThis applies to domain controllers. A separate version applies to other systems. Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding. Fix TextConfigure the Administrators group to include only administrator groups or accounts that are responsible for the system. Remove any standard user accounts. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254391 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 permissions on the Active Dire... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "Regedit". Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". Note the directory locations in the values for: Database log files path DSA Database file By default, they will be \Windows\NTDS. If the locations are different, the following will need to be run for each. Open "Command Prompt (Admin)". Navigate to the NTDS directory (\Windows\NTDS by default). Run "icacls *.*". If the permissions on each file are not as restrictive as the following, this is a finding: NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access Fix TextMaintain the permissions on NTDS database and log files as follows: NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254392 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Active Directory SYSVOL direct... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Open a command prompt. Run "net share". Make note of the directory location of the SYSVOL share. By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. The default permissions noted below meet this requirement: Open "Command Prompt". Run "icacls c:\Windows\SYSVOL". The following results must be displayed: NT AUTHORITY\Authenticated Users:(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) BUILTIN\Server Operators:(RX) BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) BUILTIN\Administrators:(M,WDAC,WO) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) CREATOR OWNER:(OI)(CI)(IO)(F) (RX) - Read & execute Run "icacls /help" to view definitions of other permission codes. Fix TextMaintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement: C:\Windows\SYSVOL Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read & execute - This folder, subfolder, and files Server Operators - Read & execute- This folder, subfolder, and files Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) CREATOR OWNER - Full control - Subfolders and files only Administrators - Full control - Subfolders and files only SYSTEM - Full control - This folder, subfolders, and files Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254393 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Active Directory Group Policy ... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Review the permissions on Group Policy objects. Open "Group Policy Management" (available from various menus or run "gpmc.msc"). Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). For each Group Policy object: Select the Group Policy object item in the left pane. Select the "Delegation" tab in the right pane. Select "Advanced". Select each Group or user name. View the permissions. If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the Information System Security Officer (ISSO). The default permissions noted below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button. Authenticated Users - Read, Apply group policy, Special permissions The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties: CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Fix TextMaintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement: Authenticated Users - Read, Apply group policy, Special permissions The special permissions for Authenticated Users are for Read-type Properties. CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Document any other access permissions that allow the objects to be updated with the ISSO. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254394 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Active Directory Domain Contro... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Review the permissions on the Domain Controllers OU. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Domain Controllers" OU (folder in folder icon). Right-click and select "Properties". Select the "Security" tab. If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "View" or "Edit" button. Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. CREATOR OWNER - Special permissions SELF - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Fix TextLimit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions. CREATOR OWNER - Special permissions SELF - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read types. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The special permissions for Pre-Windows 2000 Compatible Access are Read types. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254395 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 organization created Active Di... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Review the permissions on domain-defined OUs. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: Right-click the OU and select "Properties". Select the "Security" tab. If the Allow type permissions on the OU are not at least as restrictive as those below, this is a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button. Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. CREATOR OWNER - Special permissions Self - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions If an Information System Security Officer (ISSO)-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO. If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts). If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs). Fix TextMaintain the Allow type permissions on domain-defined OUs to be at least as restrictive as the defaults below. Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented. CREATOR OWNER - Special permissions Self - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read type. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The special permissions for Pre-Windows 2000 Compatible Access are for Read types. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254399 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 directory data (outside the ro... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Open "Command Prompt" (not elevated). Run "ldp.exe". From the "Connection menu", select "Bind". Clear the User, Password, and Domain fields. Select "Simple bind" for the Bind type and click "OK". Confirmation of anonymous access will be displayed at the end: res = ldap_simple_bind_s Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' From the "Browse" menu, select "Search". In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. Clear the Attributes field and select "Run". Error messages must display related to Bind and user not authenticated. If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding. The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address. Fix TextConfigure directory data (outside the root DSE) of a nonpublic directory to prevent anonymous access. For AD, there are multiple configuration items that could enable anonymous access. Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions must be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc). The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254413 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 domain controller PKI certific... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane, and then click "Add >". Select "Computer Account", and then click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage", and then click "Finish". Click "OK". Select and expand the "Certificates (Local Computer)" entry in the left pane. Select and expand the "Personal" entry in the left pane. Select the "Certificates" entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DOD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DOD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DOD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DOD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on Cyber Exchange: https://www.cyber.mil/pki-pke/tools-configuration-files. Fix TextObtain a server certificate for the domain controller issued by the DOD PKI or an approved ECA. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254414 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 PKI certificates associated wi... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Review user account mappings to PKI certificates. Open "Windows PowerShell". Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. For standard NIPRNet certificates, the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization. NIPRNet Example: Name - User Principal Name User1 - 1234567890@mil See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. Fix TextMap user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254428 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must only allow administrators... | - | |||
Check TextThis applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Open "Computer Management". Navigate to "Groups" under "Local Users and Groups". Review the local "Administrators" group. Only administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. Standard user accounts must not be members of the local Administrator group. If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding. Fix TextConfigure the local "Administrators" group to include only administrator groups or accounts responsible for administration of the system. For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. Remove any standard user accounts. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: CF7C91A195CBE710A8E0F73C0AAA4360670D7BAA ~~~~~ The following are members of the local Administrators group: --------------------- Name: SCHROEDER3\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1160972651-4155981999-2770166294-1115 Name: SCHR-P3-DP-001\DOD_Admin objectClass: User objectSID: S-1-5-21-2359828523-3188837691-268305261-1000 Name: SCHR-P3-DP-001\X_Admin objectClass: User objectSID: S-1-5-21-2359828523-3188837691-268305261-500 CommentsVerified that Windows Server 2022 only allows administrators responsible for the member server to have Administrator rights on the system. This is Not a Finding
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254441 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must be running Credential Gua... | - | |||
Check TextFor domain controllers and standalone or nondomain-joined systems, this is NA. Open "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Security Services Running" does not list "Credential Guard", this is a finding. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock) A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> Turn On Virtualization Based Security to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration". A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection provided to the affected servers that are not capable of complying with the Credential Guard requirement. Items that must be reviewed/considered for compliance or mitigation for non-Credential Guard compliance are: The use of Microsoft Local Administrator Password Solution (LAPS) or similar products to control different local administrative passwords for all affected servers. This is to include a strict password change requirement (60 days or less). .... Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions must be supplied. .... Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected servers. .... Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers. .... Windows Defender rule block credential stealing from LSASS.exe is applied. This rule can only be applied if Windows Defender is in use. .... The overall number of vulnerabilities that are unmitigated on the network/servers. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6771B96D1ED1098549965ED8F67FF9028082CC2A ~~~~~ SecurityServicesRunning: 1, 2
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254446 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must prevent local accounts wi... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Accounts: Limit local account use of blank passwords to console logon only to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF ~~~~~ 'Accounts: Limit local account use of blank passwords to console logon only' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254465 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must not allow anonymous SID/N... | - | |||
Check TextVerify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Allow anonymous SID/Name translation to "Disabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254466 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must not allow anonymous enume... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Do not allow anonymous enumeration of SAM accounts to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56 ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254467 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must not allow anonymous enume... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Do not allow anonymous enumeration of SAM accounts and shares to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254469 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must restrict anonymous access... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Restrict anonymous access to Named Pipes and Shares to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254474 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must be configured to prevent ... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Do not store LAN Manager hash value on next password change to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254475 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 LAN Manager authentication lev... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value Type: REG_DWORD Value: 0x00000005 (5) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: LAN Manager authentication level to "Send NTLMv2 response only. Refuse LM & NTLM". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 1CC5D989E6B73511369D6A08B8D0016672826C20 ~~~~~ 'Network security: LAN Manager authentication level' is Send NTLMv2 response only. Refuse LM & NTLM Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254492 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Act as part of the operating s... | - | |||
Check TextVerify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeTcbPrivilege" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060). Passwords for accounts with this user right must be protected as highly privileged accounts. Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Act as part of the operating system to be defined but containing no entries (blank). Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254496 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 create a token object user rig... | - | |||
Check TextVerify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Create a token object" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeCreateTokenPrivilege" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060). Passwords for application accounts with this user right must be protected as highly privileged accounts. Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Create a token object to be defined but containing no entries (blank). Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254500 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 debug programs user right must... | - | |||
Check TextVerify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeDebugPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060). Passwords for application accounts with this user right must be protected as highly privileged accounts. Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Debug programs to include only the following accounts or groups: - Administrators Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2 ~~~~~ Debug programs: BUILTIN\Administrators
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254238 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 users with Administrative priv... | - | |||
Check TextVerify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. Fix TextEnsure each user with administrative privileges has a separate account for user duties and one for privileged duties. CommentsAdministrative privileges are segregated by assigning dedicated accounts for administrative tasks, with enforced policies and regular audits to maintain compliance and enhance security. NOT A FINDING
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254239 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 passwords for the built-in Adm... | - | |||
Check TextIf there are no enabled local Administrator accounts, this is Not Applicable. Review the password last set date for the enabled local Administrator account. On the stand alone or domain-joined server: Open "PowerShell". Enter "Get-LocalUser | Where-Object {$_.SID -like "*500"} | ForEach-Object ($_.PasswordLastSet){"$($_.Name) password is: $([int]((Get-Date) - $_.PasswordLastSet).TotalDays) days old"}". If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer, this is a finding. Verify LAPS is configured and operational. If the system is a stand alone member server, the LAPS portion of this requirement is Not Applicable. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding. Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding. Fix TextChange the enabled local Administrator account password at least every 60 days. For domain-joined systems, Windows LAPS must be used to change the built-in Administrator account password. More information is available at: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747 https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be OPEN on 03/05/2026 ResultHash: CF568A5923900BF3889A9601FFD0FFE6DEB1930C ~~~~~ Enabled local administrator accounts with a password older than 60 days: --------------------------- Account: DOD_Admin SID: S-1-5-21-2359828523-3188837691-268305261-1000 Enabled: True Password Last Set: 11/11/2025 23:12:23 (113 days ago) LAPS Configuration: --------------------------- Policy Name: Password Settings | Password Complexity Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordComplexity Value: 4 Value Type: REG_DWORD Configured: True Policy Name: Password Settings | Password Length Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordLength Value: 14 Value Type: REG_DWORD Configured: True Policy Name: Password Settings | PasswordAge (Days) Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordAgeDays Value: 60 Value Type: REG_DWORD Configured: True CommentsWindows Server 2022 passwords for the built-in Administrator account has been changed. This is Not a Finding
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254241 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 members of the Backup Operator... | - | |||
Check TextIf no accounts are members of the Backup Operators group, this is NA. Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding. Fix TextEnsure each member of the Backup Operators group has separate accounts for backup functions and standard user functions. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be OPEN on 03/05/2026 ResultHash: 2245DCDBB4CAC4ADD9A8E14225C8F4280B87D952 ~~~~~ The following are members of the local Backup Operators group: ============== Name: SCHROEDER3\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1160972651-4155981999-2770166294-1115 CommentsWindows Server 2022 has the correct members of the Backup Operators group account for backup duties and normal operational tasks. This is Not a Finding
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254242 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 manually managed application a... | - | |||
Check TextDetermine if manually managed application/service accounts exist. If none exist, this is NA. Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 14 characters in length. If such a policy does not exist or has not been implemented, this is a finding. Fix TextEstablish a policy that requires application/service account passwords that are manually managed to be at least 14 characters in length. Ensure the policy is enforced. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6BE08ACAB8AD3365003019D2702FDF3075E0F32E ~~~~~ 'Minimum password length' is Configured MinimumPasswordLength: 14
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254243 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 manually managed application a... | - | |||
Check TextDetermine if manually managed application/service accounts exist. If none exist, this is NA. If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. Identify manually managed application/service accounts. To determine the date a password was last changed: Domain controllers: Open "PowerShell". Enter "Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. If the "PasswordLastSet" date is more than one year old, this is a finding. Member servers and standalone or nondomain-joined systems: Open "Command Prompt". Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. If the "Password Last Set" date is more than one year old, this is a finding. Fix TextChange passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. It is recommended that system-managed service accounts be used whenever possible. CommentsEnsured that passwords for manually managed application and service accounts are changed at least annually or immediately upon the departure of an administrator with knowledge of the password. NOT A FINDING
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254244 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 shared user accounts must not ... | - | |||
Check TextDetermine whether any shared accounts exist. If no shared accounts exist, this is NA. Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the Information System Security Officer (ISSO). Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. If unapproved shared accounts exist, this is a finding. Fix TextRemove unapproved shared accounts from the system. Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. CommentsEliminated unapproved shared user accounts and ensured that any necessary shared accounts are formally approved, documented, and monitored. NOT A FINDING
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254245 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must employ a deny-all, permit... | - | |||
Check TextVerify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. If an application allowlisting program is not in use on the system, this is a finding. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built in to Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. If AppLocker is used, perform the following to view the configuration of AppLocker: Open "PowerShell". If the AppLocker PowerShell module has not been imported previously, execute the following first: Import-Module AppLocker Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide Fix TextConfigure an application allowlisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built in to Windows Server. If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: 6FF711AFAE14E49C15CD28D71EFFCBA6D6AF6065 ~~~~~ AppLocker is configured but 'Appx' and/or 'Exe' rules are not enabled. Ensure an application allowlisting solution is in place and configured to a deny-all, permit-by-exception policy. AppLocker rules: --------------------------- Rule Type: Appx Enforcement Mode: NotConfigured Rule Type: Dll Enforcement Mode: AuditOnly Rule Type: Exe Enforcement Mode: AuditOnly Rule Type: Msi Enforcement Mode: AuditOnly Rule Type: Script Enforcement Mode: AuditOnly CommentsWindows Server 2022 has been configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This is Not a Finding
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254246 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 domain-joined systems must hav... | - | |||
Check TextFor standalone or nondomain-joined systems, this is NA. Verify the system has a TPM and it is ready for use. Run "tpm.msc". Review the sections in the center pane. "Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". TPM Manufacturer Information - Specific Version = 2.0 or 1.2 If a TPM is not found or is not ready for use, this is a finding. Fix TextEnsure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) The TPM must be enabled in the firmware. Run "tpm.msc" for configuration options in Windows. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be OPEN on 03/05/2026 ResultHash: 4F6E062C9AD17A9410FB01815F3313C5770EAE33 ~~~~~ No TPM has been detected on this system. CommentsWindows Server 2022 domain-joined systems has a Trusted Platform Module (TPM) enabled and ready for use. This is Not a Finding
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254247 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must be maintained at a suppor... | - | |||
Check TextOpen "Command Prompt". Enter "winver.exe". If the "About Windows" dialog box does not display "Microsoft Windows Server Version 21H1 (Build 20348.xxx)" or greater, this is a finding. Preview versions must not be used in a production environment. Fix TextUpdate the system to a Version 21H2 (Build 20348.xxx) or greater. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: D407E9034731F662CE2E7F849EE72FE3FD0AE83F ~~~~~ Operating system is 'Windows Server 2022 Standard 21H2' (10.0.20348.4773)
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254248 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must use an antivirus program. | - | |||
Check TextVerify an antivirus solution is installed on the system. The antivirus solution may be bundled with an approved host-based security solution. If there is no antivirus solution installed on the system, this is a finding. Verify if Microsoft Defender antivirus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName" Verify if third-party antivirus is in use or enabled: Open "PowerShell". Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName Fix TextIf no antivirus software is in use, install Microsoft Defender or third-party antivirus. Open "PowerShell". Enter "Install-WindowsFeature -Name Windows-Defender". For third-party antivirus, install per antivirus instructions and disable Windows Defender. Open "PowerShell". Enter "Uninstall-WindowsFeature -Name Windows-Defender". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: ED004DFCA8B66091F04DB4817B417CC1901B40D4 ~~~~~ Windows Defender Antivirus is installed and running. Feature: Windows-Defender State: Enabled Service: WinDefend Status: Running
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254249 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must have a host-based intrusi... | - | |||
Check TextDetermine if there is a HIDS and HIPS on each server. A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the information system security officer (ISSO). If a HIDS and HIPS are not installed on the system, this is a finding. Fix TextInstall a HIDS and HIPS on each server. CommentsImplemented a host-based intrusion detection and prevention system (ESS deployed/monitored from NOC) on all Windows Server 2022 systems. This system is regularly updated and monitored to detect and respond to potential security threats, ensuring compliance with DISA STIG requirements. NOT A FINDING
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254251 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 permissions for the system dri... | - | |||
Check TextThe default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN22-SO-000240). Review the permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions except where noted as defaults. Individual accounts must not be used to assign permissions. If permissions are not as restrictive as the default permissions listed below, this is a finding. Viewing in File Explorer: View the Properties of the system drive's root directory. Select the "Security" tab, and the "Advanced" button. Default permissions: C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders, and files Administrators - Full control - This folder, subfolders, and files Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only Alternately, use icacls: Open "Command Prompt (Admin)". Enter "icacls" followed by the directory: "icacls c:\" The following results must be displayed: c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files Fix TextMaintain the default permissions for the system drive's root directory and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN22-SO-000240). Default Permissions C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders, and files Administrators - Full control - This folder, subfolders, and files Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: F081F472C14C9789CFC4D12C508F7C0925558A02 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 Path: C:\ OverallState: Expected permissions in place Compliance: Compliant
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254252 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 permissions for program file d... | - | |||
Check TextThe default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN22-SO-000240). Review the permissions for the program file directories (Program Files and Program Files [x86]). Nonprivileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. Individual accounts must not be used to assign permissions. If permissions are not as restrictive as the default permissions listed below, this is a finding. Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab, and the "Advanced" button. Default permissions: \Program Files and \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files Alternately, use icacls: Open a Command prompt (admin). Enter "icacls" followed by the directory: 'icacls "c:\program files"' 'icacls "c:\program files (x86)"' The following results must be displayed for each when entered: c:\program files (c:\program files (x86)) NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files Fix TextMaintain the default permissions for the program file directories and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN22-SO-000240). Default permissions: \Program Files and \Program Files (x86) Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 67D7443EABCEBA86F318DC3E0BAE19A215A4A644 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 Path: C:\Program Files OverallState: Expected permissions in place Compliance: Compliant Path: C:\Program Files (x86) OverallState: Expected permissions in place Compliance: Compliant
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254253 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 permissions for the Windows in... | - | |||
Check TextThe default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN22-SO-000240). Review the permissions for the Windows installation directory (usually C:\Windows). Nonprivileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. Individual accounts must not be used to assign permissions. If permissions are not as restrictive as the default permissions listed below, this is a finding: Viewing in File Explorer: For each folder, view the Properties. Select the "Security" tab and the "Advanced" button. Default permissions: \Windows Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files Alternately, use icacls: Open a Command prompt (admin). Enter "icacls" followed by the directory: "icacls c:\windows" The following results must be displayed for each when entered: c:\windows NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files Fix TextMaintain the default file ACLs and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN22-SO-000240). Default permissions: Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: BEECA7612E0B6DD07552469BDA0A29F4268519F5 ~~~~~ Network access: Let Everyone permissions apply to anonymous users is set to Disabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa Value Name: EveryoneIncludesAnonymous Value 0 Path: C:\WINDOWS OverallState: Expected permissions in place Compliance: Compliant
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254254 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 default permissions for the HK... | - | |||
Check TextReview the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below. If any nonprivileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding. If permissions are not as restrictive as the default permissions listed below, this is a finding: Run "Regedit". Right-click on the registry areas noted below. Select "Permissions" and "Advanced". HKEY_LOCAL_MACHINE\SECURITY Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full Control - This key and subkeys Administrators - Special - This key and subkeys HKEY_LOCAL_MACHINE\SOFTWARE Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys HKEY_LOCAL_MACHINE\SYSTEM Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and Subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys Server Operators - Read - This Key and subkeys (Domain controllers only) Other examples under the noted keys may also be sampled. There may be some instances where nonprivileged groups have greater than Read permission. Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2022 to the following SID. This is currently not a finding. S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 If the defaults have not been changed, these are not a finding. Fix TextMaintain the default permissions for the HKEY_LOCAL_MACHINE registry hive. The default permissions of the higher-level keys are noted below. HKEY_LOCAL_MACHINE\SECURITY Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full Control - This key and subkeys Administrators - Special - This key and subkeys HKEY_LOCAL_MACHINE\SOFTWARE Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys HKEY_LOCAL_MACHINE\SYSTEM Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys ALL APPLICATION PACKAGES - Read - This key and subkeys Server Operators - Read - This Key and subkeys (Domain controllers only) Microsoft has also given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2022 to the following SID: S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6CFAAD398147CBD6AF58E8CC3C59CEF6D25F6236 ~~~~~ Path: HKLM:\SECURITY OverallState: Expected permissions in place Compliance: Compliant Path: HKLM:\SOFTWARE OverallState: Expected permissions in place Compliance: Compliant Path: HKLM:\SYSTEM OverallState: Expected permissions in place Compliance: Compliant
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254256 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 outdated or unused accounts mu... | - | |||
Check TextOpen "Windows PowerShell". Domain Controllers: Enter "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. Member servers and standalone or nondomain-joined systems: Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) "([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { $user = ([ADSI]$_.Path) $lastLogin = $user.Properties.LastLogin.Value $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 if ($lastLogin -eq $null) { $lastLogin = 'Never' } Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). For example: User1 10/31/2015 5:49:56 AM True Review the list of accounts returned by the above queries to determine the finding validity for each account reported. Exclude the following accounts: - Built-in administrator account (Renamed, SID ending in 500) - Built-in guest account (Renamed, Disabled, SID ending in 501) - Application accounts If any enabled accounts have not been logged on to within the past 35 days, this is a finding. Inactive accounts that have been reviewed and deemed to be required must be documented with the Information System Security Officer (ISSO). Fix TextRegularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: 490BD2E899FA3C7F6E247F8A18AC1F6BEB815876 ~~~~~ Failed accounts: --------------------- Name: DOD_Admin SID: S-1-5-21-2359828523-3188837691-268305261-1000 Enabled: True Last Logon: 11/11/2025 23:11:45 [113 days] CommentsWindows Server 2022 unused account has been disabled. This is Not a Finding
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254257 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 accounts must require password... | - | |||
Check TextReview the password required status for enabled user accounts. Open "PowerShell". Domain Controllers: Enter "Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs). If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding. Member servers and standalone or nondomain-joined systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. Exclude disabled accounts (e.g., DefaultAccount, Guest). If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding. Fix TextConfigure all enabled accounts to require passwords. The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: A8361572FCF4DDE4D6872D094DE902234124BB6E ~~~~~ No enabled accounts found that do not require a password.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254258 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 passwords must be configured t... | - | |||
Check TextReview the password never expires status for enabled user accounts. Open "PowerShell". Domain Controllers: Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled". Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. Member servers and standalone or nondomain-joined systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest). If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding. Fix TextConfigure all enabled user account passwords to expire. Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone or nondomain-joined systems. Document any exceptions with the information system security officer (ISSO). Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 03421DBAA63FB77EFDA8438D19174504036DC035 ~~~~~ No enabled accounts found where the password does not expire.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254259 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 system files must be monitored... | - | |||
Check TextDetermine whether the system is monitored for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding. An approved and properly configured solution will contain both a list of baselines that includes all system file locations and a file comparison task that is scheduled to run at least weekly. Fix TextMonitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools. CommentsGPO is implemented to mitigate unauthorized modifications to system files that can compromise the integrity, confidentiality, and availability of a Windows Server 2022 system. This is Not A Finding
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||