| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-235758 | CAT I | SCHR-P3-DP-001 | Microsoft Edge Security Technical Implem... | The version of Microsoft Edge running on the syste... | - | |||
Check TextCross-reference the build information displayed with the Microsoft Edge site to identify, at minimum, the oldest supported build available. If the installed version of Edge is not supported by Microsoft, this is a finding. Fix TextInstall a supported version of Edge. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-MicrosoftEdge_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: C8FEAB4CAE85FA4E90B6C6E61F778F398997D8EF ~~~~~ Microsoft Edge Version: 145.0.3800.70 CommentsThe version of Microsoft Edge running on the system is a supported version. This is Not a Finding
Source: SCHR-P3-DP-001_MSEdge_V2R4_20260305-132826.cklb
Scan Date: 2026-03-12T15:38:14.495854
Technology Area: Windows Operating System
|
||||||||
| V-218795 | CAT I | SCHR-P3-DP-001 | Microsoft IIS 10.0 Server Security Techn... | All IIS 10.0 web server sample code, example appli... | - | |||
Check TextNavigate to the following folders: inetpub\ Program Files\Common Files\System\msadc Program Files (x86)\Common Files\System\msadc If the folder or sub-folders contain any executable sample code, example applications, or tutorials which are not explicitly used by a production website, this is a finding. Fix TextRemove any executable sample code, example applications, or tutorials which are not explicitly used by a production website. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: A61E6E1F4236FBB1D74C63FF96102D9E19672555 ~~~~~ There are no files or folders with names containing 'sample' in the targeted directories. To determine the correct status, a manual review is still required to identify if any example code, example applications or tutorials exist and are not explicitly used by the production website per the check text. CommentsThere are no sample files in the targeted directories. This is Not a Finding
Source: SCHR-P3-DP-001_IIS10Server_V3R6_20260305-132942.cklb
Scan Date: 2026-03-12T15:38:14.420977
Technology Area: Web Review
|
||||||||
| V-218802 | CAT I | SCHR-P3-DP-001 | Microsoft IIS 10.0 Server Security Techn... | IIS 10.0 Web server accounts accessing the directo... | - | |||
Check TextObtain a list of the user accounts with access to the system, including all local and domain accounts. Review the privileges to the web server for each account. Verify with the system administrator or the ISSO that all privileged accounts are mission essential and documented. Verify with the system administrator or the ISSO that all non-administrator access to shell scripts and operating system functions are mission essential and documented. If undocumented privileged accounts are found, this is a finding. If undocumented non-administrator access to shell scripts and operating system functions are found, this is a finding. If this IIS 10 installation is supporting Microsoft Exchange, and not otherwise hosting any content, this requirement is Not Applicable. Fix TextEnsure non-administrators are not allowed access to the directory tree, the shell, or other operating system functions and utilities. All non-administrator access to shell scripts and operating system functions must be mission essential and documented. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: 9A3718B89C7FADF6CB49CB06D125501748FAE274 ~~~~~ Below is a list of local groups and their members (if any): Group: Access Control Assistance Operators Group: Administrators X_Admin DOD_Admin Server Administrator Group Group: Backup Operators Server Administrator Group Group: Certificate Service DCOM Access Group: Cryptographic Operators Group: Distributed COM Users Group: Event Log Readers Group: Guests Visitor Group: Hyper-V Administrators Group: IIS_IUSRS Group: Network Configuration Operators Group: Performance Log Users Group: Performance Monitor Users Group: Power Users Group: Print Operators Group: RDS Endpoint Servers Group: RDS Management Servers Group: RDS Remote Access Servers Group: Remote Desktop Users Server Administrator Group Group: Remote Management Users Group: Replicator Group: Storage Replica Administrators Group: System Managed Accounts Group DefaultAccount Group: Users INTERACTIVE Authenticated Users Domain Users CommentsRestricted system resource access to authorized administrators, enforce least privilege, disable unnecessary user access, and conduct regular audits to ensure compliance. This is Not a Finding
Source: SCHR-P3-DP-001_IIS10Server_V3R6_20260305-132942.cklb
Scan Date: 2026-03-12T15:38:14.420977
Technology Area: Web Review
|
||||||||
| V-218821 | CAT I | SCHR-P3-DP-001 | Microsoft IIS 10.0 Server Security Techn... | An IIS 10.0 web server must maintain the confident... | - | |||
Check TextAccess the IIS 10.0 Web Server. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Verify a REG_DWORD value of "0" for "DisabledByDefault". Verify a REG_DWORD value of "1" for "Enabled". Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server Verify a REG_DWORD value of "1" for "DisabledByDefault". Verify a REG_DWORD value of "0" for "Enabled". If any of the respective registry paths do not exist or are configured with the wrong value, this is a finding. SSL 3.0 is disabled by default in newer Operating Systems. If SSL 3.0 has a registry DWORD enabled with a value of 1, this is a finding. If this key is not present, this is not a finding. Fix TextAccess the IIS 10.0 Web Server. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Create a REG_DWORD named "DisabledByDefault" with a value of "0". Create a REG_DWORD named "Enabled" with a value of "1". Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server For each protocol: Create a REG_DWORD named "DisabledByDefault" with a value of "1". Create a REG_DWORD named "Enabled" with a value of "0". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B61C09790F563535A9E85CCAE0DFEC8635007810 ~~~~~ HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server ValueName 'DisabledByDefault' is '0' (REG_DWORD) ValueName 'Enabled' is '1' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD) HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server ValueName 'DisabledByDefault' is '1' (REG_DWORD) ValueName 'Enabled' is '0' (REG_DWORD)
Source: SCHR-P3-DP-001_IIS10Server_V3R6_20260305-132942.cklb
Scan Date: 2026-03-12T15:38:14.420977
Technology Area: Web Review
|
||||||||
| V-218823 | CAT I | SCHR-P3-DP-001 | Microsoft IIS 10.0 Server Security Techn... | All accounts installed with the IIS 10.0 web serve... | - | |||
Check TextAccess the IIS 10.0 web server. Access the "Apps" menu. Under "Administrative Tools", select "Computer Management". In left pane, expand "Local Users and Groups" and click "Users". Review the local users listed in the middle pane. If any local accounts are present and used by IIS 10.0, verify with System Administrator that default passwords have been changed. If passwords have not been changed from the default, this is a finding. Fix TextAccess the IIS 10.0 web server. Access the "Apps" menu. Under Administrative Tools, select Computer Management. In left pane, expand "Local Users and Groups" and click on "Users". Change passwords for any local accounts present that are used by IIS 10.0, then verify with System Administrator default passwords have been changed. Develop an internal process for changing passwords on a regular basis. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Server_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: 5A9A993DF5E4702982BD11FC1A399EF47A354B5D ~~~~~ Local user accounts on this system. Confirm if any are used by IIS and if so, verify that default passwords have been changed: Name: DOD_Admin Enabled: True SID: S-1-5-21-2359828523-3188837691-268305261-1000 Password Age: 113 days CommentsEnsured IIS 10.0 web server logs all required HTTP request details to facilitate auditing, forensic analysis, and security monitoring. This is Not a Finding
Source: SCHR-P3-DP-001_IIS10Server_V3R6_20260305-132942.cklb
Scan Date: 2026-03-12T15:38:14.420977
Technology Area: Web Review
|
||||||||
| V-218750 | CAT I | SCHR-P3-DP-001 | Microsoft IIS 10.0 Site Security Technic... | Anonymous IIS 10.0 website access accounts must be... | - | |||
Check TextCheck the account used for anonymous access to the website. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click "Authentication" in the IIS section of the website’s Home Pane. If "Anonymous access" is disabled, this is Not a Finding. If "Anonymous access" is enabled, click "Anonymous Authentication". Click "Edit" in the "Actions" pane. If the "Specific user" radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Note the account name. If nothing is tied to "Specific User", this is Not a Finding. Check privileged groups that may allow the anonymous account inappropriate membership: Open "Computer Management" on the machine. Expand "Local Users and Groups". Open "Groups". Review the members of any of the following privileged groups: Administrators Backup Operators Certificate Services (of any designation) Distributed COM Users Event Log Readers Network Configuration Operators Performance Log Users Performance Monitor Users Power Users Print Operators Remote Desktop Users Replicator Double-click each group and review its members. If the IUSR account or any account noted above used for anonymous access is a member of any group with privileged access, this is a finding. Fix TextRemove the Anonymous access account from all privileged accounts and all privileged groups. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) found this to be NOT A FINDING on 03/05/2026 Site: Default Web Site ResultHash: 11B73503DAE06F01B5185CC126C80F8941A56D00 ~~~~~ Anonymous Authentication is Enabled and using the account 'IUSR' for authentication. IUSR is not a member of any privileged groups.
Source: SCHR-P3-DP-001_IIS10Site_Default_Web_Site_V2R14_20260305-133115.cklb
Scan Date: 2026-03-12T15:38:14.459023
Technology Area: Web Review
|
||||||||
| V-218768 | CAT I | SCHR-P3-DP-001 | Microsoft IIS 10.0 Site Security Technic... | The IIS 10.0 private website must employ cryptogra... | - | |||
Check TextNotes: - If SSL is installed on load balancer/proxy server through which traffic is routed to the IIS 10.0 server, and the IIS 10.0 server receives traffic from the load balancer/proxy server, the SSL requirement must be met on the load balancer/proxy server. In this case, this requirement is not applicable. - If this is a public-facing web server, this requirement is not applicable. - If this server is hosting WSUS, this requirement is not applicable. - If the server being reviewed is hosting SharePoint, this is not applicable. - If the server being reviewed is hosting Simple Certificate Enrollment Services (SCEP), this is not applicable. - If the server being reviewed is hosting Network Device Enrollment Services (NDES), this is not applicable. - If the server is providing OCSP, and not otherwise hosting any content, this requirement is not applicable. - If the server is providing CRL, and not otherwise hosting any content, this requirement is not applicable. Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon under the "IIS" section. Verify "Require SSL" is checked. Verify "Client Certificates Required" is selected. Click the site under review. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.webServer/security/access". The value for "sslFlags" set must include "ssl128". If the "Require SSL" is not selected, this is a finding. If the "Client Certificates Required" is not selected, this is a finding. Note: "Client Certificates Required" can be considered Not Applicable in a Single Sign On (SSO) scenario where client certificates are no longer processed locally. If the "sslFlags" is not set to "ssl128", this is a finding. Fix TextFollow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Double-click the "SSL Settings" icon under the "IIS" section. Select the "Require SSL" setting. Select the "Client Certificates Required" setting. Click "Apply" in the "Actions" pane. Click the site under review. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.webServer/security/access". Click on the drop-down list for "sslFlags". Select the "Ssl128" check box. Click "Apply" in the "Actions" pane. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-IIS10_0_Site_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: Site: Default Web Site ResultHash: 6275DCDEF057117A4E22688BC519EA5B675A222E ~~~~~ The following SSL flags are missing: Ssl SslRequireCert Ssl128 CommentsThe IIS 10.0 private website employs cryptographic mechanisms (TLS) and require client certificates. This is Not a Finding Ssl, SslRequireCert, and Ssl128 are all set.
Source: SCHR-P3-DP-001_IIS10Site_Default_Web_Site_V2R14_20260305-133115.cklb
Scan Date: 2026-03-12T15:38:14.459023
Technology Area: Web Review
|
||||||||
| V-254240 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 administrative accounts must n... | - | |||
Check TextDetermine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the internet, such as web browsers, or with potential internet sources, such as email, except as necessary for local service administration. If it does not, this is a finding. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement. Fix TextEstablish a policy, at minimum, to prohibit administrative accounts from using applications that access the internet, such as web browsers, or with potential internet sources, such as email. Ensure the policy is enforced. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement. CommentsAdministrative accounts are restricted from accessing internet-based applications, with technical controls enforcing this policy to mitigate potential security risks. NOT A FINDING
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254250 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 local volumes must use a forma... | - | |||
Check TextOpen "Computer Management". Select "Disk Management" under "Storage". For each local volume, if the file system does not indicate "NTFS", this is a finding. "ReFS" (resilient file system) is also acceptable and is not a finding. CSV ( Cluster Shared Volumes) is not a finding. This does not apply to system partitions such the Recovery and EFI System Partition. Fix TextFormat volumes to use NTFS, ReFS, or CSVFS. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B264AA7347D8EF3C29987476DF98F4696DE11F0D ~~~~~ All disk file systems are NTFS or ReFS. Device ID: C: Drive Type: Local Disk (3) Volume Name: Windows File System: NTFS Device ID: D: Drive Type: Local Disk (3) Volume Name: PROGLOGS File System: NTFS Device ID: E: Drive Type: Local Disk (3) Volume Name: MECM File System: NTFS Device ID: I: Drive Type: Local Disk (3) Volume Name: IIS File System: NTFS
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254262 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 systems requiring data at rest... | - | |||
Check TextVerify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If they do not, this is a finding. Fix TextConfigure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest. CommentsImplemented encryption mechanisms on Windows Server 2022 systems to protect sensitive data at rest, ensuring its confidentiality and integrity in compliance with DISA STIG requirements. NOT A FINDING
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254293 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 reversible password encryption... | - | |||
Check TextVerify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. If the value for "Store passwords using reversible encryption" is not set to "Disabled", this is a finding. For server core installations, run the following command: Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt If "ClearTextPassword" equals "1" in the file, this is a finding. Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> Store passwords using reversible encryption to "Disabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 0C3874C178BF034376FC830F77095A4B14233118 ~~~~~ 'Store passwords using reversible encryption' is Disabled ClearTextPassword: 0
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254352 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Autoplay must be turned off fo... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Disallow Autoplay for nonvolume devices to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 06CF0EC4F30E3C377A3E10B39BA0BD384D98F394 ~~~~~ 'Disallow Autoplay for non-volume devices' is Enabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\ Value Name: NoAutoplayfornonVolume Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254353 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 default AutoRun behavior must ... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Set the default behavior for AutoRun to "Enabled" with "Do not execute any autorun commands" selected. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 763263DA63BB845D32A031E492E9C3FA975310FB ~~~~~ 'Set the default behavior for AutoRun' is Enabled with 'Do not execute any autorun commands' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoAutorun Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254354 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 AutoPlay must be disabled for ... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Type: REG_DWORD Value: 0x000000ff (255) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Turn off AutoPlay to "Enabled" with "All Drives" selected. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: AE0235811E2BDD415A15CD26D20BB620C605AC2D ~~~~~ 'Turn off AutoPlay' is Enabled with 'All Drives' Registry Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ Value Name: NoDriveTypeAutoRun Value: 0x000000ff (255) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254374 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must disable the Windows Insta... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Type: REG_DWORD Value: 0x00000000 (0) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> Always install with elevated privileges to "Disabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B8FA2EABE0FF7A96734CD88AEF585CD72E3FFAE8 ~~~~~ 'Always install with elevated privileges' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer\ Value Name: AlwaysInstallElevated Value: 0x00000000 (0) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254378 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Windows Remote Management (Win... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Type: REG_DWORD Value: 0x00000000 (0) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> Allow Basic authentication to "Disabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E4E40CE41CC8DAC825405E07025044FB81EE5440 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254381 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Windows Remote Management (Win... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Type: REG_DWORD Value: 0x00000000 (0) Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> Allow Basic authentication to "Disabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 68310D9F3AC255CDE6A52457A3F8A1FBA287B140 ~~~~~ 'Allow Basic authentication' is Disabled Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ Value Name: AllowBasic Value: 0x00000000 (0) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254385 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must only allow administrators... | - | |||
Check TextThis applies to domain controllers. A separate version applies to other systems. Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. Standard user accounts must not be members of the local administrator group. If prohibited accounts are members of the local administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding. Fix TextConfigure the Administrators group to include only administrator groups or accounts that are responsible for the system. Remove any standard user accounts. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254391 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 permissions on the Active Dire... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "Regedit". Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". Note the directory locations in the values for: Database log files path DSA Database file By default, they will be \Windows\NTDS. If the locations are different, the following will need to be run for each. Open "Command Prompt (Admin)". Navigate to the NTDS directory (\Windows\NTDS by default). Run "icacls *.*". If the permissions on each file are not as restrictive as the following, this is a finding: NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access Fix TextMaintain the permissions on NTDS database and log files as follows: NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) (I) - permission inherited from parent container (F) - full access Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254392 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Active Directory SYSVOL direct... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Open a command prompt. Run "net share". Make note of the directory location of the SYSVOL share. By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. The default permissions noted below meet this requirement: Open "Command Prompt". Run "icacls c:\Windows\SYSVOL". The following results must be displayed: NT AUTHORITY\Authenticated Users:(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) BUILTIN\Server Operators:(RX) BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) BUILTIN\Administrators:(M,WDAC,WO) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) CREATOR OWNER:(OI)(CI)(IO)(F) (RX) - Read & execute Run "icacls /help" to view definitions of other permission codes. Fix TextMaintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement: C:\Windows\SYSVOL Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read & execute - This folder, subfolder, and files Server Operators - Read & execute- This folder, subfolder, and files Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) CREATOR OWNER - Full control - Subfolders and files only Administrators - Full control - Subfolders and files only SYSTEM - Full control - This folder, subfolders, and files Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254393 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Active Directory Group Policy ... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Review the permissions on Group Policy objects. Open "Group Policy Management" (available from various menus or run "gpmc.msc"). Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). For each Group Policy object: Select the Group Policy object item in the left pane. Select the "Delegation" tab in the right pane. Select "Advanced". Select each Group or user name. View the permissions. If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the Information System Security Officer (ISSO). The default permissions noted below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button. Authenticated Users - Read, Apply group policy, Special permissions The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties: CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Fix TextMaintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement: Authenticated Users - Read, Apply group policy, Special permissions The special permissions for Authenticated Users are for Read-type Properties. CREATOR OWNER - Special permissions SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Document any other access permissions that allow the objects to be updated with the ISSO. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254394 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Active Directory Domain Contro... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Review the permissions on the Domain Controllers OU. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Select "Advanced Features" in the "View" menu if not previously selected. Select the "Domain Controllers" OU (folder in folder icon). Right-click and select "Properties". Select the "Security" tab. If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "View" or "Edit" button. Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. CREATOR OWNER - Special permissions SELF - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Fix TextLimit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators. The default permissions listed below satisfy this requirement. Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions. CREATOR OWNER - Special permissions SELF - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read types. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The special permissions for Pre-Windows 2000 Compatible Access are Read types. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254395 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 organization created Active Di... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Review the permissions on domain-defined OUs. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu. For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: Right-click the OU and select "Properties". Select the "Security" tab. If the Allow type permissions on the OU are not at least as restrictive as those below, this is a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button. Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. CREATOR OWNER - Special permissions Self - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions If an Information System Security Officer (ISSO)-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO. If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts). If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs). Fix TextMaintain the Allow type permissions on domain-defined OUs to be at least as restrictive as the defaults below. Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented. CREATOR OWNER - Special permissions Self - Special permissions Authenticated Users - Read, Special permissions The special permissions for Authenticated Users are Read type. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The special permissions for Pre-Windows 2000 Compatible Access are for Read types. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254399 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 directory data (outside the ro... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Open "Command Prompt" (not elevated). Run "ldp.exe". From the "Connection menu", select "Bind". Clear the User, Password, and Domain fields. Select "Simple bind" for the Bind type and click "OK". Confirmation of anonymous access will be displayed at the end: res = ldap_simple_bind_s Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' From the "Browse" menu, select "Search". In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. Clear the Attributes field and select "Run". Error messages must display related to Bind and user not authenticated. If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding. The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address. Fix TextConfigure directory data (outside the root DSE) of a nonpublic directory to prevent anonymous access. For AD, there are multiple configuration items that could enable anonymous access. Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions must be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc). The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254413 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 domain controller PKI certific... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Run "MMC". Select "Add/Remove Snap-in" from the "File" menu. Select "Certificates" in the left pane, and then click "Add >". Select "Computer Account", and then click "Next". Select the appropriate option for "Select the computer you want this snap-in to manage", and then click "Finish". Click "OK". Select and expand the "Certificates (Local Computer)" entry in the left pane. Select and expand the "Personal" entry in the left pane. Select the "Certificates" entry in the left pane. In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DOD PKI or an approved ECA, this is a finding. If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. There are multiple sources from which lists of valid DOD CAs and approved ECAs can be obtained: The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. DOD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DOD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on Cyber Exchange: https://www.cyber.mil/pki-pke/tools-configuration-files. Fix TextObtain a server certificate for the domain controller issued by the DOD PKI or an approved ECA. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254414 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 PKI certificates associated wi... | - | |||
Check TextThis applies to domain controllers. It is NA for other systems. Review user account mappings to PKI certificates. Open "Windows PowerShell". Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. For standard NIPRNet certificates, the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization. NIPRNet Example: Name - User Principal Name User1 - 1234567890@mil See PKE documentation for other network domain suffixes. If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. Fix TextMap user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254428 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must only allow administrators... | - | |||
Check TextThis applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Open "Computer Management". Navigate to "Groups" under "Local Users and Groups". Review the local "Administrators" group. Only administrator groups or accounts responsible for administration of the system may be members of the group. For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. Standard user accounts must not be members of the local Administrator group. If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding. If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding. Fix TextConfigure the local "Administrators" group to include only administrator groups or accounts responsible for administration of the system. For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. Remove any standard user accounts. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) was unable to determine a Status but found the below configuration on 03/05/2026: ResultHash: CF7C91A195CBE710A8E0F73C0AAA4360670D7BAA ~~~~~ The following are members of the local Administrators group: --------------------- Name: SCHROEDER3\Server Administrator Group objectClass: Group objectSID: S-1-5-21-1160972651-4155981999-2770166294-1115 Name: SCHR-P3-DP-001\DOD_Admin objectClass: User objectSID: S-1-5-21-2359828523-3188837691-268305261-1000 Name: SCHR-P3-DP-001\X_Admin objectClass: User objectSID: S-1-5-21-2359828523-3188837691-268305261-500 CommentsVerified that Windows Server 2022 only allows administrators responsible for the member server to have Administrator rights on the system. This is Not a Finding
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254441 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must be running Credential Gua... | - | |||
Check TextFor domain controllers and standalone or nondomain-joined systems, this is NA. Open "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Security Services Running" does not list "Credential Guard", this is a finding. The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock) A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements Fix TextConfigure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> Turn On Virtualization Based Security to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration". A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection provided to the affected servers that are not capable of complying with the Credential Guard requirement. Items that must be reviewed/considered for compliance or mitigation for non-Credential Guard compliance are: The use of Microsoft Local Administrator Password Solution (LAPS) or similar products to control different local administrative passwords for all affected servers. This is to include a strict password change requirement (60 days or less). .... Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions must be supplied. .... Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected servers. .... Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers. .... Windows Defender rule block credential stealing from LSASS.exe is applied. This rule can only be applied if Windows Defender is in use. .... The overall number of vulnerabilities that are unmitigated on the network/servers. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6771B96D1ED1098549965ED8F67FF9028082CC2A ~~~~~ SecurityServicesRunning: 1, 2
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254446 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must prevent local accounts wi... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Accounts: Limit local account use of blank passwords to console logon only to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 7AC1D020AB6148539D57E4FB73B39D6CD29DBDBF ~~~~~ 'Accounts: Limit local account use of blank passwords to console logon only' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LimitBlankPasswordUse Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254465 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must not allow anonymous SID/N... | - | |||
Check TextVerify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Allow anonymous SID/Name translation to "Disabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: A51800A7EB71E8DB49CCE183B779719692119D7F ~~~~~ 'Network access: Allow anonymous SID/Name translation' is Disabled LSAAnonymousNameLookup: 0
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254466 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must not allow anonymous enume... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Do not allow anonymous enumeration of SAM accounts to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 626DA34A65C05C1C220101534FE1788BBD495E56 ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254467 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must not allow anonymous enume... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Do not allow anonymous enumeration of SAM accounts and shares to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 4B5021F1C8C390A907EFF7C0B541B8772B1C668D ~~~~~ 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254469 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must restrict anonymous access... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Restrict anonymous access to Named Pipes and Shares to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E07BBC4D71D24D912C7B7521C5945409D833E711 ~~~~~ 'Network access: Restrict anonymous access to Named Pipes and Shares' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254474 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 must be configured to prevent ... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value Type: REG_DWORD Value: 0x00000001 (1) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Do not store LAN Manager hash value on next password change to "Enabled". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 59F308CA0C17B53FC330F51C46C1E3AB01AF5CBA ~~~~~ 'Network security: Do not store LAN Manager hash value on next password change' is Enabled Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash Value: 0x00000001 (1) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254475 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 LAN Manager authentication lev... | - | |||
Check TextIf the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value Type: REG_DWORD Value: 0x00000005 (5) Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: LAN Manager authentication level to "Send NTLMv2 response only. Refuse LM & NTLM". Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 1CC5D989E6B73511369D6A08B8D0016672826C20 ~~~~~ 'Network security: LAN Manager authentication level' is Send NTLMv2 response only. Refuse LM & NTLM Registry Path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: LmCompatibilityLevel Value: 0x00000005 (5) Type: REG_DWORD
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254492 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 Act as part of the operating s... | - | |||
Check TextVerify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeTcbPrivilege" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060). Passwords for accounts with this user right must be protected as highly privileged accounts. Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Act as part of the operating system to be defined but containing no entries (blank). Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: FE3BC21CE05FC8AF06B5779CBF8444CACC0434C3 ~~~~~ Act as part of the operating system: No objects assigned to this right.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254496 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 create a token object user rig... | - | |||
Check TextVerify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Create a token object" user right, this is a finding. For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs are granted the "SeCreateTokenPrivilege" user right, this is a finding. If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060). Passwords for application accounts with this user right must be protected as highly privileged accounts. Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Create a token object to be defined but containing no entries (blank). Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: DC364635E02E4550D6A89063BCA91A5342767023 ~~~~~ Create a token object: No objects assigned to this right.
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-254500 | CAT I | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 debug programs user right must... | - | |||
Check TextVerify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: - Administrators For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If any SIDs other than the following are granted the "SeDebugPrivilege" user right, this is a finding: S-1-5-32-544 (Administrators) If an application requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the Information System Security Officer (ISSO). The application account must meet requirements for application account passwords, such as length (WN22-00-000050) and required frequency of changes (WN22-00-000060). Passwords for application accounts with this user right must be protected as highly privileged accounts. Fix TextConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Debug programs to include only the following accounts or groups: - Administrators Finding DetailsEvaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E5554733A1BAD484044698CCA1825B99C1BA28E2 ~~~~~ Debug programs: BUILTIN\Administrators
Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System
|
||||||||
| V-225223 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | Digital signatures assigned to strongly named asse... | - | |||
Check TextUse regedit to review the Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key. If the StrongName\Verification key does not exist, this is not a finding. If there are assemblies or hash values listed in this key, each value represents a distinct application assembly that does not have the application strong name verified. If any assemblies are listed as omitting strong name verification in a production environment, this is a finding. If any assemblies are listed as omitting strong name verification in a development or test environment and the IAO has not provided documented approvals, this is a finding. Fix TextUse regedit to remove the values stored in Windows registry key HKLM\Software\Microsoft\StrongName\Verification. There should be no assemblies or hash values listed under this registry key. All assemblies must require strong name verification in a production environment. Strong name assemblies that do not require verification in a development or test environment must have documented approvals from the IAO. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: B3CB706A6ADDE1748C32DB756BC478CBF6005E4B ~~~~~ HKLM:\SOFTWARE\Microsoft\StrongName\Verification exists but no values were found within.
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225224 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | The Trust Providers Software Publishing State must... | - | |||
Check TextIf the system or application being reviewed is SIPR based, this finding is NA. This check must be performed for each user on the system. Use regedit to locate "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State". If the State value for any user is not set to the hexadecimal value of 0x23C00, this is a finding. Fix TextThis fix must be performed for each user on the system. Using regedit, change the hexadecimal value of the "HKEY_USER\[UNIQUE USER SID VALUE]\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State" registry key to 0x23C00. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 76CBF5A7C87686EA51FA77410808A92FDB3A947F ~~~~~ All user profiles have State configured to 0x00023c00
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225225 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | Developer certificates used with the .NET Publishe... | - | |||
Check TextThe infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. This requirement is Not Applicable (NA) for .NET Framework greater than 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. The location of the caspol utility is dependent upon the system architecture of the system running .Net. For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319. For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. Example: cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319 To check code groups for the machine, run the following command: caspol.exe -m -lg Sample Results: Microsoft (R) .NET Framework CasPol 4.0.30319.1 Copyright (c) Microsoft Corporation. All rights reserved. Policy change prompt is ON Level = Machine Code Groups: 1. All code: Nothing 1.1. Zone - MyComputer: FullTrust (LevelFinal) 1.1.1. StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust 1.1.2. StrongName - 00000000000000000400000000000000: FullTrust 1.2. Zone - Intranet: LocalIntranet 1.2.1. All code: Same site Web 1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery' 1.3. Zone - Internet: Internet 1.3.1. All code: Same site Web 1.4. Zone - Untrusted: Nothing 1.5. (First Match) Zone - Trusted: Internet 1.5.1. All code: Same site Web 1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust Success Section 1.6 above indicates the presence of a publisher's key that meets the Publisher's Membership Condition and is also given full trust. If the Publisher Membership Condition is used on a nondefault Code Group and the use of that publisher's certificate is not documented and approved by the ISSO, this is a finding. Fix TextTrust must be established when utilizing Publishers Membership Condition. All publisher's certificates must have documented approvals from the ISSO. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 0E4360D1A69538A55E456743C4260C8FCE83E079 ~~~~~ Installed .NET version is '4.8'. This check only applies to .NET version 4.0 specifically so this requirement is NA.
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225226 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | Encryption keys used for the .NET Strong Name Memb... | - | |||
Check TextIf the application is a COTS product, this requirement is Not Applicable (NA). The infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Caspol.exe is a Microsoft tool used for working with .Net policy. Use caspol.exe to list the code groups and any publisher membership conditions. The location of the caspol utility is dependent upon the system architecture of the system running .Net. For 32 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319. For 64 bit systems, caspol.exe is located at %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319. Example: cd %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319 To check code groups, run the following command: caspol.exe -all -lg Sample response: Microsoft (R) .NET Framework CasPol 4.0.30319.1 Security is ON Execution checking is ON Policy change prompt is ON Level = Machine Code Groups: 1. All code: Nothing 1.1. Zone - MyComputer: FullTrust (LevelFinal) 1.1.1. StrongName - 002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293: FullTrust 1.1.2. StrongName - 00000000000000000400000000000000: FullTrust 1.2. Zone - Intranet: LocalIntranet 1.2.1. All code: Same site Web 1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery' 1.3. Zone - Internet: Internet 1.3.1. All code: Same site Web 1.4. Zone - Untrusted: Nothing 1.5. (First Match) Zone - Trusted: Internet 1.5.1. All code: Same site Web 1.6. Publisher - 30818902818100E47B359ACC061D70C237B572FA276C9854CFABD469DFB74E77D026630BEE2A0C2F8170A823AE69FDEB65704D7FD446DEFEF1F6BA12B6ACBDB1BFA7B9B595AB9A40636467CFF7C73F198B53A9A7CF177F6E7896EBC591DD3003C5992A266C0AD9FBEE4E2A056BE7F7ED154D806F7965F83B0AED616C192C6416CFCB46FC2F5CFD0203010001: FullTrust Success An assembly will satisfy the StrongNameMembershipCondition if its metadata contains the strongly identifying data associated with the specified strong name. At the least, this means it has been digitally signed with the private key associated with the public key recorded in the policy. The presence of the encryption key values in the StrongName field indicates the use of StrongNameMembershipCondition. If a Strong Name Membership Condition is assigned to a non-default Code Group the private key must be adequately protected by the software developer or the entity responsible for signing the assemblies. Ask the Systems Programmer how the private keys are protected. Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository. Adequate protection methods include, but are not limited to: - utilizing centralized key management; - using strict file permissions to limit access; and - tying strong pass phrases to the key. If the private key used to sign the assembly is not adequately protected, this is a finding. Fix TextAsk the Systems Programmer how the private keys used to sign the assembly are protected. Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository. Adequate protection methods include, but are not limited to: - utilizing centralized key management; - using strict file permissions to limit access; and - tying strong pass phrases to the key. The private key(s) used to sign the assembly must be protected. Utilize centralized key management or strict file permissions along with strong pass phrases and/or other well-established industry practices for managing and controlling access to private keys. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 0E4360D1A69538A55E456743C4260C8FCE83E079 ~~~~~ Installed .NET version is '4.8'. This check only applies to .NET version 4.0 specifically so this requirement is NA.
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225227 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | CAS and policy configuration files must be backed ... | - | |||
Check TextThe infrastructure to enable Code Access Security (CAS) exists only in .NET Framework 2.x-4.x. The requirement is Not Applicable (NA) for .NET Framework greater than 4.x. (Note: The infrastructure is deprecated and is not receiving servicing or security fixes.) Ask the System Administrator if all CAS policy and policy configuration files are included in the system backup. If they are not, this is a finding. Ask the System Administrator if the policy and configuration files are backed up prior to migration, deployment, and reconfiguration. If they are not, this is a finding. Ask the System Administrator for documentation that shows CAS Policy configuration files are backed up as part of a disaster recovery plan. If they have no documentation proving the files are backed up, this is a finding. Fix TextAll CAS policy and policy configuration files must be included in the system backup. All CAS policy and policy configuration files must be backed up prior to migration, deployment, and reconfiguration. CAS policy configuration files must be included in disaster recovery plan documentation. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 0E4360D1A69538A55E456743C4260C8FCE83E079 ~~~~~ Installed .NET version is '4.8'. This check only applies to .NET version 4.0 specifically so this requirement is NA.
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225228 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | Remoting Services HTTP channels must utilize authe... | - | |||
Check TextIf .NET remoting with HTTP channel is not used, this check is Not Applicable. Review the machine.config file and the [application name].exe.config file. For 32-bit systems, the "machine.config" file is contained in the following folder: %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config For 64-bit systems, the "machine.config" file is contained in the following folder: %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config. Microsoft specifies locating the [application].config file in the same folder as the application executable (.exe) file. However, the developer does have the capability to specify a different location when the application is compiled. Therefore, if the file is not found in the application home folder, a search of the system is required. If the [application name].exe.config file is not found on the system, then only a check of the machine.config file is required. Sample machine/application config file: <application name=“remoteserver”> <service> <activated type=“sample.my.object, myobjects”/> </service> <channels> <channel ref=“http server” port=“80”/> </channels> </application> <serverProviders> <provider ref="wsdl" /> <formatter ref="soap" typeFilterLevel="Low" /> <formatter ref="binary" typeFilterLevel="Low" /> </serverProviders> Microsoft provides three "channels" that are used for remoting connectivity. They are the HTTP, TCP, and IPC channels. The channel that is used is specified via the <channels> element in the config file. HTTP channel example: <channel ref=“http server” port=“80”/> The HTTP channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using TLS. The above example shows the well-known TLS port of 443 is not being used. If the HTTP remoting channel is not configured to protect the channel by using TLS encryption, this is a finding. Fix TextIf .NET remoting with HTTP channel is not used, this fix is Not Applicable. Ensure encryption and message integrity are used for HTTP remoting channels. The HTTP channel only supports encryption and message integrity when the remote object is hosted in Internet Information Services (IIS) using TLS. HTTP channels are protected via TLS (HTTPS). <channels> <channel ref=“http server” port=“443”/> </channels> Change the channel ref parameter to utilize a TLS port and leverage TLS on the remote IIS server. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT APPLICABLE on 03/05/2026 ResultHash: 5484AA1F334AF98C429F840221EEC8B7ADB0A2EE ~~~~~ No machine.config or *.exe.config files found using .NET remoting with HTTP channel so this requirement is NA.
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225229 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | .Net Framework versions installed on the system mu... | - | |||
Check TextDetermine which versions of the .NET Framework are installed by opening the directory %systemroot%\Microsoft.NET. The folder named "%systemroot%\Microsoft.NET\Framework" contains .NET files for 32 bit systems. The folder named "%systemroot%\Microsoft.NET\Framework64" contains .NET files for 64 bit systems. 64 bit systems will have both the 32 bit and the 64 bit folders. 32 bit systems do not have a Framework64 folder. Within each of the folders are the individual folder names that contain the corresponding versions of the .NET Framework: v4.0.30319 v3.5 v3.0 v2.0.50727 v1.1.4322 v1.0.3705 Search for all the Mscorlib.dll files in the %systemroot%\Microsoft.NET\Framework folder and the %systemroot%\Microsoft.NET\Framework64 folder if the folder exists. Click on each of the files, view properties, and click the version tab to determine the version installed. If there is no Mscorlib.dll, there is no installed version of .Net Framework in that directory. More specific information on determining versions of .Net Framework installed can be found at the following link. http://support.microsoft.com/kb/318785 Verify extended support is available for the installed versions of .Net Framework. Verify the .Net Framework support dates with Microsoft Product Lifecycle Search link. http://support.microsoft.com/lifecycle/search/?sort=PN&alpha=.NET+Framework Beginning with .NET 3.5 SP1, the .NET Framework is considered a Component of the Windows OS. Components follow the Support Lifecycle policy of their parent product or platform. .NET Framework 3.5 cannot function without the .NET Framework 2.0 and the .NET Framework 3.0, because there is no common language runtime (CLR) in the .NET Framework 3.5 layer. Therefore, when the .NET Framework 3.5 product is installed, the .NET Framework 2.0 and the .NET Framework 3.0 SP products are also installed. Installation of .NET 2.0 and 3.0 SP products as part of .NET Framework 3.5 is Not a Finding. (https://support.microsoft.com/en-us/topic/clarification-on-the-support-life-cycle-for-the-net-framework-3-5-the-net-framework-3-0-and-the-net-framework-2-0-28621c7b-226c-7682-27f5-2e2a42db39c3) If any versions of the .Net Framework are installed and support is no longer available, this is a finding. Fix TextRemove unsupported versions of the .NET Framework and upgrade legacy applications that utilize unsupported versions of the .NET framework. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 69B5FA47DB52CEE6EE623CD1C66B970ACFE69DFB ~~~~~ Operating system: --------------------------------- Name: Microsoft Windows Server 2022 Standard [21H2] Version: 10.0.20348 Enabled .NET Windows features: --------------------------------- NET-Framework-45-Core Library files: --------------------------------- File Path: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Version: 4.8.4795.0 File Path: C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Version: 4.8.4795.0 Ref - https://learn.microsoft.com/en-us/lifecycle/products/microsoft-net-framework Ref - https://support.microsoft.com/en-us/topic/clarification-on-the-support-life-cycle-for-the-net-framework-3-5-the-net-framework-3-0-and-the-net-framework-2-0-28621c7b-226c-7682-27f5-2e2a42db39c3
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225230 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | The .NET CLR must be configured to use FIPS approv... | - | |||
Check TextExamine the .NET CLR configuration files from the vulnerability discussion to find the runtime element and then the "enforceFIPSPolicy" element. Example: <configuration> <runtime> <enforceFIPSPolicy enabled="true|false" /> </runtime> </configuration> By default, the .NET "enforceFIPSPolicy" element is set to "true". If the "enforceFIPSPolicy" element does not exist within the "runtime" element of the CLR configuration, this is not a finding. If the "enforceFIPSPolicy" element exists and is set to "false", and the IAO has not accepted the risk and documented the risk acceptance, this is a finding. Fix TextExamine the .NET CLR configuration files to find the runtime element and then the "enforceFIPSPolicy" element. Example: <configuration> <runtime> <enforceFIPSPolicy enabled="true|false" /> </runtime> </configuration> Delete the "enforceFIPSPolicy" runtime element, change the setting to "true" or there must be documented IAO approvals for the FIPS setting. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 665ECD2BE03F9086D5C3B003C3B3238D2C474D25 ~~~~~ No machine.config or *.exe.config files found with 'enforceFIPSPolicy enabled=false'.
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225231 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | .NET must be configured to validate strong names o... | - | |||
Check TextIf there is documented ISSO risk acceptance for development systems, this is not a finding. For 32 bit production systems: Use regedit to examine the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework” key. On 64-bit production systems: Use regedit to examine both the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework” and “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework” keys. If the "AllowStrongNameBypass" value does not exist, or if the “DWORD” value is set to “1”, this is a finding. Documentation must include a complete list of installed .Net applications, application versions, and acknowledgement that ISSO trusts each installed application. If application versions installed on the system do not match approval documentation, this is a finding. Fix TextFor 32 bit production systems: Set “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AllowStrongNameBypass" to a “DWORD” value of “0”. On 64-bit production systems: Set “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ AllowStrongNameBypass” and “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ AllowStrongNameBypass” to a “DWORD” value of “0”. Or, obtain documented ISSO risk acceptance for each .Net application installed on the system. Approval documentation will include complete list of all installed .Net applications, application versions, and acknowledgement of ISSO trust of each installed application. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: E28F7B07BF034968DDD074235F2D4C0EFC0E8F76 ~~~~~ Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework Value Name: AllowStrongNameBypass Value: 0x00000000 (0) Type: REG_DWORD Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework Value Name: AllowStrongNameBypass Value: 0x00000000 (0) Type: REG_DWORD
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225233 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | Trust must be established prior to enabling the lo... | - | |||
Check TextOpen Windows explorer and search for *.exe.config. Search each config file found for the "loadFromRemoteSources" element. If the loadFromRemoteSources element is enabled ("loadFromRemoteSources enabled = true"), and the remotely loaded application is not run in a sandboxed environment, or if OS based software controls, such as AppLocker or Software Security Policies, are not utilized, this is a finding. Fix Text.Net application code loaded from a remote source must be run in a controlled environment. A controlled environment consists of a sandbox, such as running in an Internet Explorer host environment or employing OS based software access controls, such as AppLocker or Software Security Policies, when application design permits. Obtain documented IAO approvals for all remotely loaded code. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 6CC95A95DACFD9A95160D8D82AE7400D383C1A8D ~~~~~ No *.exe.config files found with 'loadFromRemoteSources enabled=true'.
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225235 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | Event tracing for Windows (ETW) for Common Languag... | - | |||
Check TextOpen Windows explorer and search for all .NET config files including application config files (*.exe.config) NOTE: Beginning with Windows Vista and Windows Server 2008, ETW Tracing is enabled by default and the "etwEnable" setting is not required in order for Event Tracing to be enabled. An etwEnable setting of "true" IS required in earlier versions of Windows as ETW is disabled by default. Examine the configuration settings for <etwEnable enabled="false" />. If the "etwEnable" element is set to "true", this is not a finding. If the "etwEnable" element is set to "false" and documented approvals by the IAO are not provided, this is a finding. Fix TextOpen Windows explorer and search for all .NET config files including application config files (*.exe.config). Examine the configuration settings for <etwEnable enabled="false" />. Enable ETW Tracing by setting the etwEnable flag to "true" or obtain documented IAO approvals. Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 337EA4CB8826346C79B61FFD2C48107B8F2246C3 ~~~~~ No machine.config or *.exe.config files found with 'etwEnable enabled=false'.
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||
| V-225236 | CAT II | SCHR-P3-DP-001 | Microsoft DotNet Framework 4.0 Security ... | Software utilizing .Net 4.0 must be identified and... | - | |||
Check TextThis requirement does not apply to the "caspol.exe" assembly or other assemblies provided with the Windows OS or the Windows Secure Host Baseline (SHB). Ask the system administrator to provide documentation that identifies: - Each .Net 4.0 application run on the system. - The .Net runtime host that invokes the application. - The security measures employed to control application access to system resources or user access to application. For additional insight run: tasklist /fi "modules eq mscoree.dll" If all .Net applications, runtime hosts and security protections have been documented or if there are no .Net 4.0 applications existing on the system, this is not a finding. If there is no documentation that identifies the existence of .NET 4.0 applications or the lack thereof, this is a finding. If the runtime hosts have not been identified, this is a finding. If the security protections have not been identified, this is a finding. Fix TextDocument the existence of all .Net 4.0 applications that are not provided by the host Windows OS or the Windows Secure Host Baseline (SHB). Document the corresponding runtime hosts that are used to invoke the applications. Document the applications security control requirements (restricting application access to resources or user access to the application). Finding DetailsEvaluate-STIG 1.2601.0 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 03/05/2026 ResultHash: 4E9D9F9778F6BF1402126A5E6E14400D9AF77B9C ~~~~~ No applications found requiring .NET 4.0 specifically.
Source: SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb
Scan Date: 2026-03-12T15:38:14.388995
Technology Area: Windows Operating System
|
||||||||