Windows Server 2016 STIG (version 1, rel. 10)

This policy compares the configuration of a Windows Server 2016 system to the criteria defined in the Microsoft Windows Server 2016 STIG and reports a result for each rule, for this server, and for the policy as a whole. The following rules are not included in this policy (they require manual review or evidence the policy cannot collect):

  • V-73217 - Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
  • V-73219 - Only administrators responsible for the domain controller must have Administrator rights on the system.
  • V-73221 - Only administrators responsible for the member server or standalone system must have Administrator rights on the system.
  • V-73225 - Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
  • V-73227 - Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
  • V-73229 - Manually managed application account passwords must be at least 15 characters in length.
  • V-73231 - Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
  • V-73233 - Shared user accounts must not be permitted on the system.
  • V-73235 - Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • V-73241 - The Windows Server 2016 system must use an anti-virus program.
  • V-73245 - Servers must have a host-based intrusion detection or prevention system.
  • V-73265 - System files must be monitored for unauthorized changes.
  • V-73267 - Non-system-created file shares on a system must limit access to groups that require it.
  • V-73271 - Software certificate installation files must be removed from Windows Server 2016.
  • V-73273 - Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
  • V-73275 - Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
  • V-73277 - The roles and features required by the system must be documented.
  • V-73279 - A host-based firewall must be installed and enabled on the system.
  • V-73281 - Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
  • V-73283 - Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.
  • V-73285 - Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
  • V-73289 - The Microsoft FTP service must not be installed unless required.
  • V-73303 - FTP servers must be configured to prevent anonymous logons.
  • V-73305 - FTP servers must be configured to prevent access to the system drive.
  • V-73373 - Active Directory Group Policy objects must have proper access control permissions.
  • V-73381 - Domain controllers must run on a machine dedicated to that function.
  • V-73383 - Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
  • V-73385 - Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
  • V-73389 - Active Directory Group Policy objects must be configured with proper audit settings.
  • V-73401 - Audit records must be backed up to a different system or media than the system being audited.
  • V-73403 - Windows Server 2016 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
  • V-73553 - The Application event log size must be configured to 32768 KB or greater.
  • V-73555 - The Security event log size must be configured to 196608 KB or greater.
  • V-73557 - The System event log size must be configured to 32768 KB or greater.
  • V-73613 - Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
  • V-73615 - PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
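
A few of the excluded rules above are nonetheless straightforward to spot-check by hand. The following PowerShell script is an added example, not part of the SolarWinds policy or its checks, and is meant to be run in an elevated session on the Windows Server 2016 host. It covers the three event log size rules (V-73553, V-73555, V-73557), the FTP service rule (V-73289) and the host-based firewall rule (V-73279). The KB thresholds come from the rule titles above; the registry location used for the log sizes (the Group Policy EventLog keys, where MaxSize is stored in KB) and the assumption that the host-based firewall is Windows Firewall rather than a third-party product are the script's own assumptions.

```powershell
# Added example: spot-check a handful of STIG rules that the policy above
# excludes. Not SolarWinds code. Run elevated on the Windows Server 2016 host.
# Assumptions: log sizes are enforced through the Group Policy EventLog keys
# (MaxSize, REG_DWORD, in KB); the host-based firewall is Windows Firewall.

$results = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param([string]$RuleId, [string]$Status, [string]$Detail)
    $results.Add([pscustomobject]@{ RuleId = $RuleId; Status = $Status; Detail = $Detail })
}

# V-73553 / V-73555 / V-73557: minimum event log sizes (32768 KB = 0x8000,
# 196608 KB = 0x30000), read from the policy registry values.
$logRules = @(
    @{ Id = 'V-73553'; Log = 'Application'; MinKB = 32768  },
    @{ Id = 'V-73555'; Log = 'Security';    MinKB = 196608 },
    @{ Id = 'V-73557'; Log = 'System';      MinKB = 32768  }
)
foreach ($r in $logRules) {
    $key    = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$($r.Log)"
    $policy = (Get-ItemProperty -Path $key -Name MaxSize -ErrorAction SilentlyContinue).MaxSize
    if ($null -eq $policy) {
        # No policy value present: report the effective log size so the reader
        # still learns something, but the rule is Open because nothing enforces it.
        $effectiveKB = [int]((Get-WinEvent -ListLog $r.Log).MaximumSizeInBytes / 1KB)
        Add-Result $r.Id 'Open' "no policy MaxSize; effective size $effectiveKB KB, required >= $($r.MinKB) KB"
    } elseif ($policy -ge $r.MinKB) {
        Add-Result $r.Id 'NotAFinding' "policy MaxSize $policy KB >= $($r.MinKB) KB"
    } else {
        Add-Result $r.Id 'Open' "policy MaxSize $policy KB < $($r.MinKB) KB"
    }
}

# V-73289: the Microsoft FTP service must not be installed unless required.
# The feature check is automatable; whether it is "required" is a documentation
# question, so an installed feature is reported as Open pending that evidence.
$ftp = Get-WindowsFeature -Name Web-Ftp-Server
if ($ftp.Installed) {
    Add-Result 'V-73289' 'Open' 'Web-Ftp-Server feature is installed; confirm it is documented as required'
} else {
    Add-Result 'V-73289' 'NotAFinding' 'Web-Ftp-Server feature is not installed'
}

# V-73279: a host-based firewall must be installed and enabled. Only Windows
# Firewall is checked here; a third-party firewall needs its own check.
$disabled = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($disabled) {
    Add-Result 'V-73279' 'Open' ('Windows Firewall disabled for profile(s): ' + ($disabled.Name -join ', '))
} else {
    Add-Result 'V-73279' 'NotAFinding' 'Windows Firewall enabled for the Domain, Private and Public profiles'
}

$results | Format-Table -AutoSize
```

The remaining excluded rules (separate admin accounts, application whitelisting, anti-virus, HIDS/HIPS, DoD PKI issuance, and so on) depend on organizational evidence or on products outside the operating system, which is why neither this script nor the policy attempts to evaluate them.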

Product Disclaimer: Please note that this policy is based on the Microsoft Windows Server 2016 STIG – Ver 1, Rel 10 XCCDF (see the latest definition at https://nvd.nist.gov/ncp/checklist/753), which was published as a tool to improve the security of information systems. Your organization should internally review and assess to what extent, if any, such policy should be incorporated into your environment and how you can best ensure compliance with your internal policies. All policies contain a subset of rules deemed automatable by SolarWinds. SolarWinds makes no warranty, express or implied, and assumes no legal liability or responsibility for the policies contained herein, including the accuracy, completeness, or usefulness of any information.