Ensure ‘Deny log on as a service’ to include ‘Enterprise Admins group and Domain Admins group’ (STIG MS only) Details This security setting determines which service accounts are prevented from registering a process as a service. This user right...
Ensure ‘Deny log on locally’ to include ‘Guests, Enterprise Admins group, and Domain Admins group’ (STIG MS only) Details This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the...
Ensure ‘Deny log on through Remote Desktop Services’ is set to ‘Guests, Local account, Enterprise Admins group, and Domain Admins group’ (STIG MS only) Details This policy setting determines whether users can log on as Remote Desktop clients. After the baseline Member Server is...
Ensure ‘Domain member: Digitally encrypt or sign secure channel data (always)’ is set to ‘Enabled’ Details This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed...
Ensure ‘Domain member: Digitally encrypt secure channel data (when possible)’ is set to ‘Enabled’ Details This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that...
Ensure ‘Domain member: Digitally sign secure channel data (when possible)’ is set to ‘Enabled’ Details This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it...
Ensure ‘Domain member: Disable machine account password changes’ is set to ‘Disabled’ Details This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically...
Ensure ‘Domain member: Maximum machine account password age’ is set to ‘30 or fewer days, but not 0’ Details This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change...
Ensure ‘Domain member: Require strong (Windows 2000 or later) session key’ is set to ‘Enabled’ Details When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable...
Ensure ‘Enable computer and user accounts to be trusted for delegation’ is set to ‘No One’ (MS only) Details This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory....