Windows 10 STIG

Windows 10 Security Technical Implementation Guide

| ID | Vuln ID | Title | Cat | Status |
|---|---|---|---|---|
| WN10-AU-000155 | V-220777 | The system must be configured to audit System - System Integrity failures. | Cat II | |
| WN10-UR-000070 | V-220968 | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Cat II | |
| WN10-SO-000190 | V-220936 | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Cat II | |
| WN10-CC-000238 | V-220842 | Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. | Cat II | |
| WN10-00-000145 | V-220726 | Data Execution Prevention (DEP) must be configured to at least OptOut. | Cat I | |
| WN10-00-000025 | V-220701 | Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Cat II | |
| WN10-CC-000220 | V-220838 | Turning off File Explorer heap termination on corruption must be disabled. | Cat III | |
| WN10-AU-000107 | V-220769 | The system must be configured to audit Policy Change - Authorization Policy Change successes. | Cat II | |
| WN10-00-000140 | V-220725 | Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts. | Cat II | |
| WN10-AU-000060 | V-220756 | The system must be configured to audit Logon/Logoff - Group Membership successes. | Cat II | |
| WN10-CC-000280 | V-220850 | Remote Desktop Services must always prompt a client for passwords upon connection. | Cat II | |
| WN10-00-000110 | V-220720 | Simple TCP/IP Services must not be installed on the system. | Cat II | |
| WN10-SO-000110 | V-220926 | Unencrypted passwords must not be sent to third-party SMB Servers. | Cat II | |
| WN10-UR-000125 | V-220977 | The Lock pages in memory user right must not be assigned to any groups or accounts. | Cat II | |
| WN10-CC-000200 | V-220832 | Administrator accounts must not be enumerated during elevation. | Cat II | |

