Microsoft Windows Server 2012/2012 R2 Domain Controller STIG

Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide

| ID | Vuln ID | Title | Cat | Status |
|---|---|---|---|---|
| WN12-UR-000025 | V-226389 | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Cat II | |
| WN12-SO-000030 | V-226295 | Unencrypted passwords must not be sent to third-party SMB Servers. | Cat II | |
| WN12-UR-000019-DC | V-226383 | The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. | Cat II | |
| WN12-UR-000032 | V-226393 | The Manage auditing and security log user right must only be assigned to the Administrators group. | Cat II | |
| WN12-SO-000077 | V-226338 | User Account Control approval mode for the built-in Administrator must be enabled. | Cat II | |
| WN12-SO-000033 | V-226298 | The Windows SMB server must perform SMB packet signing when possible. | Cat II | |
| WN12-AU-000107 | V-226117 | The system must be configured to audit System - Security State Change successes. | Cat II | |
| WN12-SO-000078 | V-226339 | User Account Control must, at minimum, prompt administrators for consent. | Cat II | |
| WN12-UR-000002-DC | V-226371 | Unauthorized accounts must not have the Access this computer from the network user right on domain controllers. | Cat II | |
| WN12-AU-000208-DC | V-226129 | The Active Directory Domain object must be configured with proper audit settings. | Cat II | |
| WN12-SO-000060 | V-226323 | The system must be configured to use the Classic security model. | Cat II | |
| WN12-UR-000016 | V-226380 | The Debug programs user right must only be assigned to the Administrators group. | Cat I | |
| WN12-UR-000020-DC | V-226384 | The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. | Cat II | |
| WN12-SO-000075 | V-226336 | The system must be configured to require case insensitivity for non-Windows subsystems. | Cat II | |
| WN12-00-000018 | V-226045 | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Cat II | |
