Windows STIG

Findings from the Windows 7 STIG, listed with their severity, the rule title, and the opening of the rule's discussion text. Where a rule's title did not survive on the page only the discussion is given; discussion text that the page cuts off is left cut off.

- (finding title missing on the page) A system is more vulnerable to unauthorized access when users can recycle the same password several times without being required to change it to a unique password on a regularly scheduled basis.
- Medium: Unauthorized accounts must not have the "Modify an object label" user right. Accounts with the "Modify an object label" user right can change the integrity label...
- Medium: The minimum password age must be configured to at least 1 day. Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose...
- Medium: The maximum password age must be configured to 60 days or less. The longer passwords are in use, the greater the opportunity for someone to gain unauthorized knowledge of them. Scheduled changing of passwords hinders the ability of unauthorized users to crack...
- (finding title missing on the page) Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously instead of using the computer identity.
- Medium: The service principal name (SPN) target name validation level must be configured to "Accept if provided by client". If an SPN is provided by the client, it is validated against the server's list of SPNs, aiding in the prevention of spoofing.
- (finding title missing on the page) PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.
- (finding title missing on the page) NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.
- (finding title missing on the page) Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for Kerberos, preventing the use of the DES encryption suites.
- Medium: Unauthorized accounts must not have the "Impersonate a client after authentication" user right. The "Impersonate a client after authentication" user right allows a program to...
- Medium: The Application event log must be configured to a minimum size requirement.

- Medium: User Account Control is configured for the appropriate elevation prompt for administrators. This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.
- Medium: User Account Control is configured to detect application installations. This requires Windows to respond to application installation requests by prompting for credentials.
- Medium: Unauthorized accounts must not have the "Create symbolic links" user right. Accounts with the "Create symbolic links" user right can create pointers to other...
- (finding title missing on the page) This check verifies that the configuration of wireless devices using Windows Connect Now is disabled.
- Medium: Unauthorized accounts must not have the "Create global objects" user right. Accounts with the "Create global objects" user right can create objects that are...
- Medium: Unauthorized accounts must not have the "Create permanent shared objects" user right. Accounts with the "Create permanent shared objects" user right could expose sensitive...
- (finding title missing on the page) If RDS is used, it must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and unauthenticated access on all systems. The "Deny log on through Remote Desktop Services" right defines the accounts that are...
- Medium: Unauthorized accounts must not have the "Enable computer and user accounts to be trusted for delegation" user right. The "Enable computer and user accounts to be trusted for delegation" user right allows...
- Medium: The "Deny log on as a service" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right. The "Deny log on as a service" right defines accounts that are denied log on as a...
- Medium: The "Deny log on locally" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. The "Deny log on locally" right defines accounts that are prevented from logging on...
- (finding title missing on the page) Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons, including deletion of the accounts or groups. If the account or group objects are reanimated, there...
- Medium: Unauthorized accounts must not have the "Force shutdown from a remote system" user right. Accounts with the "Force shutdown from a remote system" user right can remotely shut...
- Medium: Unauthorized accounts must not have the "Generate security audits" user right. The "Generate security audits" user right specifies users and processes that can...
- (finding title missing on the page) This check verifies that access to the Windows Connect Now wizards is disabled.
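Added example (PowerShell; not part of the STIG or of this page): the password-age and password-history items earlier in the list and the user-rights items here all resolve to values that secedit.exe exports from the local security database, so one script can check both and also catch the unresolved-SID case described above. It assumes an elevated session on the host, a history size of 24 (the page gives no number), and an allow-list of permitted principals that is this example's reading of the rights listed above rather than DISA's exact text.

```powershell
# Added example, not DISA's or this page's code. Exports the effective local security
# policy with secedit.exe and checks password policy and user-rights assignments.
# $allowed is a hypothetical allow-list; tailor it to your documented exceptions.

$cfgPath = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfgPath /quiet | Out-Null
if (-not (Test-Path $cfgPath)) { throw 'secedit export failed (is the session elevated?)' }

# Parse the INI-style export into: section name -> @{ name = value }.
$policy = @{}; $section = $null
foreach ($line in Get-Content $cfgPath) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy[$section][$Matches[1]] = $Matches[2] }
}
Remove-Item $cfgPath -Force
$findings = New-Object System.Collections.Generic.List[string]

# [System Access]: thresholds from the password items on the page (history size is assumed).
$sa = $policy['System Access']; if (-not $sa) { $sa = @{} }
$pwChecks = @(
    @{ Name = 'MinimumPasswordAge';  Want = 'at least 1 day'; Ok = { param($v) $v -ge 1 } },
    @{ Name = 'MaximumPasswordAge';  Want = '1 to 60 days';   Ok = { param($v) $v -ge 1 -and $v -le 60 } },  # -1 = never expires
    @{ Name = 'PasswordHistorySize'; Want = 'at least 24';    Ok = { param($v) $v -ge 24 } }
)
foreach ($c in $pwChecks) {
    $raw = $sa[$c.Name]
    if ($null -eq $raw -or -not (& $c.Ok ([int]$raw))) { $findings.Add("$($c.Name) = '$raw', want $($c.Want)") }
}

# [Privilege Rights]: principals that may hold each right; an empty list means nobody may.
$allowed = @{
    SeRelabelPrivilege              = @()                          # Modify an object label
    SeTcbPrivilege                  = @()                          # Act as part of the operating system
    SeEnableDelegationPrivilege     = @()                          # Trusted for delegation
    SeCreatePermanentPrivilege      = @()                          # Create permanent shared objects
    SeImpersonatePrivilege          = @('BUILTIN\Administrators', 'NT AUTHORITY\SERVICE', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
    SeCreateGlobalPrivilege         = @('BUILTIN\Administrators', 'NT AUTHORITY\SERVICE', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
    SeAuditPrivilege                = @('NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
    SeCreateSymbolicLinkPrivilege   = @('BUILTIN\Administrators')
    SeRemoteShutdownPrivilege       = @('BUILTIN\Administrators')
    SeProfileSingleProcessPrivilege = @('BUILTIN\Administrators')
    SeTakeOwnershipPrivilege        = @('BUILTIN\Administrators')
    SeDebugPrivilege                = @('BUILTIN\Administrators')
}

function Resolve-PolicySid([string]$token) {
    # secedit writes SIDs as *S-1-...; a translation failure means the SID no longer resolves.
    try {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $token.TrimStart('*')
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $null }
}

$pr = $policy['Privilege Rights']; if (-not $pr) { $pr = @{} }
foreach ($right in $allowed.Keys) {
    if (-not $pr[$right]) { continue }                             # held by no one: compliant
    foreach ($tok in ($pr[$right] -split ',')) {
        $tok = $tok.Trim()
        $name = if ($tok.StartsWith('*')) { Resolve-PolicySid $tok } else { $tok }
        if ($null -eq $name) { $findings.Add("$right holds unresolved SID $($tok.TrimStart('*'))"); continue }
        if ($allowed[$right] -notcontains $name) { $findings.Add("$right granted to unauthorized principal '$name'") }
    }
}

# Deny rights: Guests (S-1-5-32-546) must be denied local and RDP logon on every system.
foreach ($deny in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $holders = @(($pr[$deny] -split ',') | ForEach-Object { $_.Trim() })
    if ($holders -notcontains '*S-1-5-32-546') { $findings.Add("$deny does not deny Guests (S-1-5-32-546)") }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

On a domain member the deny rights must also contain the domain's Enterprise Admins and Domain Admins groups; their SIDs are domain-specific, so add them to the allow-list and the deny check from your own domain rather than hard-coding them.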

- Medium: Turn off indexing of encrypted files. This check verifies that encrypted files are not indexed.
- Medium: Unauthorized accounts must not have the "Profile single process" user right. Accounts with the "Profile single process" user right can monitor non-system processes...
- Medium: File share permissions must be reconfigured to remove the Everyone group. Shares on a system can provide network access, exposing sensitive information. If a share is necessary, permissions must be reconfigured to give the minimum access to those accounts that require it.
- Medium: Audit policy using subcategories is enabled. This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista and later.
- Medium: Unauthorized accounts must not have the "Take ownership of files or other objects" user right. Accounts with the "Take ownership of files or other objects" user right can take...
- (finding title missing on the page) Recovery of a damaged or compromised system in a timely manner is difficult without a system information backup. A system backup will usually include sensitive information such as user accounts...
- Low: The system allows shutdown from the logon dialog box. Preventing display of the shutdown button in the logon dialog box may encourage a hard shutdown with the power button. However, displaying the shutdown button may allow individuals to shut down...
- Low: The amount of idle time required before suspending a session must be properly set. Open sessions can increase the avenues of attack on a system. This setting is used to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is...
- Low: The default permissions of global system objects are not increased. Windows maintains a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default DACL that specifies who can...
- Low: The Windows dialog box title for the legal banner must be configured.
- Low: Domain Controller authentication is not required to unlock the workstation. This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller if in a...
- Low: The computer account password is prevented from being reset. Computer account passwords are changed automatically on a regular basis. Enabling this policy to disable automatic password changes can make the system more vulnerable to malicious access.
- Low: Enable restore points for device driver installations. This check verifies that a system restore point will be created when a new device driver is installed.
- Low: The system is configured to use an unauthorized time server. The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Windows Time Service is used, it should...
- Low: System pagefile is cleared upon shutdown. This check verifies that Windows is configured to not wipe clean the system pagefile during a controlled system shutdown.
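Added example (PowerShell; not from the STIG or this page) for the share-permissions item above and for the anonymous-access rule titles listed near the end of the page (named pipes and shares accessible anonymously, anonymous enumeration of shares and SAM accounts, unauthorized shares accessed anonymously, null-session pipes and shares containing no values). It uses WMI so it also runs on Windows 7. The registry names and expected values are this example's reading of those rules and should be confirmed against the STIG check text.

```powershell
# Added example, not DISA's or this page's code. Finds disk shares whose share-level
# DACL grants anything to Everyone, then checks the registry controls that restrict
# anonymous (null-session) access. Run elevated.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Share-level permissions. Type 0 = user-created disk share; administrative shares
#    (C$, ADMIN$, IPC$) carry the 0x80000000 flag in Type and are skipped here.
foreach ($share in (Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 })) {
    $escaped = $share.Name -replace "'", "\'"                       # WQL string escaping
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$escaped'"
    if (-not $sec) { continue }
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    foreach ($ace in $dacl) {
        # AceType 0 = access allowed; S-1-1-0 is the Everyone SID.
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq 'S-1-1-0') {
            $mask = '0x{0:X}' -f $ace.AccessMask                    # 0x1F01FF full, 0x1301BF change, 0x1200A9 read
            $findings.Add("share '$($share.Name)' grants Everyone access (mask $mask)")
        }
    }
}

# 2. Anonymous-access controls (LSA and the Server service).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$expected = @(
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';  Value = 1; Item = 'Anonymous enumeration of SAM accounts not allowed' },
    @{ Path = $lsa; Name = 'RestrictAnonymous';     Value = 1; Item = 'Anonymous enumeration of shares restricted' },
    @{ Path = $srv; Name = 'RestrictNullSessAccess'; Value = 1; Item = 'Named pipes and shares not accessible anonymously' }
)
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).$($e.Name)
    if ($actual -ne $e.Value) { $findings.Add("$($e.Item): $($e.Name) = '$actual', want $($e.Value)") }
}

# NullSessionPipes / NullSessionShares (REG_MULTI_SZ) must contain no values.
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $vals = @((Get-ItemProperty -Path $srv -Name $name -ErrorAction SilentlyContinue).$name | Where-Object { $_ })
    if ($vals.Count -gt 0) { $findings.Add("$name is not empty: $($vals -join ', ')") }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Share-level permissions are only one layer: a share that grants Everyone read is still limited by the NTFS DACL on the folder, so a finding here is a reason to review the share, not proof that data is exposed.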

- Low: Floppy media devices are not allocated upon user logon. This check verifies that Windows is configured to not limit access to floppy drives when a user is logged on locally.
- Low: The system is configured to allow the display of the last user name on the logon screen. The user name of the last user to log onto a system will not be displayed.
- Low: Print driver installation privilege must be restricted to administrators. The print spooler allows users to add and to delete printer drivers on the local system. This capability must be restricted to privileged groups to ensure only stable, non-malicious drivers are used.
- Low: Caching of logon credentials must be limited. The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's...
- Low: The maximum age for machine account passwords is not set to requirements. This setting controls the maximum password age that a machine account may have. This setting should be set to no more than 30 days, ensuring the machine changes its password monthly.
- Low: Prevent users from installing vendor signed updates. This check verifies that users are prevented from applying vendor signed updates.
- (finding title missing on the page) This check verifies that users are not presented with Privacy and Installation options on first use of Windows Media Player.
- Low: Local users must not exist on a system in a domain. To minimize potential points of attack, local users, other than built-in accounts such as the Administrator and Guest accounts, should not exist on a workstation in a domain. Users must always log...
- Low: The system is configured for a greater keep-alive time than recommended. Controls how often TCP sends a keep-alive packet in attempting to verify that an idle connection is still intact.
- Low: Users are not forcibly disconnected when logon hours expire. Users should not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving...
- Low: Printer share permissions must be restricted to Print for non-administrators. Improperly configured share permissions on printers can permit the addition of unauthorized print devices on the network. Windows shares are a means by which files, folders, printers, and other...
- Low: Order Prints Online is blocked.
- Low: Users are not warned in advance that their passwords will expire. This setting configures the system to display a warning to users telling them how many days are left before their password expires. By giving the user advance warning, the user has time to...
- Low: Event Viewer events. This check verifies that Events...
- Low: The classic logon screen must be required for user logons. The classic logon screen requires users to enter a logon name and password to access a system. The simple logon screen or Welcome screen displays usernames for selection, providing part of the...
- (finding title missing on the page) In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server, and the server leaves the half-open connections open until it is overwhelmed and no longer is able to...
- Low: The system is configured to detect and configure default gateway addresses.
- Low: The system must generate an audit event when the audit log reaches a percentage of full threshold. Audit records may be lost if the security log becomes full. When the audit log reaches a given percent full, an audit event is written to the security log. An event is recorded as a success...
- Low: Security configuration tools are not being used to configure platforms for security compliance. Security configuration tools such as Security Templates and Group Policy allow system administrators to consolidate all security-related system settings into a single configuration file.
- Low: Turn off downloading of game updates. This setting will prevent the system from downloading game update information from Windows Metadata Services.
- Low: Outdated or unused accounts must be removed from the system. Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.
- (finding title missing on the page) This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.
- (finding title missing on the page) This setting prevents responsiveness events from being aggregated and sent to Microsoft.
- Low: Windows Anytime Upgrade is not disabled. This setting will prevent Windows Anytime Upgrade from running.
- (finding title missing on the page) When disabled, forces ICMP to be routed via shortest path first.
- Low: The system is configured to allow IP source routing. Protects against IP source routing spoofing.
- (finding title missing on the page) Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack.
- Low: (finding title missing on the page) This check verifies that Windows is configured to have password protection take effect within a limited time frame when the screen saver becomes active. Allowing more than several seconds makes the computer vulnerable to a potential attack from someone walking up to the console to attempt to log onto the system before the lock takes effect.
- Low: Device metadata retrieval from the Internet must be prevented. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive...
- Low: Prevent Windows Update for device driver search. This setting will prevent Windows from searching Windows Update for device drivers.
- Low: Prevent handwriting personalization data sharing with Microsoft. This setting prevents data from the handwriting recognition personalization tool being shared with Microsoft.
- (finding title missing on the page) This setting prevents the MSDT from communicating with and sending collected data to Microsoft, the default support provider.
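Added example (PowerShell; not from the STIG or this page): most of the Low items in this run, and the NTLM, PKU2U, Kerberos, SPN and UAC items earlier on the page, are each a single registry value, so a data-driven check is the natural form. The registry paths are the standard locations of these settings; the expected values are this example's reading of the items, and the two rows marked as assumptions supply numbers the page does not give.

```powershell
# Added example, not DISA's or this page's code. Checks registry-backed STIG settings
# against expected values. Run elevated; Group Policy may also write some of these
# under HKLM\SOFTWARE\Policies, so a MISSING result means "review", not "pass".

function R($Path, $Name, $Op, $Value, $Item) { @{ Path = $Path; Name = $Name; Op = $Op; Value = $Value; Item = $Item } }

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$polsys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$rows = @(
    (R $winlogon 'CachedLogonsCount'         'le' 2      'Caching of logon credentials must be limited'),
    (R $winlogon 'ScreenSaverGracePeriod'    'le' 5      'Password protection takes effect promptly when the screen saver activates'),
    (R $winlogon 'PasswordExpiryWarning'     'ge' 14     'Users warned in advance that passwords will expire (14 days assumed)'),
    (R $winlogon 'ForceUnlockLogon'          'eq' 1      'Domain Controller authentication required to unlock the workstation'),
    (R $netlogon 'MaximumPasswordAge'        'le' 30     'Maximum age for machine account passwords'),
    (R $netlogon 'DisablePasswordChange'     'eq' 0      'Computer account password changes not disabled'),
    (R $polsys   'DontDisplayLastUserName'   'eq' 1      'Last user name not displayed on the logon screen'),
    (R $polsys   'ShutdownWithoutLogon'      'eq' 0      'Shutdown from the logon dialog box not allowed'),
    (R $polsys   'EnableInstallerDetection'  'eq' 1      'UAC detects application installations'),
    (R $polsys   'ConsentPromptBehaviorAdmin' 'eq' 2     'UAC admin elevation prompt (2 = consent on the secure desktop, assumed)'),
    (R $lsa      'SCENoApplyLegacyAuditPolicy' 'eq' 1    'Audit policy using subcategories enabled'),
    (R $lsa      'UseMachineId'              'eq' 1      'Local System services using Negotiate use the computer identity for NTLM'),
    (R "$lsa\MSV1_0" 'allownullsessionfallback' 'eq' 0   'NTLM must not fall back to Null sessions'),
    (R "$lsa\pku2u"  'AllowOnlineID'         'eq' 0      'PKU2U online identities cannot authenticate'),
    (R "$polsys\Kerberos\Parameters" 'SupportedEncryptionTypes' 'eq' 2147483640 'Kerberos encryption types exclude DES (0x7FFFFFF8)'),
    (R $lanman   'SmbServerNameHardeningLevel' 'eq' 1    'SPN target name validation: Accept if provided by client'),
    (R $lanman   'AutoDisconnect'            'le' 15     'Idle time (minutes) before an SMB session is suspended'),
    (R $lanman   'EnableForcedLogOff'        'eq' 1      'Users forcibly disconnected when logon hours expire'),
    (R $tcpip    'DisableIPSourceRouting'    'eq' 2      'IP source routing disabled'),
    (R $tcpip    'EnableICMPRedirect'        'eq' 0      'ICMP redirects ignored (route via shortest path first)'),
    (R $tcpip    'KeepAliveTime'             'le' 300000 'TCP keep-alive time (ms) not greater than recommended'),
    (R 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters' 'NoNameReleaseOnDemand' 'eq' 1 'Name release requests ignored except from WINS servers'),
    (R 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security' 'WarningLevel' 'le' 90 'Audit event when the security log reaches a percentage full'),
    (R 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' 'ProtectionMode' 'eq' 1 'Default permissions of global system objects increased'),
    (R 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' 'ClearPageFileAtShutdown' 'eq' 0 'Pagefile not cleared at shutdown (as the check text above states)'),
    (R 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' 'AddPrinterDrivers' 'eq' 1 'Print driver installation restricted to administrators')
)

function Test-Row($row) {
    $prop = Get-ItemProperty -Path $row.Path -Name $row.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'MISSING (default applies; review)' }
    $actual = [int64]$prop.$($row.Name)        # REG_SZ numbers such as CachedLogonsCount parse as integers
    $ok = switch ($row.Op) {
        'eq' { $actual -eq $row.Value }
        'le' { $actual -le $row.Value }
        'ge' { $actual -ge $row.Value }
    }
    if ($ok) { 'PASS' } else { "FAIL (actual $actual, want $($row.Op) $($row.Value))" }
}

$results = foreach ($row in $rows) {
    [pscustomobject]@{ Item = $row.Item; Value = $row.Name; Result = (Test-Row $row) }
}
$results | Format-Table -AutoSize -Wrap
```

The IPv6 source-routing, TCP retransmission and browse-list items further down the page are the same kind of value (under the Tcpip6 and LanmanServer parameter keys) and fit this table as extra rows.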

- Low: Route all DirectAccess traffic through the internal network. This setting ensures all traffic is routed through the internal network, allowing monitoring and preventing split tunneling.
- Low: Prevent searching Windows Update for point and print drivers. This setting will prevent Windows from searching Windows Update for point and print drivers. Only the local driver store and server driver cache will be searched.
- (finding title missing on the page) This setting prevents users from searching troubleshooting content on Microsoft servers. Only local content will be available.
- Low: Users will not be prompted to search Windows Update for device drivers. This check verifies that users will not be prompted to search Windows Update for device drivers.
- Low: A Windows error report is not sent when a generic driver is installed. This check verifies that an error report will not be sent when a generic device driver is installed.
- Low: Session logging for Remote Assistance is enabled. This check verifies that Remote Assistance log files will be generated.
- (finding title missing on the page) This check verifies that errors in handwriting recognition on Tablet PCs are not reported to Microsoft.
- Low: Disable Game Explorer information downloads. This check verifies that game information is not downloaded from Windows Metadata Services.
- Low: The touch keyboard or input panel must not highlight keys as passwords are entered. The touch keyboard or input panel may highlight keys as passwords are entered, providing visibility to nearby persons and compromising them.
- Low: IPv6 source routing must be configured to highest protection. Configuring the system to disable IPv6 source routing protects against spoofing.
- (finding title missing on the page) Configuring Windows to limit the number of times that IPv6 TCP retransmits unacknowledged data segments before aborting the attempt helps prevent resources from becoming exhausted.
- Low: The system must be configured to hide the computer from the browse list. Identifying the computer name on a network could provide an attacker with information useful in gaining access. This setting prevents the computer name from displaying in the browse list.
- Low: IPSec exemptions are limited. This check verifies that Windows is configured to limit IPSec exemptions.
- Low: Indexing of mail items in Exchange folders when Outlook is running in uncached mode must be turned off. Indexing of encrypted items may expose sensitive data. This setting prevents mail items in a Microsoft Exchange folder from being indexed when Outlook is running in uncached mode.
- Low: Disable heap termination on corruption in Windows Explorer. This check verifies that heap termination on corruption is disabled. This may prevent Windows Explorer from terminating immediately from certain legacy plug-in applications.

The requirements were developed from DoD consensus, as well as the Windows 7 Security Guide and security templates published by Microsoft Corporation.

Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.

Mission Assurance Category profiles: I - Mission Critical Classified; I - Mission Critical Public; I - Mission Critical Sensitive; II - Mission Support Classified; II - Mission Support Public; II - Mission Support Sensitive; III - Administrative Classified; III - Administrative Public; III - Administrative Sensitive.

Further rule titles from the same STIG (severity and discussion text not captured on the page):

- The Windows 7 system must use an anti-virus program.
- Systems must be at supported service pack (SP) or release levels.
- The Windows Installer "Always install with elevated privileges" must be disabled.
- Unauthorized accounts must not have the "Create a token object" user right.
- Local volumes must be formatted using NTFS.
- Named pipes and shares can be accessed anonymously.
- Unauthorized accounts must not have the "Debug programs" user right.
- Anonymous access to the registry must be restricted.
- The system is configured to autoplay removable media.
- Anonymous enumeration of shares must be restricted.
- Users with administrative privilege must be documented and have separate accounts for administrative duties and normal operational tasks.
- Anonymous enumeration of SAM accounts will not be allowed.
- Unencrypted remote access to system services must not be permitted.
- Policy must require that administrative user accounts not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
- Only administrators responsible for the system must have Administrator rights on the system.
- Unauthorized remotely accessible registry paths must not be configured.
- DoD information system access does not require the use of a password.
- The default autorun behavior must be configured to prevent autorun commands.
- Standard user accounts must only have Read permissions to the Winlogon registry key.
- Solicited Remote Assistance is allowed.
- Unauthorized shares can be accessed anonymously.
- The use of local accounts with blank passwords is not restricted to console logons only.
- Unauthorized remotely accessible registry paths and sub-paths must not be configured.
- Named pipes that can be accessed anonymously must be configured to contain no values.
- The "Act as part of the operating system" user right must be granted to no accounts.
- Permissions for event logs must conform to minimum requirements.
- Shared user accounts must not be permitted on the system.
- Unauthorized accounts must not have the "Perform volume maintenance tasks" user right.
- Prevent printing over HTTP.
- The 6to4 IPv6 transition technology will be disabled.
- The system is not configured to use FIPS compliant algorithms for encryption, hashing, and signing.
- The system is not configured to recommended LDAP client signing requirements.
- The system must be configured to force users to log off when their allowed logon hours expire.
- Unauthorized accounts must not have the "Create a pagefile" user right.
- Unauthorized accounts must not have the "Change the system time" user right.
- Require username and password to elevate a running application.
- Group Policies must be refreshed in the background if the user is logged on.
- Unauthorized accounts must not have the "Allow log on through Remote Desktop Services" user right.
- Unauthorized accounts will not have the "Allow log on locally" user right.
- The "Access this computer from the network" user right must only be assigned to the Administrators group.
- The More Gadgets link must be disabled.
- Unsigned gadgets must not be installed.
- Prevent users from sharing files from within their profiles.
- User-installed gadgets must be turned off.
- Software certificate installation files must be removed from a system.
- The system must not have unnecessary features installed.
- User Account Control must automatically deny elevation requests for standard users.
- UAC - All applications are elevated.
- Unauthorized accounts must not have the "Replace a process level token" user right.
- Unauthorized accounts must not have the "Profile system performance" user right.
- The required legal notice must be configured to display before console logon.
- The "Deny log on as a batch job" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
- Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
- Unauthorized accounts must not have the "Restore files and directories" user right.
- Outgoing secure channel traffic is not signed when possible.
- Outgoing secure channel traffic is not encrypted when possible.
- The system must be configured to prevent unsolicited remote assistance offers.
- Unauthorized accounts must not have the "Access Credential Manager as a trusted caller" user right.
- The system is not configured to use Safe DLL search mode.
- The System event log must be configured to a minimum size requirement.

To learn about availability sets, see Availability sets overview. Select the virtual network: either use an existing virtual network or select Create new (note that inbound RDP is disallowed). For Diagnostic settings, select a storage account (optional, but required to store diagnostic logs). Once the creation process is started, the Deployment process page is displayed. The Overview tab shows the deployment process, including any errors that may occur; once deployment is complete, this tab provides information on the deployment and the opportunity to download the deployment details. The Template tab provides downloadable access to the JSON scripts used in the template. The deployed virtual machine can be found in the resource group used for the deployment. Our solution template creates a single-instance virtual machine using a premium or standard operating system disk, which supports the SLA for Virtual Machines.

As an organization you need to adopt a business continuity and disaster recovery (BCDR) strategy that keeps your data safe, and your apps and workloads online, when planned and unplanned outages occur. Azure Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery replicates workloads running on physical and virtual machines from a primary site to a secondary location.


