Windows Server 2016 Audit Report
Generated by the WindowsServer2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.
Based on Windows Server 2016 Security Technical Implementation Guide V1R5 2018-07-27, CIS.
Generated by the WindowsServer2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.
Based on Windows Server 2016 Security Technical Implementation Guide V1R5 2018-07-27, CIS.
This report was generated at 09/13/2018 08:26:00 on WIN-ALJMCIFOBRC.
| Hostname | WIN-ALJMCIFOBRC |
|---|---|
| Build Number | 14393 |
| Free disk space(GB) | 13.0 |
| Operating System | Microsoft Windows Server 2016 Standard Evaluation |
| Free physical memory (GB) | 1.376 |
Click the link(s) below for quick access to a report section.
| Id | Task | Message | Audit |
|---|---|---|---|
| SV-87875r2_rule | Passwords for the built-in Administrator account must be changed at least every 60 days. | Password for Administrator last set on 07/05/2018 05:48:58 | False |
| SV-87889r1_rule | Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Not in domain | True |
| SV-87891r1_rule | Systems must be maintained at a supported servicing level. | Compliant | True |
| SV-87899r1_rule | Local volumes must use a format that supports NTFS attributes. | Compliant | True |
| SV-87901r1_rule | Permissions for the system drive root directory (usually C:\) must conform to minimum requirements. | Not compliant | False |
| SV-87903r1_rule | Permissions for program file directorie C:\Program Files must conform to minimum requirements. | Compliant | True |
| SV-87903r1_rule | Permissions for program file directorie C:\Program Files (x86) must conform to minimum requirements. | Compliant | True |
| SV-87905r1_rule | Permissions for the Windows installation directory C:\Windows must conform to minimum requirements. | Compliant | True |
| SV-87907r1_rule | Default permissions for the HKEY_LOCAL_MACHINE\Security registry hive must be maintained. | Compliant | True |
| SV-87907r1_rule_2 | Default permissions for the HKEY_LOCAL_MACHINE\Software registry hive must be maintained. | Compliant | True |
| SV-87907r1_rule_3 | Default permissions for the HKEY_LOCAL_MACHINE\System registry hive must be maintained. | Not compliant | False |
| SV-87909r1_rule | Non-administrative accounts or groups must only have print permissions on printer shares. | Compliant | True |
| SV-87911r1_rule | Outdated or unused accounts must be removed from the system or disabled. | Not compliant | False |
| SV-87913r2_rule | Accounts must require passwords. | Compliant | True |
| SV-87915r2_rule | Passwords must be configured to expire. | Not compliant | False |
| SV-87919r1_rule | Non-system-created file shares on a system must limit access to groups that require it. | Shares not as expected | Warning |
| SV-87925r1_rule | Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Bitlocker not enabled | False |
| SV-87931r1_rule | A host-based firewall must be installed and enabled on the system. | Compliant | True |
| SV-87939r1_rule | The Fax Server role must not be installed. | Compliant | True |
| SV-87941r1_rule | The Microsoft FTP service must not be installed unless required. | Compliant | True |
| SV-87943r1_rule | The Peer Name Resolution Protocol must not be installed. | Compliant | True |
| SV-87945r1_rule | Simple TCP/IP Services must not be installed. | Compliant | True |
| SV-87947r1_rule | The Telnet Client must not be installed. | Compliant | True |
| SV-87949r1_rule | The TFTP Client must not be installed. | Compliant | True |
| SV-87951r1_rule | The Server Message Block (SMB) v1 protocol must be uninstalled. | Not compliant | False |
| SV-87953r1_rule | Windows PowerShell 2.0 must not be installed. | Compliant | True |
| SV-87961r2_rule | Windows 2016 account lockout duration must be configured to 15 minutes or greater. | Not compliant | False |
| SV-87963r1_rule | The number of allowed bad logon attempts must be configured to three or less. | Compliant | True |
| SV-87965r1_rule | The period of time before the bad logon counter is reset must be configured to 15 minutes or greater. | Not compliant | False |
| SV-87967r1_rule | The password history must be configured to 24 passwords remembered. | Not compliant | False |
| SV-87969r1_rule | The maximum password age must be configured to 60 days or less. | Compliant | True |
| SV-87971r1_rule | The minimum password age must be configured to at least one day. | Not compliant | False |
| SV-87973r1_rule | The minimum password length must be configured to 14 characters. | Not compliant | False |
| SV-88057r1_rule | Permissions for the Application event log must prevent access by non-privileged accounts. | Compliant | True |
| SV-88059r1_rule | Permissions for the Security event log must prevent access by non-privileged accounts. | Compliant | True |
| SV-88061r1_rule | Permissions for the System event log must prevent access by non-privileged accounts. | Compliant | True |
| SV-88139r1_rule | Administrator accounts must not be enumerated during elevation. | Not compliant | False |
| SV-88145r1_rule | The display of slide shows on the lock screen must be disabled. | Registry path to NoLockScreenSlideshow does not exist. | False |
| SV-88147r1_rule | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. | Not compliant | False |
| SV-88149r1_rule | WDigest Authentication must be disabled. | Not compliant | False |
| SV-88151r1_rule | Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. | Not compliant | False |
| SV-88153r1_rule | Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. | Not compliant | False |
| SV-88155r1_rule | Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. | Not compliant | False |
| SV-88157r1_rule | Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers. | Not compliant | False |
| SV-88159r1_rule | Insecure logons to an SMB server must be disabled. | Not compliant | False |
| SV-88161r1_rule | Hardened UNC paths must be defined to require mutual authentication and integrity for \\*\NETLOGON shares. | Error | False |
| SV-88161r1_rule_2 | Hardened UNC paths must be defined to require mutual authentication and integrity for \\*\SYSVOL shares. | Error | False |
| SV-88163r1_rule | Command line data must be included in process creation events. | Not compliant | False |
| SV-88165r1_rule | Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (EnableVirtualizationBasedSecurity). | Error | False |
| SV-88165r1_rule_2 | Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (RequirePlatformSecurityFeatures). | Error | False |
| SV-88165r1_rule_3 | Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection (VirtualizationBasedSecurityStatus Running). | Not compliant | False |
| SV-88167r1_rule | Credential Guard must be running on domain-joined systems. | Error | False |
| SV-88167r1_rule_2 | Credential Guard must be running on domain-joined systems (SecurityServicesRunning). | Not compliant | False |
| SV-88169r1_rule | Virtualization-based protection of code integrity must be enabled on domain-joined systems. | Error | False |
| SV-88169r1_rule_2 | Virtualization-based protection of code integrity must be enabled on domain-joined systems (SecurityServicesRunning). | Not compliant | False |
| SV-88173r1_rule | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | Not compliant | False |
| SV-88177r1_rule | Group Policy objects must be reprocessed even if they have not changed. | Not compliant | False |
| SV-88179r1_rule | Downloading print driver packages over HTTP must be prevented. | Not compliant | False |
| SV-88181r1_rule | Printing over HTTP must be prevented. | Not compliant | False |
| SV-88185r1_rule | The network selection user interface (UI) must not be displayed on the logon screen. | Not compliant | False |
| SV-88187r1_rule | Local users on domain-joined computers must not be enumerated. | Not compliant | False |
| SV-88189r1_rule | Windows Server 2016 must be configured to block untrusted fonts from loading. | Not compliant | False |
| SV-88197r1_rule | Users must be prompted to authenticate when the system wakes from sleep (on battery). | Not compliant | False |
| SV-88201r1_rule | Users must be prompted to authenticate when the system wakes from sleep (plugged in). | Not compliant | False |
| SV-88203r1_rule | Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server. | Not compliant | False |
| SV-88207r1_rule | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. | Not compliant | False |
| SV-88209r1_rule | AutoPlay must be turned off for non-volume devices. | Not compliant | False |
| SV-88211r1_rule | The default AutoRun behavior must be configured to prevent AutoRun commands. | Not compliant | False |
| SV-88213r1_rule | AutoPlay must be disabled for all drives. | Not compliant | False |
| SV-88215r1_rule | Windows Telemetry must be configured to Security or Basic. | Not compliant | False |
| SV-88217r1_rule | The Application event log size must be configured to 32768 KB or greater. | Not compliant | False |
| SV-88219r1_rule | The Security event log size must be configured to 196608 KB or greater. | Not compliant | False |
| SV-88221r1_rule | The System event log size must be configured to 32768 KB or greater. | Not compliant | False |
| SV-88223r1_rule | Windows SmartScreen must be enabled. | Not compliant | False |
| SV-88225r1_rule | Explorer Data Execution Prevention must be enabled. | Not compliant | False |
| SV-88227r1_rule | Turning off File Explorer heap termination on corruption must be disabled. | Not compliant | False |
| SV-88229r1_rule | File Explorer shell protocol must run in protected mode. | Not compliant | False |
| SV-88231r1_rule | Passwords must not be saved in the Remote Desktop Client. | Not compliant | False |
| SV-88233r1_rule | Local drives must be prevented from sharing with Remote Desktop Session Hosts. | Not compliant | False |
| SV-88235r1_rule | Remote Desktop Services must always prompt a client for passwords upon connection. | Not compliant | False |
| SV-88237r1_rule | The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications. | Not compliant | False |
| SV-88239r1_rule | Remote Desktop Services must be configured with the client connection encryption set to High Level. | Not compliant | False |
| SV-88241r1_rule | Attachments must be prevented from being downloaded from RSS feeds. | Not compliant | False |
| SV-88243r1_rule | Basic authentication for RSS feeds over HTTP must not be used. | Not compliant | False |
| SV-88245r1_rule | Indexing of encrypted files must be turned off. | Not compliant | False |
| SV-88247r1_rule | Users must be prevented from changing installation options. | Not compliant | False |
| SV-88249r1_rule | The Windows Installer Always install with elevated privileges option must be disabled. | Not compliant | False |
| SV-88251r1_rule | Users must be notified if a web-based program attempts to install software. | Not compliant | False |
| SV-88253r1_rule | Automatically signing in the last interactive user after a system-initiated restart must be disabled. | Compliant | True |
| SV-88255r1_rule | PowerShell script block logging must be enabled. | Not compliant | False |
| SV-88257r1_rule | The Windows Remote Management (WinRM) client must not use Basic authentication. | Not compliant | False |
| SV-88259r1_rule | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. | Not compliant | False |
| SV-88261r1_rule | The Windows Remote Management (WinRM) client must not use Digest authentication. | Not compliant | False |
| SV-88263r1_rule | The Windows Remote Management (WinRM) service must not use Basic authentication. | Not compliant | False |
| SV-88265r1_rule | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. | Not compliant | False |
| SV-88267r1_rule | The Windows Remote Management (WinRM) service must not store RunAs credentials. | Not compliant | False |
| SV-88285r1_rule | Local accounts with blank passwords must be restricted to prevent access from the network. | Compliant | True |
| SV-88287r1_rule | The built-in administrator account must be renamed. | Built-in Administrator account is not renamed. | False |
| SV-88289r1_rule | The built-in guest account must be renamed. | Not compliant | False |
| SV-88291r1_rule | Audit policy using subcategories must be enabled. | Not compliant | False |
| SV-88293r1_rule | Domain controllers must require LDAP access signing. | Not compliant | False |
| SV-88295r1_rule | Domain controllers must be configured to allow reset of machine account passwords. | Not compliant | False |
| SV-88297r1_rule | The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. | Compliant | True |
| SV-88299r1_rule | The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled. | Compliant | True |
| SV-88301r1_rule | The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. | Compliant | True |
| SV-88303r1_rule | The computer account password must not be prevented from being reset. | Compliant | True |
| SV-88305r1_rule | The maximum age for machine account passwords must be configured to 30 days or less. | Compliant | True |
| SV-88307r1_rule | Windows Server 2016 must be configured to require a strong session key. | Compliant | True |
| SV-88309r1_rule | The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver. | Compliant | True |
| SV-88311r1_rule | The required legal notice must be configured to display before console logon. | Not compliant | False |
| SV-88313r1_rule | The Windows dialog box title for the legal banner must be configured with the appropriate text. | Not compliant | False |
| SV-88315r1_rule | Caching of logon credentials must be limited. | Compliant | True |
| SV-88317r1_rule | The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. | Not compliant | False |
| SV-88319r1_rule | The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. | Compliant | True |
| SV-88321r1_rule | Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. | Compliant | True |
| SV-88323r1_rule | The amount of idle time required before suspending a session must be configured to 15 minutes or less. | Compliant | True |
| SV-88325r1_rule | The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. | Not compliant | False |
| SV-88327r1_rule | The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. | Not compliant | False |
| SV-88329r1_rule | Anonymous SID/Name translation must not be allowed. | Compliant | True |
| SV-88331r1_rule | Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed. | Compliant | True |
| SV-88333r1_rule | Anonymous enumeration of shares must not be allowed. | Not compliant | False |
| SV-88335r1_rule | Windows Server 2016 must be configured to prevent the storage of passwords and credentials. | Not compliant | False |
| SV-88337r1_rule | Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group. | Compliant | True |
| SV-88339r1_rule | Anonymous access to Named Pipes and Shares must be restricted. | Compliant | True |
| SV-88341r1_rule | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. | Not compliant | False |
| SV-88343r1_rule | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. | Not compliant | False |
| SV-88345r1_rule | NTLM must be prevented from falling back to a Null session. | Not compliant | False |
| SV-88347r1_rule | PKU2U authentication using online identities must be prevented. | Not compliant | False |
| SV-88349r1_rule | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Not compliant | False |
| SV-88351r1_rule | Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords. | Compliant | True |
| SV-88353r1_rule | Windows Server 2016 must be configured to force users to log off when their allowed logon hours expire. | Not compliant | False |
| SV-88355r1_rule | The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM. | Not compliant | False |
| SV-88357r1_rule | Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing. | Compliant | True |
| SV-88359r1_rule | Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. | Not compliant | False |
| SV-88361r1_rule | Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. | Not compliant | False |
| SV-88363r1_rule | Users must be required to enter a password to access private keys stored on the computer. | Not compliant | False |
| SV-88365r1_rule | Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | Not compliant | False |
| SV-88367r1_rule | Windows Server 2016 must be configured to require case insensitivity for non-Windows subsystems. | Compliant | True |
| SV-88369r1_rule | The default permissions of global system objects must be strengthened. | Compliant | True |
| SV-88371r1_rule | User Account Control approval mode for the built-in Administrator must be enabled. | Not compliant | False |
| SV-88373r1_rule | UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. | Compliant | True |
| SV-88375r1_rule | User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. | Not compliant | False |
| SV-88377r1_rule | User Account Control must automatically deny standard user requests for elevation. | Not compliant | False |
| SV-88379r1_rule | User Account Control must be configured to detect application installations and prompt for elevation. | Compliant | True |
| SV-88381r1_rule | User Account Control must only elevate UIAccess applications that are installed in secure locations. | Compliant | True |
| SV-88383r1_rule | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. | Compliant | True |
| SV-88385r1_rule | User Account Control must virtualize file and registry write failures to per-user locations. | Compliant | True |
| SV-88387r1_rule | A screen saver must be enabled on the system. | Not compliant | False |
| SV-88389r1_rule | The screen saver must be password protected. | Not compliant | False |
| SV-88391r1_rule | Zone information must be preserved when saving attachments. | Not compliant | False |
| SV-88393r1_rule | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | Not compliant | False |
| SV-88397r1_rule | The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers. | Not compliant | False |
| SV-88399r1_rule | The Act as part of the operating system user right must not be assigned to any groups or accounts. | Not compliant | False |
| SV-88403r1_rule | The Allow log on locally user right must only be assigned to the Administrators group. | Not compliant | False |
| SV-88407r1_rule | The Back up files and directories user right must only be assigned to the Administrators group. | Not compliant | False |
| SV-88409r1_rule | The Create a pagefile user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88411r1_rule | The Create a token object user right must not be assigned to any groups or accounts. | Not compliant | False |
| SV-88413r1_rule | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Compliant | True |
| SV-88415r1_rule | The Create permanent shared objects user right must not be assigned to any groups or accounts. | Not compliant | False |
| SV-88417r1_rule | The Create symbolic links user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88419r1_rule | The Debug programs user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88423r1_rule | The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems. | Not compliant | False |
| SV-88427r1_rule | The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. | Not compliant | False |
| SV-88431r1_rule | The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right. | Not compliant | False |
| SV-88435r1_rule | The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems. | Not compliant | False |
| SV-88439r1_rule | The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems. | Not compliant | False |
| SV-88443r1_rule | The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers. | Not compliant | False |
| SV-88445r1_rule | The Force shutdown from a remote system user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88447r1_rule | The Generate security audits user right must only be assigned to Local Service and Network Service. | Not compliant | False |
| SV-88449r1_rule | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Not compliant | False |
| SV-88451r1_rule | The Increase scheduling priority user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88453r1_rule | The Load and unload device drivers user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88455r1_rule | The Lock pages in memory user right must not be assigned to any groups or accounts. | Not compliant | False |
| SV-88457r1_rule | The Manage auditing and security log user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88459r1_rule | The Modify firmware environment values user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88461r1_rule | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88463r1_rule | The Profile single process user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88465r1_rule | The Restore files and directories user right must only be assigned to the Administrators group. | Not compliant | False |
| SV-88467r1_rule | The Take ownership of files or other objects user right must only be assigned to the Administrators group. | Compliant | True |
| SV-88473r1_rule | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Not compliant | False |
| SV-88475r1_rule | The built-in guest account must be disabled. | Compliant | True |
| Id | Task | Message | Audit |
|---|---|---|---|
| CIS 17.1.1 | Credential Validation is set to Success and Failure | Success | False |
| CIS 17.2.1 | Application Group Management is set to Success and Failure | No Auditing | False |
| CIS 17.2.2 | Computer Account Management is set to Success and Failure | Success | False |
| CIS 17.2.4 | Other Account Management Events is set to Success and Failure | No Auditing | False |
| CIS 17.2.5 | Security Group Management is set to Success and Failure | Success | False |
| CIS 17.2.5 | User Account Management is set to Success and Failure | Success | False |
| CIS 17.3.1 | Plug and Play Events is set to Success | No Auditing | False |
| CIS 17.3.2 | Process Creation is set to Success | No Auditing | False |
| CIS 17.5.1 | Account Lockout is set to Success and Failure | Success | False |
| CIS 17.5.2 | Group Membership is set to Success | No Auditing | False |
| CIS 17.5.3 | Logoff is set to Success | Compliant | True |
| CIS 17.5.4 | Logon is set to Success and Failure | Compliant | True |
| CIS 17.5.5 | Other Logon/Logoff Events is set to Success and Failure | No Auditing | False |
| CIS 17.5.6 | Special Logon is set to Success | Compliant | True |
| CIS 17.6.1 | Removable Storage is set to Success and Failure | No Auditing | False |
| CIS 17.7.1 | Audit Policy Change is set to Success and Failure | Success | False |
| CIS 17.7.2 | Authentication Policy Change is set to Success | Compliant | True |
| CIS 17.7.3 | Authorization Policy Change is set to Success | No Auditing | False |
| CIS 17.8.1 | Sensitive Privilege Use is set to Success and Failure | No Auditing | False |
| CIS 17.9.1 | IPsec Driver is set to Success and Failure | No Auditing | False |
| CIS 17.9.2 | Other System Events is set to Success and Failure | Compliant | True |
| CIS 17.9.3 | Security State Change is set to Success | Compliant | True |
| CIS 17.9.4 | Security System Extension is set to Success and Failure | No Auditing | False |
| CIS 17.9.5 | System Integrity is set to Success and Failure | Compliant | True |