PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

EventSentry

Validation Scripts

Scripts

90

Tag

cmmc


Accounts: Administrator accounts must not be enumerated during elevation
f3afb7e7-d38a-42f2-8290-56da3b445913
Accounts: Automatic logons must be disabled
5db60bfa-0318-430e-ab7e-c2ff3e749ae9
Accounts: Deny log on locally user right must be configured to prevent access from highly privileged domain accounts
fd44a45e-ef9e-4c54-bebf-22bba68a185c
Accounts: Local Admin accounts must have their privileged token filtered to prevent elevated privileges used over the network
e4710a99-9bc1-4e34-80ad-5d2f84f57732
Accounts: Local Guest account should be disabled
538d811a-0a0a-4336-8294-63bc2c092ebb
Accounts: Local accounts with blank passwords must be restricted to prevent access from the network
3ef29cdc-8018-48a9-b210-13e18cf14d07
Accounts: Lockout duration must be configured to 15 minutes or greater
d9b675fb-1bb2-4ff3-88ea-0e74ab40e2a7
Accounts: Must have the built-in Windows password complexity policy enabled
be6a2756-21d7-452c-b0a1-e6032f14f422
Accounts: Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater
56655e04-3824-4810-9be4-aaa6e1c1c2ac
Accounts: Must require passwords
00279417-0255-4ff4-8b5c-dbb7866085e2
Accounts: Reversible password encryption must be disabled
71ebd815-0ca9-44c9-b7b8-c96e155e7afb
Accounts: The number of allowed bad logon attempts must be configured to three or less
409871a1-6b58-45ab-9dfd-8b40e948ecd2
Accounts: User Account Control (UAC) must automatically deny standard user requests for elevation
2a28f305-e508-40e1-80e4-e7702143703b
Accounts: User Account Control (UAC) must be configured to detect application installations and prompt for elevation
ed5ca948-5cbf-431d-a5da-39d02bd64c48
Accounts: Users must be prompted to authenticate when the system wakes from sleep (on battery)
ef3c9259-d0d3-434a-8e7c-ab945deaa3f0
Accounts: Users must be prompted to authenticate when the system wakes from sleep (plugged in)
bf4a43bc-9605-4596-a562-5e4073fe21d5
Accounts: Users must be required to enter a password to access private keys stored on the computer
c9946229-3c27-4eb5-ae8f-6f777a9ad637
Auditing: Command line data must be included in process creation events
c787dcd2-355b-4ff5-8265-3eb860f11670
Auditing: Event Log / Viewer must be protected from unauthorized modification and deletion
09651036-eca5-4f3a-83fb-0ff12719b201
Auditing: Event Log size for Application log must be at least 32768 KB
b38cea25-93f2-42d7-ac5f-f2c1e93f974a
Auditing: Event Log size for Security log must be at least 196608 KB
f9befa07-2636-4c53-a43f-db2035b9cdff
Auditing: Event Log size for System log must be at least 32768 KB
4decda12-e17d-45d8-bb5e-53f26706acbf
Auditing: Must force audit policy subcategory settings to override audit policy category settings
9929dbd2-a4fb-40ea-9a2d-8a1db39a5729
Auditing: Permissions for the Security event log must prevent access by non-privileged accounts
f67457c3-6d39-425d-9831-b5e44eaf7d6f
Auditing: Permissions for the System event log must prevent access by non-privileged accounts
31096f12-75ea-425b-b416-f0c0b87dc6ff
Auditing: Removable Storage
af074caf-14a4-41f5-9ebd-e2214dc48240
Autoplay: Should be disabled for all drives
2cb75d59-8ef3-4fa3-90e1-8bec9e51c703
Autorun: behavior must be configured to prevent Autorun commands
746184bf-3f96-4365-8bb4-c7abf8a772ac
Compliance: BitLocker should be configured in FIPS mode
330f6517-5c88-4086-b456-d3026307c001
Compliance: BitLocker should use AES 256 encryption
77de846e-473b-4c4d-8d70-85d27342fc45
Debug Programs: User right must only be assigned to the Administrators group
76794e3a-d350-45a6-adf9-a4a9708271f9
Domain Controller: Must be configured to allow reset of machine account passwords
4d599278-5660-4513-abe4-715f546475bb
Domain Controller: Must require LDAP access signing
9e1e28ee-d597-49db-b33d-cfee0ba15c69
Domain Controller: Permissions on the Active Directory data files must only allow System and Administrators access
1bb127e7-c293-41f4-a937-c9c76d35cb8a
Domain Controller: SYSVOL directory must have proper access control permissions
15074903-9e8a-4d2f-b6d4-4e5ab30e64d7
Domain Controller: The password for the krbtgt account on a domain must be reset at least every 180 days
18ef977d-1c89-4ea7-ac53-0438873cb1db
Domain Controllers: Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access
8d9748ad-695f-489e-bf31-4d1e8e397a7b
Domain Member: Must be running Credential Guard on domain-joined members
52b8eaca-e97b-4b7b-bda8-2f67dd947dbc
Domain Member: Caching of logon credentials must be limited
a256ebbf-e5b2-4b73-a375-6587c8d1b0ba
Domain Member: Digitally sign secure channel data (when possible) must be configured to Enabled
5ef4fc08-d231-41c5-95c2-1bb8abc26209
Domain Member: Local users on domain-joined member servers must not be enumerated
a115da09-58b1-40dd-85ca-6f6e4cac977d
Domain Member: must be configured to at least negotiate signing for LDAP client signing
5c9b1fb7-3d92-4d13-be5f-13d7894e50d0
Exchange Server: Build Version Check (Exchange Updated)
7772c56a-ec1f-43d5-b8ce-548359123060
File System: Local volumes must be formatted with NTFS
b6493fb9-ad83-494c-93e3-3dbfaeb9b303
File System: Windows must prevent Indexing of encrypted files
138956a4-8987-4f7f-b830-bf58e4ca7778
General: AntiVirus/Antimalware Status
6d48a68a-3e44-4a00-8d42-670e41c9942c
General: Downloading print driver packages over HTTP must be turned off
925b056c-6bae-4e27-aa19-f8d383455774
General: Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad
a9b5b413-0fc5-49c2-ab77-6761b329950c
General: Machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver
bf06c136-7223-41ac-8288-e0940126a884
General: Printing over HTTP must be turned off
21735bdc-fd91-44a8-beca-9a48b6c5e166
General: Windows Defender SmartScreen must be enabled (Desktop)
4d189e65-af8b-463f-95d1-3880b7c459ec
General: Windows Defender SmartScreen must be enabled (Server)
4595ee72-d404-4b45-aae4-102fefd1a165
General: Windows firewall status
1f229f09-4c15-4bfe-b9f7-ed63d03cd70e
Logon: Network selection UI must not be displayed
3476077b-5d03-4819-9ef0-213402f37eed
Network Access: Do not allow anonymous enumeration of Security Account Manager (SAM) accounts
752e0588-decf-451b-9fef-cc3235765d54
Network Access: Do not allow anonymous enumeration of shares
0d97c353-2198-4a09-a41b-9df3498067dc
Network Access: Insecure logons to an SMB server must be disabled
5b92eab1-8909-4598-8e4c-61eeb308c9f9
Network Access: LAN Manager authentication level must be configured to send NTLMv2 response only and refuse LM and NTLM
2718ea3f-5f25-4e6d-a693-3c426f14357f
Network Access: Microsoft network Client: Digitally sign communications (always) must be configured to Enabled
af452788-473f-4255-bb87-72b7390e187f
Network Access: Microsoft network Client: Digitally sign communications (if server agrees) must be configured to Enabled
a35d34f6-b9b1-4c82-8cac-31a7c4fdbc14
Network Access: Microsoft network Server: Digitally sign communications (always) must be configured to Enabled
707d1ae2-c6f2-46af-966d-d3559db69094
Network Access: Microsoft network Server: Digitally sign communications (if client agrees) must be configured to Enabled
189e99fb-1c5c-43ed-b044-4dcbccf3820f
Network Access: Must Have the Server Message Block (SMB) v1 protocol disabled on the SMB client
78c4c60a-a039-4a47-b614-3138d7bcfe4f
Network Access: Must be configured to prevent anonymous users from having the same permissions as the Everyone group
35f2c214-8c49-47cf-b324-9f7620f8dd16
Network Access: Must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
9a3ba1fc-6a60-4752-9827-152b821e5c0a
Network Access: Must prevent NTLM from falling back to a Null session
793452ad-d37f-461b-a270-cc4e0ea1c2a5
Network Access: Restrict anonymous access to Named Pipes and Shares
e7aa340c-ec27-4603-b780-851d94a0ecbf
Network Access: Services using Local System when reverting to NTLM authentication must use computer identity
0b49395c-beb5-480b-a1b8-1096622607a1
Network Access: Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers
9cce3400-f772-4b0c-8f12-11157e102f87
Network Access: Windows must not have the Server Message Block (SMB) v1 protocol installed
934a1499-9d7e-407b-86ab-9a58e10f4ed1
Network: Internet Protocol version 6 (IPv6) source routing must use highest protection level to prevent IP source routing
d5030382-fcd1-4d7c-88e3-f1defebc7cf0
Network: Simple TCP/IP Services must not be installed on the system
d0f0e951-4cca-4ca9-9b9e-e9e13e39ca99
Network: Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing
655d213f-bed4-43aa-9bbf-f4bf77a2defd
Passwords: Maximum Password Age
794aed82-0f0a-46e0-8135-204c50b12462
Passwords: Minimum Password Age
c3b194cc-701a-43f4-bd84-86caada64337
Passwords: Windows must be configured to prevent the storage of the LAN Manager hash of passwords
8fbc83d9-7409-41aa-bf3c-a2360a8d9749
Passwords: history must be configured to 24 passwords remembered
d0163b5f-23ab-4377-bc49-709e891a6b2b
Passwords: must be configured to expire
89d6a5d0-bc9a-4c29-9a58-3764c36677ab
Passwords: must, at a minimum, be 14 characters
e352dda0-c735-4b4e-ba26-097f5dbab32c
Remote Desktop Services: Must require secure Remote Procedure Call (RPC) communications
20a8c861-e142-4e51-bf82-b0ef8bd1343c
Remote Management: Unauthenticated RPC clients must be restricted from connecting to the RPC server
56db7e62-0a85-4531-9e71-97528bd04e43
Remote Management: Windows Remote Management (WinRM) client must not use Basic authentication
e4dd3ff4-f585-4e08-b91e-8bb3e02737c5
Remote Management: Windows Remote Management (WinRM) service must not use Basic authentication
4edbaac6-37f7-4a8f-a4d1-d5dd241d1c6d
Security: TLS/SSL Insecure Ciphers (SCHANNEL)
78fcd8a8-18af-49f4-8a64-bccb901e5557
Windows Installer: Disable -Always install with elevated privileges- option
a6d113ff-fd83-4631-84b3-f58e266b4976
Windows OS: Build Version Check (End Of Life)
07b6c273-cdb3-4a4d-889d-d1d54dc0eb5f
Windows OS: Build Version Check (OS Updated)
c7b058ab-6360-4b5d-9cd2-45eafef8c489
Windows OS: Data Execution Prevention (DEP) must be configured to at least OptOut
df8e6841-1dd4-42ce-b374-28f997e12b6d
Windows OS: Explorer Data Execution Prevention must be enabled
c4e3c7a1-5b63-407a-8eb9-c6a4b52b9f93
Windows OS: Windows Update must not obtain updates from other PCs on the internet
133e9e0a-de38-477b-a29c-3451f6c505ec
Full tag list
compliance-server (133) server (112) compliance-desktop (112) stig-medium-server (110) desktop (108) security-server (104) nist800-53-server (100) nist800-53-desktop (96) security-desktop (87) stig-medium-desktop (86) nist800-171-server (85) nist800-171-desktop (69) cmmc2-l2-server (64) cmmc2-l2-desktop (54) pci-dss-v4-server (37) cis-csc-server (37) cis-csc-desktop (33) bestpractice-desktop (30) pci-dss-v4-desktop (30) mitre-att-server (29) mitre-att-desktop (28) bestpractice-server (25) stig-high-desktop (22) cmmc2-l1-server (22) stig-high-server (21) cmmc2-l1-desktop (19) pci-dss-v3.2-server (18) domaincontroller (16) tisax (16) domainmember (16) pci-dss-v3.2-desktop (13) cmmc2-l3-server (12) sig-server (10) nist-privacy-server (10) threat-intel-server (9) threat-intel-desktop (8) sec-hardening-server (8) sec-hardening-desktop (8) cmmc2-l3-desktop (8) remote-desktop (7) health (7) nist-privacy-desktop (7) csa-cmm-server (7) privacy-server (6) privacy-desktop (6) owasptop-server (6) stig-low-desktop (6) stig-low-server (5) owasptop-desktop (5) stig-medium-ie (4) cce-desktop (3) cce-server (3) niap-server (3) niap-desktop (3) bestpractice-domaincontroller (3) fips140-2 (3) sig-desktop (3) msoffice (2) hyper-v (1) iis-stig-high (1) bitlocker-security-desktop (1) fedramp-server (1) fedramp-desktop (1) cjis-server (1) cjis-desktop (1) ul2900-1-server (1) ul2900-1-desktop (1) csf-server (1) csf-desktop (1) info-desktop (1) csa-cmm-desktop (1) exchange-security (1) domainmember-health (1) domaincontroller-health (1)

CMMC v2.0 Compliance STIG CIS NIST 800-171 Servers Desktops

Your Privacy Choices

Manage your cookie preferences below:

Helps us improve website performance and understand how visitors use our site.

Allows us to collect feedback about our products and improve them based on your input.

To learn more about our use of cookies, please see our
Privacy Policy.