PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

EventSentry

Validation Scripts

Scripts

133

Tag

cmmc2-l2-server


Accounts: Administrator accounts must not be enumerated during elevation
f3afb7e7-d38a-42f2-8290-56da3b445913
Accounts: Local Admin accounts must have their privileged token filtered to prevent elevated privileges used over the network
e4710a99-9bc1-4e34-80ad-5d2f84f57732
Accounts: Local accounts with blank passwords must be restricted to prevent access from the network
3ef29cdc-8018-48a9-b210-13e18cf14d07
Accounts: Lockout duration must be configured to 15 minutes or greater
d9b675fb-1bb2-4ff3-88ea-0e74ab40e2a7
Accounts: Must have the built-in Windows password complexity policy enabled
be6a2756-21d7-452c-b0a1-e6032f14f422
Accounts: Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater
56655e04-3824-4810-9be4-aaa6e1c1c2ac
Accounts: Must require passwords
00279417-0255-4ff4-8b5c-dbb7866085e2
Accounts: Reversible password encryption must be disabled
71ebd815-0ca9-44c9-b7b8-c96e155e7afb
Accounts: The number of allowed bad logon attempts must be configured to three or less
409871a1-6b58-45ab-9dfd-8b40e948ecd2
Accounts: User Account Control (UAC) must be configured to detect application installations and prompt for elevation
ed5ca948-5cbf-431d-a5da-39d02bd64c48
Accounts: Users must be prompted to authenticate when the system wakes from sleep (on battery)
ef3c9259-d0d3-434a-8e7c-ab945deaa3f0
Accounts: Users must be prompted to authenticate when the system wakes from sleep (plugged in)
bf4a43bc-9605-4596-a562-5e4073fe21d5
Auditing: Command line data must be included in process creation events
c787dcd2-355b-4ff5-8265-3eb860f11670
Auditing: Event Log / Viewer must be protected from unauthorized modification and deletion
09651036-eca5-4f3a-83fb-0ff12719b201
Auditing: Event Log size for Application log must be at least 32768 KB
b38cea25-93f2-42d7-ac5f-f2c1e93f974a
Auditing: Event Log size for Security log must be at least 196608 KB
f9befa07-2636-4c53-a43f-db2035b9cdff
Auditing: Event Log size for System log must be at least 32768 KB
4decda12-e17d-45d8-bb5e-53f26706acbf
Auditing: Must force audit policy subcategory settings to override audit policy category settings
9929dbd2-a4fb-40ea-9a2d-8a1db39a5729
Auditing: System must be configured to audit Account Logon - Credential Validation failures
20d10fd0-520a-4b7e-b915-5e2e6649cf99
Auditing: System must be configured to audit Account Logon - Credential Validation successes
82478e12-7206-4b9c-8a68-2ccb6e3fe144
Auditing: System must be configured to audit Account Management - Computer Account Management successes
980236d7-5ee7-436d-83ce-5504b366d913
Auditing: System must be configured to audit Account Management - Other Account Management Events successes
b0fb3bb1-4400-4a94-bea1-8d64d4b170b3
Auditing: System must be configured to audit Account Management - Security Group Management successes
43fd3c2b-daf3-4408-8a5b-d04a79bd3bd4
Auditing: System must be configured to audit Account Management - User Account Management failures
d3e3b256-80cd-4f3a-bd46-487cda3513f2
Auditing: System must be configured to audit Account Management - User Account Management successes
b7a6152d-607d-424f-a0d1-78000be3512a
Auditing: System must be configured to audit DS Access - Directory Service Access failures
2b1b0887-d05b-4ac8-9a4d-622cf9938026
Auditing: System must be configured to audit DS Access - Directory Service Access successes
f9e3c6de-5fe8-4139-9f82-a92cf3ef8b33
Auditing: System must be configured to audit DS Access - Directory Service Changes successes
36178a14-eb8f-4e76-b554-c694324ae9de
Auditing: System must be configured to audit Detailed Tracking - Plug and Play Events successes
f5278646-f9f7-41df-b807-b1fd1c57cdfa
Auditing: System must be configured to audit Detailed Tracking - Process Creation successes
952d2e45-3b08-4224-bc01-6e35aeb38557
Auditing: System must be configured to audit Logon/Logoff - Group Membership successes
52b16e39-5909-4145-a76d-8fa0fc554dab
Auditing: System must be configured to audit Logon/Logoff - Special Logon successes
0a6702c1-b417-4100-b6af-8ee48a5d2f23
Auditing: System must be configured to audit Object Access - Other Object Access Events failures
8110968d-1cd4-430b-909e-52a487b78106
Auditing: System must be configured to audit Object Access - Other Object Access Events successes
81abf498-85f9-4536-a8c4-f6d26fe5f26f
Auditing: System must be configured to audit Object Access - Removable Storage failures
352b582c-c55c-4d71-9a19-4c9448d1c96d
Auditing: System must be configured to audit Object Access - Removable Storage successes
af074caf-14a4-41f5-9ebd-e2214dc48240
Auditing: System must be configured to audit Policy Change - Audit Policy Change failures
d7a89b74-da6a-4b5b-a3f7-1ead34cbc837
Auditing: System must be configured to audit Policy Change - Audit Policy Change successes
23e1491c-ff4e-45b1-be08-fe8c2a6209da
Auditing: System must be configured to audit Policy Change - Authentication Policy Change successes
48e1aa69-0cc4-44e2-8f00-8db93be2cdc1
Auditing: System must be configured to audit Policy Change - Authorization Policy Change successes
7338cb96-3198-4665-8c6e-755e05005b58
Auditing: System must be configured to audit Privilege Use - Sensitive Privilege Use failures
9345b515-8295-47a6-a353-fcdc72ff45ea
Auditing: System must be configured to audit Privilege Use - Sensitive Privilege Use successes
cc84129b-345b-4e6d-91d4-39bc1e8ee328
Auditing: System must be configured to audit System - Other System Events failures
501bae98-8af9-4dd4-b71e-30fc202958d5
Auditing: System must be configured to audit System - Other System Events successes
ffcd14a5-06ae-44e3-846b-c0661de732a6
Auditing: System must be configured to audit System - Security State Change successes
38e08d5e-0bc4-41e9-aec3-d30e8b243af6
Auditing: System must be configured to audit System - Security System Extension successes
cac02598-d29e-489c-afe0-8349bd676bf6
Auditing: System must be configured to audit System - System Integrity failures
0634f6e9-e443-4576-b0a2-e7013116b350
Auditing: System must be configured to audit System - System Integrity successes
14903b11-6904-4913-a981-5f3422dafaa4
Auditing: System must be configured to audit logoff successes
282bb2eb-115f-483f-85fb-637124552335
Auditing: System must be configured to audit logon failures
b052b9fc-5f3e-45e6-94f6-e0823790f14c
Auditing: System must be configured to audit logon successes
d46bf70a-28b8-489a-bb63-b549d576fc4f
Auditing: Windows must be configured to audit Logon/Logoff - Account Lockout Failures
bdab6cee-183b-4d5c-a916-853606d1a192
Auditing: Windows must be configured to audit System - IPsec Driver failures
2189409b-e597-47c5-a781-728c637258ae
Auditing: Windows must be configured to audit System - IPsec Driver successes
b67f6feb-ff6f-4e4c-a9d4-1d6cc8fd3fbd
Autoplay: Should be disabled for all drives
2cb75d59-8ef3-4fa3-90e1-8bec9e51c703
Compliance: BitLocker should use AES 256 encryption
77de846e-473b-4c4d-8d70-85d27342fc45
Debug Programs: User right must only be assigned to the Administrators group
76794e3a-d350-45a6-adf9-a4a9708271f9
Domain Controller: Add workstations to domain user right must only be assigned to the Administrators group on domain controllers
e88ec1dd-3e44-424f-930e-fde45ff8192b
Domain Controller: Allow log on through RD Services user right must only be assigned to the Adminis group
2d18c798-214a-4d1a-bbcc-282823e624a9
Domain Controller: Computer clock synchronization tolerance must be limited to five minutes or less
7b0ab870-00dd-4b1a-ac97-c297ae40215e
Domain Controller: Deny access to this computer from the network user right on DC must be configured to prevent unauth access
80a51e10-6e8d-4c26-9493-d3a41e531df0
Domain Controller: Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less
dd26607b-dc40-4958-9506-1bda6ee1de47
Domain Controller: Kerberos service ticket maximum lifetime must be limited to 600 minutes or less
62124d83-b9c6-4b9b-a580-eafd2c103cef
Domain Controller: Kerberos user logon restrictions must be enforced
4ba38a42-507b-4cf9-842d-d8ea09801e59
Domain Controller: Kerberos user ticket lifetime must be limited to 10 hours or less
b3bcdbc8-dfe2-4660-92f6-390d677ffb38
Domain Controller: Must be configured to allow reset of machine account passwords
4d599278-5660-4513-abe4-715f546475bb
Domain Controller: Must require LDAP access signing
9e1e28ee-d597-49db-b33d-cfee0ba15c69
Domain Controller: Network access must be limited to Admins, Authenticated Users, and Enterprise Domain Controllers
8963a7ff-817a-456e-9e65-fc6ecc10147e
Domain Controller: Permissions on the Active Directory data files must only allow System and Administrators access
1bb127e7-c293-41f4-a937-c9c76d35cb8a
Domain Controller: System must be configured for certificate-based authentication for domain controllers
7b08353a-c241-4eb7-b1fd-872b7cf5528e
Domain Controller: The password for the krbtgt account on a domain must be reset at least every 180 days
18ef977d-1c89-4ea7-ac53-0438873cb1db
Domain Member: Must be running Credential Guard on domain-joined members
52b8eaca-e97b-4b7b-bda8-2f67dd947dbc
Domain Member: Digitally encrypt or sign secure channel data (always) must be set to Enabled
8d6589f4-20fe-4018-bc26-7891353eac40
Domain Member: Digitally encrypt secure channel data (when possible) must be set to Enabled
9a6ea78e-a170-4015-9193-666f003f74f4
Domain Member: Digitally sign secure channel data (when possible) must be set to Enabled
5ef4fc08-d231-41c5-95c2-1bb8abc26209
Domain Member: Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use
b7074672-cbee-4409-a64a-9b03894fcf2f
Domain Member: Local users on domain-joined member servers must not be enumerated
a115da09-58b1-40dd-85ca-6f6e4cac977d
Domain Member: Maximum age for machine account passwords must be configured to 30 days or less
ad52728e-be9b-4ab7-b329-5b11001e42de
Domain Member: must be configured to at least negotiate signing for LDAP client signing
5c9b1fb7-3d92-4d13-be5f-13d7894e50d0
File System: Turning off File Explorer heap termination on corruption must be disabled
c7d4943e-c832-42d8-9b4b-423fb7c7dd37
File System: Windows must prevent Indexing of encrypted files
138956a4-8987-4f7f-b830-bf58e4ca7778
General: Downloading print driver packages over HTTP must be turned off
925b056c-6bae-4e27-aa19-f8d383455774
General: Machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver
bf06c136-7223-41ac-8288-e0940126a884
General: Printing over HTTP must be turned off
21735bdc-fd91-44a8-beca-9a48b6c5e166
General: Windows must prevent the display of slide shows on the lock screen
f63c8b4d-8b8d-4327-8c5a-5bc64bf7245c
Internet Browser: Basic authentication for RSS feeds over HTTP must not be used
a140d78e-249b-4c39-9d82-f54aeef02be0
Logon: Network selection UI must not be displayed
3476077b-5d03-4819-9ef0-213402f37eed
Logon: Smart Card removal option must be configured to Force Logoff or Lock Workstation
1cf17a56-a4f1-419e-9a3a-295b06486df5
Logon: Title for legal banner dialog box must be configured with the appropriate text
dbb83450-8da5-4977-9e2c-d87307f92015
Network Access: Do not allow anonymous enumeration of Security Account Manager (SAM) accounts
752e0588-decf-451b-9fef-cc3235765d54
Network Access: Do not allow anonymous enumeration of shares
0d97c353-2198-4a09-a41b-9df3498067dc
Network Access: Insecure logons to an SMB server must be disabled
5b92eab1-8909-4598-8e4c-61eeb308c9f9
Network Access: LAN Manager authentication level must be configured to send NTLMv2 response only and refuse LM and NTLM
2718ea3f-5f25-4e6d-a693-3c426f14357f
Network Access: Microsoft network Client: Digitally sign communications (always) must be configured to Enabled
af452788-473f-4255-bb87-72b7390e187f
Network Access: Microsoft network Client: Digitally sign communications (if server agrees) must be configured to Enabled
a35d34f6-b9b1-4c82-8cac-31a7c4fdbc14
Network Access: Microsoft network Server: Digitally sign communications (always) must be configured to Enabled
707d1ae2-c6f2-46af-966d-d3559db69094
Network Access: Microsoft network Server: Digitally sign communications (if client agrees) must be configured to Enabled
189e99fb-1c5c-43ed-b044-4dcbccf3820f
Network Access: Must Have the Server Message Block (SMB) v1 protocol disabled on the SMB client
78c4c60a-a039-4a47-b614-3138d7bcfe4f
Network Access: Must be configured to prevent anonymous users from having the same permissions as the Everyone group
35f2c214-8c49-47cf-b324-9f7620f8dd16
Network Access: Must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
9a3ba1fc-6a60-4752-9827-152b821e5c0a
Network Access: Must prevent NTLM from falling back to a Null session
793452ad-d37f-461b-a270-cc4e0ea1c2a5
Network Access: Services using Local System when reverting to NTLM authentication must use computer identity
0b49395c-beb5-480b-a1b8-1096622607a1
Network Access: System must be configured to require a strong session key
4332cad0-613a-47fb-ba71-a0ad576651b5
Network Access: System must not allow anonymous SID/Name translation
d31fa8ca-fc90-4361-9438-6a070d064974
Network Access: System must prevent PKU2U authentication using online identities
62385837-ef10-43ae-b1db-590f32a082c8
Network Access: Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers
9cce3400-f772-4b0c-8f12-11157e102f87
Network Access: Windows must not have the Server Message Block (SMB) v1 protocol installed
934a1499-9d7e-407b-86ab-9a58e10f4ed1
Network: Internet Protocol version 6 (IPv6) source routing must use highest protection level to prevent IP source routing
d5030382-fcd1-4d7c-88e3-f1defebc7cf0
Network: Simple TCP/IP Services must not be installed on the system
d0f0e951-4cca-4ca9-9b9e-e9e13e39ca99
Network: Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing
655d213f-bed4-43aa-9bbf-f4bf77a2defd
Network: System be configured to prevent ICMP redirects from overriding Open Shortest Path First (OSPF)-generated
20d9022d-7c47-4bd5-9748-c910f27509d0
Network: System must be configured to ignore NetBIOS name release requests except from WINS servers
26cbf73b-1296-4dfa-bad1-8d0d4c9a2954
Passwords: Maximum Password Age
794aed82-0f0a-46e0-8135-204c50b12462
Passwords: Windows must be configured to prevent the storage of the LAN Manager hash of passwords
8fbc83d9-7409-41aa-bf3c-a2360a8d9749
Passwords: must be configured to expire
89d6a5d0-bc9a-4c29-9a58-3764c36677ab
Privacy: Windows Telemetry must not be set to Full
0001b667-c79a-4486-802c-32d860cae99e
Remote Desktop: Must require secure Remote Procedure Call (RPC) communications
20a8c861-e142-4e51-bf82-b0ef8bd1343c
Remote Management: Unauthenticated RPC clients must be restricted from connecting to the RPC server
56db7e62-0a85-4531-9e71-97528bd04e43
Remote Management: Windows Remote Management (WinRM) client must not use Basic authentication
e4dd3ff4-f585-4e08-b91e-8bb3e02737c5
Remote Management: Windows Remote Management (WinRM) service must not use Basic authentication
4edbaac6-37f7-4a8f-a4d1-d5dd241d1c6d
Security: Access this computer from the network must be limited to Admins and Authenticated Users
961bf729-aa12-43fa-ab18-cd299df655b7
Security: Act as part of the operating system user right must not be assigned to any groups or accounts
5d1e7771-206b-47d5-b12c-287ccd360164
Security: Create a token object user right must not be assigned to any groups or accounts
95b6abcc-8651-42e0-83e8-1397a9df5442
Security: System default permissions of global system objects must be strengthened
5e582017-d8f1-44dd-8d33-24a7d8ef496e
Security: System must have orphaned security identifiers (SIDs) removed from user rights
2b73adc9-8ed0-41c7-8ffe-30e59930865f
Security: System must preserve zone information when saving attachments
3e0b99c8-17de-4faa-8330-9b82090603ff
Windows Installer: Disable -Always install with elevated privileges- option
a6d113ff-fd83-4631-84b3-f58e266b4976
Windows OS: Explorer Data Execution Prevention must be enabled
c4e3c7a1-5b63-407a-8eb9-c6a4b52b9f93
Windows OS: Must not have the Fax Server role installed
f5e7d547-a431-4a6e-b4bd-b95e6e8cac99
Windows OS: Must not have the Microsoft FTP service installed
b9695d6b-88c2-41e6-9fd9-611790f33f59
Windows OS: Must not have the Peer Name Resolution Protocol installed
58ca06da-2c01-47dc-8d37-ff0afe984eed
Windows OS: Must not have the TFTP Client Installed
a5eca000-8a44-410e-ab8d-9f7eeae34216
Windows OS: Must not have the Telnet Client Installed
8fbc28fc-2d54-4b3c-af3f-9ec8d62e959b
Full tag list
nist800-53-server (177) stig-medium-server (173) nist800-171-server (150) nist800-53-desktop (149) cmmc2-l2-server (135) stig-medium-desktop (128) security-server (121) nist800-171-desktop (108) pci-dss-v4-server (104) cmmc2-l2-desktop (99) security-desktop (95) hipaa-server (69) pci-dss-v4-desktop (68) hipaa-desktop (45) bestpractice-desktop (39) cis-csc-server (38) bestpractice-server (35) cis-csc-desktop (34) mitre-att-server (32) mitre-att-desktop (30) cmmc2-l1-server (24) stig-high-desktop (22) stig-high-server (21) cmmc2-l1-desktop (21) pci-dss-v3.2-server (20) bestpractice-domaincontroller (17) tisax (16) cmmc2-l3-server (16) pci-dss-v3.2-desktop (15) threat-intel-server (13) cmmc2-l3-desktop (12) threat-intel-desktop (12) sec-hardening-desktop (10) sec-hardening-server (10) nist-privacy-server (10) sig-server (9) stig-low-desktop (8) health (8) csa-cmm-server (7) nist-privacy-desktop (7) stig-low-server (6) privacy-server (6) privacy-desktop (6) owasptop-server (6) owasptop-desktop (5) desktop (4) cce-server (4) cce-desktop (4) stig-medium-ie (4) sig-desktop (3) niap-desktop (3) fips140-2 (3) niap-server (3) msoffice (2) vm-guest-host (2) compliance-desktop (2) info-desktop (1) csa-cmm-desktop (1) server (1) domaincontroller-health (1) bitlocker-security-desktop (1) iis-stig-high (1) hyper-v (1) exchange-security (1)

CMMC v2.0 Compliance STIG CIS NIST 800-171 Servers Desktops

Your Privacy Choices

Manage your cookie preferences below:

Helps us improve website performance and understand how visitors use our site.

Allows us to collect feedback about our products and improve them based on your input.

To learn more about our use of cookies, please see our
Privacy Policy.