PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

EventSentry

Validation Scripts

Scripts

107

Tag

nist800-171-desktop


Accounts: Administrator accounts must not be enumerated during elevation
f3afb7e7-d38a-42f2-8290-56da3b445913
Accounts: Deny log on locally user right must be configured to prevent access from highly privileged domain accounts
fd44a45e-ef9e-4c54-bebf-22bba68a185c
Accounts: Enable computer and user accounts delegation user right not be assigned to any groups or accounts
64f28abd-921c-4d04-b2c0-f047d20d673e
Accounts: Local Guest account should be disabled
538d811a-0a0a-4336-8294-63bc2c092ebb
Accounts: Lockout duration must be configured to 15 minutes or greater
d9b675fb-1bb2-4ff3-88ea-0e74ab40e2a7
Accounts: Must disable automatically signing in the last interactive user after a system-initiated restart
30d230a9-ff8e-44a2-ac87-f35b77bff14a
Accounts: Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater
56655e04-3824-4810-9be4-aaa6e1c1c2ac
Accounts: Reversible password encryption must be disabled
71ebd815-0ca9-44c9-b7b8-c96e155e7afb
Accounts: The number of allowed bad logon attempts must be configured to three or less
409871a1-6b58-45ab-9dfd-8b40e948ecd2
Accounts: User Account Control (UAC) must be configured to detect application installations and prompt for elevation
ed5ca948-5cbf-431d-a5da-39d02bd64c48
Accounts: Users must be prompted to authenticate when the system wakes from sleep (on battery)
ef3c9259-d0d3-434a-8e7c-ab945deaa3f0
Accounts: Users must be prompted to authenticate when the system wakes from sleep (plugged in)
bf4a43bc-9605-4596-a562-5e4073fe21d5
Auditing: Command line data must be included in process creation events
c787dcd2-355b-4ff5-8265-3eb860f11670
Auditing: Event Log size for Application log must be at least 32768 KB
b38cea25-93f2-42d7-ac5f-f2c1e93f974a
Auditing: Event Log size for Security log must be at least 196608 KB
f9befa07-2636-4c53-a43f-db2035b9cdff
Auditing: Event Log size for System log must be at least 32768 KB
4decda12-e17d-45d8-bb5e-53f26706acbf
Auditing: System must be configured to audit Account Logon - Credential Validation failures
20d10fd0-520a-4b7e-b915-5e2e6649cf99
Auditing: System must be configured to audit Account Logon - Credential Validation successes
82478e12-7206-4b9c-8a68-2ccb6e3fe144
Auditing: System must be configured to audit Account Management - Security Group Management successes
43fd3c2b-daf3-4408-8a5b-d04a79bd3bd4
Auditing: System must be configured to audit Account Management - User Account Management failures
d3e3b256-80cd-4f3a-bd46-487cda3513f2
Auditing: System must be configured to audit Account Management - User Account Management successes
b7a6152d-607d-424f-a0d1-78000be3512a
Auditing: System must be configured to audit Detailed Tracking - Process Creation successes
952d2e45-3b08-4224-bc01-6e35aeb38557
Auditing: System must be configured to audit Logon/Logoff - Group Membership successes
52b16e39-5909-4145-a76d-8fa0fc554dab
Auditing: System must be configured to audit Logon/Logoff - Special Logon successes
0a6702c1-b417-4100-b6af-8ee48a5d2f23
Auditing: System must be configured to audit Object Access - Other Object Access Events failures
8110968d-1cd4-430b-909e-52a487b78106
Auditing: System must be configured to audit Object Access - Other Object Access Events successes
81abf498-85f9-4536-a8c4-f6d26fe5f26f
Auditing: System must be configured to audit Object Access - Removable Storage failures
352b582c-c55c-4d71-9a19-4c9448d1c96d
Auditing: System must be configured to audit Policy Change - Authentication Policy Change successes
48e1aa69-0cc4-44e2-8f00-8db93be2cdc1
Auditing: System must be configured to audit Policy Change - Authorization Policy Change successes
7338cb96-3198-4665-8c6e-755e05005b58
Auditing: System must be configured to audit System - System Integrity failures
0634f6e9-e443-4576-b0a2-e7013116b350
Auditing: System must be configured to audit System - System Integrity successes
14903b11-6904-4913-a981-5f3422dafaa4
Auditing: System must be configured to audit logoff successes
282bb2eb-115f-483f-85fb-637124552335
Auditing: System must be configured to audit logon failures
b052b9fc-5f3e-45e6-94f6-e0823790f14c
Auditing: System must be configured to audit logon successes
d46bf70a-28b8-489a-bb63-b549d576fc4f
Auditing: Windows must be configured to audit Logon/Logoff - Account Lockout Failures
bdab6cee-183b-4d5c-a916-853606d1a192
Autoplay: Should be disabled for all drives
2cb75d59-8ef3-4fa3-90e1-8bec9e51c703
Autorun: behavior must be configured to prevent Autorun commands
746184bf-3f96-4365-8bb4-c7abf8a772ac
Compliance: BitLocker should use AES 256 encryption
77de846e-473b-4c4d-8d70-85d27342fc45
Compliance: System must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing
330f6517-5c88-4086-b456-d3026307c001
Debug Programs: User right must only be assigned to the Administrators group
76794e3a-d350-45a6-adf9-a4a9708271f9
Domain Controllers: Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access
8d9748ad-695f-489e-bf31-4d1e8e397a7b
Domain Member: Must be running Credential Guard on domain-joined members
52b8eaca-e97b-4b7b-bda8-2f67dd947dbc
Domain Member: Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use
b7074672-cbee-4409-a64a-9b03894fcf2f
Domain Member: Group policy objects must be reprocessed even if they have not changed
0652c1f1-ca23-46d0-a60f-7f62281b866e
Domain Member: Local users on domain-joined member servers must not be enumerated
a115da09-58b1-40dd-85ca-6f6e4cac977d
Domain Member: Maximum age for machine account passwords must be configured to 30 days or less
ad52728e-be9b-4ab7-b329-5b11001e42de
Domain Member: must be configured to at least negotiate signing for LDAP client signing
5c9b1fb7-3d92-4d13-be5f-13d7894e50d0
Exploit Protection: Structured Exception Handling Overwrite Protection (SEHOP) must be enabled
d50f88d1-0103-4194-9add-21f3846dc0d2
FIPS 140: Security Requirements for Cryptographic Modules
b6109218-a32b-479a-8465-055340a1759c
File System: Local volumes must be formatted with NTFS
b6493fb9-ad83-494c-93e3-3dbfaeb9b303
File System: Turning off File Explorer heap termination on corruption must be disabled
c7d4943e-c832-42d8-9b4b-423fb7c7dd37
General: AntiVirus/Antimalware Status
6d48a68a-3e44-4a00-8d42-670e41c9942c
General: Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad
a9b5b413-0fc5-49c2-ab77-6761b329950c
General: Internet Information System (IIS) or its subcomponents must not be installed on a workstation
06778df5-6411-408f-9ea9-6637a3f5aab2
General: Machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver
bf06c136-7223-41ac-8288-e0940126a884
General: Solicited Remote Assistance must not be allowed
ac242343-8a24-414b-8615-7de95dffd90d
General: The Microsoft Defender SmartScreen for Explorer must be enabled (Desktop)
4d189e65-af8b-463f-95d1-3880b7c459ec
General: Windows firewall status
1f229f09-4c15-4bfe-b9f7-ed63d03cd70e
Internet Browser: Attachments must be prevented from being downloaded from RSS feeds
5ba4fbad-193e-4b62-8326-4bd0705112bd
Internet Browser: Basic authentication for RSS feeds over HTTP must not be used
a140d78e-249b-4c39-9d82-f54aeef02be0
Logon: Network selection UI must not be displayed
3476077b-5d03-4819-9ef0-213402f37eed
Logon: Required legal notice must be configured to display before console logon
80422550-1cbd-4710-adcc-957dec2da87d
Logon: Smart Card removal option must be configured to Force Logoff or Lock Workstation
1cf17a56-a4f1-419e-9a3a-295b06486df5
Logon: Title for legal banner dialog box must be configured with the appropriate text
dbb83450-8da5-4977-9e2c-d87307f92015
Network Access: Do not allow anonymous enumeration of Security Account Manager (SAM) accounts
752e0588-decf-451b-9fef-cc3235765d54
Network Access: Do not allow anonymous enumeration of shares
0d97c353-2198-4a09-a41b-9df3498067dc
Network Access: Insecure logons to an SMB server must be disabled
5b92eab1-8909-4598-8e4c-61eeb308c9f9
Network Access: LAN Manager authentication level must be configured to send NTLMv2 response only and refuse LM and NTLM
2718ea3f-5f25-4e6d-a693-3c426f14357f
Network Access: Must Have the Server Message Block (SMB) v1 protocol disabled on the SMB client
78c4c60a-a039-4a47-b614-3138d7bcfe4f
Network Access: Must be configured to prevent anonymous users from having the same permissions as the Everyone group
35f2c214-8c49-47cf-b324-9f7620f8dd16
Network Access: Must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
9a3ba1fc-6a60-4752-9827-152b821e5c0a
Network Access: Must prevent NTLM from falling back to a Null session
793452ad-d37f-461b-a270-cc4e0ea1c2a5
Network Access: Restrict anonymous access to Named Pipes and Shares
e7aa340c-ec27-4603-b780-851d94a0ecbf
Network Access: Services using Local System when reverting to NTLM authentication must use computer identity
0b49395c-beb5-480b-a1b8-1096622607a1
Network Access: System must not allow anonymous SID/Name translation
d31fa8ca-fc90-4361-9438-6a070d064974
Network Access: System must prevent PKU2U authentication using online identities
62385837-ef10-43ae-b1db-590f32a082c8
Network: Internet Protocol version 6 (IPv6) source routing must use highest protection level to prevent IP source routing
d5030382-fcd1-4d7c-88e3-f1defebc7cf0
Network: Simple TCP/IP Services must not be installed on the system
d0f0e951-4cca-4ca9-9b9e-e9e13e39ca99
Network: System be configured to prevent ICMP redirects from overriding Open Shortest Path First (OSPF)-generated
20d9022d-7c47-4bd5-9748-c910f27509d0
Network: System must be configured to ignore NetBIOS name release requests except from WINS servers
26cbf73b-1296-4dfa-bad1-8d0d4c9a2954
Passwords: Maximum Password Age
794aed82-0f0a-46e0-8135-204c50b12462
Passwords: Minimum Password Age
c3b194cc-701a-43f4-bd84-86caada64337
Passwords: Windows must be configured to prevent the storage of the LAN Manager hash of passwords
8fbc83d9-7409-41aa-bf3c-a2360a8d9749
Passwords: history must be configured to 24 passwords remembered
d0163b5f-23ab-4377-bc49-709e891a6b2b
Passwords: must be configured to expire
89d6a5d0-bc9a-4c29-9a58-3764c36677ab
Passwords: must, at a minimum, be 14 characters
e352dda0-c735-4b4e-ba26-097f5dbab32c
PowerShell: v2 should not be installed / enabled
f69ae077-386f-4543-9036-30e5b3377f62
Privacy: Windows Telemetry must not be set to Full
0001b667-c79a-4486-802c-32d860cae99e
Remote Desktop: Access this computer from the network user right must only be assigned to the Admins and RD Users groups
81b2dce5-a703-4bc0-a9e8-a8f59959c1e1
Remote Desktop: Idle session time limit
a06670b6-460f-45ae-93ef-02d41f52d45e
Remote Management: Windows Remote Management (WinRM) client must not use Basic authentication
e4dd3ff4-f585-4e08-b91e-8bb3e02737c5
Remote Management: Windows Remote Management (WinRM) client must not use Digest authentication
1a0eb6a5-9009-4dc3-b12f-bed65052c49d
Remote Management: Windows Remote Management (WinRM) service must not use Basic authentication
4edbaac6-37f7-4a8f-a4d1-d5dd241d1c6d
Security: Act as part of the operating system user right must not be assigned to any groups or accounts
5d1e7771-206b-47d5-b12c-287ccd360164
Security: Create a token object user right must not be assigned to any groups or accounts
95b6abcc-8651-42e0-83e8-1397a9df5442
Security: System default permissions of global system objects must be strengthened
5e582017-d8f1-44dd-8d33-24a7d8ef496e
Security: System must have orphaned security identifiers (SIDs) removed from user rights
2b73adc9-8ed0-41c7-8ffe-30e59930865f
Security: TLS/SSL Insecure Ciphers (SCHANNEL)
78fcd8a8-18af-49f4-8a64-bccb901e5557
Windows Installer: Disable -Always install with elevated privileges- option
a6d113ff-fd83-4631-84b3-f58e266b4976
Windows Installer: Must prevent users from changing installation options
938832a1-8ded-48d6-99b6-2b783cd2d3ae
Windows OS: Build Version Check (End Of Life)
07b6c273-cdb3-4a4d-889d-d1d54dc0eb5f
Windows OS: Build Version Check (OS Updated)
c7b058ab-6360-4b5d-9cd2-45eafef8c489
Windows OS: Data Execution Prevention (DEP) must be configured to at least OptOut
df8e6841-1dd4-42ce-b374-28f997e12b6d
Windows OS: Explorer Data Execution Prevention must be enabled
c4e3c7a1-5b63-407a-8eb9-c6a4b52b9f93
Windows OS: Must not have the TFTP Client Installed
a5eca000-8a44-410e-ab8d-9f7eeae34216
Windows OS: Must not have the Telnet Client Installed
8fbc28fc-2d54-4b3c-af3f-9ec8d62e959b
Windows OS: Windows Activation Status
de96957d-bcf1-4d41-be46-aa14b00135f3
Full tag list
nist800-53-server (177) stig-medium-server (173) nist800-171-server (150) nist800-53-desktop (149) cmmc2-l2-server (135) stig-medium-desktop (128) security-server (121) nist800-171-desktop (108) pci-dss-v4-server (104) cmmc2-l2-desktop (99) security-desktop (95) hipaa-server (69) pci-dss-v4-desktop (68) hipaa-desktop (45) bestpractice-desktop (39) cis-csc-server (38) bestpractice-server (35) cis-csc-desktop (34) mitre-att-server (32) mitre-att-desktop (30) cmmc2-l1-server (24) stig-high-desktop (22) stig-high-server (21) cmmc2-l1-desktop (21) pci-dss-v3.2-server (20) bestpractice-domaincontroller (17) tisax (16) cmmc2-l3-server (16) pci-dss-v3.2-desktop (15) threat-intel-server (13) cmmc2-l3-desktop (12) threat-intel-desktop (12) sec-hardening-desktop (10) sec-hardening-server (10) nist-privacy-server (10) sig-server (9) stig-low-desktop (8) health (8) csa-cmm-server (7) nist-privacy-desktop (7) stig-low-server (6) privacy-server (6) privacy-desktop (6) owasptop-server (6) owasptop-desktop (5) desktop (4) cce-server (4) cce-desktop (4) stig-medium-ie (4) sig-desktop (3) niap-desktop (3) fips140-2 (3) niap-server (3) msoffice (2) vm-guest-host (2) compliance-desktop (2) info-desktop (1) csa-cmm-desktop (1) server (1) domaincontroller-health (1) bitlocker-security-desktop (1) iis-stig-high (1) hyper-v (1) exchange-security (1)

CMMC v2.0 Compliance STIG CIS NIST 800-171 Servers Desktops

Your Privacy Choices

Manage your cookie preferences below:

Helps us improve website performance and understand how visitors use our site.

Allows us to collect feedback about our products and improve them based on your input.

To learn more about our use of cookies, please see our
Privacy Policy.