NIST 800 171 Server Validation Scripts by EventSentry | EventSentry

PingSentry | Blog | System32 | GitHub | Free tools

EventSentry

Validation Scripts

Scripts

50

Tag

nist800-171-server

Accounts: Administrator accounts must not be enumerated during elevation

f3afb7e7-d38a-42f2-8290-56da3b445913

Accounts: Deny log on locally user right must be configured to prevent access from highly privileged domain accounts

fd44a45e-ef9e-4c54-bebf-22bba68a185c

Accounts: Local Guest account should be disabled

538d811a-0a0a-4336-8294-63bc2c092ebb

Accounts: Must require passwords

00279417-0255-4ff4-8b5c-dbb7866085e2

Accounts: Users must be required to enter a password to access private keys stored on the computer

c9946229-3c27-4eb5-ae8f-6f777a9ad637

Auditing: Command line data must be included in process creation events

c787dcd2-355b-4ff5-8265-3eb860f11670

Auditing: Event Log / Viewer must be protected from unauthorized modification and deletion

09651036-eca5-4f3a-83fb-0ff12719b201

Auditing: Event Log size for Application log must be at least 32768 KB

b38cea25-93f2-42d7-ac5f-f2c1e93f974a

Auditing: Event Log size for Security log must be at least 196608 KB

f9befa07-2636-4c53-a43f-db2035b9cdff

Auditing: Event Log size for System log must be at least 32768 KB

4decda12-e17d-45d8-bb5e-53f26706acbf

Auditing: Must force audit policy subcategory settings to override audit policy category settings

9929dbd2-a4fb-40ea-9a2d-8a1db39a5729

Auditing: Removable Storage

af074caf-14a4-41f5-9ebd-e2214dc48240

Autorun: behavior must be configured to prevent Autorun commands

746184bf-3f96-4365-8bb4-c7abf8a772ac

Compliance: BitLocker should be configured in FIPS mode

330f6517-5c88-4086-b456-d3026307c001

Compliance: BitLocker should use AES 256 encryption

77de846e-473b-4c4d-8d70-85d27342fc45

Debug programs: user right must only be assigned to the Administrators group

76794e3a-d350-45a6-adf9-a4a9708271f9

Domain Controller: Must be configured to allow reset of machine account passwords

4d599278-5660-4513-abe4-715f546475bb

Domain Controller: Must require LDAP access signing

9e1e28ee-d597-49db-b33d-cfee0ba15c69

Domain Controller: Permissions on the Active Directory data files must only allow System and Administrators access

1bb127e7-c293-41f4-a937-c9c76d35cb8a

Domain Controller: SYSVOL directory must have proper access control permissions

15074903-9e8a-4d2f-b6d4-4e5ab30e64d7

Domain Controller: The password for the krbtgt account on a domain must be reset at least every 180 days

18ef977d-1c89-4ea7-ac53-0438873cb1db

Domain Controllers: Accounts: Deny log on locally user right must be configured to prevent access from highly privileged domain accounts

8d9748ad-695f-489e-bf31-4d1e8e397a7b

Domain Member: Must be running Credential Guard on domain-joined members

52b8eaca-e97b-4b7b-bda8-2f67dd947dbc

Domain Member: Digitally sign secure channel data (when possible) must be configured to Enabled

5ef4fc08-d231-41c5-95c2-1bb8abc26209

Domain Member: LDAP client signing requirements

5c9b1fb7-3d92-4d13-be5f-13d7894e50d0

Domain Member: local users on domain-joined member servers must not be enumerated

a115da09-58b1-40dd-85ca-6f6e4cac977d

Exchange Server: Build Version Check (Exchange Updated)

7772c56a-ec1f-43d5-b8ce-548359123060

General: AntiVirus/Antimalware Status

6d48a68a-3e44-4a00-8d42-670e41c9942c

General: Machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver

bf06c136-7223-41ac-8288-e0940126a884

General: Windows Defender SmartScreen must be enabled (Server)

4595ee72-d404-4b45-aae4-102fefd1a165

Local volumes must be formatted with NTFS

b6493fb9-ad83-494c-93e3-3dbfaeb9b303

Network Access: Disable SMBv1

78c4c60a-a039-4a47-b614-3138d7bcfe4f

Network Access: Do not allow anonymous enumeration of SAM accounts and shares

752e0588-decf-451b-9fef-cc3235765d54

Network Access: Microsoft network Client: Digitally sign communications (always) must be configured to Enabled

af452788-473f-4255-bb87-72b7390e187f

Network Access: Microsoft network Client: Digitally sign communications (if server agrees) must be configured to Enabled

a35d34f6-b9b1-4c82-8cac-31a7c4fdbc14

Network Access: Microsoft network Server: Digitally sign communications (always) must be configured to Enabled

707d1ae2-c6f2-46af-966d-d3559db69094

Network Access: Microsoft network Server: Digitally sign communications (if client agrees) must be configured to Enabled

189e99fb-1c5c-43ed-b044-4dcbccf3820f

Network Access: Must be configured to prevent anonymous users from having the same permissions as the Everyone group

35f2c214-8c49-47cf-b324-9f7620f8dd16

Network Access: Must prevent NTLM from falling back to a Null session

793452ad-d37f-461b-a270-cc4e0ea1c2a5

Network Access: Restrict anonymous access to Named Pipes and Shares

e7aa340c-ec27-4603-b780-851d94a0ecbf

Network Access: Services using Local System when reverting to NTLM authentication must use computer identity

0b49395c-beb5-480b-a1b8-1096622607a1

Network Access: Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers

9cce3400-f772-4b0c-8f12-11157e102f87

Passwords: Enforce history

d0163b5f-23ab-4377-bc49-709e891a6b2b

Passwords: Maximum Age

794aed82-0f0a-46e0-8135-204c50b12462

Passwords: Minimum Password Age

c3b194cc-701a-43f4-bd84-86caada64337

Passwords: Minimum length

e352dda0-c735-4b4e-ba26-097f5dbab32c

Remote Desktop Services: Idle session time limit

a06670b6-460f-45ae-93ef-02d41f52d45e

TLS/SSL Insecure Ciphers (SCHANNEL)

78fcd8a8-18af-49f4-8a64-bccb901e5557

Windows OS: Build Version Check (End Of Life)

07b6c273-cdb3-4a4d-889d-d1d54dc0eb5f

Windows OS: Build Version Check (OS Updated)

c7b058ab-6360-4b5d-9cd2-45eafef8c489

Full tag list

compliance-server (118) compliance-desktop (100) server (99) stig-medium-server (94) security-server (93) desktop (92) security-desktop (78) stig-medium-desktop (74) nist800-171-server (50) nist800-53-server (45) nist800-171-desktop (36) nist800-53-desktop (36) cmmc2-l2-server (34) bestpractice-desktop (28) cmmc2-l2-desktop (25) bestpractice-server (22) stig-high-desktop (18) stig-high-server (18) cmmc2-l1-server (18) cmmc2-l1-desktop (16) domaincontroller (15) domainmember (13) pci-dss-v4-server (12) cis-csc-server (11) cis-csc-desktop (10) sig-server (8) pci-dss-v4-desktop (8) nist-privacy-server (8) remote-desktop (7) csa-cmm-server (6) privacy-desktop (6) pci-dss-v3.2-server (6) nist-privacy-desktop (6) privacy-server (6) health (6) stig-medium-ie (4) domaincontroller-bestpractices (4) niap-server (4) cmmc2-l3-server (4) stig-low-desktop (4) niap-desktop (4) fips140-2 (3) sig-desktop (3) stig-low-server (3) cve-server (3) threat-intel (3) pci-dss-v3.2-desktop (2) sec-hardening-server (2) sec-hardening-desktop (2) mitre-desktop (2) msoffice (2) threat-intel-server (2) cce-server (2) domaincontroller-health (2) cve-desktop (2) cmmc2-l3-desktop (2) cce-desktop (2) exchange-security (1) threat-intel-desktop (1) csa-cmm-desktop (1) info-desktop (1) csf-desktop (1) csf-server (1) ul2900-1-desktop (1) ul2900-1-server (1) cjis-desktop (1) cjis-server (1) fedramp-desktop (1) fedramp-server (1) mitre-server (1) hyper-v (1) iis-stig-high (1)

CMMC v2.0 Compliance STIG CIS NIST 800-171 Servers Desktops