PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

EventSentry

Validation Scripts

Scripts

104

Tag

security-server


Accounts: Administrator accounts must not be enumerated during elevation
f3afb7e7-d38a-42f2-8290-56da3b445913
Accounts: Built-in Administrator account must be renamed
b1981ae3-ba91-4758-a98c-a5937a0498f7
Accounts: Built-in Guest account must be renamed
20dbd0a4-0373-4913-9f75-4ab7f6fcbdb0
Accounts: Local Admin accounts must have their privileged token filtered to prevent elevated privileges used over the network
e4710a99-9bc1-4e34-80ad-5d2f84f57732
Accounts: Local Guest account should be disabled
538d811a-0a0a-4336-8294-63bc2c092ebb
Accounts: Local accounts with blank passwords must be restricted to prevent access from the network
3ef29cdc-8018-48a9-b210-13e18cf14d07
Accounts: Must have the built-in Windows password complexity policy enabled
be6a2756-21d7-452c-b0a1-e6032f14f422
Accounts: Must require passwords
00279417-0255-4ff4-8b5c-dbb7866085e2
Accounts: Reversible password encryption must be disabled
71ebd815-0ca9-44c9-b7b8-c96e155e7afb
Accounts: UIAccess applications must not be allowed to prompt for elevation without using the secure desktop
80e6af5a-3633-408e-b890-8b7581adda66
Accounts: User Account Control (UAC) approval mode for the built-in Administrator must be enabled
b505fc16-70d3-4275-bcc5-02fac2fdb3af
Accounts: User Account Control (UAC) must automatically deny standard user requests for elevation
2a28f305-e508-40e1-80e4-e7702143703b
Accounts: User Account Control (UAC) must be configured to detect application installations and prompt for elevation
ed5ca948-5cbf-431d-a5da-39d02bd64c48
Accounts: User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC
417239de-2859-45e4-9a8f-43c47f4daedb
Accounts: Users must be prompted to authenticate when the system wakes from sleep (on battery)
ef3c9259-d0d3-434a-8e7c-ab945deaa3f0
Accounts: Users must be prompted to authenticate when the system wakes from sleep (plugged in)
bf4a43bc-9605-4596-a562-5e4073fe21d5
Accounts: Users must be required to enter a password to access private keys stored on the computer
c9946229-3c27-4eb5-ae8f-6f777a9ad637
Accounts: must be configured to enable Remote host allows delegation of non-exportable credentials
64e32afe-9577-4372-8f00-81829fd38ebf
Accounts: must disable automatically signing in the last interactive user after a system-initiated restart
30d230a9-ff8e-44a2-ac87-f35b77bff14a
Auditing: Command line data must be included in process creation events
c787dcd2-355b-4ff5-8265-3eb860f11670
Auditing: Event Log / Viewer must be protected from unauthorized modification and deletion
09651036-eca5-4f3a-83fb-0ff12719b201
Auditing: Event Log size for Application log must be at least 32768 KB
b38cea25-93f2-42d7-ac5f-f2c1e93f974a
Auditing: Event Log size for Security log must be at least 196608 KB
f9befa07-2636-4c53-a43f-db2035b9cdff
Auditing: Event Log size for System log must be at least 32768 KB
4decda12-e17d-45d8-bb5e-53f26706acbf
Auditing: Must force audit policy subcategory settings to override audit policy category settings
9929dbd2-a4fb-40ea-9a2d-8a1db39a5729
Auditing: Permissions for the Security event log must prevent access by non-privileged accounts
f67457c3-6d39-425d-9831-b5e44eaf7d6f
Auditing: Permissions for the System event log must prevent access by non-privileged accounts
31096f12-75ea-425b-b416-f0c0b87dc6ff
Auditing: Removable Storage
af074caf-14a4-41f5-9ebd-e2214dc48240
Autoplay: Must be turned off for non-volume devices
d2ac90ea-b1de-49bb-aa59-fe8b271c7c2b
Autoplay: Should be disabled for all drives
2cb75d59-8ef3-4fa3-90e1-8bec9e51c703
Autorun: behavior must be configured to prevent Autorun commands
746184bf-3f96-4365-8bb4-c7abf8a772ac
Credentials: WDigest Authentication must be disabled
13cb0c87-4b9a-4923-9768-87bafab6ef87
Domain Controller: Must be configured to allow reset of machine account passwords
4d599278-5660-4513-abe4-715f546475bb
Domain Controller: Must require LDAP access signing
9e1e28ee-d597-49db-b33d-cfee0ba15c69
Domain Controller: Permissions on the Active Directory data files must only allow System and Administrators access
1bb127e7-c293-41f4-a937-c9c76d35cb8a
Domain Controller: SYSVOL directory must have proper access control permissions
15074903-9e8a-4d2f-b6d4-4e5ab30e64d7
Domain Controller: The password for the krbtgt account on a domain must be reset at least every 180 days
18ef977d-1c89-4ea7-ac53-0438873cb1db
Domain Member: Must be running Credential Guard on domain-joined members
52b8eaca-e97b-4b7b-bda8-2f67dd947dbc
Domain Member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled
8d6589f4-20fe-4018-bc26-7891353eac40
Domain Member: Digitally encrypt secure channel data (when possible) must be configured to enabled
9a6ea78e-a170-4015-9193-666f003f74f4
Domain Member: Digitally sign secure channel data (when possible) must be configured to Enabled
5ef4fc08-d231-41c5-95c2-1bb8abc26209
Domain Member: Group policy objects must be reprocessed even if they have not changed
0652c1f1-ca23-46d0-a60f-7f62281b866e
Domain Member: Hardened UNC paths must require mutual authentication & integrity for at least \\*\SYSVOL and \\*\NETLOGON shares
7b2d6eab-fc7f-4759-8ad5-ff7e774c5b97
Domain Member: Local users on domain-joined member servers must not be enumerated
a115da09-58b1-40dd-85ca-6f6e4cac977d
Domain Member: Maximum age for machine account passwords must be configured to 30 days or less
ad52728e-be9b-4ab7-b329-5b11001e42de
Domain Member: Windows Server must limit the caching of logon credentials to four or less
95498795-fa0a-428a-8fd8-bbcc31cb79e8
Domain Member: must be configured to at least negotiate signing for LDAP client signing
5c9b1fb7-3d92-4d13-be5f-13d7894e50d0
File System: File Explorer shell protocol must run in protected mode
d7438fe1-eecf-411c-b855-1a03847ac2d7
File System: Windows must prevent Indexing of encrypted files
138956a4-8987-4f7f-b830-bf58e4ca7778
General: AntiVirus/Antimalware Status
6d48a68a-3e44-4a00-8d42-670e41c9942c
General: Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad
a9b5b413-0fc5-49c2-ab77-6761b329950c
General: Machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver
bf06c136-7223-41ac-8288-e0940126a884
General: Windows Defender SmartScreen must be enabled (Server)
4595ee72-d404-4b45-aae4-102fefd1a165
General: Windows firewall status
1f229f09-4c15-4bfe-b9f7-ed63d03cd70e
General: Windows must prevent the display of slide shows on the lock screen
f63c8b4d-8b8d-4327-8c5a-5bc64bf7245c
Internet Browser: Attachments must be prevented from being downloaded from RSS feeds
5ba4fbad-193e-4b62-8326-4bd0705112bd
Internet Browser: Basic authentication for RSS feeds over HTTP must not be used
a140d78e-249b-4c39-9d82-f54aeef02be0
Logon: Network selection UI must not be displayed
3476077b-5d03-4819-9ef0-213402f37eed
Network Access: Do not allow anonymous enumeration of Security Account Manager (SAM) accounts
752e0588-decf-451b-9fef-cc3235765d54
Network Access: Do not allow anonymous enumeration of shares
0d97c353-2198-4a09-a41b-9df3498067dc
Network Access: LAN Manager authentication level must be configured to send NTLMv2 response only and refuse LM and NTLM
2718ea3f-5f25-4e6d-a693-3c426f14357f
Network Access: Microsoft network Client: Digitally sign communications (always) must be configured to Enabled
af452788-473f-4255-bb87-72b7390e187f
Network Access: Microsoft network Client: Digitally sign communications (if server agrees) must be configured to Enabled
a35d34f6-b9b1-4c82-8cac-31a7c4fdbc14
Network Access: Microsoft network Server: Digitally sign communications (always) must be configured to Enabled
707d1ae2-c6f2-46af-966d-d3559db69094
Network Access: Microsoft network Server: Digitally sign communications (if client agrees) must be configured to Enabled
189e99fb-1c5c-43ed-b044-4dcbccf3820f
Network Access: Must be configured to prevent anonymous users from having the same permissions as the Everyone group
35f2c214-8c49-47cf-b324-9f7620f8dd16
Network Access: Must prevent NTLM from falling back to a Null session
793452ad-d37f-461b-a270-cc4e0ea1c2a5
Network Access: Restrict remote calls to the Security Account Manager [SAM] to Administrators
6f17b478-ef66-4c12-8e61-0ffaae9cd6b4
Network Access: Services using Local System when reverting to NTLM authentication must use computer identity
0b49395c-beb5-480b-a1b8-1096622607a1
Network Access: Session security for NTLM SSP-based CLIENTS must require NTLMv2 session security and 128-bit encryption
0316290c-8617-4662-b2a6-637e043717a8
Network Access: Session security for NTLM SSP-based SERVERS must require NTLMv2 session security and 128-bit encryption
53cdfc2e-4826-4d65-89d1-454fbdd6aa8c
Network Access: Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers
9cce3400-f772-4b0c-8f12-11157e102f87
Passwords: Windows must be configured to prevent the storage of the LAN Manager hash of passwords
8fbc83d9-7409-41aa-bf3c-a2360a8d9749
Passwords: must, at a minimum, be 14 characters
e352dda0-c735-4b4e-ba26-097f5dbab32c
PowerShell: v2 should not be installed / enabled
f69ae077-386f-4543-9036-30e5b3377f62
Printing: Prevent users from installing printer drivers
889cec97-07a1-4c83-b5cb-c4d92203aa17
Privacy: Application Compatibility Program Inventory must not collect and send data to Microsoft
554ca683-aaaa-43da-9a97-e093af29457e
Privacy: The location feature must be turned off
b5e9fae5-f161-4c39-a915-7282a3896dd9
Remote Desktop Services: Idle session time limit
a06670b6-460f-45ae-93ef-02d41f52d45e
Remote Desktop Services: Must always prompt a client for passwords upon connection
8cbb9955-eb5c-4bcf-9352-3bbc31f7ed71
Remote Desktop Services: Must be configured to set a time limit for disconnected sessions
d47a831c-3a18-43bd-996d-12c3002cd98e
Remote Desktop Services: Must be configured with the client connection encryption set to High Level
0cf4a80a-705e-4831-9e1d-bc91c93e4625
Remote Desktop Services: Must not save passwords in the Remote Desktop Client
bfb98113-cc94-400b-a385-af36657755f6
Remote Desktop Services: Must prevent drive redirection
f412c653-14b4-4829-8fd8-0263d996cf04
Remote Desktop Services: Must require secure Remote Procedure Call (RPC) communications
20a8c861-e142-4e51-bf82-b0ef8bd1343c
Remote Management: Unauthenticated RPC clients must be restricted from connecting to the RPC server
56db7e62-0a85-4531-9e71-97528bd04e43
Remote Management: Windows Remote Management (WinRM) client must not allow unencrypted traffic
0ccb829b-b4e0-45eb-9ba8-82a643949d74
Remote Management: Windows Remote Management (WinRM) client must not use Basic authentication
e4dd3ff4-f585-4e08-b91e-8bb3e02737c5
Remote Management: Windows Remote Management (WinRM) client must not use Digest authentication
1a0eb6a5-9009-4dc3-b12f-bed65052c49d
Remote Management: Windows Remote Management (WinRM) service must not use Basic authentication
4edbaac6-37f7-4a8f-a4d1-d5dd241d1c6d
Security: TLS/SSL Insecure Ciphers (SCHANNEL)
78fcd8a8-18af-49f4-8a64-bccb901e5557
Security: Virtualization-based security must be enabled with platform security level set to Secure Boot
b056102b-3477-4a44-bda9-536330033264
Services: List services containing a space in service path not enclosed in quotes
ac341c51-3c29-4437-92a5-9b1e8506b2c8
Threat Intel: Attack Vector: Credential dumping protections using LSA Protection
368b50e1-18bd-4cc8-a296-b42030468dbe
Threat Intel: Attack Vector: Disable Windows Event Logging
f1bc38dc-fbda-45cd-9ec9-7f69dfd7b00e
Threat Intel: Attack Vector: Windows downgrade attacks
87e9a8db-ba56-4e89-829f-ecc5fc01f848
Threat Intel: Persistence - AppInit DLLs
bf92b536-95cc-4060-bea3-a61ba1e4c9bb
Tracking: Windows Telemetry must not be set to Full
0001b667-c79a-4486-802c-32d860cae99e
Windows Installer: Disable -Always install with elevated privileges- option
a6d113ff-fd83-4631-84b3-f58e266b4976
Windows Installer: Must prevent users from changing installation options
938832a1-8ded-48d6-99b6-2b783cd2d3ae
Windows Installer: Users must be notified if a web-based program attempts to install software
1a13721a-4304-4286-a89d-243a4f41f192
Windows OS: Build Version Check (End Of Life)
07b6c273-cdb3-4a4d-889d-d1d54dc0eb5f
Windows OS: Build Version Check (OS Updated)
c7b058ab-6360-4b5d-9cd2-45eafef8c489
Windows OS: Secure Boot must be enabled
e8bb4b60-e081-427e-924e-e99a1aacf387
Full tag list
compliance-server (133) server (112) compliance-desktop (112) stig-medium-server (110) desktop (108) security-server (104) nist800-53-server (100) nist800-53-desktop (96) security-desktop (87) stig-medium-desktop (86) nist800-171-server (85) nist800-171-desktop (69) cmmc2-l2-server (64) cmmc2-l2-desktop (54) pci-dss-v4-server (37) cis-csc-server (37) cis-csc-desktop (33) bestpractice-desktop (30) pci-dss-v4-desktop (30) mitre-att-server (29) mitre-att-desktop (28) bestpractice-server (25) stig-high-desktop (22) cmmc2-l1-server (22) stig-high-server (21) cmmc2-l1-desktop (19) pci-dss-v3.2-server (18) domaincontroller (16) tisax (16) domainmember (16) pci-dss-v3.2-desktop (13) cmmc2-l3-server (12) sig-server (10) nist-privacy-server (10) threat-intel-server (9) threat-intel-desktop (8) sec-hardening-server (8) sec-hardening-desktop (8) cmmc2-l3-desktop (8) remote-desktop (7) health (7) nist-privacy-desktop (7) csa-cmm-server (7) privacy-server (6) privacy-desktop (6) owasptop-server (6) stig-low-desktop (6) stig-low-server (5) owasptop-desktop (5) stig-medium-ie (4) cce-desktop (3) cce-server (3) niap-server (3) niap-desktop (3) bestpractice-domaincontroller (3) fips140-2 (3) sig-desktop (3) msoffice (2) hyper-v (1) iis-stig-high (1) bitlocker-security-desktop (1) fedramp-server (1) fedramp-desktop (1) cjis-server (1) cjis-desktop (1) ul2900-1-server (1) ul2900-1-desktop (1) csf-server (1) csf-desktop (1) info-desktop (1) csa-cmm-desktop (1) exchange-security (1) domainmember-health (1) domaincontroller-health (1)

CMMC v2.0 Compliance STIG CIS NIST 800-171 Servers Desktops

Your Privacy Choices

Manage your cookie preferences below:

Helps us improve website performance and understand how visitors use our site.

Allows us to collect feedback about our products and improve them based on your input.

To learn more about our use of cookies, please see our
Privacy Policy.