Stig tool
Oracle Cloud Infrastructure Documentation

The script does the following:
Makes the base image of the virtual machine DB system compliant with the Oracle Linux 7 STIG.
Embeds certain STIG rules into the system that can be activated after provisioning when required to meet security compliance standards.
Categorizes the embedded rules, allowing you to view and monitor the rules in the following categories:
Static: rules included in the base image.
DoD: rules optionally activated after provisioning when needed to meet U.S. Department of Defense compliance standards.
Runtime: rules activated after provisioning when needed.
The script is intended for use by all users needing to harden security for virtual machine DB systems, including users outside of the U.S. Department of Defense.

Windows 10 STIG findings

Each entry below is a Windows 10 STIG finding: its severity where the page shows it, the rule title, and the rule discussion where the page preserves it (several discussions break off mid-sentence).

This aids in preventing tampering with or
Medium: Internet connection sharing must be disabled. Internet connection sharing makes it possible for an existing internet connection, such as through wireless, to be shared and used by other systems, essentially creating a mobile hotspot.
Insecure logons to an SMB server must be disabled. Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access.
Medium: "Run as different user" must be removed from context menus. The "Run as different user" selection from context menus allows the use of credentials other than those of the currently logged-on user. Using privileged credentials in a standard user session can expose
Medium: Accounts must be configured to require password expiration. Passwords that do not expire increase exposure, with a greater probability of being discovered or cracked.
Medium: The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. This protects
Medium: The required legal notice must be configured to display before console logon. Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
The system must be configured to lock when a smart card is removed. Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.
SMB packet signing must be enabled. The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the
Medium: Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked. Allowing Windows apps to be activated by voice from the lock screen could allow for unauthorized use. Requiring logon will ensure the apps are only used by authorized personnel.
Medium: Exploit Protection mitigations in Windows 10 must be configured for java.
Medium: Exploit Protection mitigations in Windows 10 must be configured for iexplore.
Windows Remote Management (WinRM) must not store RunAs credentials. Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.
Medium: Exploit Protection mitigations in Windows 10 must be configured for firefox.
Medium: Exploit Protection mitigations in Windows 10 must be configured for chrome.
This setting enables UAC.
Medium: Exploit Protection mitigations in Windows 10 must be configured for lync.
Low: Microsoft consumer experiences must be turned off. Microsoft consumer experiences provide suggestions and notifications to users, which may include the installation of Windows Store apps.
Organizations may control the execution of applications
Low: Secure Boot must be enabled on Windows 10 systems. Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows 10, including Virtualization
Windows Update must not obtain updates from other PCs on the Internet. Windows 10 allows Windows Update to obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well
Low: Turning off File Explorer heap termination on corruption must be disabled. Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.
Low: The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. Control of credentials and the system must be maintained within the enterprise. Enabling this setting allows enterprise credentials to be used with modern style apps that support this, instead of
Low: Unused accounts must be disabled or removed from the system after 35 days of inactivity. Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.
Low: Standard local user accounts must not exist on a system in a domain. To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log onto
Low: The maximum age for machine account passwords must be configured to 30 days or less. Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This setting must be set to no more than 30 days.
The system must be configured to prevent ICMP redirects from overriding OSPF-generated routes. Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first.
The system must be configured to ignore NetBIOS name release requests except from WINS servers. Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack.
Low: The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
Low: Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications. Windows Spotlight features may suggest apps and content from third-party software publishers in addition to Microsoft apps and content.
Low: The computer account password must not be prevented from being reset. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes
Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. Virtualization Based Security (VBS) provides the platform for the additional security features, Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum
Low: Toast notifications to the lock screen must be turned off. Toast notifications that are displayed on the lock screen could display sensitive information to unauthorized personnel.
Low: The Windows dialog box title for the legal banner must be configured.
Low: Caching of logon credentials must be limited. The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's
Low: The default permissions of global system objects must be increased. Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default DACL that specifies who can
Local volumes must be formatted using NTFS.
Windows 10 systems must be maintained at a supported servicing level.
The Windows 10 system must use an anti-virus program.
Anonymous access to Named Pipes and Shares must be restricted.
Anonymous enumeration of shares must be restricted.
The system must be configured to prevent the storage of the LAN Manager hash of passwords.
Solicited Remote Assistance must not be allowed.
Only accounts responsible for the administration of a system must have Administrator rights on the system.
The default autorun behavior must be configured to prevent autorun commands.
The Windows Installer "Always install with elevated privileges" option must be disabled.
Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
The "Debug programs" user right must only be assigned to the Administrators group.
The "Create a token object" user right must not be assigned to any groups or accounts.
Autoplay must be turned off for non-volume devices.
Reversible password encryption must be disabled.
The "Act as part of the operating system" user right must not be assigned to any groups or accounts.
Credential Guard must be running on Windows 10 domain-joined systems.
Anonymous enumeration of SAM accounts must not be allowed.
Autoplay must be disabled for all drives.
Alternate operating systems must not be permitted on the same system.
Enhanced anti-spoofing for facial recognition must be enabled on Windows 10.
Explorer Data Execution Prevention must be enabled.
Windows Telemetry must not be configured to Full.
If Enhanced diagnostic data is enabled, it must be limited to the minimum required to support Windows Analytics.
Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by the Computer Network Defense Service Provider (CNDSP).
Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
Windows 10 systems must use a BitLocker PIN with a minimum length of 6 digits for pre-boot authentication.
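The Secure Boot, Virtualization Based Security, Credential Guard and BitLocker findings above describe platform state rather than a registry value, so a check has to ask the platform itself. The PowerShell below is an added example, not part of the STIG or of this page; the function name, the MinPinLength parameter and the output field names are its own. It assumes Windows 10 booted via UEFI, the BitLocker PowerShell module (present on Pro and Enterprise) and an elevated session.

```powershell
# Added example: report the platform-security state behind the Secure Boot, VBS,
# Credential Guard and BitLocker findings. Run elevated on Windows 10.
function Get-PlatformSecurityState {
    [CmdletBinding()]
    param(
        # Minimum pre-boot PIN length required by the BitLocker PIN finding above.
        [int]$MinPinLength = 6
    )
    $state = [ordered]@{}

    # Secure Boot. Confirm-SecureBootUEFI throws on a legacy BIOS boot, which is a
    # failure of the finding in its own right, so the catch reports $false.
    try   { $state.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $state.SecureBoot = $false }

    # VBS and Credential Guard, taken from what is actually running rather than what
    # policy configured: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning holds 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $state.VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $state.CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    $state.HvciRunning            = ($dg.SecurityServicesRunning -contains 2)

    # BitLocker: every OS and fixed data volume fully encrypted with protection on,
    # and a TPM+PIN protector on the OS volume. The PIN length is not stored with the
    # protector; the policy minimum lives under the FVE policy key (MinimumPIN).
    $vols = @(Get-BitLockerVolume -ErrorAction SilentlyContinue |
              Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' })
    $bad  = @($vols | Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' })
    $state.AllVolumesEncrypted = ($vols.Count -gt 0 -and $bad.Count -eq 0)
    $os = $vols | Where-Object VolumeType -eq 'OperatingSystem'
    $state.OsVolumeHasTpmPin = [bool]($os.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $state.PolicyMinimumPin  = $fve.MinimumPIN
    $state.MinPinMeetsPolicy = ($null -ne $fve.MinimumPIN -and $fve.MinimumPIN -ge $MinPinLength)

    [pscustomobject]$state
}

Get-PlatformSecurityState | Format-List
```

Two caveats a reviewer would want: the VBS fields reflect the running state, so a machine whose policy is set but which has not rebooted still fails, which is the behaviour the "must be running" finding asks for; and a TpmPin protector proves a PIN exists, not its length, so the length check has to come from policy.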
The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
PKU2U authentication using online identities must be prevented.
NTLM must be prevented from falling back to a Null session.
The system must be configured to the required LDAP client signing level.
The password history must be configured to 24 passwords remembered.
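Most of the findings with a preserved discussion earlier in the list (insecure guest logons, Internet connection sharing, the inactivity limit, the legal notice, smart card removal, SMB signing) and the anonymous-access and credential items just above (LAN Manager hash, anonymous enumeration, Everyone rights, Null session fallback, PKU2U, LDAP signing) are each backed by one registry value. The following PowerShell is an added example, not STIG check text: the check table, the Test-StigRegistryValue function and the short finding labels are its own, while the registry paths are the standard policy locations for each setting. It treats a missing value as a failure, because the default for most of these is the insecure one, and it only reports what is in the registry now, not what Group Policy will write at the next refresh. Run it as an administrator.

```powershell
# Added example: compare registry-backed Windows 10 STIG settings with their expected
# values. Entries carry either a literal Expect or a Test scriptblock for ranges.
$checks = @(
    @{ Finding='Insecure guest logons disabled';        Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'; Name='AllowInsecureGuestAuth'; Expect=0 },
    @{ Finding='Internet connection sharing disabled';  Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'; Name='NC_ShowSharedAccessUI'; Expect=0 },
    # Seconds; 0 would mean never lock, so the compliant range is 1..900 (15 minutes).
    @{ Finding='Inactivity limit 15 minutes';           Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='InactivityTimeoutSecs'; Test={ param($v) $v -ge 1 -and $v -le 900 } },
    @{ Finding='Legal notice text configured';          Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='LegalNoticeText';    Test={ param($v) -not [string]::IsNullOrWhiteSpace($v) } },
    @{ Finding='Legal banner title configured';         Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='LegalNoticeCaption'; Test={ param($v) -not [string]::IsNullOrWhiteSpace($v) } },
    # REG_SZ: 1 = lock workstation, 2 = force logoff on smart card removal.
    @{ Finding='Lock on smart card removal';            Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='ScRemoveOption'; Test={ param($v) $v -in '1','2' } },
    @{ Finding='SMB client always signs';               Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='RequireSecuritySignature'; Expect=1 },
    @{ Finding='SMB server always signs';               Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='RequireSecuritySignature'; Expect=1 },
    @{ Finding='Anonymous named pipe/share access restricted'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='RestrictNullSessAccess'; Expect=1 },
    @{ Finding='LAN Manager hash not stored';           Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='NoLMHash';                 Expect=1 },
    @{ Finding='Anonymous SAM enumeration blocked';     Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymousSAM';     Expect=1 },
    @{ Finding='Anonymous share enumeration blocked';   Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymous';        Expect=1 },
    @{ Finding='Anonymous not in Everyone';             Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='EveryoneIncludesAnonymous'; Expect=0 },
    @{ Finding='No NTLM Null session fallback';         Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name='allownullsessionfallback'; Expect=0 },
    @{ Finding='PKU2U online identities prevented';     Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u';  Name='AllowOnlineID';      Expect=0 },
    # 1 = negotiate signing, 2 = require signing; either satisfies the finding.
    @{ Finding='LDAP client signing level';             Path='HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name='LDAPClientIntegrity'; Test={ param($v) $v -ge 1 } }
)

function Test-StigRegistryValue {
    param([hashtable]$Check)
    $item  = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    if ($null -eq $value)               { $pass = $false }                        # absent: insecure default applies
    elseif ($Check.Contains('Test'))    { $pass = [bool](& $Check.Test $value) }
    else                                { $pass = ($value -eq $Check.Expect) }
    [pscustomobject]@{
        Finding = $Check.Finding
        Value   = $Check.Name
        Actual  = $value
        Status  = if ($pass) { 'PASS' } else { 'FAIL' }
    }
}

$checks | ForEach-Object { Test-StigRegistryValue $_ } | Format-Table -AutoSize
```

The same table shape extends to the other registry-backed items in the list (WDigest, autorun, source routing, the token filter for local administrators); each is one more row with its own path, value name and expected value.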
The Application event log size must be configured to KB or greater.
The system must be configured to audit System - System Integrity successes.
The system must be configured to audit Account Logon - Credential Validation failures.
The system must be configured to audit System - Security State Change successes.
The system must be configured to audit System - Other System Events failures.
The system must be configured to audit System - System Integrity failures.
The system must be configured to audit System - Security System Extension successes.
The system must be configured to audit System - Other System Events successes.
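The audit findings above are per-subcategory settings, and the tool that reports them is auditpol. The PowerShell below is an added example, not STIG check text: the $required table (which merges the paired success/failure findings for one subcategory into a single requirement) and the two functions are its own. It assumes an administrator session and an English-language system, because auditpol's subcategory names are localized. The remaining audit items later in the list (Detailed File Share failures, Credential Validation successes) are added the same way, as further rows in the table.

```powershell
# Added example: verify audit subcategories against the STIG findings using
# auditpol's CSV output. 'Success and Failure' satisfies a single-sided requirement.
$required = @{
    'System Integrity'          = 'Success and Failure'   # successes and failures are both findings above
    'Credential Validation'     = 'Failure'
    'Security State Change'     = 'Success'
    'Other System Events'       = 'Success and Failure'
    'Security System Extension' = 'Success'
}

function Get-AuditPolicyTable {
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $rows  = auditpol /get /category:* /r | ConvertFrom-Csv
    $table = @{}
    foreach ($r in $rows) { $table[$r.Subcategory] = $r.'Inclusion Setting' }
    $table
}

function Test-AuditSetting {
    param([string]$Actual, [string]$Required)
    # 'No Auditing' (or a subcategory auditpol did not report) never satisfies anything.
    switch ($Required) {
        'Success'             { return $Actual -in 'Success', 'Success and Failure' }
        'Failure'             { return $Actual -in 'Failure', 'Success and Failure' }
        'Success and Failure' { return $Actual -eq 'Success and Failure' }
    }
    $false
}

$actual = Get-AuditPolicyTable
foreach ($sub in $required.Keys) {
    $value = $actual[$sub]
    [pscustomobject]@{
        Subcategory = $sub
        Required    = $required[$sub]
        Actual      = if ($value) { $value } else { '(not reported)' }
        Status      = if (Test-AuditSetting $value $required[$sub]) { 'PASS' } else { 'FAIL' }
    }
}
```

Note that these subcategory settings only take effect when "Audit policy using subcategories must be enabled" (also in the list) is set; with legacy category auditing still in force, auditpol shows the subcategories but the effective policy is the coarse one.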
Users must be prompted for a password on resume from sleep (on battery).
Local users on domain-joined computers must not be enumerated.
The user must be prompted for a password on resume from sleep (plugged in).
Only accounts responsible for the backup operations must be members of the Backup Operators group.
Non system-created file shares on a system must limit access to groups that require it.
Permissions for system files and directories must conform to minimum requirements.
Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.
Exploit Protection mitigations in Windows 10 must be configured for wmplayer.
Exploit Protection mitigations in Windows 10 must be configured for wordpad.
The built-in administrator account must be disabled.
The built-in guest account must be disabled.
The network selection user interface (UI) must not be displayed on the logon screen.
The "Restore files and directories" user right must only be assigned to the Administrators group.
The "Take ownership of files or other objects" user right must only be assigned to the Administrators group.
The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group.
The "Profile single process" user right must only be assigned to the Administrators group.
The Security event log size must be configured to KB or greater.
The System event log size must be configured to KB or greater.
Windows 10 permissions for the Application event log must prevent access by non-privileged accounts.
Windows 10 permissions for the Security event log must prevent access by non-privileged accounts.
Windows 10 permissions for the System event log must prevent access by non-privileged accounts.
Windows 10 must be configured to audit Detailed File Share failures.
File Explorer shell protocol must run in protected mode.
The system must be configured to require a strong session key.
The Windows PowerShell 2.0 feature must be disabled on the system.
A host-based firewall must be installed and enabled on the system.
Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.
Outgoing secure channel traffic must be encrypted when possible.
Outgoing secure channel traffic must be encrypted or signed.
The Telnet Client must not be installed on the system.
Remote Desktop Services must always prompt a client for passwords upon connection.
Remote Desktop Services must be configured with the client connection encryption set to the required level.
Attachments must be prevented from being downloaded from RSS feeds.
Indexing of encrypted files must be turned off.
Users must be prevented from changing installation options.
Users must be notified if a web-based program attempts to install software.
Automatically signing in the last interactive user after a system-initiated restart must be disabled.
Bluetooth must be turned off unless approved by the organization.
Windows 10 must cover or disable the built-in or attached camera when not in use.
Camera access from the lock screen must be disabled.
The system must be configured to prevent IP source routing.
IPv6 source routing must be configured to highest protection.
The display of slide shows on the lock screen must be disabled.
Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.
The Secondary Logon service must be disabled on Windows 10.
Bluetooth must be turned off when not in use.
The "Deny log on as a batch job" user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
The system must notify the user when a Bluetooth device attempts to connect.
Windows 10 account lockout duration must be configured to 15 minutes or greater.
Windows 10 non-persistent VM sessions should not exceed 24 hours.
The "Create symbolic links" user right must only be assigned to the Administrators group.
The "Back up files and directories" user right must only be assigned to the Administrators group.
The "Create a pagefile" user right must only be assigned to the Administrators group.
The password manager function in the Edge browser must be disabled.
Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.
Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
Windows 10 must be configured to require a minimum PIN length of six characters or greater.
The use of a hardware security device with Windows Hello for Business must be enabled.
Windows 10 must be configured to disable Windows Game Recording and Broadcasting.
Local drives must be prevented from sharing with Remote Desktop Session Hosts.
Passwords must not be saved in the Remote Desktop Client.
Unencrypted passwords must not be sent to third-party SMB servers.
Administrator accounts must not be enumerated during elevation.
The minimum password age must be configured to at least 1 day.
Passwords must, at a minimum, be 14 characters.
The built-in Microsoft password complexity filter must be enabled.
The number of allowed bad logon attempts must be configured to 3 or less.
The period of time before the bad logon counter is reset must be configured to 15 minutes.
The "Modify firmware environment values" user right must only be assigned to the Administrators group.
The "Manage auditing and security log" user right must only be assigned to the Administrators group.
The "Lock pages in memory" user right must not be assigned to any groups or accounts.
The "Load and unload device drivers" user right must only be assigned to the Administrators group.
The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
The "Force shutdown from a remote system" user right must only be assigned to the Administrators group.
The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts.
The system must be configured to audit Account Logon - Credential Validation successes.
The "Deny log on locally" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
The "Deny log on as a service" user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
Windows 10 Exploit Protection system-level mitigation, Validate heap integrity, must be on.
The convenience PIN for Windows 10 must be disabled.
Windows Ink Workspace must be configured to disallow access above the lock.
Systems must at least attempt device authentication using certificates.
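The account-policy findings (minimum and maximum password age, 14-character minimum, complexity filter, 24-password history, lockout threshold, reset window and duration) and the user-rights findings (Debug programs, Create a token object, Act as part of the operating system, Restore, Take ownership, Perform volume maintenance tasks, Profile single process, Create symbolic links, Back up, Create a pagefile, Modify firmware environment values, Manage auditing and security log, Lock pages in memory, Load and unload device drivers, Impersonate a client after authentication, Force shutdown from a remote system, Enable accounts to be trusted for delegation) all live in the local security policy, which secedit can export in one pass. The PowerShell below is an added example and not STIG check text: the INI parser, the expected-value tables and the two Test- functions are its own. It assumes an administrator session; the export lists principals as SIDs, which is what the tables compare against, so no name resolution is involved. On a domain-joined workstation the effective account policy is the domain's, so a domain GPO can override what the local export shows for the [System Access] values.

```powershell
# Added example: export the local security policy with secedit and check the account
# policy values and the user rights assignments from the STIG findings above.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY USER_RIGHTS | Out-Null

function Read-SecurityTemplate {
    param([string]$Path)
    # secedit writes an INI-style Unicode file; return @{ Section = @{ Key = Value } }.
    $sections = @{}; $current = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^(\S+)\s*=\s*(.*)$') { $sections[$current][$Matches[1]] = $Matches[2].Trim() }
    }
    $sections
}

$policy = Read-SecurityTemplate $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

# [System Access] keys and the threshold each finding sets. -1 means "never".
$accountPolicy = @(
    @{ Key='MinimumPasswordAge';    Finding='Minimum password age at least 1 day';      Test={ param($v) [int]$v -ge 1 } },
    @{ Key='MaximumPasswordAge';    Finding='Password expiration required';             Test={ param($v) [int]$v -ne -1 } },
    @{ Key='MinimumPasswordLength'; Finding='Passwords at least 14 characters';         Test={ param($v) [int]$v -ge 14 } },
    @{ Key='PasswordComplexity';    Finding='Complexity filter enabled';                Test={ param($v) [int]$v -eq 1 } },
    @{ Key='PasswordHistorySize';   Finding='24 passwords remembered';                  Test={ param($v) [int]$v -ge 24 } },
    @{ Key='LockoutBadCount';       Finding='Bad logon attempts 3 or fewer (not 0)';    Test={ param($v) [int]$v -ge 1 -and [int]$v -le 3 } },
    @{ Key='ResetLockoutCount';     Finding='Lockout counter reset 15 minutes';         Test={ param($v) [int]$v -ge 15 } },
    @{ Key='LockoutDuration';       Finding='Lockout duration 15 minutes or greater';   Test={ param($v) [int]$v -ge 15 -or [int]$v -eq -1 } }
)

# [Privilege Rights]: privilege constant -> the only SIDs allowed to hold it.
$Admins = 'S-1-5-32-544'
$userRights = @{
    SeDebugPrivilege                = @($Admins)   # Debug programs
    SeCreateTokenPrivilege          = @()          # Create a token object: nobody
    SeTcbPrivilege                  = @()          # Act as part of the operating system: nobody
    SeEnableDelegationPrivilege     = @()          # Trusted for delegation: nobody
    SeLockMemoryPrivilege           = @()          # Lock pages in memory: nobody
    SeRestorePrivilege              = @($Admins)   # Restore files and directories
    SeBackupPrivilege               = @($Admins)   # Back up files and directories
    SeTakeOwnershipPrivilege        = @($Admins)   # Take ownership of files or other objects
    SeManageVolumePrivilege         = @($Admins)   # Perform volume maintenance tasks
    SeProfileSingleProcessPrivilege = @($Admins)   # Profile single process
    SeCreateSymbolicLinkPrivilege   = @($Admins)   # Create symbolic links
    SeCreatePagefilePrivilege       = @($Admins)   # Create a pagefile
    SeSystemEnvironmentPrivilege    = @($Admins)   # Modify firmware environment values
    SeSecurityPrivilege             = @($Admins)   # Manage auditing and security log
    SeLoadDriverPrivilege           = @($Admins)   # Load and unload device drivers
    SeRemoteShutdownPrivilege       = @($Admins)   # Force shutdown from a remote system
    SeImpersonatePrivilege          = @($Admins, 'S-1-5-6', 'S-1-5-19', 'S-1-5-20')  # + Service, Local Service, Network Service
}

function Test-AccountPolicy {
    foreach ($c in $accountPolicy) {
        # LockoutDuration/ResetLockoutCount are omitted from the export when lockout is off: that is a FAIL.
        $v = $policy['System Access'][$c.Key]
        [pscustomobject]@{ Finding = $c.Finding; Actual = $v
                           Status  = if ($null -ne $v -and (& $c.Test $v)) { 'PASS' } else { 'FAIL' } }
    }
}

function Test-UserRights {
    foreach ($priv in $userRights.Keys) {
        # Export lines look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-555
        $raw   = $policy['Privilege Rights'][$priv]
        $held  = @(if ($raw) { $raw -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } })
        $extra = @($held | Where-Object { $_ -notin $userRights[$priv] })
        [pscustomobject]@{ Privilege = $priv; Holders = ($held -join ','); Unexpected = ($extra -join ',')
                           Status    = if ($extra.Count -eq 0) { 'PASS' } else { 'FAIL' } }
    }
}

Test-AccountPolicy | Format-Table -AutoSize
Test-UserRights    | Format-Table -AutoSize
```

The user-rights check is deliberately one-directional: a privilege held by no one is compliant for every rule above, so only unexpected holders are flagged. An unresolvable SID left in a privilege list shows up here as an unexpected holder, which is the "orphaned SIDs" finding from the list.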
Exploit Protection mitigations in Windows 10 must be configured for Acrobat.
Exploit Protection mitigations in Windows 10 must be configured for AcroRd32.
WDigest Authentication must be disabled.
The built-in administrator account must be renamed.
Local accounts with blank passwords must be restricted to prevent access from the network.
Windows 10 must be configured to enable "Remote host allows delegation of non-exportable credentials".
Audit policy using subcategories must be enabled.
The Windows Explorer Preview pane must be disabled for Windows 10.