SRG-OS-000324-GPOS-00125 Controls

| STIG ID | Version | Title | Product |
|---|---|---|---|
| RHEL-08-040400 | V1R10 | RHEL 8 must prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. | |
| WN19-00-000170 | V3R1 | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | |
| WN19-DC-000010 | V3R1 | Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | |
| WN19-DC-000070 | V3R1 | Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access. | |
| WN19-DC-000080 | V3R1 | Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions. | |
| WN19-DC-000090 | V3R1 | Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. | |
| WN19-DC-000100 | V3R1 | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | |
| WN19-DC-000110 | V3R1 | Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | |
| WN19-DC-000350 | V3R1 | Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers. | |
| WN19-DC-000420 | V3R1 | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. | |
| WN19-MS-000010 | V3R1 | Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. | |
| WN19-MS-000060 | V3R1 | Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems. | |
| WN19-MS-000130 | V3R1 | Windows Server 2019 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems. | |
| WN19-UR-000010 | V3R1 | Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | |
| WN19-UR-000020 | V3R1 | Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts. | |
| WN19-UR-000040 | V3R1 | Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group. | |
| WN19-UR-000050 | V3R1 | Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group. | |
| WN19-UR-000060 | V3R1 | Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts. | |
| WN19-UR-000070 | V3R1 | Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | |
| WN19-UR-000080 | V3R1 | Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts. | |
| WN19-UR-000090 | V3R1 | Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group. | |
| WN19-UR-000100 | V3R1 | Windows Server 2019 Debug programs user right must only be assigned to the Administrators group. | |
| WN19-UR-000110 | V3R1 | Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group. | |
| WN19-UR-000120 | V3R1 | Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service. | |
| WN19-UR-000130 | V3R1 | Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | |
| WN19-UR-000140 | V3R1 | Windows Server 2019 Increase scheduling priority user right must only be assigned to the Administrators group. | |
| WN19-UR-000150 | V3R1 | Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group. | |
| WN19-UR-000160 | V3R1 | Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts. | |
| WN19-UR-000180 | V3R1 | Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group. | |
| WN19-UR-000190 | V3R1 | Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group. | |
| WN19-UR-000200 | V3R1 | Windows Server 2019 Profile single process user right must only be assigned to the Administrators group. | |
| WN19-UR-000210 | V3R1 | Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group. | |
| WN19-UR-000220 | V3R1 | Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group. | |
| APPL-14-002069 | V1R1 | The macOS system must require administrator privileges to modify systemwide settings. | |
| APPL-13-002069 | V1R5 | The macOS system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | |
| OL07-00-020020 | V3R1 | The Oracle Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | |
| OL07-00-020021 | V3R1 | The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege. | |
| OL07-00-020022 | V3R1 | The Oracle Linux operating system must not allow privileged accounts to utilize SSH. | |
| OL07-00-020023 | V3R1 | The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command. | |
| RHEL-07-020020 | V3R6 | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | |
| RHEL-07-020021 | V3R6 | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | |
| RHEL-07-020022 | V3R6 | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH. | |
| RHEL-07-020023 | V3R6 | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command. | |
| APPL-15-002069 | V1R1 | The macOS system must require an administrator password to modify systemwide preferences. | |
| ALMA-09-006620 | V1R1 | The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled. | |
| ALMA-09-006730 | V1R1 | The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9. | |
| ALMA-09-006840 | V1R1 | AlmaLinux OS 9 must have the sudo package installed. | |
| ALMA-09-006950 | V1R1 | The AlmaLinux OS 9 debug-shell systemd service must be disabled. | |
| ALMA-09-007060 | V1R1 | AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks. | |
| ALMA-09-007170 | V1R1 | AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks. | |
| OL08-00-040400 | V1R6 | OL 8 must prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. | |
| OL09-00-000230 | V1R1 | OL 9 must have the sudo package installed. | |
| OL09-00-002403 | V1R1 | OL 9 debug-shell systemd service must be disabled. | |
| OL09-00-002412 | V1R1 | OL 9 must be configured so that the systemd Ctrl-Alt-Delete burst key sequence is disabled. | |
| OL09-00-002413 | V1R1 | OL 9 must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled. | |
| WN11-RG-000005 | V1R6 | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | |
| WN11-SO-000167 | V1R6 | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. | |
| WN11-UR-000005 | V1R6 | The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts. | |
| WN11-UR-000015 | V1R6 | The "Act as part of the operating system" user right must not be assigned to any groups or accounts. | |
| WN11-UR-000030 | V1R6 | The "Back up files and directories" user right must only be assigned to the Administrators group. | |
| WN11-UR-000035 | V1R6 | The "Change the system time" user right must only be assigned to Administrators and Local Service. | |
| WN11-UR-000040 | V1R6 | The "Create a pagefile" user right must only be assigned to the Administrators group. | |
| WN11-UR-000045 | V1R6 | The "Create a token object" user right must not be assigned to any groups or accounts. | |
| WN11-UR-000050 | V1R6 | The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service. | |
| WN11-UR-000055 | V1R6 | The "Create permanent shared objects" user right must not be assigned to any groups or accounts. | |
| WN11-UR-000060 | V1R6 | The "Create symbolic links" user right must only be assigned to the Administrators group. | |
| WN11-UR-000065 | V1R6 | The "Debug programs" user right must only be assigned to the Administrators group. | |
| WN11-UR-000095 | V1R6 | The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts. | |
| WN11-UR-000100 | V1R6 | The "Force shutdown from a remote system" user right must only be assigned to the Administrators group. | |
| WN11-UR-000110 | V1R6 | The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service. | |
| WN11-UR-000120 | V1R6 | The "Load and unload device drivers" user right must only be assigned to the Administrators group. | |
| WN11-UR-000125 | V1R6 | The "Lock pages in memory" user right must not be assigned to any groups or accounts. | |
| WN11-UR-000140 | V1R6 | The "Modify firmware environment values" user right must only be assigned to the Administrators group. | |
| WN11-UR-000145 | V1R6 | The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group. | |
| WN11-UR-000150 | V1R6 | The "Profile single process" user right must only be assigned to the Administrators group. | |
| WN11-UR-000160 | V1R6 | The "Restore files and directories" user right must only be assigned to the Administrators group. | |
| WN11-UR-000165 | V1R6 | The "Take ownership of files or other objects" user right must only be assigned to the Administrators group. | |
| RHEL-09-211045 | V2R5 | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. | |
| RHEL-09-211050 | V2R5 | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. | |
| RHEL-09-211055 | V2R5 | RHEL 9 debug-shell systemd service must be disabled. | |
| RHEL-09-432010 | V2R5 | RHEL 9 must have the sudo package installed. | |
| WN10-00-000070 | V3R1 | Only accounts responsible for the administration of a system must have Administrator rights on the system. | |
| WN10-RG-000005 | V3R1 | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | |
| WN10-SO-000167 | V3R1 | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. | |
| WN10-UR-000005 | V3R1 | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | |
| WN10-UR-000015 | V3R1 | The Act as part of the operating system user right must not be assigned to any groups or accounts. | |
| WN10-UR-000030 | V3R1 | The Back up files and directories user right must only be assigned to the Administrators group. | |
| WN10-UR-000035 | V3R1 | The Change the system time user right must only be assigned to Administrators, Local Service, and NT SERVICE\autotimesvc. | |
| WN10-UR-000040 | V3R1 | The Create a pagefile user right must only be assigned to the Administrators group. | |
| WN10-UR-000045 | V3R1 | The Create a token object user right must not be assigned to any groups or accounts. | |
| WN10-UR-000050 | V3R1 | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | |
| WN10-UR-000055 | V3R1 | The Create permanent shared objects user right must not be assigned to any groups or accounts. | |
| WN10-UR-000060 | V3R1 | The Create symbolic links user right must only be assigned to the Administrators group. | |
| WN10-UR-000065 | V3R1 | The Debug programs user right must only be assigned to the Administrators group. | |
| WN10-UR-000095 | V3R1 | The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts. | |
| WN10-UR-000100 | V3R1 | The Force shutdown from a remote system user right must only be assigned to the Administrators group. | |
| WN10-UR-000110 | V3R1 | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | |
| WN10-UR-000120 | V3R1 | The Load and unload device drivers user right must only be assigned to the Administrators group. | |
| WN10-UR-000125 | V3R1 | The Lock pages in memory user right must not be assigned to any groups or accounts. | |
| WN10-UR-000140 | V3R1 | The Modify firmware environment values user right must only be assigned to the Administrators group. | |
| WN10-UR-000145 | V3R1 | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. | |
| WN10-UR-000150 | V3R1 | The Profile single process user right must only be assigned to the Administrators group. | |
| WN10-UR-000160 | V3R1 | The Restore files and directories user right must only be assigned to the Administrators group. | |
| WN10-UR-000165 | V3R1 | The Take ownership of files or other objects user right must only be assigned to the Administrators group. | |
| WN16-00-000190 | V2R9 | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | |
| WN16-DC-000010 | V2R9 | Only administrators responsible for the domain controller must have Administrator rights on the system. | |
| WN16-DC-000070 | V2R9 | Permissions on the Active Directory data files must only allow System and Administrators access. | |
| WN16-DC-000080 | V2R9 | The Active Directory SYSVOL directory must have the proper access control permissions. | |
| WN16-DC-000090 | V2R9 | Active Directory Group Policy objects must have proper access control permissions. | |
| WN16-DC-000100 | V2R9 | The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | |
| WN16-DC-000110 | V2R9 | Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | |
| WN16-DC-000350 | V2R9 | The Add workstations to domain user right must only be assigned to the Administrators group. | |
| WN16-DC-000420 | V2R9 | The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. | |
| WN16-MS-000010 | V2R9 | Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system. | |
| WN16-MS-000310 | V2R9 | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. | |
| WN16-MS-000420 | V2R9 | The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on member servers. | |
| WN16-UR-000010 | V2R9 | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | |
| WN16-UR-000030 | V2R9 | The Act as part of the operating system user right must not be assigned to any groups or accounts. | |
| WN16-UR-000070 | V2R9 | The Back up files and directories user right must only be assigned to the Administrators group. | |
| WN16-UR-000080 | V2R9 | The Create a pagefile user right must only be assigned to the Administrators group. | |
| WN16-UR-000100 | V2R9 | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | |
| WN16-UR-000110 | V2R9 | The Create permanent shared objects user right must not be assigned to any groups or accounts. | |
| WN16-UR-000120 | V2R9 | The Create symbolic links user right must only be assigned to the Administrators group. | |
| WN16-UR-000130 | V2R9 | The Debug programs user right must only be assigned to the Administrators group. | |
| WN16-UR-000200 | V2R9 | The Force shutdown from a remote system user right must only be assigned to the Administrators group. | |
| WN16-UR-000210 | V2R9 | The Generate security audits user right must only be assigned to Local Service and Network Service. | |
| WN16-UR-000220 | V2R9 | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | |
| WN16-UR-000230 | V2R9 | The Increase scheduling priority user right must only be assigned to the Administrators group. | |
| WN16-UR-000240 | V2R9 | The Load and unload device drivers user right must only be assigned to the Administrators group. | |
| WN16-UR-000250 | V2R9 | The Lock pages in memory user right must not be assigned to any groups or accounts. | |
| WN16-UR-000270 | V2R9 | The Modify firmware environment values user right must only be assigned to the Administrators group. | |
| WN16-UR-000280 | V2R9 | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. | |
| WN16-UR-000290 | V2R9 | The Profile single process user right must only be assigned to the Administrators group. | |
| WN16-UR-000090 | V2R9 | The Create a token object user right must not be assigned to any groups or accounts. | |
| WN16-UR-000300 | V2R9 | The Restore files and directories user right must only be assigned to the Administrators group. | |
| WN16-UR-000310 | V2R9 | The Take ownership of files or other objects user right must only be assigned to the Administrators group. | |
| WN22-00-000170 | V2R5 | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | |
| WN22-DC-000010 | V2R5 | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | |
| WN22-DC-000070 | V2R5 | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access. | |
| WN22-DC-000080 | V2R5 | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions. | |
| WN22-DC-000090 | V2R5 | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. | |
| WN22-DC-000100 | V2R5 | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | |
| WN22-DC-000110 | V2R5 | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | |
| WN22-DC-000350 | V2R5 | Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers. | |
| WN22-DC-000420 | V2R5 | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. | |
| WN22-MS-000010 | V2R5 | Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. | |
| WN22-MS-000060 | V2R5 | Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems. | |
| WN22-MS-000130 | V2R5 | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems. | |
| WN22-UR-000010 | V2R5 | Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | |
| WN22-UR-000020 | V2R5 | Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts. | |
| WN22-UR-000040 | V2R5 | Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group. | |
| WN22-UR-000050 | V2R5 | Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group. | |
| WN22-UR-000060 | V2R5 | Windows Server 2022 create a token object user right must not be assigned to any groups or accounts. | |
| WN22-UR-000070 | V2R5 | Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | |
| WN22-UR-000080 | V2R5 | Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts. | |
| WN22-UR-000090 | V2R5 | Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group. | |
| WN22-UR-000100 | V2R5 | Windows Server 2022 debug programs user right must only be assigned to the Administrators group. | |
| WN22-UR-000110 | V2R5 | Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group. | |
| WN22-UR-000120 | V2R5 | Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service. | |
| WN22-UR-000130 | V2R5 | Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | |
| WN22-UR-000140 | V2R5 | Windows Server 2022 increase scheduling priority user right must only be assigned to the Administrators group. | |
| WN22-UR-000150 | V2R5 | Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group. | |
| WN22-UR-000160 | V2R5 | Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts. | |
| WN22-UR-000180 | V2R5 | Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group. | |
| WN22-UR-000190 | V2R5 | Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group. | |
| WN22-UR-000200 | V2R5 | Windows Server 2022 profile single process user right must only be assigned to the Administrators group. | |
| WN22-UR-000210 | V2R5 | Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group. | |
| WN22-UR-000220 | V2R5 | Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group. | |