SRG-OS-000324-GPOS-00125 Controls

STIG IDVersionTitleProduct
ALMA-09-006620V1R1The systemd Ctrl-Alt-Delete burst key sequence in AlmaLinux OS 9 must be disabled.
ALMA-09-006730V1R1The Ctrl-Alt-Delete key sequence must be disabled on AlmaLinux OS 9.
ALMA-09-006840V1R1AlmaLinux OS 9 must have the sudo package installed.
ALMA-09-006950V1R1The AlmaLinux OS 9 debug-shell systemd service must be disabled.
ALMA-09-007060V1R1AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
ALMA-09-007170V1R1AlmaLinux OS 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.
WN22-00-000170V2R1Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
WN22-DC-000010V2R1Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
WN22-DC-000070V2R1Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access.
WN22-DC-000080V2R1Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions.
WN22-DC-000090V2R1Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions.
WN22-DC-000100V2R1Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
WN22-DC-000110V2R1Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
WN22-DC-000350V2R1Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
WN22-DC-000420V2R1Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
WN22-MS-000010V2R1Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.
WN22-MS-000060V2R1Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
WN22-MS-000130V2R1Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
WN22-UR-000010V2R1Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
WN22-UR-000020V2R1Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts.
WN22-UR-000040V2R1Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group.
WN22-UR-000050V2R1Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group.
WN22-UR-000060V2R1Windows Server 2022 create a token object user right must not be assigned to any groups or accounts.
WN22-UR-000070V2R1Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN22-UR-000080V2R1Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts.
WN22-UR-000090V2R1Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group.
WN22-UR-000100V2R1Windows Server 2022 debug programs user right must only be assigned to the Administrators group.
WN22-UR-000110V2R1Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group.
WN22-UR-000120V2R1Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service.
WN22-UR-000130V2R1Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN22-UR-000140V2R1Windows Server 2022 increase scheduling priority: user right must only be assigned to the Administrators group.
WN22-UR-000150V2R1Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group.
WN22-UR-000160V2R1Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts.
WN22-UR-000180V2R1Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group.
WN22-UR-000190V2R1Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group.
WN22-UR-000200V2R1Windows Server 2022 profile single process user right must only be assigned to the Administrators group.
WN22-UR-000210V2R1Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group.
WN22-UR-000220V2R1Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group.
WN10-00-000070V2R8Only accounts responsible for the administration of a system must have Administrator rights on the system.
WN10-RG-000005V2R8Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
WN10-SO-000167V2R8Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
WN10-UR-000005V2R8The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
WN10-UR-000015V2R8The Act as part of the operating system user right must not be assigned to any groups or accounts.
WN10-UR-000030V2R8The Back up files and directories user right must only be assigned to the Administrators group.
WN10-UR-000035V2R8The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc.
WN10-UR-000040V2R8The Create a pagefile user right must only be assigned to the Administrators group.
WN10-UR-000045V2R8The Create a token object user right must not be assigned to any groups or accounts.
WN10-UR-000050V2R8The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN10-UR-000055V2R8The Create permanent shared objects user right must not be assigned to any groups or accounts.
WN10-UR-000060V2R8The Create symbolic links user right must only be assigned to the Administrators group.
WN10-UR-000065V2R8The Debug programs user right must only be assigned to the Administrators group.
WN10-UR-000095V2R8The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.
WN10-UR-000100V2R8The Force shutdown from a remote system user right must only be assigned to the Administrators group.
WN10-UR-000110V2R8The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN10-UR-000120V2R8The Load and unload device drivers user right must only be assigned to the Administrators group.
WN10-UR-000125V2R8The Lock pages in memory user right must not be assigned to any groups or accounts.
WN10-UR-000140V2R8The Modify firmware environment values user right must only be assigned to the Administrators group.
WN10-UR-000145V2R8The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
WN10-UR-000150V2R8The Profile single process user right must only be assigned to the Administrators group.
WN10-UR-000160V2R8The Restore files and directories user right must only be assigned to the Administrators group.
WN10-UR-000165V2R8The Take ownership of files or other objects user right must only be assigned to the Administrators group.
APPL-15-002069V1R1The macOS system must require an administrator password to modify systemwide preferences.
APPL-14-002069V2R1The macOS system must require administrator privileges to modify systemwide settings.
WN11-RG-000005V2R1Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
WN11-SO-000167V2R1Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
WN11-UR-000005V2R1The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts.
WN11-UR-000015V2R1The "Act as part of the operating system" user right must not be assigned to any groups or accounts.
WN11-UR-000030V2R1The "Back up files and directories" user right must only be assigned to the Administrators group.
WN11-UR-000035V2R1The "Change the system time" user right must only be assigned to Administrators and Local Service.
WN11-UR-000040V2R1The "Create a pagefile" user right must only be assigned to the Administrators group.
WN11-UR-000045V2R1The "Create a token object" user right must not be assigned to any groups or accounts.
WN11-UR-000050V2R1The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN11-UR-000055V2R1The "Create permanent shared objects" user right must not be assigned to any groups or accounts.
WN11-UR-000060V2R1The "Create symbolic links" user right must only be assigned to the Administrators group.
WN11-UR-000065V2R1The "Debug programs" user right must only be assigned to the Administrators group.
WN11-UR-000095V2R1The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts.
WN11-UR-000100V2R1The "Force shutdown from a remote system" user right must only be assigned to the Administrators group.
WN11-UR-000110V2R1The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN11-UR-000120V2R1The "Load and unload device drivers" user right must only be assigned to the Administrators group.
WN11-UR-000125V2R1The "Lock pages in memory" user right must not be assigned to any groups or accounts.
WN11-UR-000140V2R1The "Modify firmware environment values" user right must only be assigned to the Administrators group.
WN11-UR-000145V2R1The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group.
WN11-UR-000150V2R1The "Profile single process" user right must only be assigned to the Administrators group.
WN11-UR-000160V2R1The "Restore files and directories" user right must only be assigned to the Administrators group.
WN11-UR-000165V2R1The "Take ownership of files or other objects" user right must only be assigned to the Administrators group.
RHEL-08-040400V1R9RHEL 8 must prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.
RHEL-07-020020V3R8The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
RHEL-07-020021V3R8The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege.
RHEL-07-020022V3R8The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH.
RHEL-07-020023V3R8The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.
RHEL-09-211045V2R1The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.
RHEL-09-211050V2R1The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.
RHEL-09-211055V2R1RHEL 9 debug-shell systemd service must be disabled.
RHEL-09-412030V2R1RHEL 9 must prevent users from disabling session control mechanisms.
RHEL-09-432010V2R1RHEL 9 must have the sudo package installed.
OL09-00-000230V1R1OL 9 must have the sudo package installed.
OL09-00-002403V1R1OL 9 debug-shell systemd service must be disabled.
OL09-00-002412V1R1OL 9 must be configured so that the systemd Ctrl-Alt-Delete burst key sequence is disabled.
OL09-00-002413V1R1OL 9 must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled.
WN16-00-000190V2R10Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
WN16-DC-000010V2R10Only administrators responsible for the domain controller must have Administrator rights on the system.
WN16-DC-000070V2R10Permissions on the Active Directory data files must only allow System and Administrators access.
WN16-DC-000080V2R10The Active Directory SYSVOL directory must have the proper access control permissions.
WN16-DC-000090V2R10Active Directory Group Policy objects must have proper access control permissions.
WN16-DC-000100V2R10The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
WN16-DC-000110V2R10Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
WN16-DC-000350V2R10The Add workstations to domain user right must only be assigned to the Administrators group.
WN16-DC-000420V2R10The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
WN16-MS-000010V2R10Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system.
WN16-MS-000310V2R10Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
WN16-MS-000420V2R10The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on member servers.
WN16-UR-000010V2R10The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
WN16-UR-000030V2R10The Act as part of the operating system user right must not be assigned to any groups or accounts.
WN16-UR-000070V2R10The Back up files and directories user right must only be assigned to the Administrators group.
WN16-UR-000080V2R10The Create a pagefile user right must only be assigned to the Administrators group.
WN16-UR-000100V2R10The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN16-UR-000110V2R10The Create permanent shared objects user right must not be assigned to any groups or accounts.
WN16-UR-000120V2R10The Create symbolic links user right must only be assigned to the Administrators group.
WN16-UR-000130V2R10The Debug programs user right must only be assigned to the Administrators group.
WN16-UR-000200V2R10The Force shutdown from a remote system user right must only be assigned to the Administrators group.
WN16-UR-000210V2R10The Generate security audits user right must only be assigned to Local Service and Network Service.
WN16-UR-000220V2R10The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN16-UR-000230V2R10The Increase scheduling priority user right must only be assigned to the Administrators group.
WN16-UR-000240V2R10The Load and unload device drivers user right must only be assigned to the Administrators group.
WN16-UR-000250V2R10The Lock pages in memory user right must not be assigned to any groups or accounts.
WN16-UR-000270V2R10The Modify firmware environment values user right must only be assigned to the Administrators group.
WN16-UR-000280V2R10The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
WN16-UR-000290V2R10The Profile single process user right must only be assigned to the Administrators group.
WN16-UR-000090V2R10The Create a token object user right must not be assigned to any groups or accounts.
WN16-UR-000300V2R10The Restore files and directories user right must only be assigned to the Administrators group.
WN16-UR-000310V2R10The Take ownership of files or other objects user right must only be assigned to the Administrators group.
OL07-00-020020V2R14The Oracle Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
OL07-00-020021V2R14The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege.
OL07-00-020022V2R14The Oracle Linux operating system must not allow privileged accounts to utilize SSH.
OL07-00-020023V2R14The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.
WN19-00-000170V2R8Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
WN19-DC-000010V2R8Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
WN19-DC-000070V2R8Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
WN19-DC-000080V2R8Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.
WN19-DC-000090V2R8Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions.
WN19-DC-000100V2R8Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
WN19-DC-000110V2R8Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
WN19-DC-000350V2R8Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
WN19-DC-000420V2R8Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
WN19-MS-000010V2R8Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system.
WN19-MS-000060V2R8Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems.
WN19-MS-000130V2R8Windows Server 2019 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems.
WN19-UR-000010V2R8Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
WN19-UR-000020V2R8Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.
WN19-UR-000040V2R8Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.
WN19-UR-000050V2R8Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.
WN19-UR-000060V2R8Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts.
WN19-UR-000070V2R8Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN19-UR-000080V2R8Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.
WN19-UR-000090V2R8Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.
WN19-UR-000100V2R8Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group.
WN19-UR-000110V2R8Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.
WN19-UR-000120V2R8Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.
WN19-UR-000130V2R8Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN19-UR-000140V2R8Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.
WN19-UR-000150V2R8Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.
WN19-UR-000160V2R8Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.
WN19-UR-000180V2R8Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.
WN19-UR-000190V2R8Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.
WN19-UR-000200V2R8Windows Server 2019 Profile single process user right must only be assigned to the Administrators group.
WN19-UR-000210V2R8Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.
WN19-UR-000220V2R8Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.
OL08-00-040400V1R9OL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.