Checklist Summary:

The Windows Server 2008 R2 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements were developed from Federal and DoD consensus, as well as the Windows Server 2008 R2 Security Guide and security templates published by Microsoft Corporation. The vulnerabilities discussed in this document are applicable to Windows Server 2008 R2 (all versions). This STIG is for a Windows Server 2008 R2 baseline. It is meant for use in conjunction with other applicable STIGs and Checklists including such topics as Active Directory, Web Services, Domain Name Service (DNS), Database, Secure Remote Computing, and Desktop Applications. For example, Domain Controller reviews will also need to include the Active Directory STIG.

Checklist Role:

• Server Operating System
• Operating System

Known Issues:

Not provided

Target Audience:

This document is a requirement for all DoD-administered systems and all systems connected to DoD networks. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), IAOs, and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD system design, development, implementation, and certification and accreditation (C&A) efforts.

Target Operational Environment:

• Managed
• Specialized Security-Limited Functionality (SSLF)

Testing Information:

The vulnerabilities discussed in this document are applicable to Windows Server 2008 R2 (all versions).

Regulatory Compliance:

DoD Directive (DoDD) 8500.1 DoD Directive (DoDD) 8500.2

Comments/Warnings/Miscellaneous:

Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Disclaimer:

Not provided

Product Support:

Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

DoD

Licensing:

Not provided

Change History:

Standalone Version 1, Release 16 - 07 August 2015
Benchmark Version 1, Release 18 - 07 August 2015
Updated status from "Under Review" to "Final" - 1 July 2015
Version 1, Release 14 - 25 July 2014 (SCAP 1.0)
Version 1, Release 13 - 25 April 2014
Version 1, Release 12 - 13 March 2014
Version 1, Release 11 - 24 January 2014
Version 1, Release 10 - 23 December 2013
Version 1, Release 9 - 25 October 2013
Version 1, Release 8 - 24 July 2013
Version 1, Release 7 - 29 March 2013
Version 1, Release 6 - 26 October 2012
Version 1, Release 5 - July 27, 2012
Version 1, Release 4 - April 27, 2012
Version 1, Release 3 - January 27, 2012
Version 1, Release 2 - October 28, 2011
Version 1, Release 1 - May 25, 2011
Updated "Point of Contact", "Product Support" and "Comments" Sectons - 15 January 2015
Version 1, Release 14 for MS and DC - 28 January 2015
Version 1, Release 15 for Benchmark MS and DC - 28 January 2015
Changed status from "under review" to "final" - 14 September 2015
Version 1, Release 17 - 29 October 2015
Version 1, Release 19 Benchmark - 29 October 2015
Changed status from "Under Review" to "Final" - 29 December 2015
5/2/2016 - Version 1, Release 18
moved to FINAL - 6/7/2016
updated to - v1, r19 - 07/22/2016
Updated to FINAL - 09/12/2016
Updated STIG to v1, r20 - 10/28/2016
updated to FINAL - 12/07/2016
Updated to Ver 1, Rel 21 - 01/27/2017
Updated to FINAL - 03/13/2017
Updated to FINAL - 03/16/2017
Updated to Version 1, Release 22 - 04/28/2017
Updated to FINAL - 05/30/2017
null
Updated URL to reflect change to the DISA website - http --> https
Updated to FINAL - 09/07/2017
Updated - 11/01/2017
Updated to FINAL - 11/27/2017
corrected resource title - 1/24/2018
Updated to Version 1, Release 25 - 02/16/2018
Updated to FINAL - 3/18/2018
updated to v1,r26 - 4/25/18
Updated to FINAL - 5/25/18
updated to Version 1, Release 27 - 7/24/18
Added GPOs - 8/6/18
Updated to FINAL - 9/6/2018
Updated to Version 1, Release 28 - 10/25/18
Updated to FINAL - 11/26/18
Updated GPO Resource - 11/29/2018
Corrected SHA for GPO file - 12/19/2018
updated to Version 1, Release 29 - 1/28/19
updated GPO file - 2/8/19
Status Updated to FINAL - 3/8/19
Updated to Version 1, Release 29 - 4/30/19
Updated GPO resource - 5/2/19
Updated to FINAL  - 6/4/19
Updated benchmarks - 6/25/19
Added audit file - 6/26/19
Updated URLs - 7/12/19
Updated URLs - 8/12/2019
Updated URL - 8/15/19
Added Reference - 9/20/19
Updated GPO file - 10/31/19
updated URLs - 1/30/2020
sunset per DISA - 1/30/2020
sunset per DISA - 3/3/2020
Updated URLs per DISA - 6/8/2020
updated URLs per DISA - 7/7/2020

Dependency/Requirements:

URL	Description

References:

Reference URL	Description
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/Win2k8R2Audit.zip	Sunset - Microsoft Windows 2008 R2 Audit Benchmark

NIST checklist record last modified on 07/07/2020