Child pages
  • Windows Server 2012 R2 Hardening Checklist

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Step

To Do

CIS

UT Note

Cat I

Cat II Cat III

Min Std

 

 

Preparation and Installation

 

 

 

 

 

1

 

If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened.

 

§

!

 !

5.1

2

 

Consider using the Security Configuration Wizard to assist in hardening the host.

 

§

 

 

 

 

 

Service Packs and Hotfixes

 

 

 

 

 

3

 

Install the latest service packs and hotfixes from Microsoft.

 

§

!

!

5.2

4

 

Enable automatic notification of patch availability.

 

§

!

!

5.3

 

 

User Account Policies

 

 

 

 

 

5

 

Set minimum password length.

1.1.4

§

!

!

 

6

 

Enable password complexity requirements.

1.1.5

§

!

 

 

7 Do not store passwords using reversible encryption. (Default)1.1.6§!! 
8 Configure account lockout policy.1.2§!! 
  User Rights Assignment     
9 Restrict the ability to access this computer from the network to Administrators and Authenticated Users.2.2.2    
10 Do not grant any users the 'act as part of the operating system' right. (Default)2.2.3 !! 
11 Restrict local logon access to Administrators.2.2.6§   
12 Deny guest accounts the ability to logon as a service, a batch job, locally, or via RDP.2.2.18-21 !  
  Security Settings     

13

 

Place the University warning banner in the Message Text for users attempting to log on.

2.3.7.4

§

!

!

5.10

14 Disallow users from creating and logging in with Microsoft accounts.2.3.1.1§!! 
15 Disable the guest account. (Default)2.3.1.2 !! 
16 Require Ctrl+Alt+Del for interactive logins. (Default)2.3.7.2 !! 
17 Configure machine inactivity limit to protect idle interactive sessions.2.3.7.3 !! 
18 Configure Microsoft Network Client to always digitally sign communications.2.3.8.1 !  
19 Configure Microsoft Network Client to digitally sign communications if server agrees. (Default)2.3.8.2 !! 
20 Disable the sending of unencrypted passwords to third party SMB servers.2.3.8.3 !!5.6
21 Configure Microsoft Network Server to always digitally sign communications.2.3.9.2 !  
22 Configure Microsoft Network Server to digitally sign communications if client agrees.2.3.9.3 !  

 

 

Network Access Controls

 

 

 

 

 

23

 

Disable anonymous SID/Name translation. (Default)

2.3.11.1

 

!

!

 

24

 

Do not allow anonymous enumeration of SAM accounts. (Default)

2.3.11.2

 

!

!

5.5

25

 

Do not allow anonymous enumeration of SAM accounts and shares.

2.3.11.3

 

!

 

5.5

26

 

Do not allow Everyone permissions to apply to anonymous users. (Default)

2.3.11.4

 

!

!

5.12

27

 

Do not allow any named pipes to be accessed anonymously.

2.3.11.5

 

!

 

5.12

28

 

Restrict anonymous access to named pipes and shares. (Default)

2.3.11.8

 

!

!

5.12

29 Do not allow any shares to be accessed anonymously.2.3.11.9 !  

30

 

Require the "Classic" sharing and security model for local accounts. (Default)

2.3.11.10

 

!

!

5.12

  Network Security Settings     
31 Allow Local System to use computer identity for NTLM.2.3.12.1    
32 Disable Local System NULL session fallback.2.3.12.2    
33 Configure allowable encryption types for Kerberos.2.3.12.4    

34

 

Do not store LAN Manager hash values.

2.3.12.5

 

!

!

5.13

35

 

Set LAN Manager authentication level to only allow NTLMv2 and refuse LM and NTLM.

2.3.12.7

 

!

 

5.13

36 Enable the Windows Firewall in all profiles (domain, private, public). (Default)9.[1-3].1 !!5.5
37 Configure the Windows Firewall in all profiles to block inbound traffic by default. (Default)9.[1-3].2 !! 

 

 

Active Directory Domain Member Security Settings

 

 

!

 

5.12

38

 

Digitally encrypt or sign secure channel data (always). (Default)

2.3.6.1

 

!

 

5.6

39

 

Digitally encrypt secure channel data (when possible). (Default)

2.3.6.2

 

!

!

5.6

40

 

Digitally sign secure channel data (when possible). (Default)

2.3.6.3

 

!

!

5.6

41 Require strong (Windows 2000 or later) session keys.2.3.6.6 !  
42 Configure the number of previous logons to cache.2.3.7.6§   

 

 

Audit Policy Settings

 

 

 

 

 

43 Configure Account Logon audit policy.17.1§!  
44 Configure Account Management audit policy.17.2§!! 
45 Configure Logon/Logoff audit policy.17.5§!! 
46 Configure Policy Change audit policy.17.7§!! 
47 Configure Privilege Use audit policy.17.8§!  
  Event Log Settings
     

48

 

Configure Event Log retention method and size.

18.7.19

§

!

 !

6.1

49 Configure log shipping (e.g. to Splunk). §   

 

 

Additional Security Protection

 

 

 

 

 

50

 

Disable or uninstall unused services.

 

 

!

 

5.4

51

 

Disable or delete unused users.

 

 

!

 

5.4

52

 

Configure User Rights to be as secure as possible.

 

§

!

 

 

53

 

Ensure all volumes are using the NTFS file system.

 

§

!

 

 

54

 

Configure file system permissions.

 

§

!

 

 

55

 

Configure registry permissions.

 

§

!

 

 

56 Disallow remote registry access if not required.2.3.11.6§   

 

 

Additional Steps

 

 

 

 

 

57

 

Set the system date/time and configure it to synchronize against campus time servers.

 

§

!

 

 

58

 

Install and enable anti-virus software.

 

§

!

!

3.1

59

 

Install and enable anti-spyware software.

 

§

!

 

3.2

60

 

Configure anti-virus software to update daily.

 

§

!

!

3.3

61

 

Configure anti-spyware software to update daily.

 

§

!

 

3.3

62

 

Provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate.

 

§

!

 

5.7

63

 

Install software to check the integrity of critical operating system files.

 

§

!

 

5.8

64

 

If RDP is utilized, set RDP connection encryption level to high.

 

§

!

 

5.6

  Physical Security     

65

 

Set a BIOS/firmware password to prevent alterations in system start up settings.

 

 

 

 

4.1

66 Disable automatic administrative logon to recovery console.2.3.13.1 !  
67 Do not allow the system to be shut down without having to log on. (Default)2.3.14.1 !! 

68

 

Configure the device boot order to prevent unauthorized booting from alternate media.

 

 

!

 

4.1

69

 

Configure a screen-saver to lock the console's screen automatically if the host is left unattended.

 

§

!

!

 

...