Page History

Step

√

To Do

CIS

UT Note

Cat I

Cat II Cat III

Min Std

1

If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened.

§

!

5.1

2

Consider using the Security Configuration Wizard to assist in hardening the host.

§

3

Install the latest service packs and hotfixes from Microsoft.

§

!

!

5.2

4

Enable automatic notification of patch availability.

1.6.1

§

!

!

5.3

5

Configure Audit policy as describedthe account management audit policy.

 17.2 

§

!

6.1

6

Set minimum password length.

1.1.4

§

!

7

Enable password complexity requirements.

1.1.5

§

!

10

Configure Event Log settings.

§

!

6.1

9

Disable anonymous SID/Name translation. (default)

1.9.6

!

10

Do not allow Anonymous Enumeration of SAM accounts (Default)

1.9.37

!

5.5

11

Do not allow Anonymous Enumeration of SAM accounts and shares.

1.9.38

!

5.5

12

Disable the guest account. (Default)

1.9.5

!

5.12

13

Digitally Encrypt or Sign Secure Channel Data (Always). (Default)

1.9.12

5.6

14

Digitally Encrypt Secure Channel Data (When Possible). (Default)

1.9.13

!

5.6

15

Digitally Sign Secure Channel Data (When Possible). (Default)

1.9.14

!

5.6

16

Place the University warning banner in the Message Text for Users Attempting to log on.

1.9.27-28

§

!

5.10

17

Disable the sending of unencrypted password to connect to Third-Party SMB Servers. (Default)

1.9.32

!

5.6

18

Do not allow Everyone permissions to apply to anonymous users. (Default)

1.9.40

!

5.12

19

Do not allow any named pipes to be accessed anonymously.

1.9.41

!

5.12

20

Restrict anonymous access to Named Pipes and Shares.

1.9.43

!

5.12

21

Ensure that no shares can be accessed anonymously.

1.9.44

!

5.12

22

Choose "Classic" as the sharing and security model for local accounts. (Default)

1.9.45

!

5.12

23

Do not store LAN Manager hash values

1.9.46

!

5.13

24

Set LAN Manager Authentication level to NTLMv2 only

1.9.47

!

5.13

26

5.4

1.81

§

!

Ensure all volumes are using the NTFS file system.

§

!

29

Use the Internet Connection Firewall or other methods to limit connections to the server.

1.5

§

!

5.5

30

Configure file system permissions.

§

!

31

Configure registry permissions.

§

!

25

Disable or uninstall unused services.

!

32

5.4

26

Disable or delete unused users.

Set the system date/time and configure it to synchronize against campus time servers.

§

!

33!

5.4

27

Configure User Rights to be as secure as possible.

1.81

Install and enable anti-virus software.

§

!

!

3.1

34

Install and enable anti-spyware software.

§

!

3.2  

3528

 Configure anti-virus software to update daily

Ensure all volumes are using the NTFS file system.

§

!

3.3  

3629

Configure anti-spyware software to update daily.

Use the Internet Connection Firewall or other methods to limit connections to the server.

1.5 

§

!

35.3 5

3730

Configure a screen-saver to lock the console's screen automatically if the host is left unattendedfile system permissions.

§

!

31

 38

Configure registry permissions.

§

!If the machine is not physically secured against unauthorized tampering, set a BIOS/firmware password to prevent alterations in system startup settings.

 !

4.1

39

4.1 32

Set the system date/time and configure it to synchronize against campus time servers.

§

!

33

Install and enable anti-virus software.

§

!

!

3.1

34

Install and enable anti-spyware software.

§

!

3.2

35

Configure anti-virus software to update daily.

§

!

3.3

36

Configure anti-spyware software to update daily.

§

!

3.3

37

Configure a screen-saver to lock the console's screen automatically if the host is left unattended.

§

38

If the machine is not physically secured against unauthorized tampering, set a BIOS/firmware password to prevent alterations in system startup settings.

!

4.1

39

Configure the device boot order to prevent unauthorized booting from alternate media.

!

4.1

40

Systems will

40

Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate.

§

!

5.7

41

Install software to check the integrity of critical operating system files.

§

!

5.8

42

If RDP is utilized, set RDP connection encryption level to high.

§

!

5.6

1

If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected.

2

The Security Configuration Wizard can greatly simplify the hardening of the server. Once the role for the host is defined, the Security Configuration Wizard can help create a system configuration based specifically on that role. It does not completely get rid of the need to make other configuration changes, though. More information is available at: Security Configuration Wizard.

3

There are several methods available to assist you in applying patches in a timely fashion:

Microsoft Update Service

• Microsoft Update checks your machine to identify missing patches and allows you to download and install them.
• This is different than the "Windows Update" that is the default on Windows. Microsoft Update includes updates for many more Microsoft products, such as Office and Forefront Client Security.
• This service is compatible with Internet Explorer only. 

Windows AutoUpdate via WSUS
ITS offers a Windows Server Update Services Server for campus use using Microsoft's own update servers. It includes updates for additional Microsoft products, just like Microsoft Update, and provides additional administrative control for software deployment.

Microsoft Baseline Security Analyzer
This is a free host-based application that is available to download from Microsoft. In addition to detailing missing patches, this tool also performs checks on basic security settings and provides information on remediating any issues found.

4

Configure Automatic Updates from the Automatic Updates control panel

• On most servers, you should choose either "Download updates for me, but let me choose when to install them," or "Notify me but don't automatically download or install them."
• The campus Windows Server Update Services server can be used as the source of automatic updates.automatic updates.

The audit policy should be configured as follows:

• Audit Computer Account Management — Success and Failure
• Audit Other Account Management Events — Success and Failure
• Audit Security Group Management — Success and Failure
• Audit User Account Management — Success and Failure

6

Configuring the minimum password length settings is important only if another method of ensuring compliance with university password standards is not in place.

7

Configuring the password complexity setting is important only if another method of ensuring compliance with university password standards is not in place.

8

The university requires the following event log settings instead of those recommended by the CIS Benchmark:

• Application: Maximum log size — 32,768 KB
• Security: Maximum log size— 196,608 KB
• Setup: Maximum log size — 32,768 KB
• System: Maximum log size — 32,768 KB

16

The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included.

27

Configure user rights to be as secure as possible. Every attempt should be made to remove Guest, Everyone, and ANONYMOUS LOGON from the user rights lists.

28

Volumes formatted as FAT or FAT32 can be converted to NTFS, by using the convert.exe utility provided by Microsoft. Microsoft has provided instructions on how to perform the conversion. This conversion cannot be reversed.

29

IPSec is one method that can limit connections to the server, and it is another standard method by which communication between servers can be encrypted. IPSec configuration can be managed using the IP Security Policies Snap-In. More information can be found on the Microsoft site.

30

Be extremely careful, as setting incorrect permissions on system files and folders can render a system unusable.

31

Be extremely careful, as setting incorrect permissions on registry entries can render a system unusable.

30

By default, domain members synchronize their time with domain controllers using Microsoft's Windows Time Service. The domain controller should be configured to synchronize its time with an external time source, such as the university's network time servers.

ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators.

31

Download and install Microsoft Forefront Client Security from BevoWare.

32

Anti-spyware software is only required to be installed if the server is used to browse Web sites not specifically related to the administration of the server. ITS provides anti-spyware software for no additional charge. At a minimum, SpyBot Search and Destroy should be installed. We also recommend the installation of a secondary anti-spyware application, such as SpyWare Blaster, EMS Free Surfer, or AdAware. Both SpyWare Blaster and EMS Free Surfer are available from BevoWare.
 
An additional measure that can be taken is to install Firefox with the NoScript and Adblock Plus add-ons.

33

Microsoft Forefront can be configured directly or through the use of GPOs. GPOs can simplify the management of multiple servers.

34

Spyware Blaster - Enabling auto-update functionality requires the purchase of an additional subscription.
SpyBot Search and Destroy - Automatic update tasks can be created inside the program itself and are scheduled using the Windows Task Scheduler.

1. In the Spybot Application, click on Mode --> Advanced View.
2. Click Settings on the left hand side of the window.
3. You should now see an option labeled "Scheduler." Select that option.
4. Adding the task to update automatically is relatively straightforward.
   
   • Click Add to create a task.
   • Click Edit to edit the task schedule.

   • In the Scheduled Task window that pops up, enter the following In the Run field:

     Code Block
     C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /AUTOUPDATE /TASKBARHIDE /AUTOCLOSE

   • Click the Schedule tab and choose a time for it to update. The duration of the update is very brief, but it is processor intensive, so consider scheduling it to occur during periods of low usage. The task should be scheduled daily.

37

1. Open the Display Properties control panel.
2. Select the Screen Saver tab.
3. Select a screen saver from the list. Although there are several available, consider using a simple one such as "Blank."
4. The value for Wait should be no more than 30 minutes.
5. Select the On resume, password protect option.

40

Windows provides the Encrypting File System as a built-in mechanism to allow the encryption of individual users' files and folders. Be aware of the caveats involved in the use of EFS before implementing it for general use, though. Other options such as PGP and GNUPG also exist.

Another encryption option to consider is whole-disk encryption, which encrypts the entire contents of the drive instead of just specific files and folders. Windows Vista and Windows 2008 come with BitLocker for this. ITS provides WinMagic SecureDoc which is recommended for encrypting laptops.

We strongly recommend that, if encryption is being used in conjunction with Category I data, one of the solutions listed in the Approved Encryption Methods (EID required) be implemented.

41

Windows Server 2008 has a feature called Windows Resource Protection which automatically checks certain key files and replaces them if they become corrupted. It is enabled by default.

You can audit in much more in depth using Tripwire. Modern versions of Tripwire require the purchase of licenses in order to use it. The Tripwire management console can be very helpful for managing more complex installations.

42

This setting is configured using the Terminal Services Configuration tool. On the General tab of the properties of the RDP connection, select High from the list next to encryption level.