
Step | To Do | CIS | UT Note | Cat I/II/III | Min Std

Preparation and Installation

1 | If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | | § | ! | 5.1
2 | Consider using the Security Configuration Wizard to assist in hardening the host. | | § | |

Service Packs and Hotfixes

3 | Install the latest service packs and hotfixes from Microsoft. | | § | ! ! | 5.2
4 | Enable automatic notification of patch availability. | 1.6.1 | § | ! ! | 5.3

User Account Policies

5 | Set minimum password length. | 1.1.4 | § | ! |
6 | Enable password complexity requirements. | 1.1.5 | § | ! |
7 | Do not store passwords using reversible encryption. | 1.1.6 | § | ! |
8 | Configure account lockout policy. | 1.2 | § | ! ! |

User Rights Assignment

Security Settings

16 | Place the University warning banner in the Message Text for users attempting to log on. | 2.3.7.4 | § | ! ! | 5.10
| Disallow users from creating and logging in with Microsoft accounts. | 2.3.1.1 | | ! ! |
| Disable the guest account. (Default) | 2.3.1.2 | | ! ! |
| Require Ctrl+Alt+Del for interactive logins. (Default) | 2.3.7.2 | | ! ! |
9 | Disable anonymous SID/Name translation. (Default) | 1.9.6 | | ! |
| Configure machine inactivity limit to protect idle interactive sessions. | 2.3.7.3 | | ! ! |
| Configure Microsoft Network Client to always digitally sign communications. | 2.3.8.1 | | ! |
| Configure Microsoft Network Client to digitally sign communications if server agrees. (Default) | 2.3.8.2 | | ! ! |
| Disable the sending of unencrypted passwords to third-party SMB servers. | 2.3.8.3 | | ! ! | 5.6
| Configure Microsoft Network Server to always digitally sign communications. | 2.3.9.2 | | ! |
| Configure Microsoft Network Server to digitally sign communications if client agrees. | 2.3.9.3 | | ! ! |
10 | Do not allow anonymous enumeration of SAM accounts. (Default) | 1.9.37 | | ! | 5.5
11 | Do not allow anonymous enumeration of SAM accounts and shares. | 1.9.38 | | ! | 5.5

Active Directory Domain Member Security Settings

13 | Digitally encrypt or sign secure channel data (always). (Default) | 2.3.6.1 | | ! | 5.6
14 | Digitally encrypt secure channel data (when possible). (Default) | 2.3.6.2 | | ! | 5.6
15 | Digitally sign secure channel data (when possible). (Default) | 2.3.6.3 | | ! |
| Require strong (Windows 2000 or later) session keys. | 2.3.6.6 | | ! | 5.6
| Configure the number of previous logons to cache. | 2.3.7.6 | | |
18 | Do not allow Everyone permissions to apply to anonymous users. (Default) | 1.9.40 | | ! | 5.12
19 | Do not allow any named pipes to be accessed anonymously. | 1.9.41 | | ! | 5.12
20 | Restrict anonymous access to named pipes and shares. | 1.9.43 | | ! | 5.12
21 | Ensure that no shares can be accessed anonymously. | 1.9.44 | | ! | 5.12
22 | Choose "Classic" as the sharing and security model for local accounts. (Default) | 1.9.45 | | ! | 5.12
23 | Do not store LAN Manager hash values. | 1.9.46 | | ! | 5.13
24 | Set LAN Manager authentication level to NTLMv2 only. | 1.9.47 | | ! | 5.13

Audit Policy

| Configure Account Logon audit policy. | 17.1 | | |
| Configure Account Management audit policy. | 17.2 | | |
| Configure Logon/Logoff audit policy. | 17.5 | | |
| Configure Policy Change audit policy. | 17.7 | | |
| Configure Privilege Use audit policy. | 17.8 | | |

Event Logging

9 | Configure Event Log retention method and size. | 18.7.19 | § | ! ! | 6.1
10 | Configure log shipping (e.g. to Splunk). | | | |

Additional Security Protection

25 | Disable or uninstall unused services. | | | ! | 5.4
26 | Disable or delete unused users. | | | ! | 5.4
27 | Configure User Rights to be as secure as possible. | 1.81 | § | ! |
28 | Ensure all volumes are using the NTFS file system. | | § | ! |
29 | Use the Internet Connection Firewall or other methods to limit connections to the server. | 1.5 | § | ! | 5.5
30 | Configure file system permissions. | | § | ! |
31 | Configure registry permissions. | | § | ! |

Additional Steps

32 | Set the system date/time and configure it to synchronize against campus time servers. | | § | ! |
33 | Install and enable anti-virus software. | | § | ! ! | 3.1
34 | Install and enable anti-spyware software. | | § | ! | 3.2
35 | Configure anti-virus software to update daily. | | § | ! | 3.3
36 | Configure anti-spyware software to update daily. | | § | ! | 3.3
37 | Configure a screen-saver to lock the console's screen automatically if the host is left unattended. | | § | |
38 | If the machine is not physically secured against unauthorized tampering, set a BIOS/firmware password to prevent alterations in system startup settings. | | | ! | 4.1
39 | Configure the device boot order to prevent unauthorized booting from alternate media. | | | ! | 4.1
40 | Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | | § | ! | 5.7
41 | Install software to check the integrity of critical operating system files. | | § | ! | 5.8
42 | If RDP is utilized, set the RDP connection encryption level to High. | | § | ! | 5.6

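The checklist rows that Windows stores as security-option registry values (the Security Settings, domain-member secure channel, LAN Manager/NTLM and RDP items) can be verified with the following read-only PowerShell audit. It is an added example, not part of the original checklist or of UT ISO's own tooling; the registry value names are the documented backings for those security options, and the expected values assume the CIS benchmark recommendations for the items cited in the CIS column.

```powershell
# Added example: read-only audit of registry-backed checklist items. Run in an elevated
# PowerShell session; nothing is modified. Expected values follow the CIS benchmark.
$Pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Net = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$Checks = @(
    @{ Item = 'Disallow Microsoft accounts (2.3.1.1)';              Key = $Pol; Name = 'NoConnectedUser';           Want = 3 }
    @{ Item = 'Require Ctrl+Alt+Del at logon (2.3.7.2)';            Key = $Pol; Name = 'DisableCAD';                Want = 0 }
    @{ Item = 'Inactivity limit 1..900 s (2.3.7.3)';                Key = $Pol; Name = 'InactivityTimeoutSecs';     Want = 900; Op = 'le' }
    @{ Item = 'Warning banner text present (2.3.7.4)';              Key = $Pol; Name = 'LegalNoticeText';           Op = 'nonempty' }
    @{ Item = 'Secure channel: sign or seal always (2.3.6.1)';       Key = $Net; Name = 'RequireSignOrSeal';         Want = 1 }
    @{ Item = 'Secure channel: strong session key (2.3.6.6)';        Key = $Net; Name = 'RequireStrongKey';          Want = 1 }
    @{ Item = 'SMB client: always sign (2.3.8.1)';                   Key = $Wks; Name = 'RequireSecuritySignature';  Want = 1 }
    @{ Item = 'SMB client: no plaintext password (2.3.8.3)';         Key = $Wks; Name = 'EnablePlainTextPassword';   Want = 0 }
    @{ Item = 'SMB server: always sign (2.3.9.2)';                   Key = $Srv; Name = 'RequireSecuritySignature';  Want = 1 }
    @{ Item = 'No anonymous enumeration of SAM accounts';            Key = $Lsa; Name = 'RestrictAnonymousSAM';      Want = 1 }
    @{ Item = 'No anonymous enumeration of SAM accounts and shares'; Key = $Lsa; Name = 'RestrictAnonymous';         Want = 1 }
    @{ Item = 'Everyone permissions do not apply to anonymous';      Key = $Lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0 }
    @{ Item = 'Classic sharing and security model';                  Key = $Lsa; Name = 'ForceGuest';                Want = 0 }
    @{ Item = 'Do not store LAN Manager hash';                       Key = $Lsa; Name = 'NoLMHash';                  Want = 1 }
    @{ Item = 'NTLMv2 only, refuse LM and NTLM';                     Key = $Lsa; Name = 'LmCompatibilityLevel';      Want = 5 }
    @{ Item = 'RDP encryption level High';                           Key = $Rdp; Name = 'MinEncryptionLevel';        Want = 3 }
)

function Test-HardeningItem {
    param([hashtable]$Check)
    # A missing value means the policy was never applied and the Windows default is in effect.
    $value = (Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    if ($null -eq $value) {
        $status = 'NOT SET'
    } else {
        $status = switch ($Check.Op) {
            'le'       { if ([int]$value -ge 1 -and [int]$value -le $Check.Want) { 'PASS' } else { 'FAIL' } }  # 0 disables the limit
            'nonempty' { if (-not [string]::IsNullOrWhiteSpace($value)) { 'PASS' } else { 'FAIL' } }
            default    { if ([int]$value -eq $Check.Want) { 'PASS' } else { 'FAIL' } }
        }
    }
    [pscustomobject]@{ Status = $status; Item = $Check.Item; Actual = $value }
}

$Checks | ForEach-Object { Test-HardeningItem $_ } | Format-Table -AutoSize
```

Rows reported as NOT SET are running on the Windows default rather than an applied policy, so they need the same review as a FAIL before the host is counted as compliant.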