...

Step | √ | To Do | CIS | UT Note | Cat I | Cat II | Cat III | Min Std
---|---|---|---|---|---|---|---|---
 | | Preparation and Installation | | | | | | 
1 | | If machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | | | ! | | | 
2 | | Consider using the Security Configuration Wizard to assist in hardening the host. | | | | | | 
 | | Service Packs and Hotfixes | | | | | | 
3 | | Install the latest service packs and hotfixes from Microsoft. | | | ! | ! | | 
4 | | Enable automatic notification of patch availability. | 1.6.1 | | ! | ! | | 
 | | User Account Policies | | | | | | 
5 | | Set minimum password length. | 1.1.4 | | ! | | | 
6 | | Enable password complexity requirements. | 1.1.5 | | ! | | | 
7 | | Do not store passwords using reversible encryption. | 1.1.6 | § | ! | | | 
8 | | Configure account lockout policy. | 1.2 | § | ! | ! | | 

Step | √ | To Do | CIS | UT Note | Cat I | Cat II | Cat III | Min Std
---|---|---|---|---|---|---|---|---
 | | User Rights Assignment | | | | | | 
 | | Restrict the ability to access this computer from the network to Administrators and Authenticated Users. | 2.2.2 | | | | | 
 | | Do not grant any users the 'act as part of the operating system' right. (Default) | 2.2.3 | | | | | 
 | | Restrict local logon access to Administrators. | 2.2.6 | | | | | 
 | | Deny guest accounts the ability to log on as a service, a batch job, locally, or via RDP. | 2.2.18-21 | | | | | 
 | | Security Settings | | | | | | 
16 | | Place the University warning banner in the Message Text for users attempting to log on. | 2.3.7.4 | § | ! | ! | | 5.10
 | | Disallow users from creating and logging in with Microsoft accounts. | 2.3.1.1 | | ! | ! | | 
 | | Disable the guest account. (Default) | 2.3.1.2 | | ! | ! | | 
 | | Require Ctrl+Alt+Del for interactive logins. (Default) | 2.3.7.2 | | ! | ! | | 
 | | Configure machine inactivity limit to protect idle interactive sessions. | 2.3.7.3 | | ! | ! | | 5.6
 | | Configure Microsoft Network Client to always digitally sign communications. | 2.3.8.1 | | ! | | | 
 | | Configure Microsoft Network Client to digitally sign communications if server agrees. (Default) | 2.3.8.2 | | ! | ! | | 
 | | Disable the sending of unencrypted passwords to third-party SMB servers. | 2.3.8.3 | | ! | ! | | 5.6
 | | Configure Microsoft Network Server to always digitally sign communications. | 2.3.9.2 | | ! | | | 
 | | Configure Microsoft Network Server to digitally sign communications if client agrees. | 2.3.9.3 | | ! | ! | | 
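
The User Account Policies and User Rights Assignment rows above are enforced by the local security policy, which is most reliably read back with a `secedit` export rather than by guessing at registry keys. The following PowerShell is an added example, not code from the UT checklist or from CIS: it exports the effective policy and compares the password, lockout and user-rights entries with the rows. The 14-character minimum, the 1 to 10 lockout-threshold window and the "only these groups" lists are this example's assumptions; substitute the values your own standard requires.

```powershell
# Added example (not part of the UT checklist): export the effective local security
# policy with secedit and compare the account-policy and user-rights rows with what
# the host actually enforces. Run from an elevated PowerShell session.
# Assumptions: the 14-character minimum, the 1-10 lockout window and the group lists
# below are this example's choices, not values taken from the checklist.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated session' }

# secedit writes a UTF-16 INI file: parse it into section -> name -> value
$policy = @{}
$section = ''
foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $cfg -Force

$sys    = $policy['System Access']
$rights = $policy['Privilege Rights']

$results = New-Object System.Collections.ArrayList
function Check($item, [bool]$pass, $actual) {
    [void]$results.Add([pscustomobject]@{ Item = $item; Pass = $pass; Actual = $actual })
}

# Steps 5-8: password length, complexity, reversible encryption, account lockout
Check 'Minimum password length >= 14 (assumed)'     ([int]$sys['MinimumPasswordLength'] -ge 14) $sys['MinimumPasswordLength']
Check 'Password complexity enabled'                  ($sys['PasswordComplexity'] -eq '1')        $sys['PasswordComplexity']
Check 'Reversible encryption disabled'               ($sys['ClearTextPassword'] -eq '0')         $sys['ClearTextPassword']
Check 'Lockout threshold between 1 and 10 (assumed)' ([int]$sys['LockoutBadCount'] -ge 1 -and [int]$sys['LockoutBadCount'] -le 10) $sys['LockoutBadCount']
# 2.3.11.1 lives in this section of the export too, not in the registry
Check 'Anonymous SID/Name translation disabled'      ($sys['LSAAnonymousNameLookup'] -eq '0')    $sys['LSAAnonymousNameLookup']

# User Rights Assignment: secedit lists holders as *SID; resolve the well-known ones
$known = @{ '*S-1-5-32-544' = 'Administrators'; '*S-1-5-11' = 'Authenticated Users'; '*S-1-5-32-546' = 'Guests' }
function Holders($right) {
    if (-not $rights.ContainsKey($right)) { return @() }
    foreach ($h in $rights[$right] -split ',') { $h = $h.Trim(); if ($known[$h]) { $known[$h] } else { $h } }
}
$net   = @(Holders 'SeNetworkLogonRight')
$tcb   = @(Holders 'SeTcbPrivilege')
$local = @(Holders 'SeInteractiveLogonRight')
Check '2.2.2 network logon: only Administrators and Authenticated Users' (@($net | Where-Object { $_ -notin 'Administrators','Authenticated Users' }).Count -eq 0) ($net -join ',')
Check '2.2.3 act as part of the operating system: nobody'               ($tcb.Count -eq 0) ($tcb -join ',')
Check '2.2.6 log on locally: only Administrators'                        (@($local | Where-Object { $_ -ne 'Administrators' }).Count -eq 0) ($local -join ',')
foreach ($deny in 'SeDenyServiceLogonRight','SeDenyBatchLogonRight','SeDenyInteractiveLogonRight','SeDenyRemoteInteractiveLogonRight') {
    Check "2.2.18-21 $deny includes Guests" ('Guests' -in @(Holders $deny)) ((Holders $deny) -join ',')
}

$results | Format-Table -AutoSize
```

Holders that are not one of the three well-known SIDs are printed raw, so a stray service account or unresolved SID in a right shows up in the Actual column instead of being silently accepted.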

Step | √ | To Do | CIS | UT Note | Cat I | Cat II | Cat III | Min Std
---|---|---|---|---|---|---|---|---
 | | Network Access Controls | | | | | | 
9 | | Disable anonymous SID/Name translation. (Default) | 2.3.11.1 | | ! | | | 
10 | | Do not allow anonymous enumeration of SAM accounts. (Default) | 2.3.11.2 | | ! | | | 
11 | | Do not allow anonymous enumeration of SAM accounts and shares. | 2.3.11.3 | | ! | | | 
18 | | Do not allow Everyone permissions to apply to anonymous users. (Default) | 2.3.11.4 | | ! | | | 5.12
19 | | Do not allow any named pipes to be accessed anonymously. | 2.3.11.5 | | ! | | | 5.12
21 | | Restrict anonymous access to named pipes and shares. (Default) | 2.3.11.8 | | ! | | | 5.12
 | | Do not allow any shares to be accessed anonymously. | 2.3.11.9 | | ! | | | 
22 | | Require the "Classic" sharing and security model for local accounts. (Default) | | | ! | | | 
 | | Network Security Settings | | | | | | 
 | | Allow Local System to use computer identity for NTLM. | 2.3.12.1 | | | | | 
 | | Disable Local System NULL session fallback. | 2.3.12.2 | | | | | 
 | | Configure allowable encryption types for Kerberos. | 2.3.12.4 | | | | | 
23 | | Do not store LAN Manager hash values. | 2.3.12.5 | | ! | | | 
24 | | Set LAN Manager authentication level to only allow NTLMv2 and refuse LM and NTLM. | 2.3.12.7 | | ! | | | 
 | | Enable the Windows Firewall in all profiles (domain, private, public). | 9.[1-3].1 | | | | | 5.5
 | | Configure the Windows Firewall in all profiles to block inbound traffic by default. (Default) | 9.[1-3].2 | | | | | 

Step | √ | To Do | CIS | UT Note | Cat I | Cat II | Cat III | Min Std
---|---|---|---|---|---|---|---|---
 | | Active Directory Domain Member Security Settings | | | | | | 
13 | | Digitally encrypt or sign secure channel data (always). (Default) | 2.3.6.1 | | ! | | | 
14 | | Digitally encrypt secure channel data (when possible). (Default) | 2.3.6.2 | | ! | | | 
15 | | Digitally sign secure channel data (when possible). (Default) | 2.3.6.3 | | ! | | | 
 | | Require strong (Windows 2000 or later) session keys. | 2.3.6.6 | | ! | | | 
 | | Configure the number of previous logons to cache. | 2.3.7.6 | | | | | 
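
Almost every row in the Security Settings, Network Access Controls, Network Security Settings, Windows Firewall and Active Directory Domain Member sections maps to a single registry value, so the whole group can be audited from one table. The block below is an added example, not code from the UT checklist or from CIS; the registry paths and value names are the ones the corresponding Group Policy settings write. The expected values are this example's reading of each row (900 seconds for the inactivity limit, `LmCompatibilityLevel` 5 for "NTLMv2 only", AES-only Kerberos, at most 4 cached logons) and should be treated as assumptions to adjust. Anonymous SID/Name translation (2.3.11.1) is not a registry value and is left out here; it appears as `LSAAnonymousNameLookup` in a `secedit` export.

```powershell
# Added example (not code from the UT checklist): read the registry values behind the
# Security Settings, Network Access, Network Security, Windows Firewall and AD domain
# member rows and list the rows this host fails. Every threshold below is an assumption.

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$nlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# row label, key, value name, predicate that is $true when the stored value is compliant
# (a missing value reaches the predicate as $null, which fails every "-eq" test)
$checks = @(
    @('2.3.7.4 logon banner text set',                   $pol,          'LegalNoticeText',           { param($v) -not [string]::IsNullOrWhiteSpace($v) }),
    @('2.3.1.1 Microsoft accounts blocked',              $pol,          'NoConnectedUser',           { param($v) $v -eq 3 }),
    @('2.3.7.2 Ctrl+Alt+Del required',                   $pol,          'DisableCAD',                { param($v) $v -eq 0 }),
    @('2.3.7.3 inactivity limit 1-900 s (assumed)',      $pol,          'InactivityTimeoutSecs',     { param($v) $v -ge 1 -and $v -le 900 }),
    @('2.3.8.1 client always signs SMB',                 $wks,          'RequireSecuritySignature',  { param($v) $v -eq 1 }),
    @('2.3.8.2 client signs SMB if server agrees',       $wks,          'EnableSecuritySignature',   { param($v) $v -eq 1 }),
    @('2.3.8.3 no plaintext password to SMB servers',    $wks,          'EnablePlainTextPassword',   { param($v) $v -eq 0 }),
    @('2.3.9.2 server always signs SMB',                 $srv,          'RequireSecuritySignature',  { param($v) $v -eq 1 }),
    @('2.3.9.3 server signs SMB if client agrees',       $srv,          'EnableSecuritySignature',   { param($v) $v -eq 1 }),
    @('2.3.11.2 no anonymous SAM enumeration',           $lsa,          'RestrictAnonymousSAM',      { param($v) $v -eq 1 }),
    @('2.3.11.3 no anonymous SAM/share enumeration',     $lsa,          'RestrictAnonymous',         { param($v) $v -eq 1 }),
    @('2.3.11.4 Everyone excludes anonymous',            $lsa,          'EveryoneIncludesAnonymous', { param($v) $v -eq 0 }),
    @('2.3.11.5 no anonymously accessible named pipes',  $srv,          'NullSessionPipes',          { param($v) -not $v }),
    @('2.3.11.8 anonymous pipe/share access restricted', $srv,          'RestrictNullSessAccess',    { param($v) $v -eq 1 }),
    @('2.3.11.9 no anonymously accessible shares',       $srv,          'NullSessionShares',         { param($v) -not $v }),
    @('Classic sharing model for local accounts',        $lsa,          'ForceGuest',                { param($v) $v -eq 0 }),
    @('2.3.12.1 LocalSystem uses computer identity',     $lsa,          'UseMachineId',              { param($v) $v -eq 1 }),
    @('2.3.12.2 no LocalSystem NULL session fallback',   "$lsa\MSV1_0", 'allownullsessionfallback',  { param($v) $v -eq 0 }),
    @('2.3.12.4 Kerberos AES only, no DES/RC4 (assumed)', "$pol\Kerberos\Parameters", 'SupportedEncryptionTypes', { param($v) ($v -band 0x7) -eq 0 -and ($v -band 0x18) -ne 0 }),
    @('2.3.12.5 LM hash not stored',                     $lsa,          'NoLMHash',                  { param($v) $v -eq 1 }),
    @('2.3.12.7 NTLMv2 only, refuse LM and NTLM',        $lsa,          'LmCompatibilityLevel',      { param($v) $v -eq 5 }),
    @('2.3.6.1 secure channel: sign or seal always',     $nlog,         'RequireSignOrSeal',         { param($v) $v -eq 1 }),
    @('2.3.6.2 secure channel: seal when possible',      $nlog,         'SealSecureChannel',         { param($v) $v -eq 1 }),
    @('2.3.6.3 secure channel: sign when possible',      $nlog,         'SignSecureChannel',         { param($v) $v -eq 1 }),
    @('2.3.6.6 strong session key required',             $nlog,         'RequireStrongKey',          { param($v) $v -eq 1 }),
    @('2.3.7.6 cached logons at most 4 (assumed)', 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'CachedLogonsCount', { param($v) $null -ne $v -and [int]$v -le 4 })
)

$report = foreach ($c in $checks) {
    $label, $key, $name, $test = $c
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{ Row = $label; Value = ($v -join ','); Pass = [bool](& $test $v) }
}

# 9.[1-3].1 / 9.[1-3].2: every firewall profile on and inbound blocked by default
# (DefaultInboundAction "NotConfigured" means the built-in default, which is Block)
$report += foreach ($p in Get-NetFirewallProfile) {
    [pscustomobject]@{
        Row   = "9.x firewall profile $($p.Name): enabled, inbound blocked"
        Value = "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
        Pass  = ("$($p.Enabled)" -eq 'True' -and "$($p.DefaultInboundAction)" -in 'Block','NotConfigured')
    }
}

$report | Where-Object { -not $_.Pass } | Format-Table -AutoSize
"{0} of {1} rows pass" -f @($report | Where-Object Pass).Count, @($report).Count
```

Values that Group Policy has never written are absent from the registry, and the predicates are written so that absence counts as a failure except for the two null-session lists, where an absent or empty list is the compliant state.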

Step | √ | To Do | CIS | UT Note | Cat I | Cat II | Cat III | Min Std
---|---|---|---|---|---|---|---|---
 | | Audit Policy | | | | | | 
 | | Configure Account Logon audit policy. | 17.1 | | | | | 
 | | Configure Account Management audit policy. | 17.2 | | | | | 
 | | Configure Logon/Logoff audit policy. | 17.5 | | | | | 
 | | Configure Policy Change audit policy. | 17.7 | | | | | 
 | | Configure Privilege Use audit policy. | 17.8 | | | | | 
 | | Event Logging | | | | | | 
9 | | Configure Event Log retention method and size. | 18.7.19 | § | ! | ! | | 6.1
10 | | Configure log shipping (e.g. to Splunk). | | § | ! | | | 
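
The Audit Policy rows name CIS categories, but the operating system enforces auditing per subcategory, so a check has to ask `auditpol` for the subcategory settings; the Event Logging rows are visible through `Get-WinEvent -ListLog`. The block below is an added example, not code from the UT checklist: the subcategories and Success/Failure levels chosen for each category, the 1 GB Security log size and the `SplunkForwarder` service name are this example's assumptions.

```powershell
# Added example (not from the UT checklist): confirm the Audit Policy rows (17.1, 17.2,
# 17.5, 17.7, 17.8) and the Event Logging rows with auditpol and Get-WinEvent.
# Assumptions: the subcategory list, the 1 GB log size and the forwarder service name.

# Subcategory -> minimum setting. "Success and Failure" also satisfies a "Success" requirement.
$required = [ordered]@{
    'Credential Validation'        = 'Success and Failure'   # 17.1 Account Logon
    'User Account Management'      = 'Success and Failure'   # 17.2 Account Management
    'Security Group Management'    = 'Success and Failure'
    'Logon'                        = 'Success and Failure'   # 17.5 Logon/Logoff
    'Logoff'                       = 'Success'
    'Special Logon'                = 'Success'
    'Audit Policy Change'          = 'Success and Failure'   # 17.7 Policy Change
    'Authentication Policy Change' = 'Success'
    'Sensitive Privilege Use'      = 'Success and Failure'   # 17.8 Privilege Use
}

# auditpol /r prints CSV (Machine Name,Policy Target,Subcategory,Subcategory GUID,
# Inclusion Setting,Exclusion Setting); parse that instead of the padded text table
$current = @{}
foreach ($row in (auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv)) {
    $current[$row.Subcategory] = $row.'Inclusion Setting'
}

function Test-AuditSetting($actual, $wanted) {
    if ($wanted -eq 'Success') { return $actual -in 'Success', 'Success and Failure' }
    return $actual -eq $wanted
}

$findings = foreach ($sub in $required.Keys) {
    [pscustomobject]@{
        Check  = "auditpol: $sub"
        Actual = $current[$sub]
        Pass   = Test-AuditSetting $current[$sub] $required[$sub]
    }
}

# 18.7.19: Security log size and retention mode; circular overwrite is only acceptable
# when events are shipped off the host, which here is judged by the forwarder service
$sec = Get-WinEvent -ListLog Security
$fwd = Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue   # assumed service name
$findings += @(
    [pscustomobject]@{ Check = 'Security log max size >= 1 GB (assumed)';       Actual = $sec.MaximumSizeInBytes; Pass = $sec.MaximumSizeInBytes -ge 1GB }
    [pscustomobject]@{ Check = 'Security log not circular, or shipped off-host'; Actual = "$($sec.LogMode)";      Pass = ("$($sec.LogMode)" -ne 'Circular' -or $null -ne $fwd) }
    [pscustomobject]@{ Check = 'Log forwarder service running';                 Actual = "$($fwd.Status)";        Pass = "$($fwd.Status)" -eq 'Running' }
)

$findings | Format-Table -AutoSize
```

`auditpol` reports subcategory names in the system's display language, so on a non-English server the keys of `$required` must be translated or replaced by the subcategory GUIDs from the same CSV.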

Step | √ | To Do | CIS | UT Note | Cat I | Cat II | Cat III | Min Std
---|---|---|---|---|---|---|---|---
 | | Additional Security Protection | | | | | | 
25 | | Disable or uninstall unused services. | | | ! | | | 
26 | | Disable or delete unused users. | | | ! | | | 
27 | | Configure User Rights to be as secure as possible. | | | ! | | | 
28 | | Ensure all volumes are using the NTFS file system. | | § | ! | | | 
30 | | Configure file system permissions. | | | ! | | | 
31 | | Configure registry permissions. | | | ! | | | 
 | | Disallow remote registry access if not required. | 2.3.11.6 | | | | | 

Step | √ | To Do | CIS | UT Note | Cat I | Cat II | Cat III | Min Std
---|---|---|---|---|---|---|---|---
 | | Additional Steps | | | | | | 
32 | | Set the system date/time and configure it to synchronize against campus time servers. | | | ! | | | 
33 | | Install and enable anti-virus software. | | | ! | ! | | 
34 | | Install and enable anti-spyware software. | | | ! | | | 
35 | | Configure anti-virus software to update daily. | | | ! | | | 
36 | | Configure anti-spyware software to update daily. | | | ! | | | 
40 | | Provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | | | ! | | | 
41 | | Install software to check the integrity of critical operating system files. | | | ! | | | 
42 | | If RDP is utilized, set the RDP connection encryption level to High. | | | ! | | | 

Step | √ | To Do | CIS | UT Note | Cat I | Cat II | Cat III | Min Std
---|---|---|---|---|---|---|---|---
 | | Physical Security | | | | | | 
38 | | Set a BIOS/firmware password to prevent alterations in system start-up settings. | | | ! | | | 
 | | Disable automatic administrative logon to the recovery console. | 2.3.13.1 | | | | | 
 | | Do not allow the system to be shut down without having to log on. (Default) | 2.3.14.1 | | | | | 
39 | | Configure the device boot order to prevent unauthorized booting from alternate media. | | | ! | | | 
37 | | Configure a screen-saver to lock the console's screen automatically if the host is left unattended. | | | ! | | | 
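
The rows in the Additional Security Protection, Additional Steps and Physical Security sections are mostly operational rather than policy settings, but several of them can still be verified from PowerShell. The block below is an added example, not code from the UT checklist: it covers unused services and accounts (25, 26), Remote Registry (2.3.11.6), NTFS volumes (28), time synchronization (32), anti-virus status (33, 35), the RDP encryption level (42) and the two registry-backed Physical Security rows (2.3.13.1, 2.3.14.1). BIOS/firmware passwords and boot order have to be checked in the firmware setup itself. The 90-day "unused account" window, the campus NTP host name `ntp.campus.example`, Microsoft Defender as the anti-virus product and RDP level 3 (High) or 4 (FIPS) are this example's assumptions.

```powershell
# Added example (not from the UT checklist): spot checks for the Additional Security
# Protection, Additional Steps and Physical Security rows that a script can see.
# Assumptions: 90-day stale window, NTP host name, Defender as AV, RDP level 3 or 4.

$findings = New-Object System.Collections.ArrayList
function Add-Finding($check, $pass, $detail) {
    [void]$findings.Add([pscustomobject]@{ Check = $check; Pass = [bool]$pass; Detail = "$detail" })
}

# 25: automatic services that are not running are the usual "unused" candidates; review the list
$idle = @(Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' })
Add-Finding '25 automatic services not running (review and disable)' ($idle.Count -eq 0) ($idle.Name -join ',')

# 2.3.11.6: Remote Registry off unless required
$rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
Add-Finding '2.3.11.6 Remote Registry disabled' ($null -eq $rr -or ($rr.StartType -eq 'Disabled' -and $rr.Status -ne 'Running')) "$($rr.StartType)/$($rr.Status)"

# 26: enabled local accounts with no logon in 90 days; 2.3.1.2: built-in Guest (RID 501) disabled
$cutoff = (Get-Date).AddDays(-90)
$users  = Get-LocalUser
$stale  = @($users | Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) })
Add-Finding '26 no enabled local accounts unused for 90 days (assumed window)' ($stale.Count -eq 0) ($stale.Name -join ',')
$guest = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
Add-Finding '2.3.1.2 Guest account disabled' (-not $guest.Enabled) "$($guest.Name) Enabled=$($guest.Enabled)"

# 28: every lettered fixed volume is NTFS (the unlettered EFI system partition is FAT32 by design)
$nonNtfs = @(Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter -and $_.FileSystem -ne 'NTFS' })
Add-Finding '28 all lettered fixed volumes are NTFS' ($nonNtfs.Count -eq 0) (($nonNtfs | ForEach-Object { "$($_.DriveLetter)=$($_.FileSystem)" }) -join ',')

# 32: time source is the campus NTP server (name assumed), not "Local CMOS Clock" or "Free-running System Clock"
$source = (w32tm /query /source) -join ''
Add-Finding '32 time synchronized against campus NTP' ($source -match 'ntp\.campus\.example') $source

# 33/35: anti-virus present, real-time protection on, signatures no older than a day (Defender assumed)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
Add-Finding '33 anti-virus real-time protection enabled'    ($mp -and $mp.RealTimeProtectionEnabled) "$($mp.AMProductVersion)"
Add-Finding '35 anti-virus signatures updated within 1 day' ($mp -and $mp.AntivirusSignatureAge -le 1) "$($mp.AntivirusSignatureAge) day(s) old"

# 42: if RDP is enabled, MinEncryptionLevel must be 3 (High) or 4 (FIPS); the policy key overrides the listener key
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOff = (Get-ItemProperty $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
$level  = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name MinEncryptionLevel -ErrorAction SilentlyContinue).MinEncryptionLevel
if ($null -eq $level) { $level = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name MinEncryptionLevel -ErrorAction SilentlyContinue).MinEncryptionLevel }
Add-Finding '42 RDP disabled or encryption level High/FIPS' ($rdpOff -or $level -ge 3) "RDP disabled=$rdpOff level=$level"

# Physical Security rows backed by registry values (for both, a missing value is the secure default)
$rc = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole' -Name SecurityLevel -ErrorAction SilentlyContinue).SecurityLevel
Add-Finding '2.3.13.1 no automatic admin logon to recovery console' ($rc -ne 1) "SecurityLevel=$rc"
$sd = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name ShutdownWithoutLogon -ErrorAction SilentlyContinue).ShutdownWithoutLogon
Add-Finding '2.3.14.1 shutdown requires logon' ($sd -ne 1) "ShutdownWithoutLogon=$sd"

$findings | Format-Table -AutoSize
```

The service and account checks are deliberately reported as lists to review rather than as hard failures on their own: an automatic service that is stopped or an account with no recent logon is evidence that the row needs attention, not proof that the item is unused.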
...