...
1
| If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected. | ||||||||||
2
| The Security Configuration Wizard can greatly simplify the hardening of the server. Once the role for the host is defined, the Security Configuration Wizard can help create a system configuration based specifically on that role. It does not completely get rid of the need to make other configuration changes, though. More information is available at: Security Configuration Wizard. | ||||||||||
3
| There are several methods available to assist you in applying patches in a timely fashion: Microsoft Update Service
| ||||||||||
4
| Configure Automatic Updates from the Automatic Updates control panel
| ||||||||||
5
| Configuring the minimum password length settings is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires passwords be a minimum of 8 characters in length. It is strongly recommended that passwords be at least 14 characters in length (which is also the recommendation of CIS). | ||||||||||
6
| Configuring the password complexity setting is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires that passwords contain letters, numbers, and special characters. | ||||||||||
7
| If this option is enabled, the system will store passwords using a weak form of encryption that is susceptible to compromise. This configuration is disabled by default. | ||||||||||
8
| Instead of the CIS recommended values, the account lockout policy should be configured as follows:
| ||||||||||
11
| Any account with this role is permitted to log in to the console. By default, this includes users in the Administrators, Users, and Backup Operators groups. It's unlikely that non-administrative users require this level of access and, in cases where the server is not physically secured, granting this right may facilitate a compromise of the device. | ||||||||||
13
| The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included. | ||||||||||
14
| The use of Microsoft accounts can be blocked by configuring the group policy object at:
This setting can be verified by auditing the registry key:
| ||||||||||
15 | |||||||||||
16 | |||||||||||
17 | |||||||||||
18 | |||||||||||
19 | |||||||||||
20 | |||||||||||
21 | |||||||||||
22 | |||||||||||
23 | |||||||||||
24 | |||||||||||
25 | |||||||||||
26 | |||||||||||
27 | |||||||||||
28 | |||||||||||
29 | |||||||||||
30 | |||||||||||
| The university requires the following event log settings instead of those recommended by the CIS Benchmark:
The recommended retention method for all logs is: Overwrite events older than 14 days
These are minimum requirements. The most important log here is the security log. 100 MB is a suggested minimum, but if you have a high-volume service, make the file as large as necessary to make sure at least 14 days of security logs are available. You may increase the number of days that you keep, or you may set the log files to not overwrite events. Note that if the event log reaches its maximum size and no events older than the number of days you specified exist to be deleted, or if you have disabled overwriting of events, no new events will be logged. This may happen deliberately as an attempt by an attacker to cover his tracks. For critical services working with Cat 1 or other sensitive data, you should use syslog, Splunk, Intrust, or a similar service to ship logs to another device. This helps to ensure that logs are preserved and unaltered in the event of a compromise. Another option is to configure Windows to rotate event log files automatically when an event log reaches its maximum size as described in the article http://support.microsoft.com/kb/312571 using the the AutoBackupLogFiles registry entry. | ||||||||||
16
|
| ||||||||||
27
| Configure user rights to be as secure as possible. Every attempt should be made to remove Guest, Everyone, and ANONYMOUS LOGON from the user rights lists. | ||||||||||
28
| Volumes formatted as FAT or FAT32 can be converted to NTFS, by using the convert.exe utility provided by Microsoft. Microsoft has provided instructions on how to perform the conversion. This conversion cannot be reversed. | ||||||||||
29
| IPSec is one method that can limit connections to the server, and it is another standard method by which communication between servers can be encrypted. IPSec configuration can be managed using the IP Security Policies Snap-In. More information can be found on the Microsoft site. | ||||||||||
30
| Be extremely careful, as setting incorrect permissions on system files and folders can render a system unusable. | ||||||||||
31
| Be extremely careful, as setting incorrect permissions on registry entries can render a system unusable. | ||||||||||
30
| By default, domain members synchronize their time with domain controllers using Microsoft's Windows Time Service. The domain controller should be configured to synchronize its time with an external time source, such as the university's network time servers. | ||||||||||
31
| Download and install Microsoft Forefront Client Security from BevoWare. | ||||||||||
32
| Anti-spyware software is only required to be installed if the server is used to browse Web sites not specifically related to the administration of the server. ITS provides anti-spyware software for no additional charge. At a minimum, SpyBot Search and Destroy should be installed. We also recommend the installation of a secondary anti-spyware application, such as SpyWare Blaster, EMS Free Surfer, or AdAware. Both SpyWare Blaster and EMS Free Surfer are available from BevoWare. | ||||||||||
33
| Microsoft Forefront can be configured directly or through the use of GPOs. GPOs can simplify the management of multiple servers. | ||||||||||
34
| Spyware Blaster - Enabling auto-update functionality requires the purchase of an additional subscription.
| ||||||||||
37
|
| ||||||||||
40
| Windows provides the Encrypting File System as a built-in mechanism to allow the encryption of individual users' files and folders. Be aware of the caveats involved in the use of EFS before implementing it for general use, though. Other options such as PGP and GNUPG also exist. | ||||||||||
41
| Windows Server 2008 has a feature called Windows Resource Protection which automatically checks certain key files and replaces them if they become corrupted. It is enabled by default. | ||||||||||
42
| This setting is configured using the Terminal Services Configuration tool. On the General tab of the properties of the RDP connection, select High from the list next to encryption level. |
...