Unified CCE Security Hardening for WindowsServer 2012 R2
This topic contains the security baseline for hardening Windows Server 2012 R2 servers running Unified CCE. This baseline is essentially a collection of Microsoft group policy settings, which are determined by using the Microsoft Security Compliance Manager 4.0 tool.
In addition to the GPO settings provided in the table, disable the following settings:
• NetBIOS
• SMBv1
For more details about these configurations, see the Microsoft Windows Server 2012 R2 documentation.
Note
The baseline includes only those settings whose severity qualifies as Critical and Important. The settings with Optional and None severity qualification are not included in the baseline.
| Setting Name | Default Value | Compliance |
|---|---|---|
| Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only. Refuse LM & NTLM |
| Network Security: Restrict NTLM: Audit NTLM authentication in this domain | Not defined | Not Defined |
| Network Security: Restrict NTLM: Incoming NTLM traffic | Not defined | Not Defined |
| Interactive logon: Require smart card | Disabled | Not Defined |
| Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication | Not defined | Not Defined |
| Network security: Allow LocalSystem NULL session fallback | Not defined | Disabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled |
| Network security: Allow Local System to use computer identity for NTLM | Not defined | Enabled |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled |
| Network Security: Allow PKU2U authentication requests to this computer to use online identities | Not defined | Not Defined |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | Require NTLMv2 session security, Require 128-bit encryption |
| Microsoft network server: Server SPN target name validation level | Off | Not Defined |
| Interactive logon: Smart card removal behavior | No Action | Lock Workstation |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | Require NTLMv2 session security, Require 128-bit encryption |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons | 4 logon(s) |
| Network Security: Restrict NTLM: NTLM authentication in this domain | Not defined | Not Defined |
| Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Not defined | Not Defined |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled |
| Network Security: Restrict NTLM: Add server exceptions in this domain | Not defined | Not Defined |
| Network Security: Restrict NTLM: Audit Incoming NTLM Traffic | Not defined | Not Defined |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled |
| Shutdown: Clear virtual memory pagefile | Disabled | Disabled |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion |
| Network access: Shares that can be accessed anonymously | Not defined | Not Defined |
| Turn off the "Publish to Web" task for files and folders | Not configured | Not Configured |
| Shutdown: Allow system to be shut down without having to log on | Enabled | Disabled |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled |
| Devices: Allowed to format and eject removable media | Administrators | Administrators |
| Turn off the Windows Messenger Customer Experience Improvement Program | Not configured | Not Configured |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Enabled |
| Turn off Search Companion content file updates | Not configured | Not Configured |
| Network access: Allow anonymous SID/Name translation | Disabled | Disabled |
| Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog |
| Recovery console: Allow automatic administrative logon | Disabled | Disabled |
| Turn off Autoplay | Not configured | Enabled |
| Turn off Windows Update device driver searching | Disabled | Not Configured |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled | Disabled |
| Network access: Named Pipes that can be accessed anonymously | None | Not Defined |
| Audit Policy: System: IPsec Driver | No auditing | Success and Failure |
| Audit Policy: System: Security System Extension | No auditing | Success and Failure |
| Audit Policy: Account Management: Security Group Management | Success | Success and Failure |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Not defined | Enabled |
| Audit Policy: Account Management: Other Account Management Events | No auditing | Success and Failure |
| Audit Policy: System: Security State Change | Success | Success and Failure |
| Audit Policy: Detailed Tracking: Process Creation | No auditing | Success |
| Audit Policy: System: Other System Events | Success and Failure | Success and Failure |
| Audit Policy: Logon-Logoff: Account Lockout | Success | Success |
| Audit Policy: Policy Change: Audit Policy Change | Success | Success and Failure |
| Audit: Audit the access of global system objects | Disabled | Not Defined |
| Audit Policy: Logon-Logoff: Special Logon | Success | Success |
| Audit Policy: Account Management: User Account Management | Success | Success and Failure |
| Audit Policy: Account Logon: Credential Validation | No auditing | Success and Failure |
| Audit Policy: Logon-Logoff: Logon | Success | Success and Failure |
| Audit Policy: Account Management: Computer Account Management | No auditing | Success |
| Audit Policy: Privilege Use: Sensitive Privilege Use | No auditing | Success and Failure |
| Audit Policy: Logon-Logoff: Logoff | Success | Success |
| Audit Policy: Policy Change: Authentication Policy Change | Success | Success |
| Audit: Audit the use of Backup and Restore privilege | Disabled | Not Defined |
| Audit Policy: System: System Integrity | Success and Failure | Success and Failure |
| Turn off toast notifications on the lock screen | None | Enabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minute(s) |
| Interactive logon: Message text for users attempting to log on | Not defined | Not Defined |
| Interactive logon: Machine inactivity limit | Not defined | 900 seconds |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled |
| Interactive logon: Message title for users attempting to log on | Not defined | Not Defined |
| Network security: Force logoff when logon hours expire | Disabled | Enabled |
| Sign-in last interactive user automatically after a system-initiated restart | None | Disabled |
| Interactive logon: Display user information when the session is locked | Not defined | Not Defined |
| Interactive logon: Do not display last user name | Disabled | Enabled |
| Interactive logon: Machine account lockout threshold | Not defined | 10 invalid logon attempts |
| Allow Remote Shell Access | Not configured | Not Configured |
| Devices: Prevent users from installing printer drivers | Disabled | Enabled |
| Create global objects | Administrators, Service, Local Service, Network Service | Administrators, Service, Local Service, Network Service |
| Access this computer from the network | Everyone, Administrators, Users, Backup Operators | Administrators, Authenticated Users |
| Domain controller: Allow server operators to schedule tasks | Not defined | Not Defined |
| Modify an object label | None | No One |
| Generate security audits | Local Service, Network Service | Local Service, Network Service |
| Increase scheduling priority | Administrators | Administrators |
| Force shutdown from a remote system | Administrators | Administrators |
| Allow log on through Remote Desktop Services | Administrators, Remote Desktop Users | Administrators |
| Change the system time | Local Service, Administrators | Local Service, Administrators |
| Add workstations to domain | Not defined (Authenticated Users for domain controllers) | Not Defined |
| Create a pagefile | Administrators | Administrators |
| Profile single process | Administrators | Administrators |
| Deny log on as a batch job | No one | Guests |
| Act as part of the operating system | No one | No One |
| Change the time zone | Local Service, Administrators | Local Service, Administrators |
| Synchronize directory service data | Not defined | Not Defined |
| Lock pages in memory | No one | No One |
| Access Credential Manager as a trusted caller | No one | No One |
| Create a token object | No one | No One |
| Debug programs | Administrators | Administrators |
| Deny log on as a service | No one | Guests |
| Deny access to this computer from the network | Guests | Guests, NT AUTHORITY\Local account and member of Administrators group |
| Back up files and directories | Administrators, Backup Operators | Administrators |
| Shut down the system | Administrators, Backup Operators, Users | Administrators |
| Deny log on locally | Guests | Guests |
| Replace a process level token | Local Service, Network Service | Local Service, Network Service |
| Modify firmware environment values | Administrators | Administrators |
| Allow log on locally | Guest, Administrators, Users, Backup Operators | Administrators |
| Restore files and directories | Administrators, Backup Operators | Administrators |
| Profile system performance | Administrators, NT Service\WdiServiceHost | Administrators, NT Service\WdiServiceHost |
| Log on as a batch job | Administrators, Backup Operators | Not Defined |
| Perform volume maintenance tasks | Administrators | Administrators |
| Manage auditing and security log | Administrators | Administrators |
| Enable computer and user accounts to be trusted for delegation | No one | No One |
| Impersonate a client after authentication | Administrators, Service, Local Service, Network Service | Administrators, Service, Local Service, Network Service |
| Load and unload device drivers | Administrators | Administrators |
| Take ownership of files or other objects | Administrators | Administrators |
| Adjust memory quotas for a process | Local Service, Network Service, Administrators | Administrators, Local Service, Network Service |
| Log on as a service | No one | Not Defined |
| Create symbolic links | Administrators | Administrators |
| Create permanent shared objects | No one | No One |
| System cryptography: Force strong key protection for user keys stored on the computer | Disabled | Not Defined |
| Domain member: Require strong (Windows 2000 or later) session key | Disabled | Enabled |
| Windows Firewall: Domain: Allow unicast response | Yes | No |
| Windows Firewall: Domain: Apply local firewall rules | Yes | Yes (default) |
| Windows Firewall: Domain: Inbound connections | Block | Enabled |
| Windows Firewall: Private: Firewall state | On | On |
| Windows Firewall: Private: Apply local connection security rules | Yes | Yes (default) |
| Windows Firewall: Private: Allow unicast response | Yes | No |
| Windows Firewall: Public: Apply local firewall rules | Yes | Yes (default) |
| Windows Firewall: Public: Apply local connection security rules | Yes | Yes |
| Windows Firewall: Public: Firewall state | On | On |
| Windows Firewall: Private: Outbound connections | Allow | Allow (default) |
| Windows Firewall: Domain: Outbound connections | Allow | Allow (default) |
| Windows Firewall: Domain: Firewall state | On | On |
| Windows Firewall: Public: Allow unicast response | Yes | No |
| Windows Firewall: Public: Inbound connections | Block | Enabled |
| Windows Firewall: Domain: Apply local connection security rules | Yes | Yes (default) |
| Windows Firewall: Private: Display a notification | Yes | Yes (default) |
| Windows Firewall: Domain: Display a notification | Yes | Yes (default) |
| Windows Firewall: Public: Display a notification | Yes | Yes |
| Windows Firewall: Public: Outbound connections | Allow | Allow (default) |
| Windows Firewall: Private: Inbound connections | Block | Enabled |
| Windows Firewall: Private: Apply local firewall rules | Yes | Yes (default) |
| Default Protections for Internet Explorer | None | Enabled |
| Password protect the screen saver | Not Configured | Enabled |
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Disabled | Enabled |
| Default Protections for Software | None | Enabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled |
| Default Protections for Popular Software | None | Enabled |
| Apply UAC restrictions to local accounts on network logons | None | Enabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries | Prompt for consent on the secure desktop |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled | Disabled |
| User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled | Enabled |
| WDigest Authentication (disabling may require KB2871997) | None | Disabled |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials | Automatically deny elevation requests |
| System ASLR | None | Enabled |
| System DEP | Enabled: Application Opt-Out | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | Enabled |
| Enable screen saver | Not Configured | Enabled |
| Force specific screen saver | Not Configured | Enabled |
| Increase a process working set | Users | Not Defined |
| User Account Control: Detect application installations and prompt for elevation | Enabled | Enabled |
| System SEHOP | Enabled: Application Opt-Out | Enabled |
| Network Security: Configure encryption types allowed for Kerberos | Not defined | Not Defined |
| Set client connection encryption level | Not configured | Not Configured |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled |
| Domain controller: LDAP server signing requirements | Not defined | Not Defined |
| Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing |
| Microsoft network client: Digitally sign communications (always) | Disabled | Enabled |
| Microsoft network server: Digitally sign communications (always) | Disabled | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Disabled | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled |
| Specify the maximum log file size (KB) | 20480 KB | Enabled |
| Specify the maximum log file size (KB) | 20480 KB | Enabled |
| Specify the maximum log file size (KB) | 20480 KB | Enabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled |
| Domain controller: Refuse machine account password changes | Not defined | Not Defined |
| Domain member: Disable machine account password changes | Disabled | Disabled |
| Domain member: Maximum machine account password age | 30 days | 30 day(s) |
| Network access: Do not allow storage of passwords and credentials for network authentication | Disabled | Not Defined |
| Interactive logon: Prompt user to change password before expiration | 14 days | 14 day(s) |
| Allow indexing of encrypted files | None | Disabled |
| Accounts: Rename administrator account | Administrator | Not Defined |
| Do not display network selection UI | None | Enabled |
| Allow Microsoft accounts to be optional | None | Enabled |
| Accounts: Administrator account status | Enabled | Not Defined |
| Accounts: Guest account status | Disabled | Disabled |
| Accounts: Rename guest account | Guest | Not Defined |
| Prevent enabling lock screen slide show | None | Enabled |
| Prevent enabling lock screen camera | None | Enabled |
| IRC Ports | Not Defined | Disabled |
| Outgoing Email Port 25 | Not Defined | Disabled |
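As an added, read-only audit (not part of the Cisco document or of the Security Compliance Manager output), the following PowerShell script checks a subset of the Critical settings in the table against the registry values that the corresponding Group Policy entries write, and then checks the NetBIOS and SMBv1 items from the introduction. The registry value names and expected numbers are the standard Windows mappings for those policies; the script itself, its variable names and the Test-Baseline function are assumptions of this example, and it reports without changing anything.

```powershell
# Added audit script (not from the Cisco document). Run in an elevated
# PowerShell session on the Windows Server 2012 R2 host. It compares the
# registry values behind a subset of the baseline's Critical settings with
# the compliance values from the table, then checks SMBv1 and NetBIOS.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Baseline setting name, registry location of the policy, expected value.
$Checks = @(
  @{ Name='Network security: LAN Manager authentication level (NTLMv2 only, refuse LM & NTLM)'; Path=$Lsa; Key='LmCompatibilityLevel'; Expect=5 },
  @{ Name='Network security: Do not store LAN Manager hash value on next password change'; Path=$Lsa; Key='NoLMHash'; Expect=1 },
  @{ Name='Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Path=$Lsa; Key='RestrictAnonymous'; Expect=1 },
  @{ Name='Network access: Let Everyone permissions apply to anonymous users (Disabled)'; Path=$Lsa; Key='EveryoneIncludesAnonymous'; Expect=0 },
  @{ Name='Network security: Minimum session security for NTLM SSP clients (NTLMv2 + 128-bit)'; Path="$Lsa\MSV1_0"; Key='NTLMMinClientSec'; Expect=0x20080000 },
  @{ Name='Network security: Minimum session security for NTLM SSP servers (NTLMv2 + 128-bit)'; Path="$Lsa\MSV1_0"; Key='NTLMMinServerSec'; Expect=0x20080000 },
  @{ Name='Microsoft network server: Digitally sign communications (always)'; Path=$Srv; Key='RequireSecuritySignature'; Expect=1 },
  @{ Name='Microsoft network client: Digitally sign communications (always)'; Path=$Wks; Key='RequireSecuritySignature'; Expect=1 },
  @{ Name='User Account Control: Admin Approval Mode for the Built-in Administrator account'; Path=$Pol; Key='FilterAdministratorToken'; Expect=1 },
  @{ Name='User Account Control: Elevation prompt for standard users (Automatically deny)'; Path=$Pol; Key='ConsentPromptBehaviorUser'; Expect=0 },
  @{ Name='Apply UAC restrictions to local accounts on network logons'; Path=$Pol; Key='LocalAccountTokenFilterPolicy'; Expect=0 },
  @{ Name='Interactive logon: Machine inactivity limit (900 seconds)'; Path=$Pol; Key='InactivityTimeoutSecs'; Expect=900 },
  @{ Name='Interactive logon: Do not display last user name'; Path=$Pol; Key='DontDisplayLastUserName'; Expect=1 },
  @{ Name='WDigest Authentication (Disabled)'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Key='UseLogonCredential'; Expect=0 }
)

function Test-Baseline {
  foreach ($c in $Checks) {
    # A missing value means the policy was never applied; report it separately from a wrong value.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    $status = if ($null -eq $actual) { 'NOT SET' } elseif ($actual -eq $c.Expect) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Setting=$c.Name; Expected=$c.Expect; Actual=$actual; Status=$status }
  }
  # SMBv1 must be off (remediation, if needed: Set-SmbServerConfiguration -EnableSMB1Protocol $false).
  $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
  [pscustomobject]@{ Setting='SMBv1 disabled'; Expected=$false; Actual=$smb1; Status=$(if ($smb1) { 'FAIL' } else { 'PASS' }) }
  # NetBIOS over TCP/IP must be disabled on every IP-enabled adapter
  # (TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled).
  foreach ($n in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True') {
    $st = if ($n.TcpipNetbiosOptions -eq 2) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Setting="NetBIOS disabled on $($n.Description)"; Expected=2; Actual=$n.TcpipNetbiosOptions; Status=$st }
  }
}

Test-Baseline | Format-Table -AutoSize -Wrap
```

Settings the table marks Not Defined are deliberately not checked, since the baseline sets no value for them.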
Other Windows Hardening Considerations
The following table lists the IIS settings and their corresponding default and possible values.
| Setting Name | Default Value | Supported Values |
|---|---|---|
| ASP.NET Application Custom Error | RemoteOnly | On, Off, RemoteOnly (described below) |
| HTTPOnly Cookie | Off | Off |

ASP.NET Application Custom Error modes:
• On: The system displays custom errors to both remote systems and the local host.
• Off: The system displays ASP.NET errors to both remote systems and the local host.
• RemoteOnly: The system displays custom errors to the remote systems and ASP.NET errors to the local host.
Note
You can use any of the possible options available without impacting the system functionality.