VIL Microsoft Windows 2012 Techspec V1 2 (3)


© Copyright IBM Corporation, 1997, 2012 - All Rights Reserved

MS Windows 2012 Platforms Technical Specification - Vodafone India Ltd.

Tech Spec Review

Document Template version:

Version 1.0 / 19 March 2014
Approval Date: 3 Apr 2014; Effective Date: 2 Jul 2014
Product Version - Release Levels: Microsoft Windows Server 2012 (all editions and releases)
Server/System name: All Windows 2012 servers

Release version / Created By / Date Reviewed (mm/dd/yy) / Review Comments:

1.0 - Mitesh Parikh, 21-Mar-14: Initial Version created based on Global Techspec.

1.1 - Dhandapani Palanisamy, 30-Dec-14: Aligned To ISeC Approval. Sections added: ED.1.1.8, ED.1.2.14, ED.1.2.36, ED.1.2.37, ED.1.2.59, ED.1.2.60, ED.1.9.4, ED.5.0.22. Sections removed: ED.1.8.13, ED.1.8.14, ED.1.2.26, ED.20.1.2.27. Sections changed from "health check and baseline" to "baseline only": ED.1.7.2, ED.1.9.2. Section changed from "baseline only" to "Process Requirement, no requirement to B or S": ED.1.9.3.

1.2 - Dhandapani Palanisamy, 29-Jan-14: Aligned To ISeC Approval. Section changed: ED.1.1.9.4, CLIUSR service id added in PNE Enabled state. Section added: ED.1.1.11 – Password Complexity.

Special Considerations for this Tech Spec

Each row gives the customer requirement, the exception to the requirement (with the tech spec reference) and the potential threat.

1. Password Requirements: Minimum age - 1. Exception: Minimum age - 2 days; for Share IDs the minimum age can be 0 days. Potential threat: least privilege (see below).

2. Password Requirements: Lockout - 60 minutes. Exception: Lockout duration - Forever. Potential threat: least privilege (see below).

3. ED.1.2.32 & ED.1.2.33 Advanced Audit Policy - Object Access (Filtering Platform Packet Drop & Filtering Platform Connection): Failure. Exception: Not Configured, to stop the frequent generation of Filtering Platform connection and packet drop events, which was occupying the system drive. Potential threat: Without adequate logging the organization will have little to no knowledge of events that are causing breaches of information security. Likewise, the organization will have no evidence to trace back events to determine what happened, how it happened, and who carried out the activity.

4. ED.20.1.2.x Privileged Monitoring Service: Must be enabled. Exception: Not enabled. Potential threat: least privilege (see below).

5. ED 1.9.4 Protecting Resources - User Resources, User Account Control: the UAC feature is to remain as default, turned "on" in Control Panel – User Accounts. Exception: UAC turned "off" in Control Panel – User Accounts. Potential threat: least privilege (see below).

Least privilege (potential threat for rows 1, 2, 4 and 5): Access controls for a system should be set in such a way that they allow for "least" privilege. Users should only have access to data and operating system resources they need to conduct their job roles.

Document Control

Document Name: VIL_Microsoft_Windows_2012_Techspec_V1.2.xls
Current Version: 1.2
Owner Identification: Niranjan M Vinchure
Document Approver: VIL: Burgess Cooper (IT Security Head), Sameer Wavhal (IT Security) or Krantikumar Sherkhane (IT Security); IBM: Vineet Juneja (DPE - Infrastructure) or Umang Chokshi (IT Security Head).
Review plan: This document must be reviewed by all parties on a regular basis. The recommended interval is 12 months.
Previous version: The previous version of this document should be retained until all of the changes in this version are implemented or 3 months elapse, whichever is longer.
Distribution: Copies of this document may be obsolete. It is the user's obligation to verify they are using the most current edition. This document should be removed from use when obsolete. Contact the document owner for the current level of the document.

Requirements

Row format: Section # [type, Foundation Y/N] Section Heading - System Value/Parameter: Description. Recommended Value; Initial Value (where given); Agreed to Value; Comments (31st March, KPMG).
Legend: B=baseline, S=healthcheck and baseline, I=Informational requirement. Foundation (Y/N).

ED.1.1.1 [S, Y] Password Requirements - Enforce password history: Password History. Recommended: 8 passwords remembered; Initial: 12; Agreed: 12.

ED.1.1.2 [S, Y] Password Requirements - Minimum password age: Minimum Age. Recommended: 1 day; Initial: 2 days (For Share ID Min Age can be 0 Days); Agreed: 2 days (For Share ID Min Age can be 0 Days).

ED.1.1.3 [S, Y] Password Requirements - Maximum password age: Maximum Age. Recommended: 90 days; Initial: 60; Agreed: 60.

ED.1.1.4 [S, Y] Password Requirements - Minimum password length: Password length. Recommended: 8 characters; Agreed: 8 characters.

ED.1.1.5 [S, Y] Password Requirements - Store password using reversible encryption. Recommended: Disabled; Agreed: Disabled.

ED.1.1.6 [S, Y] Password Requirements - Account lockout threshold: Lockout. Recommended: 5; Agreed: 5.

ED.1.1.7 [S, Y] Password Requirements - Account lockout duration: Lockout duration ('0' minutes: the account is locked out until an administrator unlocks it. This policy must be set to a value equal to or above "30 minutes"). Recommended: 60 min; Agreed: 60 min.

ED.1.1.8 [S, Y] Password Requirements - Reset account lockout counter after: Reset account lockout counter. Recommended: 60 min; Agreed: 60 min.

ED.1.1.9.1 [S, Y] Password Requirements - Password never expires: User accounts that satisfy all of the following criteria: 1) the 'Logon locally' user right is disabled; 2) the userid does not have system or security administrative authority (per section 5.0); 3) all interactive login methods (FTP, telnet, rexec, SSH, etc.) are disabled for the userid by either 3a) denying access to the user rights 'Access this computer from network' and 'Logon through Terminal Services', or 3b) another method that disables interactive login methods for the given service or protocol. Recommended: May have a non-expiring password; Agreed: May have a non-expiring password (hpadmin has the 'password never expires' setting enabled); Comment: HPADMIN account has the 'password never expires' setting enabled.

ED.1.1.9.2 [S, Y] Password Requirements - Replicate: Password never expires. Recommended: 'Password never expires' may be enabled; Agreed: 'Password never expires' may be enabled; Comment: HPADMIN account has the 'password never expires' setting enabled.

ED.1.1.9.3 [S, Y] Password Requirements - Guest: Password never expires. Recommended: 'Password never expires' may be enabled; Agreed: 'Password never expires' will be disabled.

ED.1.1.9.4 [S, Y] Password Requirements - Password never expires: IUSR_{system} and IWAM_{system} user accounts created by Internet Information Server (IIS). User ID: ITSD, itsd.support, remedy_ad, Discccm, VFSVC-IN-BES, SVCCCR2, SVCCCR7, BackupAdmin, Fimservice, vpxadmin, ctx_sql_service, ctx_sql_vdi, sqlmonitoring, apmadmin, hpapmadm, Ctx_ConfigMgr {Citrix ID}, Ctx_Cpsvcuser {Citrix ID}, Ctx_Cpuuser {Citrix ID}, Ctx_StreamingSvc {Citrix ID} and CLIUSR. Recommended: 'Password never expires' may be enabled; Agreed: 'Password never expires' may be enabled; Comment: only the hpadmin user account is created.

ED.1.1.9.5 [S, Y] Password Requirements - Password never expires: User accounts that are only associated with a started process(es) and are set to 'Disabled' status, so they cannot be logged onto (example: tmersrvd). Recommended: 'Password never expires' may be enabled; Agreed: 'Password never expires' may be enabled.

ED.1.1.10 [P, Y] Password Requirements - Required action for: creating new userids; password resets performed where system or support personnel are aware of the password content. Set an initial password and force the user to change it. Recommended: The check box 'User Must Change Password at Next Logon' must be selected (no system security check required). Agreed: as Recommended.

ED.1.1.11 [P, Y] Password Requirements - Password Complexity: Set password complexity enabled for all users. Recommended: Enabled; Agreed: Enabled.

ED.1.2.1 [S, Y] Logging - Advanced Audit Policy - Account Logon: Credential Validation. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.2 [S, Y] Logging - Advanced Audit Policy - Account Logon: Kerberos Service Ticket Operations. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.3 [S, Y] Logging - Advanced Audit Policy - Account Logon: Other Account Logon Events. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.4 [S, Y] Logging - Advanced Audit Policy - Account Logon: Kerberos Authentication Service. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.5 [S, Y] Logging - Advanced Audit Policy - Logon/Logoff: Logon. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.6 [S, Y] Logging - Advanced Audit Policy - Logon/Logoff: Logoff. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.7 [S, Y] Logging - Advanced Audit Policy - Logon/Logoff: Account Lockout. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.8 [S, Y] Logging - Advanced Audit Policy - Logon/Logoff: IPsec Main Mode. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.9 [S, Y] Logging - Advanced Audit Policy - Logon/Logoff: IPsec Quick Mode. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.10 [S, Y] Logging - Advanced Audit Policy - Logon/Logoff: IPsec Extended Mode. Recommended: Success & Failure; Agreed: Success & Failure.

Note for ED.1.2.1 to ED.1.2.10: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. For ED.1.2.3, stronger controls are compliant.

ED.1.2.11 [S, Y] Logging - Advanced Audit Policy - Logon/Logoff: Special Logon. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.12 [S, Y] Logging - Advanced Audit Policy - Logon/Logoff: Other Logon/Logoff Events. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.13 [S, Y] Logging - Advanced Audit Policy - Logon/Logoff: Network Policy Server. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.14 [S, Y] Logging - Advanced Audit Policy - Logon/Logoff: User / Device Claims. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.15 [S, Y] Logging - Advanced Audit Policy - Account Management: User Account Management. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.16 [S, Y] Logging - Advanced Audit Policy - Account Management: Computer Account Management. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.17 [S, Y] Logging - Advanced Audit Policy - Account Management: Security Group Management. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.18 [S, Y] Logging - Advanced Audit Policy - Account Management: Distribution Group Management. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.19 [S, Y] Logging - Advanced Audit Policy - Account Management: Application Group Management. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.20 [S, Y] Logging - Advanced Audit Policy - Account Management: Other Account Management Events. Recommended: Success & Failure; Agreed: Success & Failure.

Note for ED.1.2.11 to ED.1.2.20: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement.

ED.1.2.21 [S, Y] Logging - Advanced Audit Policy - DS Access: Directory Service Access. Recommended: Failure; Agreed: Failure.
ED.1.2.22 [S, Y] Logging - Advanced Audit Policy - DS Access: Directory Service Changes. Recommended: Failure; Agreed: Failure.
ED.1.2.23 [S, Y] Logging - Advanced Audit Policy - DS Access: Directory Service Replication. Recommended: Failure; Agreed: Failure.
ED.1.2.24 [S, Y] Logging - Advanced Audit Policy - DS Access: Detailed Directory Service Replication. Recommended: Failure; Agreed: Failure.
ED.1.2.25 [S, Y] Logging - Advanced Audit Policy - Object Access: File System. Recommended: Failure; Agreed: Failure.
ED.1.2.26 [S, Y] Logging - Advanced Audit Policy - Object Access: Registry. Recommended: Failure; Agreed: Failure.
ED.1.2.27 [S, Y] Logging - Advanced Audit Policy - Object Access: Kernel Object. Recommended: Failure; Agreed: Failure.
ED.1.2.28 [S, Y] Logging - Advanced Audit Policy - Object Access: SAM. Recommended: Failure; Agreed: Failure.
ED.1.2.29 [S, Y] Logging - Advanced Audit Policy - Object Access: Certification Services. Recommended: Failure; Agreed: Failure.
ED.1.2.30 [S, Y] Logging - Advanced Audit Policy - Object Access: Application Generated. Recommended: Failure; Agreed: Failure.
ED.1.2.31 [S, Y] Logging - Advanced Audit Policy - Object Access: Handle Manipulation. Recommended: Failure; Agreed: Failure.
ED.1.2.32 [S, Y] Logging - Advanced Audit Policy - Object Access: File Share. Recommended: Failure; Agreed: Failure.
ED.1.2.33 [S, Y] Logging - Advanced Audit Policy - Object Access: Filtering Platform Packet Drop. Recommended: Failure; Agreed: None.
ED.1.2.34 [S, Y] Logging - Advanced Audit Policy - Object Access: Filtering Platform Connection. Recommended: Failure; Agreed: None.

Note for ED.1.2.21 to ED.1.2.34: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant.

ED.1.2.35 [S, Y] Logging - Advanced Audit Policy - Object Access: Other Object Access Events. Recommended: Failure; Agreed: Failure.
ED.1.2.36 [S, Y] Logging - Advanced Audit Policy - Object Access: Detailed File Share. Recommended: Failure; Agreed: Failure.
ED.1.2.36 (numbered as on the sheet) [S, Y] Logging - Advanced Audit Policy - Object Access: Removable Storage. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.37 [S, Y] Logging - Advanced Audit Policy - Object Access: Central Access Policy Staging. Recommended: Success & Failure; Agreed: Success & Failure.

Note for ED.1.2.35 to ED.1.2.37: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant.

ED.1.2.38 [S, Y] Logging - Advanced Audit Policy - Policy Change: Audit Policy Change. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.39 [S, Y] Logging - Advanced Audit Policy - Policy Change: Authentication Policy Change. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.40 [S, Y] Logging - Advanced Audit Policy - Policy Change: Authorization Policy Change. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.41 [S, Y] Logging - Advanced Audit Policy - Policy Change: MPSSVC Rule-Level Policy Change. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.42 [S, Y] Logging - Advanced Audit Policy - Policy Change: Filtering Platform Policy Change. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.43 [S, Y] Logging - Advanced Audit Policy - Policy Change: Other Policy Change Events. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.44 [S, Y] Logging - Advanced Audit Policy - Privilege Use: Sensitive Privilege Use. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.45 [S, Y] Logging - Advanced Audit Policy - Privilege Use: Non Sensitive Privilege Use. Recommended: Success & Failure; Agreed: Success & Failure.
ED.1.2.46 [S, Y] Logging - Advanced Audit Policy - Privilege Use: Other Privilege Use Events. Recommended: Success & Failure; Agreed: Success & Failure.

Note for ED.1.2.38 to ED.1.2.46: The recommended setting listed is the minimum logging requirement.

ED.1.2.47 [S, Y] Logging - Advanced Audit Policy - Detailed Tracking: Process Creation. Recommended: (not required to be set); Agreed: (not required to be set).
ED.1.2.48 [S, Y] Logging - Advanced Audit Policy - Detailed Tracking: Process Termination. Recommended: (not required to be set); Agreed: (not required to be set).
ED.1.2.49 [S, Y] Logging - Advanced Audit Policy - Detailed Tracking: DPAPI Activity. Recommended: (not required to be set); Agreed: (not required to be set).
ED.1.2.50 [S, Y] Logging - Advanced Audit Policy - Detailed Tracking: RPC Events. Recommended: (not required to be set); Agreed: (not required to be set).

Note for ED.1.2.47 to ED.1.2.50: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant.

ED.1.2.51 [S, Y] Logging - Audit policy - System: Security State Change. Recommended: Failure; Agreed: Failure.
ED.1.2.52 [S, Y] Logging - Audit policy - System: Security System Extension. Recommended: Failure; Agreed: Failure.
ED.1.2.53 [S, Y] Logging - Audit policy - System: System Integrity. Recommended: Failure; Agreed: Failure.
ED.1.2.54 [S, Y] Logging - Audit policy - System: IPsec Driver. Recommended: Failure; Agreed: Failure.
ED.1.2.55 [S, Y] Logging - Audit policy - System: Other System Events. Recommended: Failure; Agreed: Failure.

Note for ED.1.2.51 to ED.1.2.55: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant.

ED.1.2.56 [S, Y] Logging - Advanced Audit Policy - Registry settings - HKLM\SYSTEM\CurrentControlSet\Control\Lsa: Force Advanced Audit Policy subcategory settings to override Audit Policy category settings. Recommended: Name: SCENoApplyLegacyAuditPolicy; Type: REG_DWORD; Value: 1 (Enabled). Agreed: as Recommended.

ED.1.2.57 [S, Y] Logging - For each subdirectory that is listed in Section 1.8 as an Operating System Resource: OSR auditing - the recommended setting listed is the minimum required. Recommended: Enable Auditing on the OSR object, with the following specifications: Name: Everyone; Apply onto: This folder only. Agreed: as Recommended.

ED.1.2.58 [S, N] Logging - For each file that is listed in Section 1.8 as an Operating System Resource: OSR auditing - the recommended setting listed is the minimum required. Recommended: Enable Auditing on the OSR object, with the following specifications: Name: Everyone; Apply onto: This object only; Access: select "Failed" for each of these accesses:
• Traverse Folder/Execute File
• List Folder/Read Data
• Read Attributes
• Read Extended Attributes
• Create Files / Write Data
• Create Folders / Append Data
• Write Attributes
• Write Extended Attributes
• Delete
• Read Permissions
• Change Permissions
• Take Ownership
Agreed: as Recommended. Comment: Object-level auditing is not required at this time.

ED.1.2.59 [I, N] Logging - Note: Registry keys listed in Section 1.8. Recommended: none; Agreed: none.

ED.1.2.60 [S, 23] Logging - Log Retention: Log Retention Requirement. Recommended: Security Event Log retained for 90 days. Logs may be retained on the system itself, or on a separate system. Initial: Security Event Log retained for 90 days for SOX systems and 60 days for non-SOX systems. Logs may be retained on the system itself, or on a separate system. Agreed: as Initial. Comment: 20 MB configured as the event log size. No Syslog configured.

ED.1.3.1 [S, Y] AntiVirus - AntiVirus Enabled: AntiVirus. Recommended: Yes; Agreed: Yes; Comment: Not Installed.

ED.1.4.0 [I, N] System Settings - No requirements in this category. Recommended: None; Agreed: None.

ED.1.5.1 [B, N] Network Settings - Net News Transfer Protocol (NNTP) authentication & identification: TCP/IP Net News Transfer Protocol (NNTP). Recommended: If activated, must be configured to require authentication and identification of all users if any of the newsgroups on the server are classified confidential. Agreed: as Recommended. Comment: not running.

ED.1.5.2 [B, N] Network Settings - X-Windows access control: TCP/IP X-Windows. Recommended: If the X-Windows service is active, access control must not be disabled. Agreed: as Recommended. Comment: not running.

ED.1.5.3 [B, N] Network Settings - REXD daemon: TCP/IP REXD. Recommended: May not be enabled; Agreed: May not be enabled; Comment: not running.

ED.1.5.4.1 [B, N] Network Settings - TCP/IP Anonymous FTP: Directories enabled for Anonymous FTP access. Recommended: READ access via anonymous FTP must not be granted to directories containing classified data. Agreed: as Recommended. Comment: not running.

ED.1.5.4.2 [B, N] Network Settings - TCP/IP Anonymous FTP: Access permissions for directories accessible via Anonymous FTP. Recommended: Each directory may allow read access or write access to anonymous users, but not both. Agreed: as Recommended. Comment: not running.

ED.1.5.4.3 [B, N] Network Settings - TCP/IP Anonymous FTP: Process Control: Anonymous FTP, Process for Receiving Files from Anonymous Users. Recommended: Files that have been stored into a writeable directory must be examined (scanned for viruses, checked for Confidential information, checked for inappropriate material, etc.) before being moved to a readable directory. Agreed: as Recommended. Comment: not running.

ED.1.5.5 [B, N] Network Settings - TCP/IP Trivial FTP (TFTP): Directories enabled for TFTP (Trivial File Transfer Protocol) access. Recommended: Access via TFTP may be granted only to directories containing unclassified data. Confidential data is not permitted in directories accessible via TFTP or any subdirectories of the directory. Agreed: as Recommended.

ED.1.5.6.1 to ED.1.5.6.8 [B, N] Network Settings - Denial of Service Prevention. Recommended: Disabled on all Internet servers; Agreed: Disabled on all Internet servers; Comment: not running. Services: ED.1.5.6.1 ECHO, ED.1.5.6.2 CHARGEN, ED.1.5.6.3 FINGER, ED.1.5.6.4 DISCARD, ED.1.5.6.5 SYSTAT, ED.1.5.6.6 DAYTIME, ED.1.5.6.7 NETSTAT, ED.1.5.6.8 WHO.

ED.1.5.7.1 to ED.1.5.7.14 [B, N] Network Settings - Denial of Service Prevention. Recommended: Disabled if not required to support an application; Agreed: Disabled if not required to support an application; Comment: not running (except where noted). Services: ED.1.5.7.1 ECHO, ED.1.5.7.2 CHARGEN, ED.1.5.7.3 RSTATD, ED.1.5.7.4 TFTP, ED.1.5.7.5 RWALLD, ED.1.5.7.6 RUSERD, ED.1.5.7.7 DISCARD, ED.1.5.7.8 DAYTIME, ED.1.5.7.9 BOOTPS, ED.1.5.7.10 FINGER, ED.1.5.7.11 SPRAYD, ED.1.5.7.12 PCNFSD, ED.1.5.7.13 NETSTAT (Comment: Running), ED.1.5.7.14 RWHO.
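As an added example (not part of the VIL/IBM tech spec), the following read-only PowerShell check verifies ED.1.2.56 (SCENoApplyLegacyAuditPolicy), a sample of the Advanced Audit Policy subcategories above, and the ED.1.2.57/ED.1.2.58 "Everyone / Failed" audit entries on two Section 1.8 OSR directories. The function name, the sampled subcategories and the two paths are assumptions chosen for illustration.

```powershell
# Added example, not part of the tech spec: read-only compliance check for the
# audit-related rows above. Run in an elevated PowerShell on a Windows Server 2012 host
# (reading SACLs needs SeSecurityPrivilege). The function name, the sampled subcategories
# and the OSR paths below are assumptions for illustration; extend to the full
# Section 1.8 list as needed.

function Test-TechSpecAuditBaseline {
    [CmdletBinding()]
    param(
        # Subset of the Section 1.8 OSR directories (assumed for the example)
        [string[]]$OsrPaths = @("$env:SystemRoot\system32\config",
                                "$env:SystemRoot\system32\drivers")
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # ED.1.2.56: subcategory settings must override legacy category settings
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.SCENoApplyLegacyAuditPolicy -ne 1) {
        $findings.Add('ED.1.2.56: SCENoApplyLegacyAuditPolicy is not REG_DWORD 1')
    }

    # Sample of Advanced Audit Policy subcategories with the spec's Recommended Value.
    # 'auditpol /get ... /r' emits CSV; the 'Inclusion Setting' column is the effective setting.
    $expected = [ordered]@{
        'Credential Validation' = 'Success and Failure'   # ED.1.2.1
        'Special Logon'         = 'Success and Failure'   # ED.1.2.11
        'File System'           = 'Failure'               # ED.1.2.25
        'Audit Policy Change'   = 'Success and Failure'   # ED.1.2.38
        'Security State Change' = 'Failure'               # ED.1.2.51
    }
    foreach ($sub in $expected.Keys) {
        $rows = auditpol /get /subcategory:"$sub" /r 2>$null |
                Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
        $actual = ($rows | Select-Object -First 1).'Inclusion Setting'
        # The listed value is a minimum: "Stronger controls are compliant".
        $ok = ($actual -eq $expected[$sub]) -or
              ($expected[$sub] -eq 'Failure' -and $actual -eq 'Success and Failure')
        if (-not $ok) {
            $findings.Add("Audit subcategory '$sub' is '$actual' (minimum: $($expected[$sub]))")
        }
    }

    # ED.1.2.57 / ED.1.2.58: 'Everyone' needs a Fail audit entry covering these accesses
    # (the access list is the one given for ED.1.2.58).
    $required = [System.Security.AccessControl.FileSystemRights](
        'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateFiles, ' +
        'CreateDirectories, WriteAttributes, WriteExtendedAttributes, Delete, ' +
        'ReadPermissions, ChangePermissions, TakeOwnership')
    foreach ($path in $OsrPaths) {
        if (-not (Test-Path -LiteralPath $path)) {
            $findings.Add("OSR '$path' not present (compare the Section 1.8 comments)")
            continue
        }
        $acl = Get-Acl -LiteralPath $path -Audit
        $covered = 0
        foreach ($rule in $acl.Audit) {
            $isEveryone = $rule.IdentityReference.Value -eq 'Everyone'
            $isFail = $rule.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Failure)
            if ($isEveryone -and $isFail) { $covered = $covered -bor [int]$rule.FileSystemRights }
        }
        $missing = [int]$required -band (-bnot $covered)
        if ($missing -ne 0) {
            $names = [System.Security.AccessControl.FileSystemRights]$missing
            $findings.Add("OSR '$path': no 'Everyone' Fail audit entry for: $names")
        }
    }
    return $findings
}

$result = Test-TechSpecAuditBaseline
if ($result.Count -eq 0) { 'Compliant with the sampled audit rows' } else { $result }
```

The check only reads configuration; remediation of any finding is done through the Group Policy or auditpol settings the rows above describe.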

Page 11: VIL Microsoft Windows 2012 Techspec V1 2 (3)

B N ED.1.5.7.15 Network Settings CMSD Denial of Service Prevention not running

B N ED.1.5.7.16 Network Settings DTSPCD Denial of Service Prevention not running

B N ED.1.5.7.17 Network Settings TTDBSERVER Denial of Service Prevention not running

B N ED.1.5.7.18 Network Settings Telnet Service Denial of Service Prevention not running

B N ED.1.5.7.19 Network Settings FTP Service Denial of Service Prevention not running

B N ED.1.5.8.1 Network Settings SNMP service SNMP not running

B N ED.1.5.8.2 Network Settings SNMP service SNMP not running

B N ED.1.7.2 Maximum lifetime for user ticket

I N ED.1.8.0 Note none none

S N ED.1.8.1 %SystemRoot% OSRs

S N ED.1.8.2 %SystemRoot%\security OSRs

S N ED.1.8.3 %SystemRoot%\system OSRs

S N ED.1.8.4 %SystemRoot%\system32 OSRs

S N ED.1.8.5 %SystemRoot%\system32\config OSRs

S N ED.1.8.6 %SystemRoot%\system32\drivers OSRs

S N ED.1.8.7 %SystemRoot%\system32\spool OSRs

S N ED.1.8.8 %SystemRoot%\system32\GroupPolicy OSRs No as such folder

S N ED.1.8.9 %WinDir%\WinSxS\Backup OSRs

S N ED.1.8.10 %SystemDrive%\boot\BCD

S N ED.1.8.11 OSRs

S N ED.1.8.12 Folder/file not available

S N ED.1.8.15 %SystemDrive% OSRs

S N ED.1.8.16 %SystemRoot%\syswow64

S N ED.1.8.17 %SystemRoot%\syswow64\drivers

S N ED.1.8.18

Disabled if not required to support an application (recommended setting and agreed value; the same entry is repeated for each service row of this block)

If enabled, the SNMP service must comply with YO.1.5.4.1, YO.1.5.4.2 and YO.1.5.4.3.

Community name of 'public' is not permitted if the SNMP service is active (recommended setting and agreed value).

Community name of 'private' is not permitted if the SNMP service is active (recommended setting and agreed value).
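The following PowerShell check is an added example and not part of the tech spec: it tests the SNMP rows above (ED.1.5.8.1/2, service not running; 'public' and 'private' community names not permitted while the service is active). The ValidCommunities key is the standard location of the Windows SNMP service community table; the forbidden-name list is taken from the rows.

```powershell
# Added example, not part of the tech spec: checks the SNMP rows (ED.1.5.8.1/2: service not
# running; community names 'public' and 'private' not permitted if the service is active).
# The community table location is the standard Windows SNMP service registry key; the list
# of forbidden names comes from the rows above.
$ForbiddenCommunities = @('public', 'private')
$CommunityKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'

function Test-SnmpBaseline {
    $findings = @()
    # Win32_Service exposes State and StartMode on every supported PowerShell version.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='SNMP'"
    if ($null -eq $svc) {
        return @('SNMP service not installed: compliant')
    }
    $active = ($svc.State -ne 'Stopped')
    if ($active) {
        $findings += "SNMP service is $($svc.State): baseline expects it not running"
    }
    if ($svc.StartMode -ne 'Disabled') {
        $findings += "SNMP start mode is $($svc.StartMode): disable it unless an application requires SNMP"
    }
    # Community strings are stored as value names under ValidCommunities; the data is the
    # permission level (4 = read only, 8 = read/write).
    if (Test-Path -LiteralPath $CommunityKey) {
        foreach ($name in (Get-Item -LiteralPath $CommunityKey).GetValueNames()) {
            if ($ForbiddenCommunities -contains $name.ToLowerInvariant()) {
                $state = if ($active) { 'service active: NON-COMPLIANT' } else { 'service stopped: non-compliant as soon as it is enabled' }
                $findings += "Community '$name' is configured ($state)"
            }
        }
    }
    if ($findings.Count -eq 0) { $findings += 'SNMP baseline: compliant' }
    return $findings
}

Test-SnmpBaseline
```

Run it in an elevated session; a configured 'public' or 'private' string is reported even while the service is stopped, because the row becomes non-compliant the moment the service is enabled.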

Identify and Authenticate Users

Only applies if Kerberos authentication is enabled.

If Kerberos authentication is enabled, the following are the maximum user ticket lifetimes permitted for user accounts at creation time: 30 hours (general user accounts); 12 hours (system and security administrative user accounts). If this is enforced at a policy level that implements a single maximum lifetime across all userids, that lifetime must be set to 12 hours (so that both general users and administrative users are compliant). If Kerberos authentication is not enabled, there is no requirement for this item. (Recommended setting and agreed value are identical.)
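An added example, not part of the tech spec, for checking ED.1.7.2 on a server: Windows keeps "Maximum lifetime for user ticket" in Kerberos Policy as MaxTicketAge (hours), one value for the whole domain, so the single-lifetime 12-hour figure from the row is the one to test. The export file name and the default threshold parameter are assumptions of the example.

```powershell
# Added example, not part of the tech spec: reads "Maximum lifetime for user ticket" (ED.1.7.2)
# from an export of the effective security policy. Windows stores it in Kerberos Policy as
# MaxTicketAge, in hours, as one value for the whole domain, so the 12-hour limit the row gives
# for a single policy-level lifetime is the figure to test against. The export file name and
# the 12-hour default threshold are assumptions of this example.
function Get-MaxTicketAgeHours {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes an INI-style file (UTF-16 with BOM, which Select-String reads correctly).
    # [Kerberos Policy] is only present where Kerberos policy is applied (domain controllers /
    # domain policy); on a stand-alone server the key is absent and $null is returned.
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path -LiteralPath $cfg)) { throw 'secedit export failed' }
    try {
        $m = Select-String -Path $cfg -Pattern '^\s*MaxTicketAge\s*=\s*(\d+)' | Select-Object -First 1
        if ($null -eq $m) { return $null }
        return [int]$m.Matches[0].Groups[1].Value
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Test-UserTicketLifetime {
    param([int]$MaxHours = 12)   # 12 h: the single-lifetime value required by ED.1.7.2
    $age = Get-MaxTicketAgeHours
    if ($null -eq $age) { return 'Kerberos policy not present in the policy export: no requirement for this item' }
    if ($age -le $MaxHours) { return "MaxTicketAge = $age h: compliant (limit $MaxHours h)" }
    return "MaxTicketAge = $age h: NON-COMPLIANT (limit $MaxHours h)"
}

Test-UserTicketLifetime
```

On a domain member the export usually carries no [Kerberos Policy] section; run the check on a domain controller, or against the exported domain GPO, to see the value that actually applies.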

Protecting Resources – OSRs

The following objects are designated as OSRs. The access listed in the 'Recommended Setting' column is the maximum authority permitted to general users. The access listed in the 'Agreed to Value' column is likewise the maximum authority permitted to general users (e.g. Everyone, Users, Authenticated Users, or other groups containing general users). Users with system or security administrative authority (per section 5.0) and TrustedInstaller are not in scope of the OSR requirements and may have permissions greater

Maximum general-user access per OSR (recommended setting and agreed value are identical for every row):

ED.1.8.1 %SystemRoot%: Read & Execute; List Folder Contents; Read

ED.1.8.2 %SystemRoot%\security: Read & Execute; List Folder Contents; Read

ED.1.8.3 %SystemRoot%\system: Read & Execute; List Folder Contents; Read

ED.1.8.4 %SystemRoot%\system32: Read & Execute; List Folder Contents; Read

ED.1.8.5 %SystemRoot%\system32\config: no general user authorizations permitted

ED.1.8.6 %SystemRoot%\system32\drivers: Read & Execute; List Folder Contents; Read

ED.1.8.7 %SystemRoot%\system32\spool: Read & Execute; List Folder Contents; Read

ED.1.8.8 %SystemRoot%\system32\GroupPolicy: Read & Execute; List Folder Contents; Read

ED.1.8.9 %WinDir%\WinSxS\Backup: Read & Execute; List Folder Contents; Read

ED.1.8.10 %SystemDrive%\boot\BCD: Read & Execute; Read. Note: on servers where this file does not exist it must be located on the System Reserved partition (SRP) at \boot\BCD. OSR file permissions and OSR auditing are not required if the file is on the SRP. If the system boots via UEFI, ignore this control.

ED.1.8.11 %SystemRoot%\system32\winload.exe or %SystemRoot%\system32\winload.efi: Read & Execute; Read

ED.1.8.12 %SystemDrive%\bootmgr or \EFI\Microsoft\Boot\bootmgfw.efi: Read & Execute; Read. Note: on servers where this file does not exist it must be located on the System Reserved partition (SRP) at \bootmgr. OSR file permissions and OSR auditing are not required if the file is on the SRP.

ED.1.8.15 %SystemDrive%: Read & Execute; List Folder Contents; Read; Create folders / append data

ED.1.8.16 %SystemRoot%\syswow64: Read & Execute; List Folder Contents; Read. Note: on servers where this folder does not exist, no action is required.

ED.1.8.17 %SystemRoot%\syswow64\drivers: Read & Execute; List Folder Contents; Read. Note: on servers where this folder does not exist, no action is required.

ED.1.8.18 %SystemRoot%\System32\Winevt\Logs\Security.evtx (or the Security log file whose location/name is defined in the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security subkey, if the log has been moved from the default location): no general user authorizations permitted. Note: LOCAL SERVICE is permitted to have full access to this OSR.


S N ED.1.8.19

I N ED.1.8.20 Note none none none

I N ED.1.8.21 Note none none none

S N ED.1.8.22 hkey_classes_root Registry Settings required on all servers:

S N ED.1.8.23 Registry Settings required on all servers:

S N ED.1.8.24 Registry Settings required on all servers:

S N ED.1.8.25 Registry Settings required on all servers:

S N ED.1.8.26 Registry Settings required on all servers:

S N ED.1.8.27

I N ED.1.8.28.0 Task Scheduler Service Windows task scheduler service none none

S N ED.1.8.28.1 Task Scheduler Service No task assigned

S N ED.1.8.28.2 Task Scheduler Service

S N ED.1.8.29 Disable the AutoRun functionality

S N ED.1.8.30

S N ED.1.8.31

S N ED.1.8.32

S N ED.1.8.33

S N ED.1.8.34

S N ED.1.8.35

P N ED.1.9.1 Creating new user home directories

Protecting Resources – OSRs

ED.1.8.19 %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx (or the DNS Server log file whose location/name is defined in the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server subkey, if the log has been moved from the default location): no general user authorizations permitted. Note: on servers where this file does not exist, no action is required.

ED.1.8.20 Note: the above permissions are required on the specified directories and files listed only; not on subfolders and files under them.

ED.1.8.21 Note: Creator Owner, TrustedInstaller, and SYSTEM are permitted to have full access to the OSRs above.

ED.1.8.22 HKEY_CLASSES_ROOT: maximum authorization allowed for general userids or general user groups is Read (recommended setting and agreed value).

ED.1.8.23 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security: recommended setting is that general users may not be granted access to this subkey; agreed value is that the maximum authorization allowed for general userids or general user groups is Read.

Registry settings required on all servers (recommended setting and agreed value are identical):

ED.1.8.24 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Name: RestrictGuestAccess; Type: REG_DWORD; Value: 1

ED.1.8.25 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Name: RestrictGuestAccess; Type: REG_DWORD; Value: 1

ED.1.8.26 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
Name: RestrictGuestAccess; Type: REG_DWORD; Value: 1

ED.1.8.27 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server
Name: RestrictGuestAccess; Type: REG_DWORD; Value: 1
Note: on servers where the DNS Server subkey does not exist, no action is required.

Protecting Resources - OSR's

ED.1.8.28.0 Task Scheduler Service (Windows task scheduler service): protection requirements for system facility entries executing with privileged authority. Files/scripts/commands listed in active entries must meet all the requirements below. Exceptions: files/commands executed that are OSRs and meet the applicable OSR requirements are compliant and do not have to meet the requirements below. Files/commands/scripts executed are not required to exist as long as all the existing directories in the path meet all the requirements below.

ED.1.8.28.1 Each active entry must specify the full path of the file/command/script to be executed (recommended setting and agreed value are identical).

ED.1.8.28.2 Recommended setting: for each active entry's file/command/script executed, and all directories in its path, the maximum authority permitted to general users (unless otherwise specified in the OSR section of this tech spec) is, for files/commands/scripts: Read & Execute; Read; and for directories: Read & Execute; List Folder Contents; Read.
Agreed value: the same maximum authority applies to each active entry's file/command/script executed and its immediate parent directory.
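The following PowerShell script is an added example, not part of the tech spec. It serves two passages: the OSR permission rows ED.1.8.1 to ED.1.8.19 above, and the Task Scheduler rows ED.1.8.28.1/2, which apply the same "Read & Execute / List Folder Contents / Read" ceiling to the executable of each active task and (agreed value) its immediate parent directory. The OSR paths and limits are the rows' own; the list of principals treated as "general users" is an assumption made for the check.

```powershell
# Added example, not part of the tech spec: checks general-user rights on the OSR files and
# folders of ED.1.8.1 to ED.1.8.19 and on the executable and parent directory of every
# enabled scheduled task action (ED.1.8.28.1/2). OSR paths and limits come from the rows;
# the set of principals treated as "general users" is an assumption made for this check.
$GeneralUsers = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                  'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Guests')
$FSR  = [System.Security.AccessControl.FileSystemRights]
$RX   = [int]$FSR::ReadAndExecute                 # Read & Execute, List Folder Contents, Read
$RXA  = $RX -bor [int]$FSR::AppendData            # plus Create folders / append data (ED.1.8.15)
$Sync = [int]$FSR::Synchronize                    # implied by every Allow ACE, never counted as excess
$None = 0                                         # no general-user authorizations permitted

$Osr = @(
    @{ Id='ED.1.8.1';  Path=$env:SystemRoot;                          Max=$RX   },
    @{ Id='ED.1.8.2';  Path="$env:SystemRoot\security";               Max=$RX   },
    @{ Id='ED.1.8.3';  Path="$env:SystemRoot\system";                 Max=$RX   },
    @{ Id='ED.1.8.4';  Path="$env:SystemRoot\system32";               Max=$RX   },
    @{ Id='ED.1.8.5';  Path="$env:SystemRoot\system32\config";        Max=$None },
    @{ Id='ED.1.8.6';  Path="$env:SystemRoot\system32\drivers";       Max=$RX   },
    @{ Id='ED.1.8.7';  Path="$env:SystemRoot\system32\spool";         Max=$RX   },
    @{ Id='ED.1.8.8';  Path="$env:SystemRoot\system32\GroupPolicy";   Max=$RX   },
    @{ Id='ED.1.8.9';  Path="$env:windir\WinSxS\Backup";              Max=$RX   },
    @{ Id='ED.1.8.10'; Path="$env:SystemDrive\boot\BCD";              Max=$RX   },
    @{ Id='ED.1.8.11'; Path="$env:SystemRoot\system32\winload.exe";   Max=$RX   },
    @{ Id='ED.1.8.12'; Path="$env:SystemDrive\bootmgr";               Max=$RX   },
    @{ Id='ED.1.8.15'; Path="$env:SystemDrive\";                      Max=$RXA  },
    @{ Id='ED.1.8.16'; Path="$env:SystemRoot\syswow64";               Max=$RX   },
    @{ Id='ED.1.8.17'; Path="$env:SystemRoot\syswow64\drivers";       Max=$RX   },
    @{ Id='ED.1.8.18'; Path="$env:SystemRoot\System32\Winevt\Logs\Security.evtx";   Max=$None },
    @{ Id='ED.1.8.19'; Path="$env:SystemRoot\System32\Winevt\Logs\DNS Server.evtx"; Max=$None }
)

function Get-ExcessRights {
    # Emits one line per Allow ACE that grants a general-user principal more than $Max on the
    # object itself. Inherit-only ACEs are skipped (ED.1.8.20: the listed object only, not its
    # children); generic rights (negative values) are reported for manual review.
    param([string]$Path, [int]$Max)
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($GeneralUsers -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $granted = [int]$ace.FileSystemRights
        if ($granted -lt 0) { "$Path : $($ace.IdentityReference) has generic rights ($granted), review"; continue }
        $excess = $granted -band (-bnot ($Max -bor $Sync))
        if ($excess -ne 0) { "$Path : $($ace.IdentityReference) exceeds maximum by $([System.Security.AccessControl.FileSystemRights]$excess)" }
    }
}

function Test-Osr {
    foreach ($row in $Osr) {
        if (-not (Test-Path -LiteralPath $row.Path)) { "$($row.Id) $($row.Path): not present, no action required"; continue }
        Get-ExcessRights -Path $row.Path -Max $row.Max | ForEach-Object { "$($row.Id) $_" }
    }
}

function Test-ScheduledTaskActions {
    # Get-ScheduledTask exists from Windows Server 2012 onwards. COM-handler actions have no
    # Execute property and are skipped; environment variables and surrounding quotes are
    # resolved before the path is tested.
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        $label = "$($task.TaskPath)$($task.TaskName)"
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not [System.IO.Path]::IsPathRooted($exe)) { "$label : action '$($action.Execute)' is not a full path (ED.1.8.28.1)"; continue }
            # ED.1.8.28.2 agreed value: the executable and its immediate parent directory.
            foreach ($p in @($exe, (Split-Path -Parent $exe))) {
                if ($p -and (Test-Path -LiteralPath $p)) { Get-ExcessRights -Path $p -Max $RX | ForEach-Object { "$label : $_" } }
            }
        }
    }
}

Test-Osr
Test-ScheduledTaskActions
```

The check deliberately ignores inherit-only ACEs (for example the default Authenticated Users entry on the system drive that applies to subfolders and files only), because ED.1.8.20 scopes the requirement to the listed object itself. Generic-right ACEs, which Get-Acl reports as negative values, cannot be compared bit-for-bit with the specific rights and are listed for a manual look.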

Protecting Resources - OSR's

Registry settings required on all servers (recommended setting and agreed value are identical unless stated):

ED.1.8.29 Disable the AutoRun functionality
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Name: NoDriveTypeAutoRun; Type: REG_DWORD; Value: 0xFF (Hex)

ED.1.8.30 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Name: AutoBackupLogFiles; Type: REG_DWORD; Value: 0x1
Note: on systems where the setting is applied through Group Policy, the value HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security\AutoBackupLogFiles is used instead of this key.

ED.1.8.31 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
Name: AutoBackupLogFiles; Type: REG_DWORD; Value: 0
Note: on systems where the setting is applied through Group Policy, the value HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\System\AutoBackupLogFiles is used instead of this key.

ED.1.8.32 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Name: AutoBackupLogFiles; Type: REG_DWORD; Value: 0
Note: on systems where the setting is applied through Group Policy, the value HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Application\AutoBackupLogFiles is used instead of this key.

ED.1.8.33 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Name: Retention; Type: REG_DWORD
Recommended setting: -1 (0xffffffff), i.e. never overwrite events. Agreed value: 7776000 (0x0076A700), equal to 90 days.
Note: on systems where the setting is applied through Group Policy, the value HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security\Retention is used instead of this key.

ED.1.8.34 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
Name: Retention; Type: REG_DWORD; Value: not required to be set.
Note: on systems where the setting is applied through Group Policy, the value HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\System\Retention is used instead of this key.

ED.1.8.35 HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Name: Retention; Type: REG_DWORD; Value: not required to be set.
Note: on systems where the setting is applied through Group Policy, the value HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Application\Retention is used instead of this key.

Protecting Resources - User Resources

ED.1.9.1 Creating new user home directories (recommended setting and agreed value are identical): at creation time, the home directory must be owned by the resource owner, and the maximum permissions granted on the home directory to anyone other than the resource owner and administrators are: Traverse Folder / Execute File; Read Attributes; Read Permissions.

If home directories are designed with subdirectories under them, such as a 'public' folder or a folder for storing web pages that are readable by general users, the above permissions would be needed for users to traverse through and access the subdirectories. Otherwise, granting no access to general users is the more common approach for the initial home directory permissions set by the Provider of Service.
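An added example, not from the tech spec, of creating a home directory that meets ED.1.9.1 and of verifying one afterwards. The home root path, the user name and the optional traverse-only entry for Authenticated Users (the 'public subfolder' case in the note) are assumptions of the example; by default it grants general users nothing, which the note calls the more common approach.

```powershell
# Added example, not part of the tech spec: creates a user home directory with the ED.1.9.1
# permissions and verifies an existing one. Root path, user name and the -AllowTraverse option
# (the 'public subfolder' case in the note) are assumptions of this example.
function New-HomeDirectory {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,   # 'DOMAIN\alice' or 'COMPUTER\alice'
        [string]$Root = 'D:\Home',                        # assumed home root
        [switch]$AllowTraverse                            # traverse-only for general users, per the note
    )
    $path = Join-Path $Root ($UserName.Split('\')[-1])
    $dir  = New-Item -ItemType Directory -Path $path -Force

    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    # Break inheritance so that entries from the parent (e.g. Users: Read) do not leak in.
    $acl.SetAccessRuleProtection($true, $false)
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessContro
l.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # Owner, Administrators and SYSTEM get full control on the folder and everything below.
    foreach ($principal in @($UserName, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($principal, $full, $inherit, $none, $allow)))
    }
    if ($AllowTraverse) {
        # Maximum allowed for anyone else: Traverse Folder / Execute File, Read Attributes,
        # Read Permissions, on this folder only so subfolders are not opened up by inheritance.
        $traverse = [System.Security.AccessControl.FileSystemRights]'ExecuteFile,ReadAttributes,ReadPermissions'
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\Authenticated Users', $traverse, 'None', 'None', $allow)))
    }
    # The resource owner must own the directory. Setting a foreign owner needs SeRestorePrivilege,
    # which an elevated administrator session holds.
    $acl.SetOwner((New-Object System.Security.Principal.NTAccount($UserName)))
    Set-Acl -Path $dir.FullName -AclObject $acl
    return $dir.FullName
}

function Test-HomeDirectory {
    # Verifies ED.1.9.1 on an existing folder: owner is the user, and no principal other than the
    # owner, Administrators and SYSTEM holds more than Traverse / Read Attributes / Read Permissions.
    param([Parameter(Mandatory=$true)][string]$Path, [Parameter(Mandatory=$true)][string]$UserName)
    $acl = Get-Acl -LiteralPath $Path
    $maxOther   = [int][System.Security.AccessControl.FileSystemRights]'ExecuteFile,ReadAttributes,ReadPermissions,Synchronize'
    $privileged = @($UserName, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $ok = ($acl.Owner -eq $UserName)
    if (-not $ok) { Write-Warning "$Path is owned by $($acl.Owner), expected $UserName" }
    foreach ($ace in $acl.Access) {
        if ($privileged -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band (-bnot $maxOther)) -ne 0) {
            $ok = $false
            Write-Warning "$Path : $($ace.IdentityReference) holds $($ace.FileSystemRights), above the ED.1.9.1 maximum"
        }
    }
    return $ok
}

# Usage (assumed account):
# $dirPath = New-HomeDirectory -UserName "$env:USERDOMAIN\alice" -AllowTraverse
# Test-HomeDirectory -Path $dirPath -UserName "$env:USERDOMAIN\alice"
```

The traverse entry is added with no inheritance, so it satisfies the "public subfolder" case without widening access to anything created later under the home directory; subfolders that are meant to be public need their own explicit entries.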


B N ED.1.9.2 Guest Accounts

P N ED.1.9.3 Shared Folders No Share Folder

P N ED.1.9.4 User Account Control User Account Control feature Off Off

B N ED.2.0.1 Business Use Notice Business Use Notice Business Use Notice

B N ED.2.1.1 Encryption Data Transmission Encryption

B N ED.2.1.2 Encryption File/Database Storage Encryption

I N ED.2.1.3 Encryption File/Database Storage None None

I Y ED.3.0.0 Process Exceptions No requirements in this category None None

I Y ED.5.0.0 Note No value to be set No value to be set

B Y ED.5.0.1 Privileged Authorizations Administrators No value to be set No value to be set

B Y ED.5.0.2 Privileged Authorizations Domain Admins No value to be set No value to be set not in domain

B Y ED.5.0.3 Privileged Authorizations Enterprise Admins No value to be set No value to be set

B Y ED.5.0.4 Privileged Authorizations Power Users No value to be set No value to be set

B Y ED.5.0.5 Privileged Authorizations Backup Operators No value to be set No value to be set

B Y ED.5.0.6 Privileged Authorizations Print Operators No value to be set No value to be set

B Y ED.5.0.7 Privileged Authorizations Network Configuration Operators No value to be set No value to be set

B Y ED.5.0.8 Privileged Authorizations DHCP Administrators No value to be set No value to be set

B Y ED.5.0.9 Privileged Authorizations Account Operators No value to be set No value to be set No Such Group

B Y ED.5.0.11 Privileged Authorizations Server Operators No value to be set No value to be set No Such Group

B Y ED.5.0.12 Privileged Authorizations Group Policy Creator Owners No value to be set No value to be set No Such Group

B Y ED.5.0.13 Privileged Authorizations Schema Admins No value to be set No value to be set No Such Group

B Y ED.5.0.14 Privileged Authorizations Group Policy Owners No value to be set No value to be set No Such Group

B Y ED.5.0.15 Privileged Authorizations Enterprise Operators No value to be set No value to be set No Such Group

B Y ED.5.0.16 Privileged Authorizations Certificate Service DCOM Access No value to be set No value to be set

B Y ED.5.0.17 Privileged Authorizations Distributed COM Users No value to be set No value to be set

B Y ED.5.0.18 Privileged Authorizations Event Log Readers No value to be set No value to be set

B Y ED.5.0.19 Privileged Authorizations Performance Log Users No value to be set No value to be set

B Y ED.5.0.20 Privileged Authorizations Performance Monitor Users No value to be set No value to be set

B Y ED.5.0.21 Privileged Authorizations Eventlog (note: this is a specific userid) No value to be set No value to be set

B Y ED.5.0.22 All Application Packages (SID: S-1-15-2-1) No value to be set No value to be set

To be deleted if not using the Privileged Monitoring Service. This section details additional requirements for Privilege Monitoring only.

B N ED.20.1.2.1 Logging Object access Privilege Monitoring Logging Success NA

Protecting Resources - User Resources

ED.1.9.2 Guest accounts: accounts which allow system login without entry of a specific password (example: Guest).

If a guest account is enabled, it must comply with the following (recommended setting and agreed value are identical): no access to confidential data; it may not be a member of the following groups: Domain Users; Users; any group in scope of Section 5.0 of this technical specification.

Protecting Resources - User Resources

ED.1.9.3 Shared folders (additional account data security audit requirement): the 'everyone' group must not be used in share permissions (recommended setting and agreed value are identical).
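An added example, not part of the tech spec, covering the two rows above: ED.1.9.2 (an enabled guest account must not be in Users, Domain Users or any Section 5.0 group) and ED.1.9.3 (no 'Everyone' in share permissions). The Section 5.0 group names are taken from the ED.5.0 rows of this spec; the guest account is located by its well-known RID so a renamed account is still found.

```powershell
# Added example, not part of the tech spec: checks ED.1.9.2 (guest account) and ED.1.9.3 (no
# 'Everyone' in share permissions) on the local server. The privileged group names are the ones
# listed in the ED.5.0 rows; the ADSI WinNT provider and the SmbShare cmdlets are standard on
# Windows Server 2012.
$Section5Groups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Power Users', 'Backup Operators',
    'Print Operators', 'Network Configuration Operators', 'DHCP Administrators', 'Account Operators',
    'Server Operators', 'Group Policy Creator Owners', 'Schema Admins', 'Certificate Service DCOM Access',
    'Distributed COM Users', 'Event Log Readers', 'Performance Log Users', 'Performance Monitor Users')
$ForbiddenForGuest = @('Domain Users', 'Users') + $Section5Groups

function Test-GuestAccount {
    # The built-in guest account has RID 501 whatever name it has been given.
    $acct = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-501'"
    if ($null -eq $acct) { return 'No local guest account found' }
    if ($acct.Disabled) { return "Guest account '$($acct.Name)' is disabled: compliant" }
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$($acct.Name),user"
    # Group membership is read from the IADsUser::Groups() COM collection.
    $groups = @($user.Groups() | ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    $bad = @($groups | Where-Object { $ForbiddenForGuest -contains $_ })
    if ($bad.Count -gt 0) {
        return "Guest account '$($acct.Name)' is ENABLED and a member of: $($bad -join ', ') (ED.1.9.2 violation)"
    }
    return "Guest account '$($acct.Name)' is enabled; groups: $($groups -join ', '). Confirm it has no access to confidential data."
}

function Test-SharePermissions {
    # Administrative shares (C$, ADMIN$, IPC$) have fixed ACLs and are skipped.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        $everyone = Get-SmbShareAccess -Name $share.Name | Where-Object { $_.AccountName -eq 'Everyone' }
        if ($everyone) {
            "Share '$($share.Name)' ($($share.Path)): 'Everyone' has $($everyone.AccessRight) share permission: NON-COMPLIANT (ED.1.9.3)"
        } else {
            "Share '$($share.Name)' ($($share.Path)): OK"
        }
    }
}

Test-GuestAccount
Test-SharePermissions
```

Share permissions and NTFS permissions are evaluated independently, so an 'Everyone' share entry is a finding even where the NTFS ACL underneath is tight; replace it with Authenticated Users or a specific group.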

Protecting Resources - User Resources

ED.1.9.4 User Account Control: UAC is to remain at its default, i.e. turned "on" in Control Panel – User Accounts.

ED.2.0.1 Business Use Notice: set via the following registry values (recommended setting and agreed value are identical):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext
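The following script is an added example, not part of the tech spec, and serves all the registry-value rows of this spec in one pass: ED.1.8.24 to ED.1.8.27 (RestrictGuestAccess), ED.1.8.29 (NoDriveTypeAutoRun), ED.1.8.30 to ED.1.8.33 (AutoBackupLogFiles and Retention, including the Group Policy override the notes describe), ED.1.9.4 (EnableLUA, the registry form of "UAC on") and ED.2.0.1 (legal notice caption and text). Keys, value names and expected values are the rows' own; treating an absent value as compliant where the required value is 0 is a judgement of this example.

```powershell
# Added example, not part of the tech spec: reads the registry values required by ED.1.8.24 to
# ED.1.8.27, ED.1.8.29, ED.1.8.30 to ED.1.8.33, ED.1.9.4 and ED.2.0.1 and compares them with the
# values in the rows. For the Eventlog values the Group Policy key named in the row notes is
# consulted first. Keys, names and values are the rows' own.
$EvtSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$EvtPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Eventlog'
$PolSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Checks = @(
    @{ Id='ED.1.8.24'; Key="$EvtSvc\Application"; Name='RestrictGuestAccess'; Expect=@(1) },
    @{ Id='ED.1.8.25'; Key="$EvtSvc\Security";    Name='RestrictGuestAccess'; Expect=@(1) },
    @{ Id='ED.1.8.26'; Key="$EvtSvc\System";      Name='RestrictGuestAccess'; Expect=@(1) },
    @{ Id='ED.1.8.27'; Key="$EvtSvc\DNS Server";  Name='RestrictGuestAccess'; Expect=@(1); Optional=$true },
    @{ Id='ED.1.8.29'; Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun'; Expect=@(0xFF) },
    @{ Id='ED.1.8.30'; Key="$EvtSvc\Security";    Name='AutoBackupLogFiles'; Expect=@(1); Policy="$EvtPol\Security" },
    @{ Id='ED.1.8.31'; Key="$EvtSvc\System";      Name='AutoBackupLogFiles'; Expect=@(0); Policy="$EvtPol\System" },
    @{ Id='ED.1.8.32'; Key="$EvtSvc\Application"; Name='AutoBackupLogFiles'; Expect=@(0); Policy="$EvtPol\Application" },
    # Retention: agreed value 7776000 (90 days); the recommended -1 (0xffffffff) is also accepted.
    @{ Id='ED.1.8.33'; Key="$EvtSvc\Security";    Name='Retention'; Expect=@(7776000, 0xFFFFFFFF); Policy="$EvtPol\Security" },
    @{ Id='ED.1.9.4';  Key=$PolSys; Name='EnableLUA';          Expect=@(1) },
    @{ Id='ED.2.0.1';  Key=$PolSys; Name='legalnoticecaption'; NonEmpty=$true },
    @{ Id='ED.2.0.1';  Key=$PolSys; Name='legalnoticetext';    NonEmpty=$true }
)

function Get-RegValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RegistryBaseline {
    foreach ($c in $Checks) {
        $key = $c.Key
        # Row notes: when Group Policy sets the value, the Policies key is the one in force.
        if ($c.Policy -and ($null -ne (Get-RegValue -Key $c.Policy -Name $c.Name))) { $key = $c.Policy }
        $v = Get-RegValue -Key $key -Name $c.Name
        if ($null -eq $v) {
            if ($c.Optional -and -not (Test-Path -LiteralPath $c.Key)) { "$($c.Id): subkey absent, no action required" }
            elseif ($c.Expect -contains 0) { "$($c.Id): $($c.Name) not set (defaults to 0): OK" }
            else { "$($c.Id): $key\$($c.Name) NOT SET" }
            continue
        }
        if ($c.NonEmpty) {
            if ([string]$v -ne '') { "$($c.Id): $($c.Name) is set" } else { "$($c.Id): $($c.Name) is EMPTY" }
            continue
        }
        # A REG_DWORD of 0xffffffff reads back as Int32 -1; normalise to an unsigned 32-bit value.
        $n = ([int64]$v) -band 0xFFFFFFFF
        if ($c.Expect -contains $n) { "$($c.Id): $($c.Name) = $n OK" }
        else { "$($c.Id): $($c.Name) = $n, expected $($c.Expect -join ' or ')" }
    }
}

Test-RegistryBaseline
```

Read the output against the agreed values, not only the recommended ones: for Retention the script accepts both, and reports which of the two is present.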

ED.2.1.1 Data Transmission Encryption: Windows Server 2012 provides encryption support for some services, including Kerberos, remote access, Remote Procedure Call (RPC), Secure Sockets Layer/Transport Layer Security (SSL/TLS) and Terminal Services Remote Desktop.

ED.2.1.2 File/Database Storage Encryption: Windows Server 2012 editions support encryption of folders/files with the Encrypting File System (EFS). EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key by default; a 3DES algorithm option is also available. Vendor software that supports the encryption requirements of the main standard may also be used.

ED.2.1.3 Add-on product options from Microsoft and IBM (not a comprehensive list, and not tested): Secure File Encryption for Desktops (SFED) is supported.

Privileged Authorizations/Userids

Description of privileged IDs: the rows of section 5 (ED.5.0.1 to ED.5.0.22 above) list the userids and groups that have privileged authority. System & security administrative userids include accounts within each of the listed groups. No value is to be set for any of these rows.

Comment recorded against the Administrators row (ED.5.0.1): hpadmin and the default administrator exist.


B N ED.20.1.2.2 Logging %SystemRoot% Privilege Monitoring Logging NA

B N ED.20.1.2.3 Logging %SystemRoot%\Repair Privilege Monitoring Logging NA

B N ED.20.1.2.4 Logging %SystemRoot%\Security Privilege Monitoring Logging NA

B N ED.20.1.2.5 Logging %SystemRoot%\System Privilege Monitoring Logging NA

B N ED.20.1.2.6 Logging %SystemRoot%\System32 Privilege Monitoring Logging NA

B N ED.20.1.2.7 Logging %SystemRoot%\System32\Config Privilege Monitoring Logging NA

B N ED.20.1.2.8 Logging %SystemRoot%\System32\Drivers Privilege Monitoring Logging NA

B N ED.20.1.2.9 Logging %SystemRoot%\System32\Spool Privilege Monitoring Logging NA

B N ED.20.1.2.10 Logging %SystemRoot%\system32\GroupPolicy Privilege Monitoring Logging NA

B N ED.20.1.2.11 Logging %SystemRoot%\system32\dllcache Privilege Monitoring Logging NA

B N ED.20.1.2.12 Logging %WinDir%\WinSxS\Backup Privilege Monitoring Logging NA

For each of the OSR folders in rows ED.20.1.2.2 to ED.20.1.2.12, enable auditing on the OSR object with the following specification (recommended setting; agreed value NA):
Name: Everyone; Apply onto: This folder only; Access: select "Success" for each of these accesses: Change Permissions, Take Ownership.


B N ED.20.1.2.13 Logging %SystemDrive%\Boot.Ini Privilege Monitoring Logging NA

B N ED.20.1.2.14 Logging %SystemDrive%\NTDetect.Com Privilege Monitoring Logging NA

B N ED.20.1.2.15 Logging %SystemDrive%\NTLDR Privilege Monitoring Logging NA

B N ED.20.1.2.16 Logging %SystemDrive% Privilege Monitoring Logging NA

B N ED.20.1.2.17 Logging %SystemRoot%\syswow64 Privilege Monitoring Logging NA

B N ED.20.1.2.18 Logging %SystemRoot%\syswow64\drivers Privilege Monitoring Logging NA

B N ED.20.1.2.19 Logging %SystemRoot%\system32\config\SecEvent.Evt Privilege Monitoring Logging NA (legacy log name; on Windows Server 2012 the Security log is %SystemRoot%\System32\Winevt\Logs\Security.evtx, see ED.1.8.18)

B N ED.20.1.2.20 Logging %SystemRoot%\system32\config\DnsEvent.Evt Privilege Monitoring Logging NA (legacy log name; on Windows Server 2012 the DNS Server log is %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx, see ED.1.8.19)

B N ED.20.1.2.21 Logging %SystemDrive%\boot\BCD Privilege Monitoring Logging NA
Note: on servers where this file does not exist it must be located on the System Reserved partition (SRP) at \boot\BCD. OSR file permissions and OSR auditing are not required if the file is on the SRP. If the system boots via UEFI, ignore this control.

B N ED.20.1.2.22 Logging %SystemDrive%\bootmgr or \EFI\Microsoft\Boot\bootmgfw.efi Privilege Monitoring Logging NA
Note: on servers where this file does not exist it must be located on the System Reserved partition (SRP) at \bootmgr. OSR file permissions and OSR auditing are not required if the file is on the SRP.

For each of the OSR objects in rows ED.20.1.2.13 to ED.20.1.2.22, enable auditing on the OSR object with the following specification (recommended setting; agreed value NA):
Name: Everyone; Apply onto: This object only; Access: select "Success" for each of these accesses: Change Permissions, Take Ownership.


B N ED.20.1.2.23 Logging %SystemRoot%\system32\winload.exe or %SystemRoot%\system32\winload.efi Privilege Monitoring Logging NA

B N ED.20.1.2.24 Logging HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security (registry key) Privilege Monitoring Logging NA

B N ED.20.1.2.25 Logging HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA (registry value; the audit entry is set on the key that holds it) Privilege Monitoring Logging NA

For each of the OSR objects in rows ED.20.1.2.23 to ED.20.1.2.25, enable auditing on the OSR object with the following specification (recommended setting; agreed value NA):
Name: Everyone; Apply onto: This object only; Access: select "Success" for each of these accesses: Change Permissions, Take Ownership.
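An added example, not part of the tech spec, that verifies the Privilege Monitoring audit entries of ED.20.1.2.2 to ED.20.1.2.25 (Everyone, Success, Change Permissions and Take Ownership). The object list is the one in the rows; the legacy objects (Boot.Ini, NTDetect.Com, NTLDR, the *.Evt files) simply report as absent on Windows Server 2012. For ED.20.1.2.25 the SACL is read from the key containing the EnableLUA value, since registry values carry no security descriptor of their own.

```powershell
# Added example, not part of the tech spec: verifies the Privilege Monitoring audit entries of
# ED.20.1.2.2 to ED.20.1.2.25. The object list is the rows' own; the last entry is the key that
# holds the EnableLUA value. Reading SACLs needs SeSecurityPrivilege, i.e. an elevated
# administrator session.
$AuditObjects = @(
    "$env:SystemRoot", "$env:SystemRoot\Repair", "$env:SystemRoot\Security", "$env:SystemRoot\System",
    "$env:SystemRoot\System32", "$env:SystemRoot\System32\Config", "$env:SystemRoot\System32\Drivers",
    "$env:SystemRoot\System32\Spool", "$env:SystemRoot\system32\GroupPolicy", "$env:SystemRoot\system32\dllcache",
    "$env:windir\WinSxS\Backup",
    "$env:SystemDrive\Boot.Ini", "$env:SystemDrive\NTDetect.Com", "$env:SystemDrive\NTLDR", "$env:SystemDrive\",
    "$env:SystemRoot\syswow64", "$env:SystemRoot\syswow64\drivers",
    "$env:SystemRoot\system32\config\SecEvent.Evt", "$env:SystemRoot\system32\config\DnsEvent.Evt",
    "$env:SystemDrive\boot\BCD", "$env:SystemDrive\bootmgr", "$env:SystemRoot\system32\winload.exe",
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
# ChangePermissions (0x40000) and TakeOwnership (0x80000) have the same bit values for files and keys.
$WantedMask = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions,TakeOwnership'

function Test-OsrAudit {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : absent, nothing to audit" }
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $have = 0
    foreach ($rule in $acl.Audit) {
        if ($rule.IdentityReference.Value -ne 'Everyone') { continue }
        if (([int]$rule.AuditFlags -band [int][System.Security.AccessControl.AuditFlags]::Success) -eq 0) { continue }
        # The rows ask for "this folder/object only". A rule that also inherits to children still
        # audits the object itself, so it is accepted here and the wider scope is only noted.
        $mask = if ($rule -is [System.Security.AccessControl.FileSystemAuditRule]) { [int]$rule.FileSystemRights } else { [int]$rule.RegistryRights }
        $have = $have -bor $mask
        if ([int]$rule.InheritanceFlags -ne 0) { "$Path : note, audit rule also applies to children" }
    }
    if (($have -band $WantedMask) -eq $WantedMask) { return "$Path : audit OK" }
    return "$Path : MISSING Success audit for Everyone on Change Permissions / Take Ownership"
}

$AuditObjects | ForEach-Object { Test-OsrAudit -Path $_ }
```

The SACL entries only produce events when the "Audit object access" (or, on Windows Server 2012, the File System and Registry advanced audit subcategories) policy is enabled for Success, which is the separate ED.20.1.2.1 row; a correct SACL with that policy off logs nothing.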
