© Copyright IBM Corporation, 1997, 2012 - All Rights Reserved

MS Windows 2012 Platforms Technical Specification - Vodafone India Ltd.
Version 1.0 / 19 March 2014
Document Template version:
Created By: Mitesh Parikh
Created On: 21-Mar-14

Server/System name: All Windows 2012 servers
Product Version - Release Levels: Microsoft Windows Server 2012 (all editions and releases); all Windows 2012 servers

Tech Spec Review
Date Reviewed (mm/dd/yy) | Name(s) of Individuals | Review Comments
21-Mar-14 | Mitesh Parikh | Initial Version created based on Global Techspec
30-Dec-14 | Dhandapani Palanisamy | Sections added: ED.1.1.8, ED.1.2.14, ED.1.2.36, ED.1.2.37, ED.1.2.59, ED.1.2.60, ED 1.9.4, ED.5.0.22. Sections removed: ED.1.8.13, ED.1.8.14, ED.1.2.26, ED.20.1.2.27. Sections changed from "health check and baseline" to "baseline only": ED.1.7.2, ED.1.9.2. Section changed from "baseline only" to "Process Requirement, no requirement to B or S": ED.1.9.3
29-Jan-14 | Dhandapani Palanisamy | Section change - ED.1.1.9.4: CLIUSR service id added in PNE Enabled state. Section added: ED.1.1.11 – Password Complexity

Release version | Release Date | Comments
1.0 | |
1.1 | | Aligned To ISeC Approval
1.2 | | Aligned To ISeC Approval
Approval Date: 3 Apr 2014
Effective Date: 2 Jul 2014

Special Considerations for this Tech Spec
Customer Requirement | Exception to requirement (tech spec reference)
Password Requirements: Minimum age - 1 | Password Requirements: Minimum age - 2 days (For Share ID Min Age can be 0 Days)
Password Requirements: Lockout - 60 minutes | Password Requirements: Lockout duration - Forever
ED.1.2.32 & ED.1.2.33 Advanced Audit Policy - Object Access (Filtering Platform Packet Drop & Filtering Platform Connection): Not Configured, to stop the frequent generation of Filtering Platform connection and packet drop events, which is occupying the system drive | ED.1.2.32 & ED.1.2.33 Advanced Audit Policy - Object Access (Filtering Platform Packet Drop & Filtering Platform Connection): Failure
ED.20.1.2.x Privileged Monitoring Service: Not enabled | ED.20.1.2.x Privileged Monitoring Service: Must be enabled
ED 1.9.4 Protecting Resources - User Resources, User Account Control (User Account Control feature): UAC is to remain as default; turned "off" in Control Panel – User Accounts | ED 1.9.4 Protecting Resources - User Resources, User Account Control (User Account Control feature): UAC is to remain as default; turned "on" in Control Panel – User Accounts

Document Control
Document Name: VIL_Microsoft_Windows_2012_Techspec_V1.2.xls
Current Version: 1.2
Owner Identification: Niranjan M Vinchure
Document Approver: VIL: Burgess Cooper, IT Security Head, or Sameer Wavhal, IT Security, or Krantikumar Sherkhane, IT Security. IBM: Vineet Juneja, DPE - Infrastructure, or Umang Chokshi, IT Security Head
Review plan: This document must be reviewed by all parties on a regular basis. The recommended interval is 12 months.
Previous version: The previous version of this document should be retained until all of the changes in this version are implemented or 3 months elapse, whichever is longer.
Distribution: Copies of this document may be obsolete. It is the user's obligation to verify they are using the most current edition. This document should be removed from use when obsolete. Contact the document owner for the current level of the document.

Potential Threat
Access controls for a system should be set in such a way that they allow for "least" privilege. Users should only have access to data and operating system resources they need to conduct their job roles.
Without adequate logging the organization will have little to no knowledge of events that are causing breaches of information security. Likewise, the organization will have no evidence to trace back events to determine what happened, how it happened, and who carried out the activity.
Type | Foundation (Y/N) | Section # | Section Heading | System Value/Parameter | Description | Recommended / Initial / Agreed Value | Comments 31st March KPMG
(Type: B=baseline, S=healthcheck and baseline, I=Informational requirement)

S | Y | ED.1.1.1 | Password Requirements | Enforce password history | Password History | 8 passwords remembered / 12 / 12 |
S | Y | ED.1.1.2 | Password Requirements | Minimum password age | Minimum Age | 1 day / 2 days (For Share ID Min Age can be 0 Days) / 2 days (For Share ID Min Age can be 0 Days) |
S | Y | ED.1.1.3 | Password Requirements | Maximum password age | Maximum Age | 90 days / 60 / 60 |
S | Y | ED.1.1.4 | Password Requirements | Minimum password length | Password length | 8 characters / 8 characters |
S | Y | ED.1.1.5 | Password Requirements | Store password using reversible encryption | | Disabled / Disabled |
S | Y | ED.1.1.6 | Password Requirements | Account lockout threshold | Lockout | 5 / 5 |
S | Y | ED.1.1.7 | Password Requirements | Account lockout duration | Lockout duration. '0' minutes: the account is locked out until an administrator unlocks it. This policy must be set to a value equal to or above "30 minutes". | 60 min / 60 min |
S | Y | ED.1.1.8 | Password Requirements | Reset account lockout counter after | Reset account lockout counter | 60 min / 60 min |
S | Y | ED.1.1.9.1 | Password Requirements | Password never expires | User accounts that satisfy all of the following criteria: 1) the 'Logon locally' user right is disabled; 2) the userid does not have system or security administrative authority (per section 5.0); 3) all interactive login methods (FTP, telnet, rexec, SSH, etc.) are disabled for the userid by either 3a) denying access to the user rights 'Access this computer from network' and 'Logon through Terminal Services', or 3b) another method that disables interactive login methods for the given service or protocol | May have a non-expiring password / May have a non-expiring password (hpadmin has the 'password never expires' setting enabled) | HPADMIN account has the 'password never expires' setting enabled
S | Y | ED.1.1.9.2 | Password Requirements | Password never expires | Replicate | 'Password never expires' may be enabled / 'Password never expires' may be enabled | HPADMIN account has the 'password never expires' setting enabled
S | Y | ED.1.1.9.3 | Password Requirements | Password never expires | Guest | 'Password never expires' may be enabled / 'Password never expires' will be disabled |
S | Y | ED.1.1.9.4 | Password Requirements | Password never expires | IUSR_{system} and IWAM_{system} user accounts created by Internet Information Server (IIS). User IDs: ITSD, itsd.support, remedy_ad, Discccm, VFSVC-IN-BES, SVCCCR2, SVCCCR7, BackupAdmin, Fimservice, vpxadmin, ctx_sql_service, ctx_sql_vdi, sqlmonitoring, apmadmin, hpapmadm, Ctx_ConfigMgr {Citrix ID}, Ctx_Cpsvcuser {Citrix ID}, Ctx_Cpuuser {Citrix ID}, Ctx_StreamingSvc {Citrix ID} and CLIUSR | 'Password never expires' may be enabled / 'Password never expires' may be enabled | Only the hpadmin user account is created
S | Y | ED.1.1.9.5 | Password Requirements | Password never expires | User accounts that are only associated with a started process(es) and are set to 'Disabled' status, so they cannot be logged onto (example: tmersrvd) | 'Password never expires' may be enabled / 'Password never expires' may be enabled |
P | Y | ED.1.1.10 | Password Requirements | Required action for: creating new userids; password resets performed where system or support personnel are aware of the password content | Set an initial password and force the user to change it. | The check box 'User Must Change Password at Next Logon' must be selected (no system security check required) / The check box 'User Must Change Password at Next Logon' must be selected (no system security check required) |
P | Y | ED.1.1.11 | Password Requirements | Password Complexity | Set password complexity enabled for all users | Enabled / Enabled |
S | Y | ED.1.2.1 | Logging | Advanced Audit Policy - Account Logon: Credential Validation | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.2 | Logging | Advanced Audit Policy - Account Logon: Kerberos Service Ticket Operations | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.3 | Logging | Advanced Audit Policy - Account Logon: Other Account Logon Events | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Success & Failure / Success & Failure |
S | Y | ED.1.2.4 | Logging | Advanced Audit Policy - Account Logon: Kerberos Authentication Service | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.5 | Logging | Advanced Audit Policy - Logon/Logoff: Logon | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.6 | Logging | Advanced Audit Policy - Logon/Logoff: Logoff | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.7 | Logging | Advanced Audit Policy - Logon/Logoff: Account Lockout | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.8 | Logging | Advanced Audit Policy - Logon/Logoff: IPsec Main Mode | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.9 | Logging | Advanced Audit Policy - Logon/Logoff: IPsec Quick Mode | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.10 | Logging | Advanced Audit Policy - Logon/Logoff: IPsec Extended Mode | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.11 | Logging | Advanced Audit Policy - Logon/Logoff: Special Logon | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.12 | Logging | Advanced Audit Policy - Logon/Logoff: Other Logon/Logoff Events | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.13 | Logging | Advanced Audit Policy - Logon/Logoff: Network Policy Server | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.14 | Logging | Advanced Audit Policy - Logon/Logoff: User / Device Claims | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.15 | Logging | Advanced Audit Policy - Account Management: User Account Management | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.16 | Logging | Advanced Audit Policy - Account Management: Computer Account Management | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.17 | Logging | Advanced Audit Policy - Account Management: Security Group Management | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.18 | Logging | Advanced Audit Policy - Account Management: Distribution Group Management | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.19 | Logging | Advanced Audit Policy - Account Management: Application Group Management | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.20 | Logging | Advanced Audit Policy - Account Management: Other Account Management Events | Note: Setting for 'success' must not change if Privilege Monitoring is in scope. The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.21 | Logging | Advanced Audit Policy - DS Access: Directory Service Access | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.22 | Logging | Advanced Audit Policy - DS Access: Directory Service Changes | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.23 | Logging | Advanced Audit Policy - DS Access: Directory Service Replication | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.24 | Logging | Advanced Audit Policy - DS Access: Detailed Directory Service Replication | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.25 | Logging | Advanced Audit Policy - Object Access: File System | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.26 | Logging | Advanced Audit Policy - Object Access: Registry | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.27 | Logging | Advanced Audit Policy - Object Access: Kernel Object | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.28 | Logging | Advanced Audit Policy - Object Access: SAM | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.29 | Logging | Advanced Audit Policy - Object Access: Certification Services | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.30 | Logging | Advanced Audit Policy - Object Access: Application Generated | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.31 | Logging | Advanced Audit Policy - Object Access: Handle Manipulation | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.32 | Logging | Advanced Audit Policy - Object Access: File Share | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.33 | Logging | Advanced Audit Policy - Object Access: Filtering Platform Packet Drop | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / None |
S | Y | ED.1.2.34 | Logging | Advanced Audit Policy - Object Access: Filtering Platform Connection | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / None |
S | Y | ED.1.2.35 | Logging | Advanced Audit Policy - Object Access: Other Object Access Events | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.36 | Logging | Advanced Audit Policy - Object Access: Detailed File Share | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.36 | Logging | Advanced Audit Policy - Object Access: Removable Storage | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Success & Failure / Success & Failure |
S | Y | ED.1.2.37 | Logging | Advanced Audit Policy - Object Access: Central Access Policy Staging | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Success & Failure / Success & Failure |
S | Y | ED.1.2.38 | Logging | Advanced Audit Policy - Policy Change: Audit Policy Change | Note: The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.39 | Logging | Advanced Audit Policy - Policy Change: Authentication Policy Change | Note: The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.40 | Logging | Advanced Audit Policy - Policy Change: Authorization Policy Change | Note: The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.41 | Logging | Advanced Audit Policy - Policy Change: MPSSVC Rule-Level Policy Change | Note: The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.42 | Logging | Advanced Audit Policy - Policy Change: Filtering Platform Policy Change | Note: The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.43 | Logging | Advanced Audit Policy - Policy Change: Other Policy Change Events | Note: The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.44 | Logging | Advanced Audit Policy - Privilege Use: Sensitive Privilege Use | Note: The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.45 | Logging | Advanced Audit Policy - Privilege Use: Non Sensitive Privilege Use | Note: The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.46 | Logging | Advanced Audit Policy - Privilege Use: Other Privilege Use Events | Note: The recommended setting listed is the minimum logging requirement. | Success & Failure / Success & Failure |
S | Y | ED.1.2.47 | Logging | Advanced Audit Policy - Detailed Tracking: Process Creation | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | (not required to be set) / (not required to be set) |
S | Y | ED.1.2.48 | Logging | Advanced Audit Policy - Detailed Tracking: Process Termination | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | (not required to be set) / (not required to be set) |
S | Y | ED.1.2.49 | Logging | Advanced Audit Policy - Detailed Tracking: DPAPI Activity | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | (not required to be set) / (not required to be set) |
S | Y | ED.1.2.50 | Logging | Advanced Audit Policy - Detailed Tracking: RPC Events | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | (not required to be set) / (not required to be set) |
S | Y | ED.1.2.51 | Logging | Audit policy - System: Security State Change | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.52 | Logging | Audit policy - System: Security System Extension | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.53 | Logging | Audit policy - System: System Integrity | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.54 | Logging | Audit policy - System: IPsec Driver | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.55 | Logging | Audit policy - System: Other System Events | Note: The recommended setting listed is the minimum logging requirement. Stronger controls are compliant. | Failure / Failure |
S | Y | ED.1.2.56 | Logging | Advanced Audit Policy - Registry settings - HKLM\SYSTEM\CurrentControlSet\Control\Lsa | Force Advanced Audit Policy subcategory settings to override Audit Policy category settings | Name: SCENoApplyLegacyAuditPolicy; Type: REG_DWORD; Value: 1 (Enabled) / Name: SCENoApplyLegacyAuditPolicy; Type: REG_DWORD; Value: 1 (Enabled) |
S | Y | ED.1.2.57 | Logging | For each subdirectory that is listed in Section 1.8 as an Operating System Resource | OSR auditing - the recommended setting listed is the minimum required | Enable Auditing on the OSR object, with the following specifications: Name: Everyone; Apply onto: This folder only / Enable Auditing on the OSR object, with the following specifications: Name: Everyone; Apply onto: This folder only |
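The password, lockout and audit values above are simplest to verify on the host itself. The PowerShell script below is an added example, not part of the techspec or of any Vodafone or IBM tooling; it assumes an elevated session on a Windows Server 2012 member server, the agreed values as they appear in the sheet, and the section numbering in the order the subcategories are listed (ED.1.2.5 Logon, ED.1.2.15 User Account Management, ED.1.2.38 Audit Policy Change, ED.1.2.51 Security State Change).

```powershell
# Added compliance check (not part of the techspec). Compares a host against the
# agreed values of ED.1.1.1-ED.1.1.11, a sample of ED.1.2.x audit subcategories and
# ED.1.2.56 (SCENoApplyLegacyAuditPolicy). Run from an elevated PowerShell session:
# secedit /export and auditpol /get need it.

# --- ED.1.1.x: export local policy and read its [System Access] section ---
$inf = Join-Path $env:TEMP 'techspec-secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null
$systemAccess = @{}
$inSection = $false
foreach ($line in Get-Content -LiteralPath $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $systemAccess[$Matches[1]] = $Matches[2] }
}
Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue

# INF key, agreed value and the pass rule (a stricter setting still passes).
# ClearTextPassword=0 is 'Store password using reversible encryption: Disabled';
# LockoutDuration=-1 is 'until an administrator unlocks it' (the techspec's Forever).
$policyChecks = @(
    @{ Id='ED.1.1.1';  Key='PasswordHistorySize';   Want=12; Ok={ param($v) $v -ge 12 } }
    @{ Id='ED.1.1.2';  Key='MinimumPasswordAge';    Want=2;  Ok={ param($v) $v -ge 2 } }
    @{ Id='ED.1.1.3';  Key='MaximumPasswordAge';    Want=60; Ok={ param($v) $v -ge 1 -and $v -le 60 } }
    @{ Id='ED.1.1.4';  Key='MinimumPasswordLength'; Want=8;  Ok={ param($v) $v -ge 8 } }
    @{ Id='ED.1.1.5';  Key='ClearTextPassword';     Want=0;  Ok={ param($v) $v -eq 0 } }
    @{ Id='ED.1.1.6';  Key='LockoutBadCount';       Want=5;  Ok={ param($v) $v -ge 1 -and $v -le 5 } }
    @{ Id='ED.1.1.7';  Key='LockoutDuration';       Want=60; Ok={ param($v) $v -ge 60 -or $v -eq -1 } }
    @{ Id='ED.1.1.8';  Key='ResetLockoutCount';     Want=60; Ok={ param($v) $v -ge 60 } }
    @{ Id='ED.1.1.11'; Key='PasswordComplexity';    Want=1;  Ok={ param($v) $v -eq 1 } }
)
$results = @(foreach ($c in $policyChecks) {
    $actual = $systemAccess[$c.Key]   # absent when lockout is not configured at all
    [pscustomobject]@{
        Control   = '{0} {1}' -f $c.Id, $c.Key
        Expected  = $c.Want
        Actual    = $actual
        Compliant = ($null -ne $actual) -and (& $c.Ok ([int]$actual))
    }
})

# --- ED.1.2.56: subcategory settings must override the legacy category settings ---
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Control   = 'ED.1.2.56 SCENoApplyLegacyAuditPolicy'
    Expected  = 1
    Actual    = $lsa.SCENoApplyLegacyAuditPolicy
    Compliant = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

# --- ED.1.2.x: sample of subcategories; 'Stronger controls are compliant' ---
$auditChecks = @(
    @{ Id='ED.1.2.1';  Sub='Credential Validation';   Want='Success and Failure' }
    @{ Id='ED.1.2.5';  Sub='Logon';                   Want='Success and Failure' }
    @{ Id='ED.1.2.15'; Sub='User Account Management'; Want='Success and Failure' }
    @{ Id='ED.1.2.38'; Sub='Audit Policy Change';     Want='Success and Failure' }
    @{ Id='ED.1.2.51'; Sub='Security State Change';   Want='Failure' }
)
# auditpol /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,
# Inclusion Setting,Exclusion Setting
$auditPolicy = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($c in $auditChecks) {
    $row  = $auditPolicy | Where-Object { $_.Subcategory -eq $c.Sub } | Select-Object -First 1
    $have = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    $results += [pscustomobject]@{
        Control   = '{0} {1}' -f $c.Id, $c.Sub
        Expected  = $c.Want
        Actual    = $have
        Compliant = ($have -eq $c.Want) -or ($have -eq 'Success and Failure')
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```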
S N ED.1.2.58 Logging
I N ED.1.2.59 Logging Note Registry keys listed in Section 1.8 none none
S 23 ED.1.2.60 Logging Log Retention Log Retention Requirement
S Y ED.1.3.1 AntiVirus AntiVirus Enabled AntiVirus Yes Yes Not Installed
I N ED.1.4.0 System Settings No requirements in this category No requirements in this category No requirements in this category None None
B N ED.1.5.1 Network Settings not running
B N ED.1.5.2 Network Settings X-Windows access control TCP/IP X-Windows not running
B N ED.1.5.3 Network Settings REXD daemon TCP/IP REXD May not be enabled May not be enabled not runningB N ED.1.5.4.1 Network Settings TCP/IP Anonymous FTP not running
B N ED.1.5.4.2 Network Settings TCP/IP Anonymous FTP not running
B N ED.1.5.4.3 Network Settings TCP/IP Anonymous FTP not running
B N ED.1.5.5 Network Settings TCP/IP Trivial FTP (TFTP)
B N ED.1.5.6.1 Network Settings ECHO Denial of Service Prevention Disabled on all Internet servers Disabled on all Internet servers not running
B N ED.1.5.6.2 Network Settings CHARGEN Denial of Service Prevention Disabled on all Internet servers Disabled on all Internet servers not running
B N ED.1.5.6.3 Network Settings FINGER Denial of Service Prevention Disabled on all Internet servers Disabled on all Internet servers not running
B N ED.1.5.6.4 Network Settings DISCARD Denial of Service Prevention Disabled on all Internet servers Disabled on all Internet servers not running
B N ED.1.5.6.5 Network Settings SYSTAT Denial of Service Prevention Disabled on all Internet servers Disabled on all Internet servers not running
B N ED.1.5.6.6 Network Settings DAYTIME Denial of Service Prevention Disabled on all Internet servers Disabled on all Internet servers not running
B N ED.1.5.6.7 Network Settings NETSTAT Denial of Service Prevention Disabled on all Internet servers Disabled on all Internet servers not running
B N ED.1.5.6.8 Network Settings WHO Denial of Service Prevention Disabled on all Internet servers Disabled on all Internet servers not running
B N ED.1.5.7.1 Network Settings ECHO Denial of Service Prevention not running
B N ED.1.5.7.2 Network Settings CHARGEN Denial of Service Prevention not running
B N ED.1.5.7.3 Network Settings RSTATD Denial of Service Prevention not running
B N ED.1.5.7.4 Network Settings TFTP Denial of Service Prevention not running
B N ED.1.5.7.5 Network Settings RWALLD Denial of Service Prevention not running
B N ED.1.5.7.6 Network Settings RUSERD Denial of Service Prevention not running
B N ED.1.5.7.7 Network Settings DISCARD Denial of Service Prevention not running
B N ED.1.5.7.8 Network Settings DAYTIME Denial of Service Prevention not running
B N ED.1.5.7.9 Network Settings BOOTPS Denial of Service Prevention not running
B N ED.1.5.7.10 Network Settings FINGER Denial of Service Prevention not running
B N ED.1.5.7.11 Network Settings SPRAYD Denial of Service Prevention not running
B N ED.1.5.7.12 Network Settings PCNFSD Denial of Service Prevention not running
B N ED.1.5.7.13 Network Settings NETSTAT Denial of Service Prevention Running
B N ED.1.5.7.14 Network Settings RWHO Denial of Service Prevention not running
For each file that is listed in Section 1.8 as an Operating System Resource
OSR auditing - the recommended setting listed is the minimum required
Enable Auditing on the OSR object, with the following specifications:
Name: EveryoneApply onto: This object onlyAccess: Select "Failed" for each of these accesses: • Traverse Folder/Execute File • List Folder/Read Data • Read Attributes • Read Extended Attributes • Create Files / Write Data • Create Folders / Append Data • Write Attributes • Write Extended Attributes • Delete • Read Permissions • Change Permissions • Take Ownership
Enable Auditing on the OSR object, with the following specifications:
Name: EveryoneApply onto: This object onlyAccess: Select "Failed" for each of these accesses: • Traverse Folder/Execute File • List Folder/Read Data • Read Attributes • Read Extended Attributes • Create Files / Write Data • Create Folders / Append Data • Write Attributes • Write Extended Attributes • Delete • Read Permissions • Change Permissions • Take Ownership
Object-level auditing is not required at this time
Security Event Log - retained for 90 days. Logs may be retained on the system itself, or on a separate system.
Security Event Log - retained for 90 days for SOX Systems and 60 days for Non-Sox Systems. Logs may be retained on the system itself, or on a separate system.
Security Event Log - retained for 90 days for SOX Systems and 60 days for Non-Sox Systems. Logs may be retained on the system itself, or on a separate system.
20 MB Size configured to store event log size. No Syslog configured
Net News Transfer Protocol (NNTP) authentication & identification
TCP/IP Net News Transfer Protocol (NNTP)
If activated, must be configured to require authentication and identification of all users if any of the newsgroups on the server are classified confidential.
If activated, must be configured to require authentication and identification of all users if any of the newsgroups on the server are classified confidential.
If X-Windows service is active, access control must not be disabled
If X-Windows service is active, access control must not be disabled
Directories enabled for Anonymous FTP access
READ access via anonymous FTP must not be granted to directories containing classified data
READ access via anonymous FTP must not be granted to directories containing classified data
Access permissions for directories accessible via Anonymous FTP
Each directory may allow read access or write access to anonymous users, but not both
Each directory may allow read access or write access to anonymous users, but not both
Process Control: Anonymous FTP, Process for Receiving Files from Anonymous Users
Files that have been stored into a writeable directory must be examined (scanned for viruses, checked for Confidential information, checked for inappropriate material, etc.) before being moved to a readable directory.
Files that have been stored into a writeable directory must be examined (scanned for viruses, checked for Confidential information, checked for inappropriate material, etc.) before being moved to a readable directory.
Directories enabled for TFTP (Trivial File Transfer Protocol) access
Access via TFTP may be granted only to directories containing unclassified data. confidential data is not permitted in directories accessible via TFTP or any subdirectories of the directory.
Access via TFTP may be granted only to directories containing unclassified data. confidential data is not permitted in directories accessible via TFTP or any subdirectories of the directory.
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
B N ED.1.5.7.15 Network Settings CMSD Denial of Service Prevention not running
B N ED.1.5.7.16 Network Settings DTSPCD Denial of Service Prevention not running
B N ED.1.5.7.17 Network Settings TTDBSERVER Denial of Service Prevention not running
B N ED.1.5.7.18 Network Settings Telnet Service Denial of Service Prevention not running
B N ED.1.5.7.19 Network Settings FTP Service Denial of Service Prevention not running
B N ED.1.5.8.1 Network Settings SNMP service SNMP not running
B N ED.1.5.8.2 Network Settings SNMP service SNMP not running
B N ED.1.7.2 Maximum lifetime for user ticket
I N ED.1.8.0 Note none none
S N ED.1.8.1 %SystemRoot% OSRs
S N ED.1.8.2 %SystemRoot%\security OSRs
S N ED.1.8.3 %SystemRoot%\system OSRs
S N ED.1.8.4 %SystemRoot%\system32 OSRs
S N ED.1.8.5 %SystemRoot%\system32\config OSRs
S N ED.1.8.6 %SystemRoot%\system32\drivers OSRs
S N ED.1.8.7 %SystemRoot%\system32\spool OSRs
S N ED.1.8.8 %SystemRoot%\system32\GroupPolicy OSRs No as such folder
S N ED.1.8.9 %WinDir%\WinSxS\Backup OSRs
S N ED.1.8.10 %SystemDrive%\boot\BCD
S N ED.1.8.11 OSRs
S N ED.1.8.12 Folder/file not available
S N ED.1.8.15 %SystemDrive% OSRs
S N ED.1.8.16 %SystemRoot%\syswow64
S N ED.1.8.17 %SystemRoot%\syswow64\drivers
S N ED.1.8.18
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
Disabled if not required to support an application
If Enabled, must comply to YO.1.5.4.1, YO.1.5.4.2YO.1.5.4.3
Community name of 'public' is not permitted if the SNMP service is active.
Community name of 'public' is not permitted if the SNMP service is active.
Community name of 'private' is not permitted if the SNMP service is active.
Community name of 'private' is not permitted if the SNMP service is active.
Identify and Authenticate Users
Only applies if Kerberos authentication is enabled
If Kerberos authentication is enabled, the following are the maximum lifetimes permitted for user accounts at creation time:
* 30 hours (general user accounts)
* 12 hours (system & security administrative user accounts)
If this is enabled at a policy level which implements a single maximum lifetime across all userids, then that must be set to 12 hours (so both general users and administrative users are compliant).
If Kerberos authentication is not enabled, there is no requirement for this item.
If Kerberos authentication is enabled, the following are the maximum lifetimes permitted for user accounts at creation time:
* 30 hours (general user accounts)
* 12 hours (system & security administrative user accounts)
If this is enabled at a policy level which implements a single maximum lifetime across all userids, then that must be set to 12 hours (so both general users and administrative users are compliant).
If Kerberos authentication is not enabled, there is no requirement for this item.
Protecting Resources –OSRs
The following objects are designated as OSRs. The access listed in the 'Recommended Setting' column is the maximum authority permitted to general users.
The access listed in the 'Agreed to Value' column is the maximum authority permitted to general users (e.g. Everyone, Users, Authenticated Users, or other groups containing general users). Users with system or security administrative authority (per section 5.0) and TrustedInstaller are not in scope of the OSR requirements and may have permissions greater
Protecting Resources –OSRs
Read & Execute, List Folder Contents, Read
Read & Execute, List Folder Contents, Read
Protecting Resources –OSRs
Read & Execute, List Folder Contents, Read
Read & Execute, List Folder Contents, Read
Protecting Resources –OSRs
Read & Execute, List Folder Contents, Read
Read & Execute, List Folder Contents, Read
Protecting Resources –OSRs
Read & Execute, List Folder Contents, Read
Read & Execute, List Folder Contents, Read
Protecting Resources –OSRs
no general user authorizations permitted
no general user authorizations permitted
Protecting Resources –OSRs
Read & Execute, List Folder Contents, Read
Read & Execute, List Folder Contents, Read
Protecting Resources –OSRs
Read & Execute, List Folder Contents, Read
Read & Execute, List Folder Contents, Read
Protecting Resources –OSRs
Read & Execute, List Folder Contents, Read
Read & Execute, List Folder Contents, Read
Protecting Resources –OSRs
Read & Execute, List Folder Contents, Read
Read & Execute, List Folder Contents, Read
Protecting Resources –OSRs
OSRs - Note: On servers where this file does not exist it must be located on the system reserve partition (SRP) in the location \boot\BCD. OSR file permissions and OSR auditing are not required if the file is on the SRP. If the system is based on UEFI then ignore this control.
Read & Execute, Read
Read & Execute, Read
Protecting Resources –OSRs
%SystemRoot%\system32\winload.exe or %SystemRoot%\system32\winload.efi
Read & Execute, Read
Read & Execute, Read
Protecting Resources –OSRs %SystemDrive%\bootmgr
or \EFI\Microsoft\Boot\bootmgfw.efi
Note: On servers where this file does not exist it must be located on the system reserve partition (SRP) in the location \bootmgr. OSR file permissions and OSR auditing are not required if the file is on the SRP.
Read & Execute, Read
Read & Execute, Read
Protecting Resources –OSRs
Read & Execute, List Folder Contents, Read, Create folders/append data
Read & Execute, List Folder Contents, Read, Create folders/append data
Protecting Resources –OSRs
Note: On servers where this file does not exist, no action is required.
Read & Execute, List Folder Contents, Read
Read & Execute, List Folder Contents, Read
Protecting Resources –OSRs
Note: On servers where this file does not exist, no action is required.
Read & Execute, List Folder Contents, Read
Read & Execute, List Folder Contents, Read
Protecting Resources –OSRs
%SystemRoot%\System32\Winevt\Logs\Security.evtx
(or the Security log file whose location/name is defined in the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security subkey, if the log has been moved from the default location)
Note: LOCAL SERVICE is permitted to have full access to this OSR.
no general user authorizations permitted
no general user authorizations permitted
S N ED.1.8.19
I N ED.1.8.20 Note none none none
I N ED.1.8.21 Note none none none
S N ED.1.8.22 hkey_classes_root Registry Settings required on all servers:
S N ED.1.8.23 Registry Settings required on all servers:
S N ED.1.8.24 Registry Settings required on all servers:
S N ED.1.8.25 Registry Settings required on all servers:
S N ED.1.8.26 Registry Settings required on all servers:
S N ED.1.8.27
I N ED.1.8.28.0 Task Scheduler Service Windows task scheduler service none none
S N ED.1.8.28.1 Task Scheduler Service No task assigned
S N ED.1.8.28.2 Task Scheduler Service
S N ED.1.8.29 Disable the AutoRun functionality
S N ED.1.8.30
S N ED.1.8.31
S N ED.1.8.32
S N ED.1.8.33
S N ED.1.8.34
S N ED.1.8.35
P N ED.1.9.1 Creating new user home directories
Protecting Resources –OSRs
%SystemRoot%\System32\Winevt\Logs\DNS Server.evtx
(or the DNS Server log file whose location/name is defined in the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server subkey, if the log has been moved from the default location)
OSRs - Note: On servers where this file does not exist, no action is required.
no general user authorizations permitted
no general user authorizations permitted
Protecting Resources –OSRs
The above permissions are required on the specified directories and files listed only; not subfolders and files under them.
Protecting Resources –OSRs
Creator Owner, TrustedInstaller, and SYSTEM are permitted to have full access to the OSRs above.
Protecting Resources –OSRs
Maximum authorization allowed for general userids or general user groups is Read
Maximum authorization allowed for general userids or general user groups is Read
Protecting Resources –OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
General users may not be granted access to this subkey
Maximum authorization allowed for general userids or general user groups is Read
Protecting Resources –OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Name: RestrictGuestAccess, Type: REG_DWORD, Value: 1
Name: RestrictGuestAccess, Type: REG_DWORD, Value: 1
Protecting Resources –OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Name: RestrictGuestAccess, Type: REG_DWORD, Value: 1
Name: RestrictGuestAccess, Type: REG_DWORD, Value: 1
Protecting Resources –OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
Name: RestrictGuestAccess, Type: REG_DWORD, Value: 1
Name: RestrictGuestAccess, Type: REG_DWORD, Value: 1
Protecting Resources –OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server
Registry Settings required on all servers: Note: On servers where the DNS Server subkey does not exist, no action is required.
Name: RestrictGuestAccess, Type: REG_DWORD, Value: 1
Name: RestrictGuestAccess, Type: REG_DWORD, Value: 1
Protecting Resources - OSRs
Files/scripts/commands listed in active entries must meet all the requirements below. Exceptions: files/commands executed that are OSRs and meet the applicable OSR requirements are compliant and do not have to meet the requirements below. Files/commands/scripts executed are not required to exist as long as all the existing directories in their path meet all the requirements below.
Protecting Resources - OSRs
Protection requirements for system facility entries executing with privilege authority.
Each active entry must specify the full path of the file/command/script to be executed.
Each active entry must specify the full path of the file/command/script to be executed.
Protecting Resources - OSRs
Protection requirements for system facility entries executing with privilege authority.
For each active entry's file/command/script executed, and all directories in its path, the maximum authority permitted to general users (unless otherwise specified in the OSR section of this tech spec) is:
Files/commands/scripts: Read & Execute, Read
Directories: Read & Execute, List Folder Contents, Read
For each active entry's file/command/script executed, and its immediate parent directory, the maximum authority permitted to general users (unless otherwise specified in the OSR section of this tech spec) is:
Files/commands/scripts: Read & Execute, Read
Directories: Read & Execute, List Folder Contents, Read
Protecting Resources - OSRs
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Name: NoDriveTypeAutoRun, Type: REG_DWORD, Value: 0xFF (Hex)
Name: NoDriveTypeAutoRun, Type: REG_DWORD, Value: 0xFF (Hex)
Protecting Resources - OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Note: on systems where this setting is applied through Group Policy, the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security\AutoBackupLogfiles is used instead of this key.
Name: AutoBackupLogFiles, Type: REG_DWORD, Value: 0x1
Name: AutoBackupLogFiles, Type: REG_DWORD, Value: 0x1
Protecting Resources - OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
Note: on systems where this setting is applied through Group Policy, the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\System\AutoBackupLogfiles is used instead of this key.
Name: AutoBackupLogFiles, Type: REG_DWORD, Value: 0
Name: AutoBackupLogFiles, Type: REG_DWORD, Value: 0
Protecting Resources - OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Note: on systems where this setting is applied through Group Policy, the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Application\AutoBackupLogfiles is used instead of this key.
Name: AutoBackupLogFiles, Type: REG_DWORD, Value: 0
Name: AutoBackupLogFiles, Type: REG_DWORD, Value: 0
Protecting Resources - OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Note: on systems where this setting is applied through Group Policy, the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security\Retention is used instead of this key.
Name: Retention, Type: REG_DWORD, Value: -1 (0xffffffff)
Name: Retention, Type: REG_DWORD, Value: 7776000 (0x0076A700) (equal to 90 days)
Protecting Resources - OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
Note: on systems where this setting is applied through Group Policy, the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\System\Retention is used instead of this key.
Name: Retention, Type: REG_DWORD, Value: (not required to be set)
Name: Retention, Type: REG_DWORD, Value: (not required to be set)
Protecting Resources - OSRs
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Note: on systems where this setting is applied through Group Policy, the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Application\Retention is used instead of this key.
Name: Retention, Type: REG_DWORD, Value: (not required to be set)
Name: Retention, Type: REG_DWORD, Value: (not required to be set)
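A read-only compliance check for the Event Log and AutoRun registry rows above, added here as an example; it is not part of the tech spec or the customer's tooling. It assumes the 'Agreed to Value' column is the target (for example a 90-day Security log Retention) and that a value delivered through Group Policy, under the HKLM\SOFTWARE\Policies key named in the NOTE rows, takes precedence over the service key.

```powershell
# Added example (not from the tech spec): read-only check of the Event Log / AutoRun registry
# requirements listed above. Run in an elevated PowerShell session on the server under review.
# Assumption: the 'Agreed to Value' column is the target; edit the Test blocks for signed-off
# exceptions. Nothing is written to the registry.

$svcBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$polBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'

# Per the NOTE rows, a Group Policy delivered value lives under $polBase and is used instead of
# the service key, so the policy key is read first and the service key is the fallback.
function Get-EffectiveValue {
    param([string]$PolicyKey, [string]$ServiceKey, [string]$Name)
    foreach ($key in @($PolicyKey, $ServiceKey)) {
        if ($key -and (Test-Path -LiteralPath $key)) {
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $Name)) {
                return [pscustomobject]@{ Key = $key; Value = $props.$Name }
            }
        }
    }
    return $null
}

# One entry per requirement: where to look, what to expect, and whether a missing subkey is
# acceptable (the DNS Server subkey only exists on servers running the DNS role).
$checks = @()
foreach ($log in 'Application', 'Security', 'System', 'DNS Server') {
    $checks += @{ Row = "RestrictGuestAccess ($log)"; Service = "$svcBase\$log"; Policy = $null
                  Name = 'RestrictGuestAccess'; Expect = '1'; KeyOptional = ($log -eq 'DNS Server')
                  Test = { param($v) $v -eq 1 } }
}
$checks += @{ Row = 'NoDriveTypeAutoRun'; Policy = $null
              Service = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
              Name = 'NoDriveTypeAutoRun'; Expect = '0xFF'; KeyOptional = $false
              Test = { param($v) $v -eq 0xFF } }
$checks += @{ Row = 'AutoBackupLogFiles (Security)'; Service = "$svcBase\Security"
              Policy = "$polBase\Security"; Name = 'AutoBackupLogFiles'; Expect = '1'
              KeyOptional = $false; Test = { param($v) $v -eq 1 } }
foreach ($log in 'System', 'Application') {
    # Agreed value is 0; an absent value behaves the same way (no automatic backup of the log).
    $checks += @{ Row = "AutoBackupLogFiles ($log)"; Service = "$svcBase\$log"
                  Policy = "$polBase\$log"; Name = 'AutoBackupLogFiles'; Expect = '0 or not set'
                  KeyOptional = $false; Test = { param($v) ($null -eq $v) -or ($v -eq 0) } }
}
# Security log Retention: recommended -1 (0xFFFFFFFF, never overwrite), agreed 7776000 seconds
# (90 days). The registry provider reads a REG_DWORD of 0xFFFFFFFF back as the Int32 value -1.
$checks += @{ Row = 'Retention (Security)'; Service = "$svcBase\Security"
              Policy = "$polBase\Security"; Name = 'Retention'; Expect = '7776000 (90 days) or -1'
              KeyOptional = $false; Test = { param($v) ($v -eq 7776000) -or ($v -eq -1) } }

function Get-CheckStatus($check, $obs, $observed) {
    if ($check.KeyOptional -and -not (Test-Path -LiteralPath $check.Service)) { return 'N/A (subkey absent)' }
    if ($null -eq $obs -and -not (& $check.Test $null)) { return 'FAIL (value not set)' }
    if (& $check.Test $observed) { return 'PASS' }
    return 'FAIL'
}

$results = foreach ($c in $checks) {
    $obs = Get-EffectiveValue -PolicyKey $c.Policy -ServiceKey $c.Service -Name $c.Name
    $observed = $null
    $source   = $c.Service
    if ($null -ne $obs) { $observed = $obs.Value; $source = $obs.Key }
    [pscustomobject]@{ Row = $c.Row; Expected = $c.Expect; Observed = $observed
                       Source = $source; Status = (Get-CheckStatus $c $obs $observed) }
}
$results | Format-Table -AutoSize
```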
Protecting Resources - User Resources
If home directories are designed with subdirectories under them such as a 'public' folder or a folder for storing web pages that are readable by general users, the above permissions would be needed for users to traverse through and access the subdirectories. Otherwise granting no access to general users would be the more common approach for initial home directory permission settings set by the Provider of Service.
At creation time, the home directory must be owned by the resource owner, and the maximum allowed permissions granted on the home directory to anyone other than the resource owner and administrators is:
• Traverse Folder / Execute File
• Read Attributes
• Read Permissions
At creation time, the home directory must be owned by the resource owner, and the maximum allowed permissions granted on the home directory to anyone other than the resource owner and administrators is:
• Traverse Folder / Execute File
• Read Attributes
• Read Permissions
B N ED.1.9.2 Guest Accounts
P N ED.1.9.3 Shared Folders No Share Folder
P N ED 1.9.4 User Account Control User Account Control feature Off Off
B N ED.2.0.1 Business Use Notice Business Use Notice Business Use Notice
B N ED.2.1.1 Encryption Data Transmission Encryption
B N ED.2.1.2 Encryption File/Database Storage Encryption
I N ED.2.1.3 Encryption File/Database Storage None None
I Y ED.3.0.0 Process Exceptions No requirements in this category No requirements in this category No requirements in this category None None
I Y ED.5.0.0 Note No value to be set No value to be set
B Y ED.5.0.1 Privileged Authorizations Administrators No value to be set No value to be set
B Y ED.5.0.2 Privileged Authorizations Domain Admins No value to be set No value to be set not in domain
B Y ED.5.0.3 Privileged Authorizations Enterprise Admins No value to be set No value to be set
B Y ED.5.0.4 Privileged Authorizations Power Users No value to be set No value to be set
B Y ED.5.0.5 Privileged Authorizations Backup Operators No value to be set No value to be set
B Y ED.5.0.6 Privileged Authorizations Print Operators No value to be set No value to be set
B Y ED.5.0.7 Privileged Authorizations Network Configuration Operators No value to be set No value to be set
B Y ED.5.0.8 Privileged Authorizations DHCP Administrators No value to be set No value to be set
B Y ED.5.0.9 Privileged Authorizations Account Operators No value to be set No value to be set No Such Group
B Y ED.5.0.11 Privileged Authorizations Server Operators No value to be set No value to be set No Such Group
B Y ED.5.0.12 Privileged Authorizations Group Policy Creator Owners No value to be set No value to be set No Such Group
B Y ED.5.0.13 Privileged Authorizations Schema Admins No value to be set No value to be set No Such Group
B Y ED.5.0.14 Privileged Authorizations Group Policy Owners No value to be set No value to be set No Such Group
B Y ED.5.0.15 Privileged Authorizations Enterprise Operators No value to be set No value to be set No Such Group
B Y ED.5.0.16 Privileged Authorizations Certificate Service DCOM Access No value to be set No value to be set
B Y ED.5.0.17 Privileged Authorizations Distributed COM Users No value to be set No value to be set
B Y ED.5.0.18 Privileged Authorizations Event Log Readers No value to be set No value to be set
B Y ED.5.0.19 Privileged Authorizations Performance Log Users No value to be set No value to be set
B Y ED.5.0.20 Privileged Authorizations Performance Monitor Users No value to be set No value to be set
B Y ED.5.0.21 Privileged Authorizations Eventlog (note: this is a specific userid) No value to be set No value to be set
B Y ED.5.0.22 All Application Packages (SID: S-1-15-2-1) No value to be set No value to be set
To be deleted if not using Privileged Monitoring Service
This section details additional requirements for Privilege Monitoring only
B N ED.20.1.2.1 Logging Object access Privilege Monitoring Logging Success NA
Protecting Resources - User Resources
Guest accounts which allow system login without entry of a specific password. (examples: Guest accounts)
If a guest account is enabled, it must comply with the following:
• No access to confidential data
• It may not be a member of the following groups:
  o Domain Users
  o Users
  o Any group in scope of Section 5.0 of this technical specification
If a guest account is enabled, it must comply with the following:
• No access to confidential data
• It may not be a member of the following groups:
  o Domain Users
  o Users
  o Any group in scope of Section 5.0 of this technical specification
Protecting Resources - User Resources
Additional Account data security audit requirement
The 'everyone' group must not be used in share permissions
The 'everyone' group must not be used in share permissions
Protecting Resources - User Resources
UAC is to remain as default; turned “on” in Control Panel – User Accounts
Set via the following registry values:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext
Set via the following registry values:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext
Windows Server 2012 provides encryption support for some services, including Kerberos, remote access, Remote Procedure Call (RPC), Secure Sockets Layer/Transport Layer Security (SSL/TLS), and Terminal Services Remote Desktop.
Windows Server 2012 provides encryption support for some services, including Kerberos, remote access, Remote Procedure Call (RPC), Secure Sockets Layer/Transport Layer Security (SSL/TLS), and Terminal Services Remote Desktop.
Windows Server 2012 editions support encryption of folders/files with the Encrypting File System (EFS). EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key by default; a 3DES algorithm option is also available.
Vendor software that supports the encryption requirements of the main standard may also be used.
Windows Server 2012 editions support encryption of folders/files with the Encrypting File System (EFS). EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key by default; a 3DES algorithm option is also available.
Vendor software that supports the encryption requirements of the main standard may also be used.
Add-on product options from Microsoft and IBM (not a comprehensive list or tested)
Secure File Encryption for Desktops (SFED) is supported
Privileged Authorizations/Userids
Description of privileged IDs: the rows in section 5 below list the user IDs or groups that have privileged authority.
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
hpadmin and default administrator exist
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
System & Security Administrative userids include accounts within the following groups
No value to be set
Privileged Authorizations/Userids
System & Security Administrative userids include accounts within the following groups
No value to be set
B N ED.20.1.2.2 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.3 Logging %SystemRoot%\Repair Privilege Monitoring Logging NA
B N ED.20.1.2.4 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.5 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.6 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.7 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.8 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.9 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.10 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.11 Logging %SystemRoot%\system32\dllcache Privilege Monitoring Logging NA
B N ED.20.1.2.12 Logging %WinDir%\WinSxS\Backup Privilege Monitoring Logging NA
%SystemRoot%
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
%SystemRoot%\Security Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
%SystemRoot%\System Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
%SystemRoot%\System32 Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
%SystemRoot%\System32\Config Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
%SystemRoot%\System32\Drivers Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
%SystemRoot%\System32\Spool Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
%SystemRoot%\system32\GroupPolicy Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This folder only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
B N ED.20.1.2.13 Logging %SystemDrive%\Boot.Ini Privilege Monitoring Logging NA
B N ED.20.1.2.14 Logging %SystemDrive%\NTDetect.Com Privilege Monitoring Logging NA
B N ED.20.1.2.15 Logging %SystemDrive%\NTLDR Privilege Monitoring Logging NA
B N ED.20.1.2.16 Logging %SystemDrive% Privilege Monitoring Logging NA
B N ED.20.1.2.17 Logging %SystemRoot%\syswow64 Privilege Monitoring Logging NA
B N ED.20.1.2.18 Logging %SystemRoot%\syswow64\drivers Privilege Monitoring Logging NA
B N ED.20.1.2.19 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.20 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.21 Logging %SystemDrive%\boot\BCD Privilege Monitoring Logging NA
B N ED.20.1.2.22 Logging Privilege Monitoring Logging NA
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
%SystemRoot%\system32\config\SecEvent.Evt
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
%SystemRoot%\system32\config\DnsEvent.Evt
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
%SystemDrive%\bootmgr or \EFI\Microsoft\Boot\bootmgfw.efi
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
B N ED.20.1.2.23 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.24 Logging Privilege Monitoring Logging NA
B N ED.20.1.2.25 Logging Privilege Monitoring Logging NA
%SystemRoot%\system32\winload.exe or %SystemRoot%\system32\winload.efi
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
OSRs - Note: On servers where this file does not exist it must be located on the system reserve partition (SRP) in the location \boot\BCD. OSR file permissions and OSR auditing are not required if the file is on the SRP. If the system is based on UEFI then ignore this control.
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Note: On servers where this file does not exist it must be located on the system reserve partition (SRP) in the location \bootmgr. OSR file permissions and OSR auditing are not required if the file is on the SRP.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Enable Auditing on the OSR object, with the following specifications:
Name: Everyone; Apply onto: This object only; Access: Select "Success" for each of these accesses: Change Permissions, Take Ownership
Note: On servers where this file does not exist it must be located on the system reserve partition (SRP) in the location \bootmgr. OSR file permissions and OSR auditing are not required if the file is on the SRP.
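A read-only audit of the OSR permission rows (ED.1.8) and the OSR auditing rows above, added here as an example; it is not part of the tech spec or the customer's tooling. For each listed file or folder it reports Allow entries that grant a general-user group more than the permitted maximum (Read & Execute, List Folder Contents, Read) and a missing 'Everyone / Success / Change Permissions + Take Ownership' audit entry. It assumes "general users" are the example groups the spec names (Everyone, Users, Authenticated Users) and must run elevated, since reading a SACL requires the security privilege.

```powershell
# Added example (not from the tech spec): read-only DACL/SACL check of the OSRs listed above.
# Run in an elevated PowerShell session on the server under review; nothing is modified.
# Assumption: $GeneralUserGroups holds the groups the spec names as examples; extend it with
# any other broad group in your environment.

$FSR = [System.Security.AccessControl.FileSystemRights]
$PF  = [System.Security.AccessControl.PropagationFlags]
$AF  = [System.Security.AccessControl.AuditFlags]
$GeneralUserGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# ReadAndExecute already contains ListDirectory and Read; Synchronize is present on every
# allow ACE, so it belongs to the permitted mask. Audit entries must cover both rights below.
$MaxRights   = $FSR::ReadAndExecute -bor $FSR::Synchronize
$AuditRights = $FSR::ChangePermissions -bor $FSR::TakeOwnership

# OSRs from the spec. Extra = additional rights the spec allows on that object;
# NoGeneralAccess = rows marked 'no general user authorizations permitted'.
$osrs = @(
    @{ Path = $env:SystemRoot },
    @{ Path = "$env:SystemRoot\security" },
    @{ Path = "$env:SystemRoot\system" },
    @{ Path = "$env:SystemRoot\system32" },
    @{ Path = "$env:SystemRoot\system32\config" },
    @{ Path = "$env:SystemRoot\system32\drivers" },
    @{ Path = "$env:SystemRoot\system32\spool" },
    @{ Path = "$env:SystemRoot\system32\GroupPolicy" },
    @{ Path = "$env:WinDir\WinSxS\Backup"; Extra = $FSR::CreateDirectories },
    @{ Path = "$env:SystemDrive\" },
    @{ Path = "$env:SystemRoot\syswow64" },
    @{ Path = "$env:SystemRoot\syswow64\drivers" },
    @{ Path = "$env:SystemRoot\system32\winload.exe" },
    @{ Path = "$env:SystemRoot\System32\Winevt\Logs\Security.evtx"; NoGeneralAccess = $true }
)

function Test-OsrObject {
    param([string]$Path, [int]$Extra = 0, [bool]$NoGeneralAccess = $false)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Compliant = $null
                                  Findings = 'not present (see the spec note for this OSR)' }
    }
    $acl      = Get-Acl -LiteralPath $Path -Audit
    $allowed  = ([int]$MaxRights) -bor $Extra
    $findings = @()

    # DACL: Allow entries for general-user groups carrying rights outside the permitted maximum.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($GeneralUserGroups -notcontains $ace.IdentityReference.Value) { continue }
        # The spec covers the listed object only, so entries that apply solely to children are skipped.
        if (($ace.PropagationFlags -band $PF::InheritOnly) -ne 0) { continue }
        $rights = [int]$ace.FileSystemRights
        if ($NoGeneralAccess) {
            $findings += "DACL: $($ace.IdentityReference) has $($ace.FileSystemRights); none permitted"
        } elseif (($rights -band (-bnot $allowed)) -ne 0) {
            $findings += "DACL: $($ace.IdentityReference) has $($ace.FileSystemRights); exceeds maximum"
        }
    }

    # SACL: an Everyone entry auditing successful Change Permissions and Take Ownership.
    $auditOk = @($acl.Audit | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.AuditFlags -band $AF::Success) -ne 0) -and
        (([int]$_.FileSystemRights -band [int]$AuditRights) -eq [int]$AuditRights)
    })
    if ($auditOk.Count -eq 0) {
        $findings += 'SACL: no Everyone/Success audit entry for Change Permissions + Take Ownership'
    }

    [pscustomobject]@{ Path = $Path; Compliant = ($findings.Count -eq 0)
                       Findings = ($findings -join '; ') }
}

$report = foreach ($o in $osrs) { Test-OsrObject @o }
$report | Format-Table -AutoSize -Wrap
```

Objects the spec allows to live on the system reserved partition (BCD, bootmgr) are reported as "not present" rather than failed, matching the SRP notes above.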