Unified CCE Security Compliance for Windows Server 2012 R2

Transcription

1 Unified CCE Security Compliance for Windows Server 2012 R2 This topic contains the security baseline for hardening Windows Server 2012 R2 Servers running Unified CCE. This baseline is essentially a collection of Microsoft recommended group policy settings which are determined by using the Microsoft Security Compliance Manager 3.0 tool. The baseline includes only those settings whose severity qualifies as Critical and Important. The settings with Optional and None severity qualification are not included in the baseline. Network security: LAN Manager authentication level Network security: Allow LocalSystem NULL session fallback Microsoft network client: Send unencrypted password to third-party SMB servers Network security: Allow Local System to use computer identity for NTLM Network security: Do not store LAN Manager hash value on next password change Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Interactive logon: Smart card removal behavior Send NTLMv2 response only Not defined Not defined No minimum No Action Send NTLMv2 response only. Refuse LM & NTLM Require NTLMv2 session security Require 128-bit encryption Lock Workstation 1

2 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Interactive logon: Number of previous logons to cache (in case domain controller is not available) Network access: Let Everyone permissions apply to anonymous users Network access: Do not allow anonymous enumeration of SAM accounts and shares Shutdown: Clear virtual memory pagefile No minimum 10 logons Require NTLMv2 session security Require 128-bit encryption 4 logons Network access: Remotely accessible registry paths Shutdown: Allow system to be shut down without having to log on System objects: Require case insensitivity for non-windows subsystems Network access: Sharing and security model for local accounts Interactive logon: Do not require CTRL+ALT+DEL Devices: Allowed to format and eject removable media System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies* Network access: Allow anonymous SID/Name translation Control\ProductOptions System\ CurrentControlSet\Control\ Server Applications Software\ Microsoft\Windows NT\ CurrentVersion Classic - local users authenticate as themselves Control\ProductOptions System\ CurrentControlSet\ Control\ Server Applications Software\ Microsoft\Windows NT\ CurrentVersion Classic - local users authenticate as themselves 2

3 Network access: Remotely accessible registry paths and sub-paths Control\Print\Printers System\ CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\ Windows NT\CurrentVersion\ Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\ CurrentControlSet\ Control\ContentIndex System\ CurrentControlSet\Control\Terminal Server Control\Terminal Server\UserConfig Control\Terminal Server\ DefaultUserConfiguration Software\ Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet \Services\SysmonLog Control\Print\Printers System\ CurrentControlSet\Services\Eventlog Software\ Microsoft\OLAP Server Software\ Microsoft\Windows NT\CurrentVersion\Print Software\ Microsoft\Windows NT\CurrentVersion\Windows Control\ContentIndex System\ CurrentControlSet\Control\ Terminal Server System\ CurrentControlSet\Control\ Terminal Server\UserConfig Control\Terminal Server\ DefaultUserConfiguration Software\Microsoft\ Windows NT\CurrentVersion\ Perflib Services\SysmonLog Recovery console: Allow automatic administrative logon Turn off Autoplay Network access: Restrict anonymous access to Named Pipes and Shares Recovery console: Allow floppy copy and access to all drives and all folders Audit Policy: System: IPsec Driver Audit Policy: System: Security System Extension Audit Policy: Account Management: Security Group Management Not Configured Turn off Autoplay on: All drives and Failure and Failure and Failure 3

4 Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Audit Policy: Account Management: Other Account Management Events Audit Policy: System: Security State Change Audit Policy: Detailed Tracking: Process Creation Not defined and Failure and Failure Audit Policy: System: Other System Events Audit Policy: Logon-Logoff: Account Lockout Audit Policy: Policy Change: Audit Policy Change Audit Policy: Logon-Logoff: Special Logon Audit Policy: Account Management: User Account Management Audit Policy: Account Logon: Credential Validation Audit Policy: Logon-Logoff: Logon Audit Policy: Account Management: Computer Account Management Audit Policy: Privilege Use: Sensitive Privilege Use Audit Policy: Logon-Logoff: Logoff Audit Policy: Policy Change: Authentication Policy Change Audit Policy: System: System Integrity and Failure and Failure and Failure and Failure and Failure and Failure and Failure and Failure and Failure 4

5 Turn off toast notifications on the lock screen Microsoft network server: Amount of idle time required before suspending session Interactive logon: Machine inactivity limit Microsoft network server: Disconnect clients when logon hours expire Network security: Force logoff when logon hours expire Sign-in last interactive user automatically after a system-initiated restart Interactive logon: Do not display last user name Interactive logon: Machine account lockout threshold Devices: Prevent users from installing printer drivers Create global objects Access this computer from the network Modify an object label Generate security audits Increase scheduling priority Force shutdown from a remote system Allow log on through Remote Desktop Services* Change the system time 15 minutes Not defined Not defined, Service, Local Service, Network Service Everyone,, Users, Backup Operators None Local Service, Network Service, Remote Desktop Users, Local Service 15 minutes 900 seconds 10 invalid logon attempts, Service, Local Service, Network Service, Authenticated Users Local Service, Network Service, Remote Desktop Users, Local Service 5

6 Create a pagefile Profile single process Deny log as a batch job Act as part of the operating system Guests Change time zone Lock pages in memory Access Credential Manager as a trusted caller Create a token object Debug programs Deny log on as a service Deny access to this computer from the network Back up files and directories Shut down the system Deny log on locally Replace a process level token Modify firmware environment values Allow log on locally* Restore files and directories Profile system performance Perform volume maintenance tasks Manage auditing and security log, Local Service Guests, Backup Operators, Backup Operators, Users Guests Local Service, Network Service Guests,, Users, Backup Operators, Backup Operators, NT SERVICE\ WdiServiceHost, Local Service Guests Guests, NT AUTHORITY\Local account, and members of group Guests Local Service, Network Service, Users, NT SERVICE\ WdiServiceHost 6

7 Enable computer and user accounts to be trusted for delegation Impersonate a client after authentication Load and unload device drivers Take ownership of files or other objects Adjust memory quotas for a process Create symbolic links Create permanent shared objects Domain member: Require strong (Windows 2000 or later) session key Password protect the screen saver WDigest Authentication (disabling may require KB ) System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enable screen saver Force specific screen saver Microsoft network client: Digitally sign communications (if server agrees) Network security: LDAP client signing requirements Microsoft network client: Digitally sign communications (always) Microsoft network server: Digitally sign communications (always), Service, Local Service, Network Service, Local Service, Network Service Negotiate signing, Service, Local Service, Network Service, Local Service, Network Service Screen saver executable name : scrnsave.scr Negotiate signing 7

8 Domain member: Digitally sign secure channel data (when possible) Domain member: Digitally encrypt or sign secure channel data (always) Microsoft network server: Digitally sign communications (if client agrees) Domain member: Digitally encrypt secure channel data (when possible) Specify the maximum log file size (KB) - Application Specify the maximum log file size (KB) - System Specify the maximum log file size (KB) - Security Audit: Shut down system immediately if unable to log security audits Accounts: Limit local account use of blank passwords to console logon only Domain member: Disable machine account password changes Domain member: Maximum machine account password age Interactive logon: Prompt user to change password before expiration Allow indexing of encrypted files Do not display network selection UI Allow Microsoft accounts to be optional Accounts: Guest account status KB KB KB 30 days 14 days Maximum Log Size (KB) = Maximum Log Size (KB) = Maximum Log Size (KB) = days 14 days 8

9 Prevent enabling lock screen slide show Prevent enabling lock screen camera Settings marked with an asterix (*) are a deviation from Microsoft recommended values because they disrupt some functionalities of Unified CCE. 9

10 10