Domain
1 | No | Windows services that are critical for directory server operation must be configured for automatic startup.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
File System auditing under Object Access is used to enable the recording of events
related to the access and changing of files and directories. Auditing must also be
enabled on the specific file system objects to be audited.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Central Access Policy Staging auditing under Object Access is used to enable the
recording of events related to differences in permissions between central access
policies and proposed policies.
System administrators must log on to systems only using accounts with the minimum
level of authority necessary.
Standard user accounts must not be members of the built-in Administrators group.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Audit directory service changes records events related to changes made to objects in
Active Directory Domain Services.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
This setting allows administrators to enable more precise auditing capabilities.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
The "Deny log on through Remote Desktop Services" user right defines the accounts
that are prevented from logging on using Remote Desktop Services.
The Guests group must be assigned this right to prevent unauthenticated access.
A system faces an increased vulnerability threat if the built-in guest account is not
disabled. This account is a known account that exists on all Windows systems and
cannot be deleted. This account is initialized during the installation of the operating
system with no password assigned.
The built-in guest account is a well-known user account on all Windows systems and,
as initially installed, does not require a password. This can allow access to system
resources by unauthorized users. Renaming this account to an unidentified name
improves the protection of this account and the system.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
This setting prevents the system from setting up a default system access control list
for certain system objects, which could create a very large number of security events,
filling the security log in Windows and making it difficult to identify actual issues.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
The "Deny log on locally" user right defines accounts that are prevented from logging
on interactively.
The Guests group must be assigned this right to prevent unauthenticated access.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
The "Create a token object" user right allows a process to create an access token.
This could be used to provide elevated rights and compromise a system.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Create global objects" user right can create objects that are
available to all sessions, which could affect processes in other users' sessions.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Change the time zone" user right can change the time zone of a
system.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Create a pagefile" user right can change the size of a pagefile,
which could affect system performance.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Debug programs" user right can attach a debugger to any process
or to the kernel, providing complete access to sensitive and critical operating system
components. This right is given to Administrators in the default configuration.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Create permanent shared objects" user right could expose
sensitive data by creating shared objects.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Create symbolic links" user right can create pointers to other
objects, which could potentially expose the system to attack.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Audit directory service access records events related to users accessing an Active
Directory object.
Named pipes that can be accessed anonymously provide the potential for gaining
unauthorized system access. Pipes are internal system communications processes.
They are identified internally by ID numbers that vary between systems. To make
access to these processes easier, these pipes are given names that do not vary
between systems. This setting controls which of these pipes anonymous users may
access.
Allowing different input methods for sign-in could open different avenues of attack.
User input methods must be restricted to those enabled for the system account at
sign-in.
The classic logon screen requires users to enter a logon name and password to access
a system. The simple logon screen or Welcome screen displays usernames for
selection, providing part of the necessary logon information.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents the Windows Registration Wizard from online registration.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents the Search Companion from automatically downloading content
updates during local and Internet searches.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting ensures the "Order Prints Online" task is not available in File Explorer.
Allowing the option to publish to the web from File and Folder tasks in Windows
folders could allow sensitive information to be exposed.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents Windows Messenger from collecting anonymous information
about how the Windows Messenger software and service is used.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting ensures the Windows Customer Experience Improvement Program is
disabled so information is not passed to the vendor.
This setting controls the reporting of errors to Microsoft and, if defined, a corporate
error reporting site. This does not interfere with the reporting of errors to the local
user. Since the contents of memory are included in this error report, sensitive
information may be transmitted to Microsoft. This feature must be disabled to
prevent the release of such information.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents Windows from searching Windows Update for device drivers
when no local drivers for a device are present.
To ensure secure websites protected with ECA server certificates are properly
validated, the system must trust the ECA Root CA 2. The ECA root certificate will
ensure the trust chain is established for server certificates issued from the External
CA.
To ensure secure DoD websites and DoD signed code are properly validated, the
system must trust the DoD Root CA 2. The DoD root certificate will ensure that the
trust chain is established for server certificates issued from the DoD CA.
Storage of administrative credentials could allow unauthorized access. Disallowing
the storage of RunAs credentials for Windows Remote Management will prevent
them from being used with plug-ins.
Improper modification of the registry can have a significant impact on the security
configuration of a system, as well as potentially rendering a system inoperable.
Failed access attempts may indicate an attack on a system. Auditing for failed access
attempts provides an indicator of such attempts and a method of determining
responsible parties.
Improper modification of system files can have a significant impact on the security
configuration of a system, as well as potentially rendering a system inoperable.
Failed access attempts may indicate an attack on a system. Auditing for failed access
attempts provides an indicator of such attempts and a method of determining
responsible parties.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Security System Extension records events related to extension code being loaded by
the security subsystem.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. This setting will turn on session logging for
Remote Assistance connections.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Process Creation records events related to the creation of a process and the source.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a
server, and the server leaves the half-open connections open until it is overwhelmed
and is no longer able to respond to legitimate requests.
When the audit log reaches a given percent full, an audit event is written to the
security log. It is recorded as a successful audit event under the category of System.
This option may be especially useful if the audit logs are set to be cleared manually.
The Internet Router Discovery Protocol (IRDP) is used to detect and configure default
gateway addresses on the computer. If a router is impersonated on a network, traffic
could be routed through the compromised system.
The default search behavior, when an application calls a function in a Dynamic Link
Library (DLL), is to search the current directory, followed by the directories contained
in the system's path environment variable. An unauthorized DLL, inserted into an
application's working directory, could allow malicious code to be run on the system.
Setting this policy value forces the system to search the %Systemroot% for the DLL
before searching the current directory or the rest of the path.
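The paragraph above describes the effect of the SafeDllSearchMode policy on where the loader looks first. The following model, added here as an example and not code from the page, lists the documented standard search order in both modes and resolves a constructed file set against it; all directory and file names are placeholders.

```python
"""Model of the Windows DLL search order with and without SafeDllSearchMode.

Added example: directory and file names below are constructed placeholders.
The relative order of the locations follows the documented standard search
order; this script models it, it does not query a live system.
"""


def dll_search_order(safe_dll_search_mode, app_dir, cwd, path_dirs,
                     system_dir=r"C:\Windows\System32",
                     system16_dir=r"C:\Windows\System",
                     windows_dir=r"C:\Windows"):
    """Return the directories in the order the loader consults them."""
    if safe_dll_search_mode:
        # SafeDllSearchMode = 1: the system directories under %Systemroot%
        # are searched before the current working directory.
        return [app_dir, system_dir, system16_dir, windows_dir, cwd, *path_dirs]
    # SafeDllSearchMode = 0: the current working directory is searched second,
    # ahead of every system location.
    return [app_dir, cwd, system_dir, system16_dir, windows_dir, *path_dirs]


def resolve_dll(name, present_files, order):
    """Return the first candidate path in `order` that exists, or None."""
    present = {p.lower() for p in present_files}
    for directory in order:
        candidate = f"{directory}\\{name}"
        if candidate.lower() in present:
            return candidate
    return None


# Constructed file set: the legitimate copy lives in System32 and a second
# copy of the same name sits in the working directory the application uses.
APP_DIR = r"C:\Program Files\ExampleApp"
WORKING_DIR = r"C:\Users\alice\Documents"
PATH_DIRS = [r"C:\Tools"]
PRESENT_FILES = [
    r"C:\Windows\System32\example.dll",
    r"C:\Users\alice\Documents\example.dll",
]


def winning_copy(safe_dll_search_mode):
    """Which copy of example.dll the loader would pick under each policy value."""
    order = dll_search_order(safe_dll_search_mode, APP_DIR, WORKING_DIR, PATH_DIRS)
    return resolve_dll("example.dll", PRESENT_FILES, order)


if __name__ == "__main__":
    for mode in (0, 1):
        print(f"SafeDllSearchMode={mode}: loads {winning_copy(bool(mode))}")
```

With the policy enabled the System32 copy is selected because the working directory is only consulted after the %Systemroot% locations; with it disabled the working-directory copy is found first, which is the exposure the paragraph describes.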
Allowing more than several seconds makes the computer vulnerable to a potential
attack from someone walking up to the console to attempt to log on to the system
before the lock takes effect.
Configuring Windows to limit the number of times that IPv6 TCP retransmits
unacknowledged data segments before aborting the attempt helps prevent resources
from becoming exhausted.
This setting controls how often TCP sends a keep-alive packet in attempting to verify
that an idle connection is still intact. A higher value could allow an attacker to cause
a denial of service with numerous connections.
IPSec exemption filters allow specific traffic that may be needed by the system for
such things as Kerberos authentication. This setting configures Windows for specific
IPSec exemptions.
Configuring the system to ignore name release requests, except from WINS servers,
prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS
name release request to the server for each entry in the server's cache, causing a
response delay in the normal operation of the server's WINS resolution capability.
Unnecessary services increase the attack surface of a system. Some of these services
may not support required levels of authentication or encryption.
The automatic start of the Smart Card Removal Policy service is required to support
the smart card removal behavior requirement.
PKI is a two-factor authentication technique and thus provides a higher level of trust
in the asserted identity than the username/password authentication technique.
Unnecessary services increase the attack surface of a system. Some of these services
may not support required levels of authentication or encryption.
Allowing unsecure RPC communication exposes the system to man-in-the-middle
attacks and data disclosure attacks. A man-in-the-middle attack occurs when an
intruder captures packets between a client and server and modifies them before
allowing the packets to be exchanged. Usually the attacker will modify the
information in the packets in an attempt to cause either the client or server to reveal
sensitive information.
Preventing the redirection of Remote Desktop session data to a client computer's LPT
ports helps reduce possible exposure of sensitive data.
Enabling the redirection of smart card devices allows their use within Remote
Desktop sessions.
Preventing the redirection of Plug and Play devices in Remote Desktop sessions helps
reduce possible exposure of sensitive data.
Allowing the redirection of only the default client printer to a Remote Desktop
session helps reduce possible exposure of sensitive data.
Removing the Disconnect option from the Shut Down dialog box for Remote Desktop
sessions helps prevent disconnected but active sessions from continuing to run and
using resources.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
When directory service database objects do not have appropriate access control
permissions, it may be possible for malicious users to create, read, update, or delete
the objects and degrade or destroy the integrity of the data. When the directory
service is used for identification, authentication, or authorization functions, a
compromise of the database objects could lead to a compromise of all systems that
rely on the directory service.
For Active Directory (AD), the Organizational Unit (OU) objects require special
attention. In a distributed administration model (e.g., help desk), OU objects are more
likely to have access permissions changed from the secure defaults. If inappropriate
access permissions are defined for OU objects, it could allow an intruder to add or
delete users in the OU. This could result in unauthorized access to data or a Denial of
Service to authorized users.
IPv6 transition technologies, which tunnel packets through other protocols, do not
provide visibility.
A Network Bridge can connect two or more network segments, allowing
unauthorized access or exposure of sensitive data. This setting prevents a Network
Bridge from being installed and configured.
Routing all Direct Access traffic through the internal network allows monitoring and
prevents split tunneling.
IPv6 transition technologies, which tunnel packets through other protocols, do not
provide visibility.
The Mapper I/O network protocol (LLTDIO) driver allows the discovery of the
connected network and allows various options to be enabled. Disabling this helps
protect the system from potentially discovering and connecting to unauthorized
devices.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Shut down the system" user right can interactively shut down a
system, which could result in a DoS.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Restore files and directories" user right can circumvent file and
directory permissions and could allow access to sensitive data. It could also be used
to overwrite more current data.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Take ownership of files or other objects" user right can take
ownership of objects and make changes.
A PKI implementation depends on the practices established by the Certificate
Authority (CA) to ensure the implementation is secure. Without proper practices, the
certificates issued by a CA have limited value in authentication functions. The use of
multiple CAs from separate PKI implementations results in interoperability issues. If
servers and clients do not have a common set of root CA certificates, they are not
able to authenticate each other.
User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting
configures the built-in Administrator account so that it runs in Admin Approval Mode.
Use of software certificates and their accompanying installation files for end users to
access resources is less secure than the use of hardware-based certificates.
Unnecessary services increase the attack surface of a system. Some services may be
run under the local System account, which generally has more permissions than
required by the service. Compromising a service could allow an intruder to obtain
system permissions and open the system to a variety of attacks.
A properly configured host-based Intrusion Detection System provides another level
of defense against unauthorized access to critical servers. With proper configuration
and logging enabled, such a system can stop and/or alert for many attempts to gain
unauthorized access to resources.
The organization (including any contractor to the organization) must promptly install
security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws
discovered during security assessments, continuous monitoring, incident response
activities, or information system error handling must also be addressed.
Failure to verify a certificate's revocation status can result in the system accepting a
revoked, and therefore unauthorized, certificate. This could result in the installation
of unauthorized software or a connection to rogue networks, depending on the use
for which the certificate is intended. Querying for certificate revocation mitigates
the risk that the system will accept an unauthorized certificate.
The FTP (File Transfer Protocol) service allows remote users to access shared files and
directories. Allowing anonymous FTP connections makes user auditing difficult.
Using accounts that have administrator privileges to log on to FTP risks that the
userid and password will be captured on the network and give administrator access
to an unauthorized user.
The FTP service allows remote users to access shared files and directories which
could provide access to system resources and compromise the system, especially if
the user can gain access to the root directory of the boot drive.
A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Logging of successful connections for a domain
connection will be enabled to maintain an audit trail if issues are discovered.
Attaching malicious files is a known avenue of attack. This setting configures the
system to notify antivirus programs when a user opens a file attachment.
Allowing users to share files in their profiles may provide unauthorized access or
result in the exposure of sensitive data.
Unencrypted access to system services may permit an intruder to intercept user
identification and passwords that are being transmitted in clear text. This could give
an intruder unlimited access to the network.
Shared accounts (accounts where two or more people log in with the same user
identification) do not provide adequate identification and authentication. There is no
way to provide for nonrepudiation or individual accountability for system access and
resource usage. Documentation must include a list of personnel that have access to
each shared account.
Backups shall be consistent with organizational recovery time and recovery point
objectives.
A system backup will usually include sensitive information such as user accounts that
could be used in an attack. As a valuable system resource, the system backup must
be protected and stored in a physically secure location.
User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting requires
Windows to respond to application installation requests by prompting for credentials.
User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting
configures whether Windows elevates all applications, or only signed ones.
User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting
configures Windows to only allow applications installed in a secure location on the
file system, such as the Program Files or the Windows\System32 folders, to run with
elevated privileges.
User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting enables
UAC.
User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting ensures
that the elevation prompt is only used in secure desktop mode.
User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting
configures non-UAC-compliant applications to run in virtualized file and registry
entries in per-user locations, allowing them to run.
User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting prevents
User Interface Accessibility programs from disabling the secure desktop for elevation
prompts.
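The seven User Account Control paragraphs above each name one policy setting. The script below, added here as an example and not code from the page, reads the text form of a `reg export` of the UAC policy key and compares the values against a baseline. The value names are the real registry values under that key; the expected numbers are assumptions for this example, since the paragraphs say what each setting controls but not the required value, and the sample export is constructed.

```python
"""Compare UAC policy values from a `reg export` file against a baseline.

Added example. `reg export` writes UTF-16 text; open real files with
encoding="utf-16". The sample below is constructed.
"""
import re

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Expected values are an assumption for this example; adjust to the baseline
# in force. Each comment maps the value to the setting discussed above.
EXPECTED = {
    "EnableLUA": 1,                 # UAC enabled
    "FilterAdministratorToken": 1,  # built-in Administrator in Admin Approval Mode
    "EnableInstallerDetection": 1,  # prompt for credentials on application installs
    "EnableSecureUIAPaths": 1,      # elevate UIAccess apps only from secure locations
    "PromptOnSecureDesktop": 1,     # elevation prompt on the secure desktop only
    "EnableVirtualization": 1,      # virtualize writes of non-UAC-compliant apps
    "EnableUIADesktopToggle": 0,    # UIA programs may not disable the secure desktop
}

# Constructed sample export with three values that deviate from EXPECTED.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"EnableInstallerDetection"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"PromptOnSecureDesktop"=dword:00000000
"EnableVirtualization"=dword:00000001
"EnableUIADesktopToggle"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000005
"""

_DWORD_LINE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(text, key):
    """Return {value name: int} for the DWORD values under one registry key."""
    values = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        match = _DWORD_LINE.match(line)
        if in_key and match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def uac_findings(values, expected=EXPECTED):
    """Return (name, configured, expected) for every value that deviates.

    A missing value reports None as the configured value: an absent policy
    value means the default applies, which this check treats as a deviation.
    """
    return [(name, values.get(name), want)
            for name, want in expected.items() if values.get(name) != want]


if __name__ == "__main__":
    for name, got, want in uac_findings(parse_reg_dwords(SAMPLE_REG, UAC_KEY)):
        print(f"{name}: configured {got}, expected {want}")
```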
Software restriction policies help to protect users and computers from executing
unauthorized code such as viruses and Trojan horses. This setting must be enabled
to enforce certificate rules in software restriction policies.
The POSIX subsystem is an Institute of Electrical and Electronic Engineers (IEEE)
standard that defines a set of operating system services. The POSIX Subsystem is
required if the server supports applications that use that subsystem. The subsystem
introduces a security risk relating to processes that can potentially persist across
logins. That is, if a user starts a process and then logs out, there is a potential that
the next user who logs in to the system could access the previous user's process. This
is dangerous because the process started by the first user may retain that user's
system privileges, and anything the second user does with that process will be
performed with the privileges of the first user.
Allowing users to install drivers can introduce malware or cause the instability of a
system. This capability should be restricted to administrators.
When inappropriate audit settings are configured for directory service database
objects, it may be possible for a user or process to update the data without
generating any tracking data. The impact of missing audit data is related to the type
of object. A failure to capture audit data for objects used by identification,
authentication, or authorization functions could degrade or eliminate the ability to
track changes to access policy for systems or data.
For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes the
AdminSDHolder object. Because changes to these objects can significantly impact
access controls or the availability of systems, the absence of auditing data makes it
impossible to identify the source of changes that impact the confidentiality, integrity,
and availability of data and systems throughout an AD domain. The lack of proper
auditing can result in insufficient forensic evidence needed to investigate an incident
and prosecute the intruder.
A Windows account with the "Synchronize directory service data" right has the ability
to read all information in the AD database. This bypasses the object access
permissions that would otherwise restrict access to the data. The scope of access
granted by this right is too broad for secure usage. Specific object permissions or
other group membership assignments could be used to provide access on an
appropriate scale.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Handle Manipulation auditing under Object Access records the closing and duplication of object handles (events 4658 and 4690), which complement the open and access events produced by File System auditing and are needed to reconstruct fully how files and directories were accessed and changed. Auditing must also be enabled, as a SACL, on the specific file system objects to be audited; enabling the subcategory without a SACL on the object produces no events for it.
The use of complex passwords increases their strength against guessing and brute-
force attacks. This setting configures the system to verify that newly created
passwords conform to the Windows password complexity policy.
Storing passwords using reversible encryption is essentially the same as storing clear-
text versions of the passwords. For this reason, this policy must never be enabled.
The account lockout feature, when enabled, prevents brute-force password attacks
on the system. The higher this value is, the less effective the account lockout feature
will be in protecting the local system. The number of bad logon attempts must be
reasonably small to minimize the possibility of a successful password attack, while
allowing for honest errors made during a normal user logon.
The account lockout feature, when enabled, prevents brute-force password attacks
on the system. This parameter specifies the period of time that must pass after failed
logon attempts before the counter is reset to 0. The smaller this value is, the less
effective the account lockout feature will be in protecting the local system.
The account lockout feature, when enabled, prevents brute-force password attacks
on the system. This parameter specifies the period of time that an account will
remain locked after the specified number of failed logon attempts. A value of 0 will
require an administrator to unlock the account.
A system is more vulnerable to unauthorized access when system users recycle the
same password several times without being required to change to a unique password
on a regularly scheduled basis. This enables users to effectively negate the purpose
of mandating periodic password changes.
The longer a password is in use, the greater the opportunity for someone to gain
unauthorized knowledge of the passwords. Scheduled changing of passwords
hinders the ability of unauthorized system users to crack passwords and gain access
to a system.
Requests sent on the secure channel are authenticated, and sensitive information
(such as passwords) is encrypted, but the channel is not integrity checked. If this
policy is enabled, outgoing secure channel traffic will be signed.
Requests sent on the secure channel are authenticated, and sensitive information
(such as passwords) is encrypted, but not all information is encrypted. If this policy is
enabled, outgoing secure channel traffic will be encrypted.
Requests sent on the secure channel are authenticated, and sensitive information
(such as passwords) is encrypted, but not all information is encrypted. If this policy is
enabled, outgoing secure channel traffic will be encrypted and signed.
Removable hard drives, if they are not properly configured, can be formatted and
ejected by users who are not members of the Administrators Group. Formatting and
ejecting removable NTFS media must only be done by administrators.
Displaying the username of the last logged on user provides half of the
userid/password equation that an unauthorized person would need to gain access.
The username of the last user to log on to a system must not be displayed.
To the extent that anonymous access to directory data (outside the root DSE) is
permitted, read access control of the data is effectively disabled. If other means of
controlling access (such as, network restrictions) are compromised, there may be
nothing else to protect the confidentiality of sensitive directory data.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. The System event log may
be susceptible to tampering if proper permissions are not applied.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. The Application event log
may be susceptible to tampering if proper permissions are not applied.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. The Security event log may
disclose sensitive information or be susceptible to tampering if proper permissions
are not applied.
Audit records are essential for investigating system activity after the fact. Retention
periods for audit data are determined based on the sensitivity of the data handled by
the system.
Protection of log data includes assuring the log data is not accidentally lost or
deleted. Backing up audit records to a different system or onto separate media than
the system being audited on an organization defined frequency helps to assure in the
event of a catastrophic system failure, the audit records will be retained.
To be of value, audit logs from critical systems must be reviewed on a regular basis.
Critical systems should be reviewed on a daily basis to identify security breaches and
potential weaknesses in the security structure. This can be done with the use of
monitoring software or other utilities for this purpose.
Audit records are essential for investigating system activity after the fact. Retention
periods for audit data are determined based on the sensitivity of the data handled by
the system.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Access Credential Manager as a trusted caller" user right may be
able to retrieve the credentials of other accounts from Credential Manager.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Act as part of the operating system" user right can assume the
identity of any user and gain access to resources that user is authorized to access.
Any accounts with this right can take complete control of a system.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Allow log on locally" user right can log on interactively to a
system.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Adjust memory quotas for a process" user right can adjust
memory that is available to processes, and could be used in a denial of service (DoS)
attack.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Back up files and directories" user right can circumvent file and
directory permissions and could allow access to sensitive data.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Allow log on through Remote Desktop Services" user right can
access a system through Remote Desktop.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Change the system time" user right can change the system time,
which can impact authentication, as well as affect time stamps on event log entries.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
Accounts with the "Bypass traverse checking" user right can pass through folders
when browsing even if they do not have the "Traverse Folder" access permission.
They could potentially view sensitive file and folder names. They would not have
additional access to the files and folders unless it is granted through permissions.
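One way to verify the password and lockout policy entries and the user-rights entries discussed above on a single host is to export the effective local security policy with secedit and compare it against a baseline. The following PowerShell is an added example for this page, not STIG text or a Microsoft tool; the numeric thresholds and the set of principals allowed to hold each right are assumptions chosen for illustration (adjust them to the organization's baseline), and the script must run in an elevated session because secedit reads the local security database.

```powershell
# Added example: export the effective local security policy with secedit and
# check password/lockout settings and the holders of sensitive user rights.
# Thresholds and allowed holders below are ASSUMPTIONS for illustration.
$cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /quiet | Out-Null
$ini = @{}; $section = ''
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=\s]+)\s*=\s*(.*)$') { $ini[$section][$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item -Path $cfg -Force

# --- [System Access]: password and lockout policy ---------------------------
$sa = $ini['System Access']
$policy = @(
  @{Key='PasswordComplexity';  Op='eq'; Limit=1;  Desc='Password must meet complexity requirements'},
  @{Key='ClearTextPassword';   Op='eq'; Limit=0;  Desc='Store passwords using reversible encryption (must be off)'},
  @{Key='LockoutBadCount';     Op='le'; Limit=3;  Desc='Account lockout threshold (attempts; 0 disables lockout)'},
  @{Key='ResetLockoutCount';   Op='ge'; Limit=15; Desc='Reset account lockout counter after (minutes)'},
  @{Key='LockoutDuration';     Op='ge'; Limit=15; Desc='Account lockout duration (minutes; 0 = administrator must unlock)'},
  @{Key='PasswordHistorySize'; Op='ge'; Limit=24; Desc='Enforce password history (passwords remembered)'},
  @{Key='MaximumPasswordAge';  Op='le'; Limit=60; Desc='Maximum password age (days; -1 = never expires)'},
  @{Key='MinimumPasswordAge';  Op='ge'; Limit=1;  Desc='Minimum password age (days)'}
)
foreach ($p in $policy) {
    $raw = $sa[$p.Key]
    $ok = $false
    if ($null -ne $raw) {
        $v = [int]$raw
        $ok = switch ($p.Op) { 'eq' { $v -eq $p.Limit } 'le' { $v -le $p.Limit } 'ge' { $v -ge $p.Limit } }
        if ($p.Key -eq 'LockoutBadCount'   -and $v -eq 0) { $ok = $false }  # lockout disabled entirely
        if ($p.Key -eq 'LockoutDuration'   -and $v -eq 0) { $ok = $true }   # manual unlock is stricter
        if ($p.Key -eq 'MaximumPasswordAge' -and $v -lt 0) { $ok = $false }  # never expires
    }
    '{0} {1,-20} = {2,-8} {3}' -f $(if ($ok) {'PASS'} else {'FAIL'}), $p.Key, $(if ($null -eq $raw) {'<absent>'} else {$raw}), $p.Desc
}

# --- [Privilege Rights]: who holds sensitive rights -------------------------
# Values are comma-separated SIDs prefixed with '*'. Allowed holders are assumptions:
# S-1-5-32-544 = Administrators, S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE.
$rights = [ordered]@{
    SeTcbPrivilege                  = @()                                      # Act as part of the operating system
    SeTrustedCredManAccessPrivilege = @()                                      # Access Credential Manager as a trusted caller
    SeSyncAgentPrivilege            = @()                                      # Synchronize directory service data
    SeDebugPrivilege                = @('S-1-5-32-544')                        # Debug programs
    SeBackupPrivilege               = @('S-1-5-32-544')                        # Back up files and directories
    SeLoadDriverPrivilege           = @('S-1-5-32-544')                        # Load and unload device drivers
    SeSystemEnvironmentPrivilege    = @('S-1-5-32-544')                        # Modify firmware environment values
    SeManageVolumePrivilege         = @('S-1-5-32-544')                        # Perform volume maintenance tasks
    SeRemoteInteractiveLogonRight   = @('S-1-5-32-544')                        # Allow log on through Remote Desktop Services
    SeInteractiveLogonRight         = @('S-1-5-32-544')                        # Allow log on locally
    SeSystemtimePrivilege           = @('S-1-5-32-544','S-1-5-19')             # Change the system time
    SeIncreaseQuotaPrivilege        = @('S-1-5-32-544','S-1-5-19','S-1-5-20')  # Adjust memory quotas for a process
    SeAssignPrimaryTokenPrivilege   = @('S-1-5-19','S-1-5-20')                 # Replace a process level token
}
function Resolve-Principal([string]$token) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($token)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $token }   # unresolvable SID or a plain name: show as-is
}
$pr = $ini['Privilege Rights']
foreach ($name in $rights.Keys) {
    $holders = @()
    if ($pr[$name]) { $holders = @($pr[$name].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }) }
    $extra = @($holders | Where-Object { $rights[$name] -notcontains $_ })
    $shown = if ($holders.Count) { ($holders | ForEach-Object { Resolve-Principal $_ }) -join ', ' } else { '<no one>' }
    '{0} {1,-32} {2}' -f $(if ($extra.Count) {'FAIL'} else {'PASS'}), $name, $shown
}
```

A right that is assigned to nobody is simply absent from the `[Privilege Rights]` section of the export, which is why `SeTcbPrivilege`, `SeTrustedCredManAccessPrivilege` and `SeSyncAgentPrivilege` pass only when the key is missing or empty. Anything that does not resolve to a known SID is reported as a holder so that orphaned or foreign-domain principals are reviewed rather than silently accepted.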
Attackers are constantly looking for vulnerabilities in systems and applications. The Enhanced Mitigation Experience Toolkit (EMET) can enable several mechanisms, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP), on the system and its applications, adding additional layers of protection. Note that EMET reached end of support in July 2018; on Windows 10 and Windows Server 2016 and later, the same class of mitigations is configured through Windows Defender Exploit Guard's Exploit Protection, so the requirement should be read as "the mitigations must be enabled" rather than as tied to the EMET product.
Turning off an inactive display supports energy saving initiatives. It may also extend
availability on systems running on a battery.
App notifications that are displayed on the lock screen could display sensitive
information to unauthorized personnel. Turning off this feature will limit access to
the information to a logged on user.
The username is one part of logon credentials that could be used to gain access to a
system. Preventing the enumeration of users limits this information to authorized
personnel.
Remote assistance allows another user to view or take control of the local session of
a user. Solicited assistance is help that is specifically requested by the local user. This
may allow unauthorized parties access to the resources on the computer.
Remote assistance allows another user to view or take control of the local session of
a user. Unsolicited remote assistance is help that is offered by the remote user. This
may allow unauthorized parties access to the resources on the computer.
When inappropriate audit settings are configured for directory service database
objects, it may be possible for a user or process to update the data without
generating any tracking data. The impact of missing audit data is related to the type
of object. A failure to capture audit data for objects used by identification,
authentication, or authorization functions could degrade or eliminate the ability to
track changes to access policy for systems or data.
For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes the
Infrastructure object. Because changes to these objects can significantly impact
access controls or the availability of systems, the absence of auditing data makes it
impossible to identify the source of changes that impact the confidentiality, integrity,
and availability of data and systems throughout an AD domain. The lack of proper
auditing can result in insufficient forensic evidence needed to investigate an incident
and prosecute the intruder.
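To see whether the critical objects named above (AdminSDHolder and the Infrastructure object) actually carry audit entries, read their SACLs. The PowerShell below is an added example, not part of the page or of any Microsoft tooling; it assumes the ActiveDirectory module is installed, that the caller holds the "Manage auditing and security log" right needed to read SACLs, and that the domain head is also worth auditing (an assumption added here). With an empty SACL the Directory Service Access (4662) and Directory Service Changes (5136) subcategories produce no events for the object, no matter how the audit policy is set.

```powershell
# Added example: list the audit entries (SACL) on AD objects whose changes must be
# tracked. Needs the ActiveDirectory module and the right to read SACLs.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$targets = @(
    "CN=AdminSDHolder,CN=System,$domainDN",   # template ACL applied to protected accounts
    "CN=Infrastructure,$domainDN",            # Infrastructure FSMO role object
    $domainDN                                 # the domain head itself (assumption: also audited)
)
# Operations that change access control or remove the object
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl     -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner    -bor
             [System.DirectoryServices.ActiveDirectoryRights]::Delete
foreach ($dn in $targets) {
    $acl   = Get-Acl -Path "AD:\$dn" -Audit
    $rules = @($acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]))
    "`n$dn  ($($rules.Count) audit entries)"
    if ($rules.Count -eq 0) { '  FAIL: no SACL entries; changes to this object will not be logged'; continue }
    foreach ($r in $rules) {
        '  {0,-18} {1,-28} {2}' -f $r.AuditFlags, $r.IdentityReference, $r.ActiveDirectoryRights
    }
    # Expect at least one Success entry for Everyone that covers write/delete operations
    $covered = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success) -and
        ([int]($_.ActiveDirectoryRights -band $writeMask)) -ne 0
    }
    if (-not $covered) { '  WARN: no Success audit entry for Everyone covering write/delete rights' }
}
```

The check is deliberately coarse: it tells you whether a change to the object would generate an event at all, not whether every attribute of interest is covered. Inherited entries are included (the first `$true` to `GetAuditRules`), so an entry set on the domain head and inherited downward counts.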
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
IPsec Driver records events related to the IPsec driver, such as dropped packets.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Security State Change records events related to changes in the security state, such as
startup and shutdown of the system.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Sensitive Privilege Use records events related to use of sensitive privileges, such as
"Act as part of the operating system" or "Debug programs".
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
IPsec Driver records events related to the IPsec driver, such as dropped packets.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Sensitive Privilege Use records events related to use of sensitive privileges, such as
"Act as part of the operating system" or "Debug programs".
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Security System Extension records events related to extension code being loaded by
the security subsystem.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Security State Change records events related to changes in the security state, such as
startup and shutdown of the system.
When a time synchronization tool executes, it may switch between time sources
according to network or server contention. If switches between time sources are not
logged, it may be difficult or impossible to detect malicious activity or availability
problems.
Anonymous access to network shares provides the potential for gaining unauthorized
system access by network users. This could lead to the exposure or corruption of
sensitive data.
Allowing anonymous access to named pipes or shares provides the potential for
unauthorized system access. This setting restricts access to those defined in
"Network access: Named Pipes that can be accessed anonymously" and "Network
access: Shares that can be accessed anonymously", both of which must be blank
under other requirements.
This setting controls the storage of passwords and credentials for network
authentication on the local system. Such credentials must not be stored on the local
machine, as that may lead to account compromise.
Allowing anonymous logon users (null session connections) to list all account names
and enumerate all shared resources can provide a map of potential points to attack
the system.
The registry is integral to the function, security, and stability of the Windows system.
Some processes may require remote access to the registry. This setting controls
which registry paths are accessible from a remote computer. These registry paths
must be limited, as they could give unauthorized individuals access to the registry.
Allowing anonymous access to the root DSE data on a directory server provides
potential attackers with a number of details about the configuration and data
contents of a directory. For example, the namingContexts attribute indicates the
directory space contained in the directory; the supportedLDAPVersion attribute
indicates which versions of the LDAP protocol the server supports; and the
supportedSASLMechanisms attribute indicates the names of supported
authentication mechanisms. An attacker with this information may be able to select
more precisely targeted attack tools or higher value targets.
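The difference between root DSE exposure (this entry) and anonymous read access to the data behind it (the earlier entry on anonymous access to directory data outside the root DSE) is easy to demonstrate with an unauthenticated LDAP client. The PowerShell below is an added example, not part of the page; `$dc` is a placeholder for a domain controller name and no credentials are supplied, so whatever comes back is what an attacker on the network would see.

```powershell
# Added example: see what an UNAUTHENTICATED client can read from a domain
# controller, first from the root DSE and then from the domain partition.
# $dc is an assumption; no credentials are supplied.
$dc   = 'dc01.example.com'
$anon = [System.DirectoryServices.AuthenticationTypes]::Anonymous
$rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/RootDSE", $null, $null, $anon)
foreach ($attr in 'namingContexts', 'defaultNamingContext', 'supportedLDAPVersion', 'supportedSASLMechanisms', 'dnsHostName') {
    $values = @($rootDse.Properties[$attr] | ForEach-Object { $_ })
    '{0,-24} {1}' -f $attr, $(if ($values) { $values -join '; ' } else { '<not returned>' })
}
# Active Directory serves the root DSE to anonymous clients by default; the more
# serious question is whether anything beyond it is readable. Try a small
# anonymous search of the domain partition.
$base     = [string]$rootDse.Properties['defaultNamingContext'][0]
$entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$base", $null, $null, $anon)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, '(objectClass=user)', @('sAMAccountName'))
$searcher.SizeLimit = 5
try {
    $hits = $searcher.FindAll()
    if ($hits.Count -gt 0) {
        "FINDING: anonymous search under $base returned $($hits.Count) objects (read access control is effectively disabled):"
        $hits | ForEach-Object { '  ' + $_.Path }
    } else {
        "OK: anonymous search under $base returned nothing"
    }
} catch {
    "OK: anonymous search under $base was refused ($($_.Exception.Message))"
}
```

Whether anonymous operations beyond the root DSE are permitted at all is governed by the seventh character of the dSHeuristics attribute on CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition; a value of 2 there enables them, and that attribute is the authoritative thing to check with an authenticated session after running the probe above.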
Inadequate log size will cause the log to fill up quickly and require frequent clearing
by administrative personnel.
Inadequate log size will cause the log to fill up quickly and require frequent clearing
by administrative personnel.
Improper access permissions for directory data files could allow unauthorized users
to read, modify, or delete directory data.
The SYSVOL directory contains public files (to the domain) such as policies and logon
scripts. Data in shared subdirectories are replicated to all domain controllers in a
domain.
Inadequate log size will cause the log to fill up quickly and require frequent clearing
by administrative personnel.
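The three event log permission entries and the three log size entries above can be checked together, because both the maximum size and the access control list of a log are exposed by the platform. The PowerShell below is an added example, not page content; the minimum sizes are assumptions to be replaced with the organization's values, while the access-mask bits are the event log object rights (0x1 read, 0x2 write, 0x4 clear). It decodes the channel SDDL with .NET rather than pattern-matching the string, so compound or numeric rights are handled the same way the system handles them.

```powershell
# Added example: check the size of the Application, Security and System logs and
# decode each log's access SDDL to see who can write to or clear it.
# Minimum sizes are ASSUMPTIONS; mask bits are the event log rights
# (0x1 = read, 0x2 = write, 0x4 = clear).
$minBytes = @{ Application = 32MB; Security = 196MB; System = 32MB }
$ELF_WRITE = 0x2; $ELF_CLEAR = 0x4
$mayClear  = @('S-1-5-18', 'S-1-5-32-544')      # SYSTEM, Administrators
foreach ($log in 'Application', 'Security', 'System') {
    $info = Get-WinEvent -ListLog $log
    $sizeOk = $info.MaximumSizeInBytes -ge $minBytes[$log]
    '{0}: max size {1:N0} bytes [{2}], retention mode {3}' -f $log, $info.MaximumSizeInBytes,
        $(if ($sizeOk) {'PASS'} else {'FAIL'}), $info.LogMode
    # wevtutil prints "channelAccess: <SDDL>"; let .NET parse the DACL
    $line = wevtutil gl $log | Where-Object { $_ -like 'channelAccess:*' } | Select-Object -First 1
    $sddl = ($line -split ':', 2)[1].Trim()
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid }
        $flag = ''
        if (($ace.AccessMask -band $ELF_CLEAR) -and $mayClear -notcontains $sid) {
            $flag = 'REVIEW: can clear the log'
        } elseif ($log -eq 'Security' -and ($ace.AccessMask -band $ELF_WRITE) -and $sid -ne 'S-1-5-18') {
            $flag = 'REVIEW: can write to the Security log'
        }
        '  {0,-40} mask 0x{1:X5}  {2}' -f $who, $ace.AccessMask, $flag
    }
}
```

Write access is only flagged for the Security log: applications and services legitimately write to the Application and System logs, so there the interesting question is who can clear them, whereas only the Local Security Authority should be writing security events.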
Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.
Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.
Uncontrolled system updates can introduce issues to a system. The system must be
configured to prevent Automatic Updates from being run unless directed to a DoD
Windows Server Update Services (WSUS) server.
Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.
Basic authentication uses plain text passwords that could be used to compromise a
system.
Digest authentication is not as strong as other options and may be subject to man-in-
the-middle attacks.
Basic authentication uses plain text passwords that could be used to compromise a
system.
Uncontrolled system updates can introduce issues to a system. The automatic check
for updates performed by Windows Media Player must be disabled to ensure a
constant platform and to prevent the introduction of unknown/untested software on
the system.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents users from being presented with Privacy and Installation options
on first use of Windows Media Player, which could enable some communication with
the vendor.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This check verifies that Windows Media DRM will be prevented from accessing the
Internet.
In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service
Tickets. Kerberos tickets have a limited lifetime, so the time an attacker has to
make use of a captured ticket is limited. This policy controls how long a TGT can be
renewed. With Kerberos, the user's initial authentication to the domain controller
results in a TGT, which is then used to request Service Tickets to resources. Upon
startup, each computer gets a TGT before requesting a service ticket to the domain
controller and any other computers it needs to access. For services that start under a
specified user account, that account must first obtain a TGT and then Service Tickets
for all computers and services accessed.
The server message block (SMB) protocol provides the basis for many network
operations. Digitally signed SMB packets aid in preventing man-in-the-middle
attacks. If this policy is enabled, the SMB client will only communicate with an SMB
server that performs SMB packet signing.
The server message block (SMB) protocol provides the basis for many network
operations. If this policy is enabled, the SMB client will request packet signing when
communicating with an SMB server that is enabled or required to perform SMB
packet signing.
Creating strong passwords that can be remembered by users requires some thought.
By giving the user advance warning, the user has time to construct a sufficiently
strong password. This setting configures the system to display a warning to users
telling them how many days are left before their password expires.
Failure to display the logon banner prior to a logon attempt can undermine legal
proceedings resulting from unauthorized access to system resources, because the user
was never put on notice of the monitoring and acceptable-use conditions.
Failure to display the logon banner prior to a logon attempt can undermine legal
proceedings resulting from unauthorized access to system resources, because the user
was never put on notice of the monitoring and acceptable-use conditions.
The account lockout feature, when enabled, prevents brute-force password attacks
on the system. The higher this value is, the less effective the account lockout feature
will be in protecting the local system. The number of bad logon attempts should be
reasonably small to minimize the possibility of a successful password attack, while
allowing for honest errors made during a normal user logon.
Unattended systems are susceptible to unauthorized use and should be locked when
unattended. The screen saver should be set at a maximum of 15 minutes and be
password protected. This protects critical and sensitive data from exposure to
unauthorized personnel with physical access to the computer.
Remote access to the Plug and Play interface could potentially allow connections by
unauthorized devices. This setting configures remote access to the Plug and Play
interface and must be disabled.
Uncontrolled system updates can introduce issues to a system. Obtaining update
components from an outside source may also potentially provide sensitive
information outside of the enterprise. Optional component installation or repair
must be obtained from an internal source.
Windows Connect Now provides wizards for tasks such as "Set up a wireless router or
access point" and must not be available to users. Functions such as these may allow
unauthorized connections to a system and the potential for sensitive information to
be compromised.
Windows Connect Now allows the discovery and configuration of devices over
wireless. Wireless devices must be managed. If a rogue device is connected to a
system, there is potential for sensitive information to be compromised.
IPv6 transition technologies (ISATAP, Teredo and 6to4) tunnel IPv6 packets inside
other protocols. Traffic inside such a tunnel is not visible to IPv4-based network
monitoring and filtering, so these tunnels must be disabled where they are not
deliberately in use.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting will prevent Windows from searching Windows Update for point and
print drivers. Only the local driver store and server driver cache will be searched.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents responsiveness events from being aggregated and sent to
Microsoft.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents the MSDT from communicating with and sending collected data
to Microsoft, the default support provider.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents users from searching troubleshooting content on Microsoft
servers. Only local content will be available.
Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC
server will prevent anonymous connections.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Audit directory service access records events related to users accessing an Active
Directory object.
Configuring RPC to require authentication to the RPC Endpoint Mapper will force
clients to provide authentication before RPC communication is established.
When directory service data files, especially for directories used for identification,
authentication, or authorization, reside on the same logical partition as user-owned
files, the directory service data may be more vulnerable to unauthorized access or
other availability compromises. Directory service and user-owned data files sharing a
partition may be configured with less restrictive permissions in order to allow access
to the user data.
The directory service may be vulnerable to a denial of service attack when user-
owned files on a common partition are expanded to an extent preventing the
directory service from acquiring more space for directory or audit data.
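The location of the directory database and log files, and of SYSVOL, is recorded in the registry by the directory service itself, so the "separate partition" and "data file permissions" entries above (this entry, the earlier directory data file permissions entry and the SYSVOL entry) can be checked from the same script. The PowerShell below is an added example, not page content; it assumes the locally logged-on profile root represents "user-owned files" and treats SYSTEM, Administrators and CREATOR OWNER as the expected principals on these paths (both assumptions).

```powershell
# Added example: confirm the AD database, its logs and SYSVOL are on a volume
# separate from the OS and user data, show free space (exhaustion = DoS), and
# list non-administrative principals with access to each path.
$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$sysvol  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
$paths = [ordered]@{
    'NTDS database' = Split-Path -Path $ntds.'DSA Database file' -Parent
    'NTDS logs'     = $ntds.'Database log files path'
    'SYSVOL'        = $sysvol
}
$sysDrive = $env:SystemDrive                              # e.g. C:
$userRoot = Split-Path -Path $env:USERPROFILE -Qualifier  # drive holding user profiles (assumption)
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
foreach ($name in $paths.Keys) {
    $path  = $paths[$name]
    $drive = Split-Path -Path $path -Qualifier
    $shared = ($drive -eq $sysDrive) -or ($drive -eq $userRoot)
    '{0,-14} {1,-45} volume {2} {3}' -f $name, $path, $drive,
        $(if ($shared) { 'REVIEW: shares a volume with the OS or user data' } else { 'OK: dedicated volume' })
    $vol = Get-PSDrive -Name $drive.TrimEnd(':') -ErrorAction SilentlyContinue
    if ($vol) { '               free space {0:N1} GB' -f ($vol.Free / 1GB) }
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -in $expected) { continue }
        '               {0,-35} {1,-12} {2}' -f $id, $ace.AccessControlType, $ace.FileSystemRights
    }
}
```

SYSVOL is expected to have broader read access (Authenticated Users read policies and logon scripts from it), so entries listed for it are normal unless they grant write; for the NTDS database and log directories anything beyond the expected principals is a finding to investigate.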
This setting determines the period of time (in days) during which a user's TGT may be
renewed. This security configuration limits the amount of time an attacker has to
crack the TGT and gain access.
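The Kerberos policy described in this entry and in the earlier ticket-lifetime entry lives in the domain's Default Domain Policy, whose security template is stored in SYSVOL. The PowerShell below is an added example, not page content; it reads that template directly (the GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known identifier of the Default Domain Policy) and compares the values with limits that are assumptions chosen for illustration. It assumes a domain-joined session, since it derives the SYSVOL path from `$env:USERDNSDOMAIN`.

```powershell
# Added example: read the domain Kerberos policy from the Default Domain Policy
# template in SYSVOL and compare it with example limits (ASSUMPTIONS).
$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # well-known GUID of Default Domain Policy
$domain  = $env:USERDNSDOMAIN                           # assumes a domain-joined session
$inf     = "\\$domain\SYSVOL\$domain\Policies\$gpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
$text    = Get-Content -Path $inf -Raw
function Get-KerbValue([string]$key) {
    # Keys live in the [Kerberos Policy] section as "Key = number"
    if ($text -match "(?m)^\s*$key\s*=\s*(-?\d+)") { [int]$Matches[1] } else { $null }
}
$limits = @(
  @{Key='MaxTicketAge';  Max=10;  Unit='hours';   Desc='Maximum lifetime for user ticket (TGT)'},
  @{Key='MaxRenewAge';   Max=7;   Unit='days';    Desc='Maximum lifetime for user ticket renewal'},
  @{Key='MaxServiceAge'; Max=600; Unit='minutes'; Desc='Maximum lifetime for service ticket'},
  @{Key='MaxClockSkew';  Max=5;   Unit='minutes'; Desc='Maximum tolerance for computer clock synchronization'}
)
foreach ($l in $limits) {
    $v  = Get-KerbValue $l.Key
    $ok = ($null -ne $v) -and ($v -ge 1) -and ($v -le $l.Max)   # 0 or absent = not constrained
    '{0} {1,-14} = {2,-8} (limit {3} {4}) {5}' -f $(if ($ok) {'PASS'} else {'FAIL'}), $l.Key,
        $(if ($null -eq $v) {'<absent>'} else {$v}), $l.Max, $l.Unit, $l.Desc
}
$validate = Get-KerbValue 'TicketValidateClient'
'{0} {1,-14} = {2,-8} Enforce user logon restrictions' -f $(if ($validate -eq 1) {'PASS'} else {'FAIL'}), 'TicketValidateClient', $(if ($null -eq $validate) {'<absent>'} else {$validate})
```

If another GPO linked at the domain level overrides these values, the template above is not the effective policy; `klist tgt` on a client shows the lifetimes actually granted and is the quickest cross-check.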
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Audit directory service changes records events related to changes made to objects in
Active Directory Domain Services.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Logon records user logons. If this is an interactive logon, it is recorded on the local
system. If it is to a network share, it is recorded on the system accessed.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local
system. If it is to a network share, it is recorded on the system accessed.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Logon records user logons. If this is an interactive logon, it is recorded on the local
system. If it is to a network share, it is recorded on the system accessed.
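All of the audit subcategories discussed on this page (File System, Handle Manipulation, Central Access Policy Staging, IPsec Driver, Security State Change, Security System Extension, Sensitive Privilege Use, Directory Service Access, Directory Service Changes, Logon and Logoff) can be compared against a baseline in one pass using auditpol's CSV output. The PowerShell below is an added example, not page content; the expected settings are assumptions for illustration (the page does not state them), the script must run elevated, and the subcategory names are the English ones that auditpol prints, so they will need translating on a localized system.

```powershell
# Added example: compare the effective advanced audit policy with an expected
# baseline using auditpol's CSV output. Expected values are ASSUMPTIONS.
$expected = [ordered]@{
    'Security State Change'     = 'Success and Failure'
    'Security System Extension' = 'Success and Failure'
    'IPsec Driver'              = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Success and Failure'
    'File System'               = 'Success and Failure'
    'Handle Manipulation'       = 'Success and Failure'
    'Central Policy Staging'    = 'Success and Failure'
    'Directory Service Access'  = 'Success and Failure'
    'Directory Service Changes' = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
}
# /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$rows = auditpol /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
foreach ($sub in $expected.Keys) {
    $row    = $rows | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
    $actual = if ($row) { $row.'Inclusion Setting' } else { '<subcategory not found>' }
    $ok     = $actual -eq $expected[$sub]
    '{0} {1,-26} expected [{2,-19}] actual [{3}]' -f $(if ($ok) {'PASS'} else {'FAIL'}), $sub, $expected[$sub], $actual
}

# Subcategory auditing is only half of it: an object produces File System events
# only if it carries a SACL. $sample is an assumption; substitute a path of interest.
$sample = 'C:\Windows\NTDS'
$sacl = @((Get-Acl -Path $sample -Audit).Audit)
if ($sacl.Count -eq 0) {
    "WARN: $sample has no audit entries; File System auditing will generate nothing for it"
} else {
    $sacl | ForEach-Object { '  {0,-18} {1,-30} {2}' -f $_.AuditFlags, $_.IdentityReference, $_.FileSystemRights }
}
```

Because auditpol reports the effective policy, a FAIL here after Group Policy has been applied usually means the GPO setting lost to a local override or that the legacy nine-category policy is still in force; enabling "Audit: Force audit policy subcategory settings to override audit policy category settings" resolves the latter.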
NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may
gain unauthorized access.
The lack of synchronized time could lead to audit log data that is misleading,
inconclusive, or unusable. In cases of intrusion this may invalidate the audit data as a
source of forensic evidence in an incident investigation.
In AD, the lack of synchronized time could prevent clients from logging on or
accessing server resources as a result of Kerberos requirements related to time
variance.
Windows includes two network-sharing security models, Classic and Guest only. With
the Guest only model every network logon is mapped to the Guest account, so access to
shared resources cannot be tied to individual users. With the Classic model, network
users authenticate as themselves, so local accounts must be password protected;
otherwise, anyone can use those accounts as guest-equivalent accounts to access shared
system resources.
Services using Local System that use Negotiate when reverting to NTLM
authentication may gain unauthorized access if allowed to authenticate anonymously
vs. using the computer identity.
Limiting logon hours can help protect data by only allowing access during specified
times. This setting controls whether or not users are forced to log off when their
allowed logon hours expire. If logon hours are set for users, this must be enforced.
Certain encryption types are no longer considered secure. This setting configures the
encryption types allowed for Kerberos and must exclude the DES cipher suites
(DES_CBC_CRC and DES_CBC_MD5).
The LAN Manager (LM) hash uses a weak algorithm: the password is upper-cased, padded or
truncated to 14 characters, split into two 7-character halves, and each half is used as
a DES key to encrypt a fixed string, so the two halves can be attacked independently
over a small character set. Several freely available tools use this hash to recover
account passwords. This setting controls whether or not a LAN Manager hash of the
password is stored in the SAM the next time the password is changed.
This setting controls the signing requirements for LDAP clients. This setting must be
set to Negotiate signing or Require signing, depending on the environment and type
of LDAP server in use.
Microsoft has implemented a variety of security support providers for use with RPC
sessions. The minimum session security options for NTLM SSP-based clients and servers
(require NTLMv2 session security and require 128-bit encryption) must all be enabled to
ensure the maximum security level.
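Most of the security options discussed on this page (secure channel signing and encryption, hiding the last user name, the anonymous access and null session restrictions, credential storage, LM hash storage, the NTLM and null session fallback settings, SMB client signing, LDAP client signing, the RPC restrictions, Kerberos encryption types and the NTLM minimum session security just described) are backed by registry values that Group Policy writes. The PowerShell below is an added example, not page content; the paths and value names are the documented ones, but the expected values are assumptions for illustration and a value that is absent is reported as a failure so that the OS default in force gets reviewed rather than assumed.

```powershell
# Added example: read the registry values behind the security options discussed
# above and compare them with an expected value. Expected values are ASSUMPTIONS.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$nl  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$checks = @(
  @{Path=$nl;             Name='RequireSignOrSeal';         Want=1; Desc='Domain member: Digitally encrypt or sign secure channel data (always)'},
  @{Path=$nl;             Name='SealSecureChannel';         Want=1; Desc='Domain member: Digitally encrypt secure channel data (when possible)'},
  @{Path=$nl;             Name='SignSecureChannel';         Want=1; Desc='Domain member: Digitally sign secure channel data (when possible)'},
  @{Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DontDisplayLastUserName'; Want=1; Desc='Interactive logon: Do not display last user name'},
  @{Path=$lsa;            Name='RestrictAnonymousSAM';      Want=1; Desc='Do not allow anonymous enumeration of SAM accounts'},
  @{Path=$lsa;            Name='RestrictAnonymous';         Want=1; Desc='Do not allow anonymous enumeration of SAM accounts and shares'},
  @{Path=$lsa;            Name='EveryoneIncludesAnonymous'; Want=0; Desc='Let Everyone permissions apply to anonymous users (off)'},
  @{Path=$lsa;            Name='DisableDomainCreds';        Want=1; Desc='Do not allow storage of passwords and credentials for network authentication'},
  @{Path=$lsa;            Name='NoLMHash';                  Want=1; Desc='Do not store LAN Manager hash value on next password change'},
  @{Path=$lsa;            Name='UseMachineId';              Want=1; Desc='Allow Local System to use computer identity for NTLM'},
  @{Path="$lsa\MSV1_0";   Name='allownullsessionfallback';  Want=0; Desc='Allow LocalSystem NULL session fallback (off)'},
  @{Path="$lsa\MSV1_0";   Name='NTLMMinClientSec';          Want=0x20080000; Desc='Minimum session security for NTLM SSP clients (NTLMv2 + 128-bit)'},
  @{Path="$lsa\MSV1_0";   Name='NTLMMinServerSec';          Want=0x20080000; Desc='Minimum session security for NTLM SSP servers (NTLMv2 + 128-bit)'},
  @{Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name='RestrictNullSessAccess';   Want=1; Desc='Restrict anonymous access to Named Pipes and Shares'},
  @{Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='RequireSecuritySignature'; Want=1; Desc='Microsoft network client: Digitally sign communications (always)'},
  @{Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='EnableSecuritySignature';  Want=1; Desc='Microsoft network client: Digitally sign communications (if server agrees)'},
  @{Path='HKLM:\SYSTEM\CurrentControlSet\Services\LDAP';                         Name='LDAPClientIntegrity';      Want=@(1,2); Desc='LDAP client signing requirements (1 = Negotiate, 2 = Require)'},
  @{Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'; Name='RestrictRemoteClients';  Want=1; Desc='Restrict unauthenticated RPC clients'},
  @{Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'; Name='EnableAuthEpResolution'; Want=1; Desc='Enable RPC Endpoint Mapper client authentication'}
)
foreach ($c in $checks) {
    $actual = $null
    try { $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name) } catch { }
    $ok = ($null -ne $actual) -and (@($c.Want) -contains $actual)
    '{0} {1,-26} = {2,-10} want {3,-10} {4}' -f $(if ($ok) {'PASS'} else {'FAIL'}), $c.Name,
        $(if ($null -eq $actual) {'<absent>'} else {$actual}), (@($c.Want) -join '|'), $c.Desc
}
# Multi-string lists that must be empty (named pipes / shares reachable anonymously)
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($n in 'NullSessionPipes', 'NullSessionShares') {
    $v = @((Get-ItemProperty -Path $srv -Name $n -ErrorAction SilentlyContinue).$n | Where-Object { $_ })
    '{0} {1,-26} = {2}' -f $(if ($v.Count -eq 0) {'PASS'} else {'FAIL'}), $n, $(if ($v) { $v -join ', ' } else { '<empty>' })
}
# Kerberos: bits 0 and 1 of SupportedEncryptionTypes are DES_CBC_CRC / DES_CBC_MD5
$kp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$types = (Get-ItemProperty -Path $kp -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $types) {
    'FAIL SupportedEncryptionTypes not configured by policy (DES not explicitly disabled)'
} else {
    $desClear = ($types -band 3) -eq 0
    '{0} SupportedEncryptionTypes = 0x{1:X} (DES bits {2})' -f $(if ($desClear) {'PASS'} else {'FAIL'}), $types, $(if ($desClear) {'clear'} else {'set'})
}
```

Reading the registry shows what is configured on the host, not what is negotiated on the wire; for the signing settings in particular, a packet capture of a secure channel or SMB session is the only proof that the peer actually honoured the requirement.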
Standard user accounts must not be granted elevated privileges. Enabling Windows
Installer to elevate privileges when installing applications can allow malicious persons
and applications to gain full control of a system.
Users must be aware of attempted program installations. This setting ensures users
are notified if a web-based program attempts to install software.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents additional data requests in response to Error Reporting.
Installation options for applications are typically controlled by administrators. This
setting prevents users from changing installation options that may bypass security
features.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. This setting ensures that Error Reporting events
will be logged in the system event log.
Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.
The "Replace a process level token" user right allows one process or service to start
another process or service with a different security access token. A user with this
right could use this to impersonate another account.
This setting disables Microsoft Active Protection Service membership and reporting.
Accounts with the "Modify firmware environment values" user right can change
hardware configuration environment variables. This could result in hardware failures
or a DoS.
Accounts with the "Perform volume maintenance tasks" user right can manage
volume and disk configurations. They could potentially delete volumes, resulting in
data loss or a DoS.
Accounts with the "Profile single process" user right can monitor the performance of
nonsystem processes. An attacker could potentially use this to identify processes to
attack.
Accounts with the "Profile system performance" user right can monitor the performance of
system processes. An attacker could potentially use this to identify processes to attack.
The "Log on as a batch job" user right allows accounts to log on using the task
scheduler service, which must be restricted.
Accounts with the "Manage auditing and security log" user right can manage the
security log and change auditing configurations. This could be used to clear evidence
of tampering.
Notifying a user whether cached credentials were used may make them aware of
connection issues.
Inadequate log size will cause the log to fill up quickly and require frequent clearing
by administrative personnel.
The "Deny access to this computer from the network" user right defines the accounts
that are prevented from logging on from the network.
The Guests group must be assigned this right to prevent unauthenticated access.
This setting will prevent Windows from retrieving device metadata from the Internet.
This setting will prevent Windows from sending an error report to Microsoft when a
device driver requests additional software during installation.
This setting prevents an error report from being sent when a generic device driver is
installed.
This setting prevents users from being prompted to search Windows Update for
device drivers.
This setting will prevent the system from searching Windows Update for device
drivers.
Enabling this setting and then selecting the "Process even if the Group Policy objects
have not changed" option ensures that the policies will be reprocessed even if none
have been changed. This way, any unauthorized changes are forced to match the
domain-based group policy settings again.
If this setting is enabled, then Group Policy settings are not refreshed while a user is
currently logged on. This could lead to instances when a user does not have the
latest changes to a policy applied and is therefore operating in an insecure context.
Uncontrolled system updates can introduce issues to a system. This setting will
prevent users from applying vendor-signed updates (though they may be from a
trusted source).
The "Load and unload device drivers" user right allows device drivers to dynamically
be loaded on a system by a user. This could potentially be used to install malicious
code by an attacker.
Accounts with the "Modify an object label" user right can change the integrity label
of an object. This could potentially be used to execute code at a higher privilege.
Some features may send system information to the vendor. Turning off this capability
will prevent potentially sensitive information from being sent outside the enterprise.
Changing the system's file and directory permissions allows the possibility of
unauthorized and anonymous modification to the operating system and installed
applications.
The default permissions are adequate when the Security Option "Network access: Let
everyone permissions apply to anonymous users" is set to "Disabled" (V-3377).
The ability to set access permissions and auditing is critical to maintaining the
security and proper access controls of a system. To support this, volumes must be
formatted using the NTFS file system.
Virus scan programs are a primary line of defense against the introduction of viruses
and malicious code that can destroy data and even render a computer inoperable.
Utilizing a virus scan program provides the ability to detect malicious code before
extensive damage occurs.
Virus scan programs are a primary line of defense against the introduction of viruses
and malicious code that can destroy data and even render a computer inoperable.
Utilizing the virus scan program provides the ability to detect malicious code before
extensive damage occurs. Updated virus scan data files help protect a system, as
new malware is identified by the software vendors on a regular basis.
When inappropriate audit settings are configured for directory service database
objects, it may be possible for a user or process to update the data without
generating any tracking data. The impact of missing audit data is related to the type
of object. A failure to capture audit data for objects used by identification,
authentication, or authorization functions could degrade or eliminate the ability to
track changes to access policy for systems or data.
For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes
Group Policy objects. Because changes to these objects can significantly impact
access controls or the availability of systems, the absence of auditing data makes it
impossible to identify the source of changes that impact the confidentiality, integrity,
and availability of data and systems throughout an AD domain. The lack of proper
auditing can result in insufficient forensic evidence needed to investigate an incident
and prosecute the intruder.
Systems at unsupported service packs or releases will not receive security updates
for new vulnerabilities, which leaves them subject to exploitation. Systems must be
maintained at a service pack level supported by the vendor with new security
updates.
Passwords must contain a case-sensitive character mix with at least one of each of
the following: uppercase letters, lowercase letters, numbers, and special characters.
Sites are responsible for installing password complexity software that complies with
current DoD requirements.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
For Active Directory (AD), the Group Policy objects require special attention. In a
distributed administration model (i.e., help desk), Group Policy objects are more
likely to have access permissions changed from the secure defaults. If inappropriate
access permissions are defined for Group Policy Objects, this could allow an intruder
to change the security policy applied to all domain client computers (workstations
and servers).
Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.
The shell protocol will limit the set of folders applications can open when run in
protected mode. Restricting files an application can open to a limited set of folders
increases the security of Windows.
Legacy plug-in applications may continue to function when a File Explorer session has
become corrupt. Disabling this feature will prevent this.
Saving passwords in the Remote Desktop Client could allow an unauthorized user to
establish a remote desktop session to another system. The system must be
configured to prevent users from saving passwords in the Remote Desktop Client.
The location service on systems may allow sensitive data to be used by applications
on the system. This should be turned off unless explicitly allowed for approved
systems/applications.
This setting controls the ability of users to supply passwords automatically as part of
their remote desktop connection. Disabling this setting would allow anyone to use
the stored credentials in a connection item to connect to the terminal server.
Preventing users from sharing the local drives on their client computers to Remote
Session Hosts that they access helps reduce possible exposure of sensitive data.
Allowing ICMP redirect of routes can lead to traffic not being routed properly. When
disabled, this forces ICMP to be routed via shortest path first.
Accounts with the "Add workstations to domain" right may add computers to a
domain. This could result in unapproved or incorrectly configured systems being
added to a domain.
If a service principal name (SPN) is provided by the client, it is validated against the
server's list of SPNs. Implementation may disrupt file and print sharing capabilities.
Users must not be permitted to remain logged on to the network after they have
exceeded their permitted logon hours. In many cases, this indicates that a user
forgot to log off before leaving for the day. However, it may also indicate that a user
is attempting unauthorized access at a time when the system may be less closely
monitored. Forcibly disconnecting users when logon hours expire protects critical
and sensitive network data from exposure to unauthorized personnel with physical
access to the computer.
Configuring the system to disable IPv6 source routing protects against spoofing.
Allowing a system to automatically log on when the machine is booted could give
access to any unauthorized individual who restarts the computer. Automatic logon
with administrator privileges would give full access to an unauthorized individual.
Open sessions can increase the avenues of attack on a system. This setting is used to
control when a computer disconnects an inactive SMB session. If client activity
resumes, the session is automatically reestablished. This protects critical and
sensitive network data from exposure to unauthorized personnel with physical access
to the computer.
Some non-Microsoft SMB servers only support unencrypted (plain text) password
authentication. Sending plain text passwords across the network, when
authenticating to an SMB server, reduces the overall security of the environment.
Check with the vendor of the SMB server to see if there is a way to support
encrypted password authentication.
The server message block (SMB) protocol provides the basis for many network
operations. Digitally signed SMB packets aid in preventing man-in-the-middle
attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as
requested by the client.
The server message block (SMB) protocol provides the basis for many network
operations. Digitally signed SMB packets aid in preventing man-in-the-middle
attacks. If this policy is enabled, the SMB server will only communicate with an SMB
client that performs SMB packet signing.
This setting determines the maximum time difference (in minutes) that Kerberos will
tolerate between the time on a client's clock and the time on a server's clock while
still considering the two clocks synchronous. In order to prevent replay attacks,
Kerberos uses timestamps as part of its protocol definition. For timestamps to work
properly, the clocks of the client and the server need to be in sync as much as
possible.
Improper access permissions for directory data related files could allow unauthorized
users to read, modify, or delete directory data or audit trails.
Accounts with the "Increase scheduling priority" user right can change a scheduling
priority causing performance issues or a DoS.
Enabling trusted app installation allows for enterprise line of business Windows 8
type apps. A trusted app package is one that is signed with a certificate chain that
can be successfully validated in the enterprise. Configuring this ensures enterprise
line of business apps are accessible.
For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes the
RID Manager$ object. Because changes to these objects can significantly impact
access controls or the availability of systems, the absence of auditing data makes it
impossible to identify the source of changes that impact the confidentiality, integrity,
and availability of data and systems throughout an AD domain. The lack of proper
auditing can result in insufficient forensic evidence needed to investigate an incident
and prosecute the intruder.
For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes the
Domain object. Because changes to these objects can significantly impact access
controls or the availability of systems, the absence of auditing data makes it
impossible to identify the source of changes that impact the confidentiality, integrity,
and availability of data and systems throughout an AD domain. The lack of proper
auditing can result in insufficient forensic evidence needed to investigate an incident
and prosecute the intruder.
Other Account Management Events records events such as the access of a password
hash or the Password Policy Checking API being called.
Special Logon records special logons which have administrative privileges and can be
used to elevate processes.
Central Access Policy Staging auditing under Object Access is used to enable the
recording of events related to differences in permissions between central access
policies and proposed policies.
The "Enable computer and user accounts to be trusted for delegation" user right
allows the "Trusted for Delegation" setting to be changed. This could potentially
allow unauthorized users to impersonate other users.
If this option is enabled, the Recovery Console does not require a password and
automatically logs on to the system. This could allow unauthorized administrative
access to the system.
Displaying the shutdown button may allow individuals to shut down a system
anonymously. Only authenticated users should be allowed to shut down the system.
Preventing display of this button in the logon dialog box ensures that individuals who
shut down the system are authorized and tracked in the system's Security event log.
The Recovery Console SET command allows environment variables to be set in the
Recovery Console. This permits access to all drives and folders and the copying of
files to removable media, which could expose sensitive information.
This setting controls the behavior of non-Windows subsystems when dealing with the
case of arguments or commands. Case sensitivity could lead to the access of files or
commands that must be restricted. To prevent this, case insensitivity must be enforced
for all subsystems.
This setting ensures that the system uses algorithms that are FIPS-compliant for
encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards
established by the U.S. Government and must be the algorithms used for all OS
encryption functions.
This policy setting determines whether the Kerberos Key Distribution Center (KDC)
validates every request for a session ticket against the user rights policy of the target
computer. The policy is enabled by default, which is the most secure setting, ensuring
that validation of access to target resources is not circumvented.
Windows systems maintain a global list of shared system resources such as DOS
device names, mutexes, and semaphores. Each type of object is created with a
default DACL that specifies who can access the objects with what permissions. If this
policy is enabled, the default DACL is stronger, allowing nonadministrative users to
read shared objects, but not modify shared objects that they did not create.
User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting controls
the behavior of elevation when requested by a standard user account.
User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting
configures the elevation requirements for logged on administrators to complete a
task that requires raised privileges.
Enabling this setting on all domain controllers in a domain prevents domain members
from changing their computer account passwords. If these passwords are weak or
compromised, the inability to change them may leave these computers vulnerable.
Attachments from RSS feeds may not be secure. This setting will prevent
attachments from being downloaded from RSS feeds.
If a communal temporary folder is used for remote desktop sessions, it might be
possible for users to access other users' temporary folders. If this setting is enabled,
only one temporary folder is used for all remote desktop sessions. Per session
temporary folders must be established.
The "Lock pages in memory" user right allows physical memory to be assigned to
processes, which could cause performance issues or a DoS.
Basic authentication uses plain text passwords that could be used to compromise a
system.
This setting controls how long a session may be idle before it is automatically
disconnected from the server. Users must disconnect if they plan on being away
from their terminals for extended periods of time. Idle sessions must be
disconnected after 15 minutes.
Remote desktop session temporary folders must always be deleted after a session is
over to prevent hard disk clutter and potential leakage of information. This setting
controls the deletion of the temporary folders when the session is terminated.
This setting controls how long a session will remain open if it is unexpectedly
terminated. Such sessions use system resources and must be terminated as soon as
possible.
Accounts with the "Force shutdown from a remote system" user right can remotely
shut down a system, which could result in a DoS.
Accounts with the "Increase a process working set" user right can change the size of
a process's working set, potentially causing performance issues or a DoS.
The "Generate security audits" user right specifies users and processes that can
generate Security Log audit records, which must only be the system service accounts
defined.
For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes the
Domain Controller OU object. Because changes to these objects can significantly
impact access controls or the availability of systems, the absence of auditing data
makes it impossible to identify the source of changes that impact the confidentiality,
integrity, and availability of data and systems throughout an AD domain. The lack of
proper auditing can result in insufficient forensic evidence needed to investigate an
incident and prosecute the intruder.
Accounts with the "Access this computer from the network" right may access
resources on the system and should be limited to those requiring it.
Permissions on the Winlogon registry key must only allow privileged accounts to
change registry values. If standard users have this capability, there is a potential for
programs to run with elevated privileges when a privileged user logs on to the
system.
A compromised local administrator account can provide means for an attacker to
move laterally between domain systems.
With User Account Control enabled, filtering the privileged token for local
administrator accounts will prevent the elevated privileges of these accounts from
being used over the network.
Permissions on the Active Setup\Installed Components registry key must only allow
privileged accounts to add or change registry values. If standard user accounts have
this capability, there is a potential for programs to run with elevated privileges when
a privileged user logs on to the system.
The registry is integral to the function, security, and stability of the Windows system.
Some processes may require anonymous access to the registry. This must be limited
to properly protect the system.
This setting determines the maximum amount of time (in minutes) that a granted
session ticket can be used to access a particular service. Session tickets are used only
to authenticate new connections with servers. Ongoing operations are not
interrupted if the session ticket used to authenticate the connection expires during
the connection.
Viewing events is a function of administrators, who must not access the Internet with
privileged accounts. This setting will disable Events.asp hyperlinks in Event Viewer to
prevent links to the Internet from within events.
This setting prevents the computer from downloading print driver packages over
HTTP.
This setting prevents errors in handwriting recognition on tablet PCs from being
reported to Microsoft.
This setting prevents Windows from downloading a list of providers for the Web
publishing and online ordering wizards.
This setting prevents the Internet Connection Wizard from downloading a list of
Internet Service Providers (ISPs) from Microsoft.
Printing over HTTP allows the computer to print to printers on the intranet as well as
the Internet. This setting prevents the client computer from printing over HTTP.
This setting prevents unhandled file associations from using the Microsoft Web
service to find an application.
Executing application servers on the same host machine with a directory server may
substantially weaken the security of the directory server. Web or database server
applications usually require the addition of many programs and accounts increasing
the attack surface of the computer.
The "Deny log on as a batch job" user right defines accounts that are prevented from
logging on to the system as a batch job, such as Task Scheduler.
The lack of password protection enables anyone to gain access to the information
system, which opens a backdoor opportunity for intruders to compromise the system
as well as other resources. Accounts on a system must require passwords.
Virtual guest operating systems share the same vulnerabilities as operating systems
running on dedicated hardware and must be individually assessed for security
guidance compliance. The VMS used may be DISA VMS or a similar vulnerability and
asset management system.
Allowing a system to boot into multiple operating systems (dual-booting) may allow
security to be circumvented on a secure system.
To minimize potential points of attack, local users, other than built-in accounts such
as Administrator and Guest accounts, must not exist on a workstation in a domain.
Users must log on to workstations in a domain with their domain accounts.
Windows shares are a means by which files, folders, printers, and other resources
can be published for network users to access. Improper configuration can permit
access to devices and data beyond a user's need.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting ensures users cannot provide ratings feedback to Microsoft for Help
content.
The Windows Push Notification Service (WNS) allows third-party vendors to send
updates for toasts, tiles, and badges.
Unattended systems are susceptible to unauthorized use and must be locked when
unattended. Enabling a password-protected screen saver to engage after a specified
period of time helps protect critical and sensitive data from exposure to
unauthorized personnel with physical access to the computer.
Using applications that access the Internet or have potential Internet sources using
administrative privileges exposes a system to compromise. If a flaw in an application
is exploited while running as a privileged user, the entire system could be
compromised. Web browsers and email are common attack vectors for introducing
malicious code and must not be run with an administrative user account.
Since administrative user accounts can generally change or work around technical
restrictions on running a web browser or other applications, it is essential that policy
requires administrative users not to access the Internet or use applications such as
email.
The policy should define specific exceptions for local service administration. These
exceptions may include HTTP(S)-based tools that are used for the administration of
the local system, services, or attached devices.
Backup Operators are able to read and write to any file in the system, regardless of
the rights assigned to it. Backup and restore rights permit users to circumvent the
file access restrictions present on NTFS disk drives for backup and restore purposes.
Members of the Backup Operators group must have separate logon accounts for
performing backup duties.
A system's BIOS or system controller handles the initial startup of a system, and its
configuration must be protected from unauthorized modification. When the BIOS or
system controller supports the creation of user accounts or passwords, such
protections must be used and accounts/passwords only assigned to system
administrators. Failure to protect BIOS or system controller settings could result in
Denial of Service or compromise of the system resulting from unauthorized
configuration changes.
Malicious users with removable boot media can gain access to a system configured to
use removable media as the boot loader.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Computer Account Management records events such as creating, changing, deleting,
renaming, disabling, or enabling computer accounts.
Inadequate physical protection can undermine all other security precautions utilized
to protect the system. This can jeopardize the confidentiality, availability, and
integrity of the system. Physical security is the first line of protection of any system.
If SAs are assigned to systems running operating systems for which they have no
training, these systems are at additional risk of unintentional misconfiguration that
may result in vulnerabilities or decreased availability of the system.
The longer a password is in use, the greater the opportunity for someone to gain
unauthorized knowledge of the password. Passwords for the built-in Administrator
account must be changed at least annually or when any member of the
administrative team leaves the organization.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Other Account Management Events records events such as the access of a password
hash or the Password Policy Checking API being called.
The "Deny log on as a service" user right defines accounts that are prevented from
logging on to the system as a service.
Incorrect configurations could prevent services from starting and result in a DoS.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Registry auditing under Object Access is used to enable the recording of events
related to the access and changing of the registry. Auditing must also be enabled on
the specific registry objects to be audited.
Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Removable Storage auditing under Object Access records events related to access
attempts on file system objects on removable storage devices.
Recommendation
Ensure the following services that are critical for directory server
operation are configured for automatic startup.
Guests Group
Guests Group
Administrators
Service
Local Service
Network Service
Administrators
Local Service
Administrators
Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Debug programs" to only include the following accounts or groups:
Administrators
Administrators
Principal: Everyone
Type: Fail
Permissions: all categories selected
Principal: Everyone
Type: Fail
Permissions: all categories selected
(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)
Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(ScreenSaverGracePeriod) The time in seconds before the screen saver
grace period expires (0 recommended)" to "5" or less.
(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)
Configure the Startup Type for the Smart Card Removal Policy service to
"Automatic".
Configure all user accounts, including administrator accounts, in Active
Directory to enable the option "Smart card is required for interactive
logon".
Domain Admins - Read, Write, Create all child objects, Generate resultant
set of policy (logging), Generate resultant set of policy (planning), Special
permissions
Note: "IPHTTPS URL:" must be entered in the policy even if set to Disabled
State. Enter "about:blank".
Administrators
Administrators
Obtain PKI certificates issued by the DoD PKI or an approved External
Certificate Authority (ECA).
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object only
The success types listed below are defaults. Where Special is listed in the
summary screens for Access, detailed Permissions are provided for
reference, various Properties selections may also exist by default.
Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Write all properties, Modify permissions, Modify
owner)
For AD, there are multiple configuration items that could enable
anonymous access.
If the location of the logs has been changed, when adding Eventlog to the
permissions, it must be entered as "NT Service\Eventlog".
Establish a policy that will ensure the retention of SAMI audit data for at
least five years. Ensure the audit retention policy is implemented.
Establish a policy that will ensure the retention of audit data for at least
one year. Ensure the audit retention policy is implemented.
Administrators
Local Service
Network Service
Administrators
Administrators
Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Change the system time" to only include the following accounts or
groups:
Administrators
Local Service
Administrators
Authenticated Users
Local Service
Network Service
Window Manager\Window Manager Group
Install EMET V4.0 or later on the system. EMET is available for download
from Microsoft.
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
The success types listed below are defaults. Where Special is listed in the
summary screens for Access, detailed Permissions are provided for
reference, various Properties selections may also exist by default.
Type - Success
Principal - Everyone
Access - Special
Inherited from - None
(Access - Special = Permissions: Write all properties, All extended rights,
Change infrastructure master)
Ensure the policy value for Computer Configuration -> Windows Settings
-> Security Settings -> Local Policies -> Security Options -> "Network
access: Shares that can be accessed anonymously" contains no entries
(blank).
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Perflib
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
System\CurrentControlSet\Services\Eventlog
System\CurrentControlSet\Services\Sysmonlog
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
Type - Allow
Principal - Authenticated Users
Access - Read & execute
Inherited from - None
Applies to - This folder, subfolder and files
Type - Allow
Principal - Server Operators
Access - Read & execute
Inherited from - None
Applies to - This folder, subfolder and files
Type - Allow
Principal - Administrators
Access - Special
Inherited from - None
Applies to - This folder only
(Access - Special - Basic Permissions: all selected except Full control)
Type - Allow
Principal - CREATOR OWNER
Access - Full control
Inherited from - None
Applies to - Subfolders and files only
Type - Allow
Principal - Administrators
Access - Full control
Inherited from - None
Applies to - Subfolders and files only
Type - Allow
Principal - SYSTEM
Access - Full control
Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Event Log Service -> System ->
"Specify the maximum log size (KB)" to at minimum "Enabled:32768".
EMET 4.0
Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> EMET -> "Default Protections for
Recommended Software" to "Enabled".
EMET 4.0
Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> EMET -> "Default Protections for
Popular Software" to "Enabled".
If the site is using a DoD WSUS server to distribute software updates, the
policy setting to configure the WSUS URL is Computer Configuration ->
Administrative Templates -> Windows Components -> Windows Update ->
"Specify intranet Microsoft update service location".
Configure the policy value in the Default Domain Policy for Computer
Configuration -> Policies -> Windows Settings -> Security Settings ->
Account Policies -> Kerberos Policy -> "Maximum lifetime for user ticket"
to a maximum of 10 hours, but not 0 which equates to "Ticket doesn't
expire".
You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent
to the following conditions:
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are
subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
Configure the policy value in the Default Domain Policy for Computer
Configuration -> Policies -> Windows Settings -> Security Settings ->
Account Policies -> Kerberos Policy -> "Maximum lifetime for user ticket
renewal" to a maximum of 7 days or less.
Registry Path:
\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\
Value Name: Enabled
Type: REG_DWORD
Value: 1
DES_CBC_CRC
DES_CBC_MD5
If the policy for Computer Configuration -> Windows Settings -> Security
Settings -> Local Policies -> Security Options -> "Network security:
Configure encryption types allowed for Kerberos" is configured, only the
following selections are allowed:
RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
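The policy above is stored as a bitmask, so a compliance check has to decode it rather than compare a single number. The following PowerShell is an added example, not part of the STIG text; it assumes the policy-backed registry value (SupportedEncryptionTypes, REG_DWORD, under the Policies\System\Kerberos\Parameters key) and the documented bit values for each encryption type, and it reports any enabled type that is outside the allowed set listed above.

```powershell
# Added example (not from the STIG): decode "Network security: Configure
# encryption types allowed for Kerberos" and flag types the STIG does not allow.
# Assumption: the policy is read from its standard policy registry location and
# the bit values below follow Microsoft's documented encoding of the setting.

$KerberosEtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

# Selections the STIG permits when the policy is configured (taken from the text above).
$AllowedTypes = @('RC4_HMAC_MD5', 'AES128_HMAC_SHA1', 'AES256_HMAC_SHA1', 'Future encryption types')

function Get-KerberosEtypeNames {
    # Return the names of every encryption type whose bit is set in $Mask.
    param([Parameter(Mandatory)][uint32]$Mask)
    foreach ($entry in $KerberosEtypeBits.GetEnumerator()) {
        if (($Mask -band $entry.Value) -ne 0) { $entry.Key }
    }
}

function Test-KerberosEtypePolicy {
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters',
        [string]$ValueName = 'SupportedEncryptionTypes'
    )
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Policy not configured: the STIG restriction only applies when it is set.
        return [pscustomobject]@{
            Configured = $false; Mask = $null; Enabled = @(); Disallowed = @(); Compliant = $true
        }
    }
    # REG_DWORD comes back as a signed Int32; re-interpret it as unsigned before masking.
    $mask       = [uint32](([int64]$item.$ValueName) -band 0xFFFFFFFF)
    $enabled    = @(Get-KerberosEtypeNames -Mask $mask)
    $disallowed = @($enabled | Where-Object { $_ -notin $AllowedTypes })
    [pscustomobject]@{
        Configured = $true
        Mask       = ('0x{0:X8}' -f $mask)
        Enabled    = $enabled
        Disallowed = $disallowed          # DES_CBC_CRC / DES_CBC_MD5 land here
        Compliant  = ($disallowed.Count -eq 0)
    }
}

Test-KerberosEtypePolicy | Format-List
```

Run it in an elevated session on the system being reviewed; a non-empty Disallowed list means a DES type is still enabled by policy.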
Local Service
Network Service
Administrators
Administrators
Administrators
Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Profile system performance" to only include the following accounts or
groups:
Administrators
NT Service\WdiServiceHost
Administrators
Administrators
Guests Group
Administrators
Default Permissions
C:\
Type - "Allow" for all
Inherited from - "None" for all
Default Permissions:
\Program Files and \Program Files (x86)
Type - "Allow" for all
Inherited from - "None" for all
Configure the antivirus program to update the signature file at least every
7 days. More frequent (daily) updates are recommended.
Configure the audit settings for Group Policy objects to include the
following.
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object and all descendant objects
The three Success types listed below are defaults inherited from the
Parent Object. Where Special is listed in the summary screens for Access,
detailed Permissions are provided for reference, various Properties
selections may also exist by default.
Type - Success
Principal - Everyone
Access - Special
Inherited from - Parent Object
Applies to - Descendant Organization Unit Objects
(Access - Special = Permissions: Write all properties, Modify permissions)
Default Permissions:
Type - "Allow" for all
Inherited from - "None" for all
Ensure the permissions on Group Policy objects do not allow greater than
Read and Apply group policy for standard user accounts or groups. The
defaults below meet this requirement.
SYSTEM - Read, Write, Create all child objects, Delete all child objects,
Special permissions
Domain Admins - Read, Write, Create all child objects, Delete all child
objects, Special permissions
Enterprise Admins - Read, Write, Create all child objects, Delete all child
objects, Special permissions
Applications that are opted out are configured in the window below this
selection.
Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> File Explorer -> "Turn off shell
protocol protected mode" to "Disabled".
Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> File Explorer -> "Turn off heap
termination on corruption" to "Disabled".
Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Connection Client -> "Do not allow passwords to be
saved" to "Enabled".
If location services are approved by the organization for a device, this must
be documented.
(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)
Administrators
Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Microsoft network server: Server SPN target name validation level" to
"Off".
(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)
Configure the policy value in the Default Domain Policy for Computer
Configuration -> Windows Settings -> Security Settings -> Account Policies
-> Kerberos Policy -> "Maximum tolerance for computer clock
synchronization" to a maximum of 5 minutes or less.
Ensure the permissions on NTDS database and log files are maintained as
follows.
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Administrators
Configure the audit settings for RID Manager$ object to include the
following.
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
The success types listed below are defaults. Where Special is listed in the
summary screens for Access, detailed Permissions are provided for
reference, various Properties selections may also exist by default.
Type - Success
Principal - Everyone
Access - Special
Inherited from - None
(Access - Special = Write all properties, All extended rights, Change RID
master)
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object only
The success types listed below are defaults. Where Special is listed in the
summary screens for Access, detailed Permissions are provided for
reference, various Properties selections may also exist by default.
Type - Success
Principal - Domain Users
Access - All extended rights
Inherited from - None
Applies to - This object only
Type - Success
Principal - Administrators
Access - All extended rights
Inherited from - None
Applies to - This object only
Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Permissions: Write all properties, Modify permissions,
Modify owner.)
Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Management -> "Audit Computer
Account Management" with "Failure" selected.
Administrators
Configure the policy value in the Default Domain Policy for Computer
Configuration -> Policies -> Windows Settings -> Security Settings ->
Account Policies -> Kerberos Policy -> "Enforce user logon restrictions" to
"Enabled".
Administrators
Administrators
Local Service
Window Manager\Window Manager Group
Administrators
Service
Local Service
Network Service
Local Service
Network Service
Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
The success types listed below are defaults. Where Special is listed in the
summary screens for Access, detailed Permissions are provided for
reference, various Properties selections may also exist by default.
Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Permissions: all create, delete and modify permissions)
Type - Success
Principal - Everyone
Access - Write all properties
Inherited from - None
Applies to - This object and all descendant objects
Ensure only Read permissions are assigned to standard user accounts and
groups for the following registry key. The default configuration satisfies
this requirement.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Configure the following registry value:
Type: REG_DWORD
Value: 0
Ensure only Read permissions are assigned to standard user accounts and
groups for the following registry keys. The default configuration satisfies
this requirement.
All systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\
Administrators - Full
Backup Operators - Read(QENR)
Local Service - Read
Configure the policy value in the Default Domain Policy for Computer
Configuration -> Policies -> Windows Settings -> Security Settings ->
Account Policies -> Kerberos Policy -> "Maximum lifetime for service
ticket" to a maximum of 600 minutes, but not 0 which equates to "Ticket
doesn't expire".
Guests Group
Implement a tool to compare system files (e.g., *.exe, *.bat, *.com, *.cmd,
and *.dll) on servers against a baseline on a weekly basis.
Configure all passwords to expire. Ensure "Password never expires" is not
checked on any accounts. Document any exceptions with the IAO.
Ensure Windows Server 2012 is the only operating system installed for the
system to boot into. Remove alternate operating systems.
Configure domain-joined systems to restrict the existence of local user
accounts. Remove any unauthorized local accounts.
Establish a site policy to prohibit the use of applications that access the
Internet, such as web browsers, or with potential Internet sources, such as
email, by administrative user accounts. Ensure the policy is enforced.
Ensure that each member of the Backup Operators group has separate
accounts for backup functions and standard user functions. Create the
necessary documentation that identifies the members of the Backup
Operators group.
Establish site policy that requires SAs be trained for all operating systems
running on systems under their control.
Ensure each user with administrative privileges has a separate account for
user duties and one for privileged duties.
Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Deny log on as a service" to include no entries (blank):