WINDOWS 2008 SECURITY TECHNICAL IMPLEMENTATION GUIDE OVERVIEW Version 6, Release 1.

9 26 February 2010

Developed by DISA for the DoD

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

This page is intentionally left blank.

ii

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

TABLE OF CONTENTS
Summary Of Changes............................................................................v 1 Introduction........................................................................................1 1.1 Background...................................................................................1 1.2 Authority.......................................................................................1 1.3 Scope............................................................................................2 1.4 Vulnerability Severity Code Definitions...........................................2 1.5 STIG Distribution...........................................................................2 1.6 Document Revisions.......................................................................2 2 Performing a Windows review.............................................................3 2.1 ACL Deviations..............................................................................4 2.2 Application Exceptions...................................................................4 2.3 Gold Standard...............................................................................4 2.4 Review Tools.................................................................................4 2.4.1 Windows Explorer....................................................................4 2.4.2 Computer Management console................................................5 2.4.3 Control Panel...........................................................................5 2.4.4 Security Configuration and Analysis Snap-In .............................5 2.4.4.1 Updating the Windows Security Options File........................5 2.4.4.2 Performing Analysis with the Security Configuration and Analysis Snap-In............................................................................6 2.4.5 File and Registry Settings.........................................................7 2.4.6 Using DumpSec....................................................................8 2.4.7 MS Group Policy Results Tools..................................................9 Appendix A. Object Permissions...........................................................13 A.1 File and Folder Permissions.........................................................13 A.2 Registry Permissions...................................................................13 Appendix B. references.......................................................................14 B.1 Policy References........................................................................14 B.2 Technical References..................................................................14 Appendix C. VMS Procedures...............................................................15

UNCLASSIFIED

iii

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

This page is intentionally left blank.

iv

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

SUMMARY OF CHANGES This section summarizes the changes made to this document. The change history for one year is included. Version 6.1.9 All Sections February 2010 The STIG format has been changed to be produced in XCCDF format from VMS. This document contains supporting information, the Windows requirements are in the accompanying XML file. See the Readme.txt and STIG Transition to XCCDF for additional information.

V0001073 Approved Service Packs updated to require SP2 V0001074 Virus-Protection Software added note/reference to AV check (V0019910) V0001126 Recycle Bin Configuration added User Admin Template configuration V0001145 Disable Administrator Automatic Logon registry value set by policy added for reference. V0002907 System Configuration Changes (Servers) removed note that HBSS doesnt meet requirement V0004109 Disable Dead Gateway Detection removed, not applicable Added new IAVMs 2009-A-0123, 2009-A-0124, 2009-A-0125, 2009-A-0126, 2009-A-0128, 2009-A-0129, 2009-A-0130, 2009-A-0134, 2009-B-0060, 2009-B-0061, 2009-B-0062, 2009-B0065, 2009-B-0066, 2009-B-0067, 2010-A-0003, 2010-A-0004, 2010-A-0005, 2010-A-0006, 2010-A-0007, 2010-A-0010, 2010-A-0011, 2010-A-0014, 2010-A-0016, 2010-A-0017, 2010-B0002, 2010-B-0003, 2010-B-0004 Removed superseded IAVMs 2008-B-0041, 2008-B-0073, 2009-A-0020, 2009-A-0041, 2009-A0052, 2009-A-0060, 2009-A-0061, 2009-A-0093, 2009-A-0100, 2009-A-0101, 2009-A-0102, 2009A-0103, 2009-A-0104, 2009-A-0108, 2009-A-0111, 2009-B-0056, 2009-T-0031, 2009-T-0051 The following IAVMs were added or removed after VMS reconciliation: Added 2009-A-0039, 2009-T-0030 Removed - 2009-B-0038, 2009-T-0046, 2009-T-0053 2009-A-0071 corrected Vista/2008 file name for manual check. 2009-A-0099 corrected reference to Microsoft Bulletin SRR Results Report This appendix was for recording results of a manual review and has been removed from Windows STIGs for versions supported by automated tools (Gold Disk). Version 6.1.8 All Sections Section 3 December 2009 Updated version numbers and dates. V0001112 Dormant Accounts - updated Dsquery commands

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

V0001157 Smart Card Removal Option added documentable V0006840 Passwords Expiration updated Dsquery command V0014271 Application Account Passwords updated Dsquery command Appendix B Added new IAVMs 2009-A-0090, 2009-A-0091, 2009-A-0093, 2009A-0094, 2009-A-0095, 2009-A-0096, 2009-A-0097, 2009-A-0098, 2009A-0099, 2009-A-0100, 2009-A-0101, 2009-A-0102, 2009-A-0103, 2009A-0104, 2009-A-0105, 2009-A-0108, 2009-A-0109, 2009-A-0110, 2009A-0111, 2009-A-0112, 2009-A-0115, 2009-A-0117, 2009-A-0118, 2009A-0119, 2009-A-0120, 2009-A-0121, 2009-A-0122, 2009-B-0047, 2009B-0048, 2009-B-0051, 2009-B-0052, 2009-B-0054, 2009-B-0055, 2009B-0056, 2009-B-0057, 2009-B-0059

Removed superseded IAVMs 2008-A-0063, 2009-A-0023, 2009-A-0042, 2009-A-0051, 2009-A-0053, 2009-A-0054, 2009-A-0055, 2009-A-0056, 2009-A-0059, 2009-A-0062, 2009-A-0063, 2009-A-0066, 2009-A-0081, 2009-B-0034, 2009-T-0026, 2009-T-0038, 2009-T-0050, 2009-T-0052 Version 6.1.7 All Sections Appendix B October 2009 Updated version numbers and dates. Added new IAVMs 2009-A-0061, 2009-A-0062, 2009-A-0063, 2009A-0066, 2009-A-0067, 2009-A-0068, 2009-A-0071, 2009-A-0074, 2009A-0076, 2009-A-0077, 2009-A-0078, 2009-A-0081, 2009-B-0034, 2009B-0035, 2009-B-0036, 2009-B-0037, 2009-B-0038, 2009-B-0042, 2009T-0046, 2009-T-0049, 2009-T-0050, 2009-T-0051, 2009-T-0052

Removed superseded IAVMs 2009-A-0025, 2009-B-0014, 2009-T-0036, 2009-T-0043 Version 6.1.6 All Sections Section 3 August 2009 Updated version numbers and dates.

V0001090 Caching of Logon Credentials removed Disable from title V0002374 Disable Media Autoplay moved to Admin Template configuration, updated reference to CTO V0003375 Domain Controller Authentication to Unlock Workstation removed, Joint Services review decision V0004117 Syn Attack Protection Level removed, identified as not applicable to Windows Vista/2008 during reviews with Microsoft V0004437 TCP Connection Responses identified as not applicable to Windows Vista/2008 during reviews with Microsoft V0014242 UAC Non UAC Compliant Application Virtualization corrected policy name (removed Switch)

vi

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

V0014249 Terminal Services Drive Redirection registry value name corrected in VMS to fDisableCdm (checklist was correct) V0015672 Event Viewer Events.asp Links added to align with DoD consensus V0015711 Search Encrypted Files Indexing corrected registry path (space between Windows and Search) V0015712 Search Exchange Folder Indexing updated to reflect change in policy name and value from Vista/2008 SP2 or Search 4.0 installation; corrected registry path (space between Windows and Search) V0017900 Disallow AutoPlay/AutoRun from Autorun.inf updated reference to CTO Appendix B Various added note to IAVMs fixed by Vista/2008 SP2 Added new IAVMs 2009-A-0042, 2009-A-0044, 2009-A-0046, 2009A-0051, 2009-A-0052, 2009-A-0053, 2009-A-0054, 2009-A-0055, 2009A-0056, 2009-A-0057, 2009-A-0058, 2009-A-0059, 2009-A-0060, 2009B-0021, 2009-B-0023, 2009-B-0024, 2009-B-0025, 2009-B-0028, 2009B-0030, 2009-B-0033, 2009-T-0031, 2009-T-0034, 2009-T-0036, 2009-T0038, 2009-T-0043 Removed superseded IAVMs 2008-B-0033, 2008-T-0024, 2009-A-0008, 2009-A-0021, 2009-A-0027, 2009-A-0028, 2009-A-0029, 2009-A-0030, 2009-A-0031, 2009-A-0035, 2009-A-0036, 2009-A-0040, 2009-B-0063, 2009-T-0015, 2009-T-0018, 2009-T-0029 Appendix F V0015673 Internet Connection Wizard ISP Downloads corrected policy name referenced. V0003379 LAN Manager Hash Value corrected Cat to I June 2009 Updated version numbers and dates. 1.9 Referenced Documents Note added regarding checklist references and Windows Server 2008 Security Compliance Toolkit. V0001122 Password Protected Screen Savers Removed requirement for screen saver executable name to be specified. Removed note referring to Desktop configuration.

Version 6.1.5 All Sections Section 1 Section 3

Appendix B 2008-A-0086 corrected file version number 2008-B-0075 added note to manual check on IIS and Internet printing requirement 2009-A-0013 added Exchange Server MAPI Client and Collaboration Data Objects 1.2.1

UNCLASSIFIED

vii

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

Added new IAVMs 2009-A-0023, 2009-A-0025, 2009-A-0027, 2009-A0028, 2009-A-0029, 2009-A-0030, 2009-A-0031, 2009-A-0032, 2009-A0034, 2009-A-0035, 2009-A-0036, 2009-A-0037, 2009-A-0039, 2009-A0040, 2009-A-0041, 2009-B-0015, 2009-B-0016, 2009-B-0018, 2009-B0019, 2009-T-0010, 2009-T-0018, 2009-T-0019, 2009-T-0021, 2009-T0022, 2009-T-0023, 2009-T-0025, 2009-T-0026, 2009-T-0029 Removed superseded IAVMs 2008-A-0042, 2008-A-0051, 2008-A-0076, 2008-A-0083, 2008-B-0084, 2008-B-0086, 2009-A-0001, 2009-A-0005, 2009-A-0007, 2009-A-0014, 2009-B-0010, 2009-B-0013, 2009-T-0011, 2009-T-0013 Version 6.1.4 All Sections Section 3 April 2009 Updated version numbers and dates. V0001089 Display Legal Notice added note on short version V0015505 CMA Agent corrected Confidentiality level to match VMS (removed C) 2008-T-0032 removed Windows 2000 SP4 SQL Server 2000 Desktop Engine (WMSDE) from Vulnerable Applications Added new IAVMs 2009-A-0012, 2009-A-0013, 2009-A-0014, 2009-A0016, 2009-A-0017, 2009-A-0018, 2009-A-0019, 2009-A-0020, 2009-A0021, 2009-B-0008, 2009-B-0009, 2009-B-0010, 2009-B-0013, 2009-B-0014, 2009-T-0011, 2009-T-0013, 2009-T-0014, 2009-T-0015 Removed superseded IAVMs 2008-A-0080, 2008-B-0077, 2008-T-0057, 2008-T-0065, 2008-T-0067, 2009-B-0005, 2009-B-0007

Appendix B

viii

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

INTRODUCTION

1.1 Background The Windows 2008 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements were developed from Federal and DoD consensus, as well as the Windows 2008 Security Guide and security templates published by Microsoft Corporation. The vulnerabilities discussed in this document are applicable to Windows 2008 (all versions). The requirements are detailed in the accompanying xml files. Two versions may be included; one marked manual includes all of the requirements. The second marked benchmark includes only checks that have OVAL content for use in scanning tools. This document is meant for use in conjunction with other applicable STIGs and Checklists such as Directory Services, Web, DNS, Database, Secure Remote Computing, and Desktop Applications. 1.2 Authority

DoD Directive 8500.1 requires that all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines and tasks Defense Information Systems Agency (DISA) to develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA. This document is provided under the authority of DoD Directive 8500.1. Although the use of the principles and guidelines in this STIG provide an environment that contributes to the security requirements of DoD systems operating at Mission Assurance Categories (MAC) I through III, applicable DoDI 8500.2 IA controls need to be applied to all systems and architectures. The Information Operations Condition (INFOCON) for the DoD recommends actions during periods when a heightened defensive posture is required to protect DoD computer networks from attack. The Information Assurance Officer (IAO) will ensure compliance with the security requirements of the current INFOCON level and will modify security requirements to comply with this guidance. The Joint Task Force - Global Network Operations (JTF-GNO) has also established requirements (i.e., timelines) for training, verification, installation, and progress reporting. These guidelines can be found on their Web site: https://www.jtfgno.mil. Initially, these directives are discussed and released as Warning Orders (WARNORDs) and feedback to the JTF-GNO is encouraged. The JTF-GNO may then upgrade these orders to directives; they are then called Communication Tasking Orders (CTOs). It is each organization's responsibility to take action by complying with the CTOs and reporting compliance via their respective Computer Network Defense Service Provider (CNDSP).

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

1.3

Scope

This document is a requirement for all DoD administered systems and all systems connected to DoD networks. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), IAOs, and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD system design, development, implementation, certification, and accreditation efforts. 1.4 Vulnerability Severity Code Definitions

Severity Category Codes (CAT) are a measure of risk used to assess a facility or system security posture. Each security policy specified in this document is assigned a Severity Code of CAT I, II, or III. Each policy is evaluated based on the probability of a realized threat occurring and the expected loss associated with an attack exploiting the resulting vulnerability. Vulnerability Severity Codes Vulnerabilities that allow an attacker immediate access into a machine, allow superuser access, or bypass a firewall. i.e. Granting unnecessary accounts the User Right Act as Part of the Operating System as an example with Windows. Vulnerabilities that provide information that have a high potential of giving access to an intruder. i.e. Not requiring password complexity would increase the risk of an intruder gaining access. Vulnerabilities that provide information that potentially could lead to compromise. i.e. Allowing users to install printer drivers could potentially lead to compromise with unapproved drivers.

Category I

Category II Category III

1.5

STIG Distribution

Parties within the DoD and Federal Government's computing environments can obtain the applicable STIG from the Information Assurance Support Environment (IASE) Web site. This site contains the latest copies of any STIGs and Checklists, scripts, and other related security information. The Non-classified Internet Protocol Router Network (NIPRNet) Uniform Resource Locator (URL) for the IASE site is http://iase.disa.mil/. 1.6 Document Revisions

Comments or proposed revisions to this document should be sent via e-mail to the following address: fso_spt@disa.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

PERFORMING A WINDOWS REVIEW

The review of Windows 2008 is supported by the Gold Disk. The Gold Disk Users Guide is available in the Documentation directory of Gold Disk #1. It should thoroughly be reviewed prior to executing scans, in particular the Warnings section. The manual contains detailed information on the use of the various windows and the expected output. In a Windows Domain, the review should be done with the reviewer logged on to the domain. The review will then reveal the actual effective settings on the box that may result from a combination of Group and Local policies. Note: The Windows Server checklists apply to both member servers and domain controllers. The following requirements apply only to domain controllers: V-2373 V-2376 V-2377 V-2378 V-2379 V-2380 V-2906 V-4407 V-4408 V-15488 Warning: The settings in this STIG are directed towards securing a native Windows environment (i.e. Windows 2000 or later OSs). If the environment is a mixed one, with downlevel OSs, or maintains trusts with down-level OSs, then the following checks should be reviewed. Configuring them to the required setting could cause compatibility problems. 3.113 / V0006831 3.043 / V0001163 4.044 / V0003374 3.114 / V0006832 3.115 / V0006833 3.062 / V0003337 3.018 / V0001093 3.071 / V0003377 3.073 / V0003379 3.031 / V0001153 3.076 / V0003382 Clients 3.089 / V0003666 servers 3.077 / V0003383 Encryption and Signing of Secure Channel Traffic Encryption of Secure Channel Traffic Strong Session Key (WIN2K/W2K3 Native Domains) SMB Client Packet Signing (Always) SMB Server Packet Signing (Always) Anonymous SID/Name Translation Restrict Anonymous Network Shares Everyone Permissions Apply to Anonymous Users LAN Manager Hash Value LanMan Authentication Level Minimum Session Security for NTLM SSP-based (including secure RPC) Minimum Session Security for NTLM SSP-based (including secure RPC) FIPS compliant Algorithms

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

2.1 ACL Deviations The Access Control Lists (ACLs) on a system under review may differ from the recommendations specified in these requirements. If the reviewed ACL is more restrictive, or if an equivalent user group is identified, there is no problem. If a specific application requires less restrictive settings, these must be documented with the site IAO. 2.2 Application Exceptions Site-approved Applications may require specific exceptions to the requirements in this document, for proper functioning. Exceptions should be justified and clearly documented with the IAO. When exceptions are made for requirements rated as Category 1s, the site needs to document, and receive documentation from the vendor that the exception is necessary. It should also include any additional action that the site is taking to mitigate the risk (e.g., ACL settings, Group membership, Firewall, etc.). 2.3 Gold Standard The Gold Standard is the minimum level of security configuration that a system must meet in order to be connected to the network. The Platinum standard is the security level that must be reached to achieve certification and accreditation. This STIG measures a systems security configuration against the Platinum Standard. 2.4 Review Tools

2.4.1 Windows Explorer Windows Explorer permits users and administrators to search for files and also manage the permissions and audit configuration of file objects on NTFS volumes. Right Click on the Start button. Select Explore Change Folder Options to expose hidden and protected operating system files. Select Folder and search options from the Organize menu Select the View tab Select the radio-button labeled, Show hidden files, folders and drives Uncheck the box labeled Hide protected operating system files Uncheck the box labeled Hide extensions of known file types Click on the OK button to continue. Searching for files When performing searches from Windows Explorer, select Advanced Search and ensure the Location is Local Hard Drives and Include non-indexed, hidden, and system files (might be slow) is checked.

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

2.4.2 Computer Management console The Computer Management console is used to configure a variety of system-related features for the local environment such as Shared folders, Local users and groups and Services among others. Select Administrative Tools > Computer Management from the Start Menu (or Programs first in Classic View) 2.4.3 Control Panel The Control Panel is used to configure a variety of features for the local environment such as Display settings (screen saver), Installed Programs (including updates and patches) and System. Select Control Panel from the Start Menu Alternately, select Control Panel on the Desktop (assumes Classic View) 2.4.4 Security Configuration and Analysis Snap-In The Microsoft Management Console (MMC) is the primary system configuration tool for Windows. It utilizes Snap-in functions to configure the various parts of the system. The Security Configuration and Analysis snap-in is used to determine the composite effect of Local policy and of Group Policy for such as Account Policy, System Auditing and Security Options. 2.4.4.1 Updating the Windows Security Options File Some of the requirements in this STIG depend upon the use of a Microsoft security options file that has been updated to include some additional security checks (MSS settings) that are not visible in policies by default. Note: The procedure for viewing hidden folders and files in Windows Explorer, earlier in this section, may need to be performed prior to completing this task. To load the updated Security Options file, do the following (Due to changes in Windows security, the administrator must first take ownership of the file before changes are made): Open a command prompt with elevated privileges Run as administrator Take ownership of the file with the command takeown /f c:\windows\inf\sceregvl.inf Add Full permissions with the command icacls c:\windows\inf\sceregvl.inf /grant username:f where username is the administrator account. Rename the sceregvl.inf file in the %SystemRoot%\inf directory. Copy the updated sceregvl.inf file from the media provided to the %SystemRoot%\inf directory. The file can be found Templates directory included in the STIG zip file. Re-register scecli.dll by executing regsvr32 scecli.dll in the command prompt with elevated privileges.

The additional options will now appear in Windows policy tools such as the Security Configuration and Analysis tool (a restart of the tool may be required.)

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

2.4.4.2 Performing Analysis with the Security Configuration and Analysis Snap-In Use the following procedure to load the Security Configuration and Analysis snap-in and analyze the system: Select Start Enter MMC in the Search programs and files field and Enter Select File from the MMC menu bar. Select Add/Remove snap-in from the drop-down menu. Select the Security Configuration and Analysis snap-in and click the Add button. Click OK. Right-click on the Security Configuration and Analysis object in the left window. Select Open Database (this will create the database file if one does not exist) Enter C:\temp\scan\srr.sdb for the database name. In the Import Template window select the appropriate file name for the type of system. o The security templates can be found in th Templates directory included in the STIG zip file. o FSOWinVersion_Analyze_Only.inf Check the box to Clear the database before importing. Select Open. Right-click on the Security Configuration and Analysis object in the left window. Select Analyze Computer Now (DO NOT select Configure Computer Now) Enter C:\temp\scan\srr.log for the log name in the Error log file path window and click OK. The Analyzing System Security windows will appear When the analysis is complete, the Security Configuration and Analysis node can be expanded to view current configurations Database Settings are the required settings imported from the analysis template file Computer Settings are the effective settings on the system

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

2.4.5

File and Registry Settings

File and Registry Permissions and Auditing can be viewed using Windows Explorer for files and directories and the Registry Editor (Regedit.exe) for registry keys. To open Windows Explorer: Right click the Start button and select Explore To open Registry Editor: Click the Start button and select Run (Classic view) Type Regedit and Enter To investigate a possible ACL discrepancy: File ACLs Navigate in Windows Explorer to the file or directory being investigated Right click and select Properties Select the Security Tab Registry ACLS Navigate in Registry Editor to the key being investigated Right click the key and select Permissions Highlight each group in turn to view effective settings. To investigate a possible File Auditing discrepancy: Navigate in Windows Explorer to the file or directory being investigated Right click and select Properties Select the Security tab Click on the Advanced button Select the Auditing tab Highlight an Auditing Entry and click the edit button.

To investigate a possible Registry Auditing discrepancy: Navigate in Registry Editor to the key being investigated Right-click the registry key and select Permissions Click on the Advanced button Select the Auditing tab Highlight an Auditing Entry and click the edit button.

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

2.4.6 Using DumpSec The DumpSec application is an analysis tool that permits the user to systematically review ACL, audit, and user information from the local system. This tool is not included with Windows, but may be acquired or downloaded from SomarSoft, Inc. (www.somarsoft.com). It is also available on Disk #1 of the Gold Disk in the folder Files needed for manual review. Navigate to the folder that contains the application and double click on DumpSec Select Dump Users as Table from the Report menu. Select the available fields in the following sequence, and click on the Add button for each entry: UserName SID PswdRequired PswdExpires PswdLastSetTime LastLogonTime AcctDisabled Groups Click OK to proceed. Some user accounts may appear repetitively, because Groups is included in the report.

The data from DumpSec can be copied to another program such as a spreadsheet for analysis by selecting Copy all items from the Edit menu and pasting in to the other program.

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

2.4.7

MS Group Policy Results Tools

This section contains information for using Microsoft tools to analyze group policy. In an Active Directory environment, these utilities help Administrators determine the source of the effective security configuration settings that are in force on a system. The Manual SRR review procedures in of this STIG report the security policy related settings that are in effect on a system, but do not identify the source of that setting. An effective setting can come from any number of sources: Local Computer Policy, multiple Domain Group Policies or Group Policies associated with Organizational Units. The Security Configuration and Analysis MMC snap-in permits the analysis of Account Policy, System Auditing, Local Policies, Event Logs, Services, Registry ACLs and Auditing, and File ACLs and Auditing. The tool provides a comparison of effective settings (Computer Settings) to a Security Template (Database Settings). Directions for loading this tool are provided in a previous section. The Resultant Set of Policy (RSoP) MMC snap-in and GPResult.exe will report the source policy for security settings that are enforced on the system. This will allow an Administrator to determine which policy must be changed to fix a specific setting that is the cause or a finding on the system. (Note: these tools do not report if a settings is configured in the Local Policy). This will assist an Administrator in determining which policy must be changed to fix a specific setting that is the cause or a finding on the system. The Group Policy Management Console (GPMC) MMC snap-in is another tool that combines the features of the RSOP and Group Policy Object Editor. The GPMC can be downloaded from Microsoft. Resultant Set of Policy The RSoP snap-in provides the source of effective settings at the setting level. Use the following procedure to use the MMC and load the Resultant Set of Policy snap-in: Select Start and Run from the desktop. Type mmc.exe in the Run dialog. Select File from the MMC menu bar. Select Add/Remove snap-in from the drop-down menu. Click the Add button on the Standalone tab. Select the Resultant Set of Policy snap-in and click the Add button. Click Close. Click OK. Right-click on the Resultant Set of Policy object in the left window. Select Generate RSoP Data, click Next Select Logging Mode, click Next

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

Select This Computer, click Next Select option for User Policy settings, click Next Click Next Click Finish

GPResult.exe This command-line tool displays information about the result Group Policy has had but does not provide detail at the settings level for Security Options. The default is for the local computer and locally logged on user. The following information comes from Microsofts documentation. GPResult provides the following general information: Operating System Type (Professional, Server, Domain Controller). Build number and Service Pack details. Whether Terminal Services is installed and, if so, the mode it is using. User Information User name and location in Active Directory (if applicable). Whether the user has a local or roaming profile and location of the profile. Security group membership. Security privileges. Computer Information Computer name and location in Active Directory (if applicable). Domain name and type Site name.

GPResult also provides the following information about Group Policy: The last time policy was applied and the domain controller that applied policy, for the user and computer. The complete list of applied Group Policy objects and their details, including a summary of the extensions that each Group Policy object contains. Registry settings that were applied and their details. Folders that are re-directed and their details. Software management information detailing assigned and published applications. Disk quota information. IP Security settings. Scripts.

GPResult Syntax gpresult [/s] [/u] [/p] [/user] [/scope] [/v] [/z] [/?]

10

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

/s computer Specifies the name or IP address of a remote computer. The default is the local computer. /u domain\user Runs the command with the account permissions of the user specified. The default is the permissions of currently logged on user. /p password Specifies the password of the user account that is specified with the /u parameter. /user TargetUserName Specifies the user name whose RSoP data is to be displayed /scope {user|computer} Displays either the user settings or computer settings. If scope is omitted, both will be displayed. /V Runs GPResult in verbose mode. /Z Specifies that the output display all available Group Policy information. It is recommended that output be redirected to a text file (i.e. gpresult /z>policy.txt) /? displays a command-line syntax screen. Group Policy Management Console The GPMC should appear in the Administrative Tools menu after it has been installed on a system. It can also be loaded in an MMC with the following steps: Select Start and Run from the desktop. Type mmc.exe in the Run dialog. Select File from the MMC menu bar. Select Add/Remove snap-in from the drop-down menu. Click the Add button on the Standalone tab. Select the Group Policy Management snap-in and click the Add button. Click Close. Click OK.

Select a domain in the left panel to view the applied Group Policies. Additional information can be obtained from Microsofts website.

UNCLASSIFIED

11

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

This page is intentionally left blank.

12

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

APPENDIX A. OBJECT PERMISSIONS NSA has determined that the default file ACL settings are adequate when the Security Option: Network access: Let everyone permissions apply to anonymous users is set to Disabled and Power User Group Membership for client systems is restricted to no members. Discrepancies may occur if either of the two following conditions are true: The objects security posture is more restrictive than specified in this document. The objects security posture is configured in direct support of the systems mission.

Note: If an ACL setting prevents a sites applications from performing properly, the site can modify that specific setting. Settings should only be changed to the minimum necessary for the application to function. Each exception to the recommended settings should be documented and kept on file by the IAO. A.1 File and Folder Permissions

No additional changes are required to file and folder permissions at this time. A.2 Registry Permissions

No additional changes are required to registry permissions other than those specified in specific requirements of the STIG at this time.

UNCLASSIFIED

13

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

APPENDIX B. REFERENCES B.1 Policy References DoD Directive 8500.1, Information Assurance, October 24, 2002 DoD Instruction 8500.2, Information Assurance (IA) Implementation, February 6, 2003 CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), March 25, 2003 DISA Windows 2003/XP/2000/Vista Addendum, Version 6.1, May 21, 2007

a. b. c. d.

a. b. c.

B.2 Technical References Microsoft Corporation Microsoft Solutions for Security, Windows Server 2008 Security Guide, 2008 Microsoft Corporation Windows Vista Security Guide, 2006 Microsoft Corporation Microsoft Solutions for Security, Threats, and Countermeasures: Security Settings in Windows Server 2003 and Windows XP V2.0, December 2005

Note: Microsoft recently updated the Windows Server 2008 Security Guide which is now part of the Windows Server 2008 Security Compliance Toolkit. References in this checklist to Appendix A of the Windows Server 2008 Security Guide are now in the Security Baseline Settings workbook of the Compliance Toolkit. The references in the checklist will be updated in a future release.

14

UNCLASSIFIED

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

APPENDIX C. VMS PROCEDURES Asset Creation If the asset has not been created by another process (i.e. Gold Disk results import) then you must create the asset. Access VMS 6.0 Web Application - Click Asset Finding Maint. - Click Assets / Findings - Expand Visits or By Location - Expand the correct Folder under your selection - Continue expanding folders until you reach the Computing folder - Click the yellow folder icon located at the right of Computing - Input data on General tab - Click the Asset Identification tab o Enter I.P. Address, which must match the import file. o Click Add o Enter MAC Address, which must match the import file. o Click Add - Click the Asset Posture tab o Expand Computing o Expand Operating System, Roles and Applications o Expand each and select the appropriate choices o Click >> o Click Save After successful asset creation, in addition to the expected Windows check, there will also be Desktop General checks and IE Checks. This is expected. With VMS 6.0, these vulnerabilities from the Desktop STIG are shown on Windows Assets. Asset Findings Update Import the results from the scan tool such as the Gold Disk into VMS. To update manually follow the procedures below. Access VMS 6.0 Web Application - Click Asset Finding Maint. - Click Assets / Findings - Expand Visits or By Location - Expand the correct Folder under your selection - Continue expanding folders until you reach the Computing folder - Expand Computing - Expand Must Review - Expand the correct asset
UNCLASSIFIED

15

Windows 2008 STIG V6 R1.9 26 February 2010

Field Security Operations Defense Information Systems Agency

o o o

- Select the Windows Operating System - Click the vulnerability to be modified Edit desired data Click Save (Repeat as necessary)

16

UNCLASSIFIED