Updated On: 06.01.2014 (Version 1.0) INTERNAL USE

BASELINE CHECKLIST

No. Baseline Setting Value Comply (Y/N) Remarks (if not comply)
1. FILE SYSTEM
1.1. Use of secure File System NTFS

2. ACCOUNT POLICIES
2.1. Account lockout threshold 3 invalid logon attempts
2.2. Account lockout duration 0 minutes
2.3. Reset account lockout counter after 60 minutes
2.4. Enforce password history 6 passwords remembered
2.5. Maximum password age 90 days
2.6. Minimum password age 1 day
2.7. Minimum password length 8 characters
2.8. Password must meet complexity requirements Enabled
2.9. Store password using reversible encryption for all users in the domain Disabled
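Added example, not part of the PETRONAS baseline document: a PowerShell check that exports the local security policy with secedit and compares the [System Access] values against items 2.1 to 2.9 above. It assumes an elevated session on the server being audited, and that secedit exports a lockout duration of "0 minutes" as -1 (an assumption noted in the code).

```powershell
# Added example, not part of the PETRONAS baseline document. Exports the local
# security policy with secedit and compares the [System Access] values with
# items 2.1 to 2.9 of the checklist. Assumes an elevated PowerShell session on
# the Windows Server being audited.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# Collect "Key = Value" pairs from the [System Access] section of the export.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}

# Checklist values expressed as secedit keys. Assumption: a lockout duration of
# "0 minutes" (locked until an administrator unlocks) is exported by secedit as
# -1, so both 0 and -1 are accepted for item 2.2.
$baseline = @(
    @{ No = '2.1'; Setting = 'LockoutBadCount';       Expected = '3';  Ok = { param($v) [int]$v -eq 3 } }
    @{ No = '2.2'; Setting = 'LockoutDuration';       Expected = '0';  Ok = { param($v) @(0, -1) -contains [int]$v } }
    @{ No = '2.3'; Setting = 'ResetLockoutCount';     Expected = '60'; Ok = { param($v) [int]$v -eq 60 } }
    @{ No = '2.4'; Setting = 'PasswordHistorySize';   Expected = '6';  Ok = { param($v) [int]$v -eq 6 } }
    @{ No = '2.5'; Setting = 'MaximumPasswordAge';    Expected = '90'; Ok = { param($v) [int]$v -eq 90 } }
    @{ No = '2.6'; Setting = 'MinimumPasswordAge';    Expected = '1';  Ok = { param($v) [int]$v -eq 1 } }
    @{ No = '2.7'; Setting = 'MinimumPasswordLength'; Expected = '8';  Ok = { param($v) [int]$v -eq 8 } }
    @{ No = '2.8'; Setting = 'PasswordComplexity';    Expected = '1';  Ok = { param($v) [int]$v -eq 1 } }
    @{ No = '2.9'; Setting = 'ClearTextPassword';     Expected = '0';  Ok = { param($v) [int]$v -eq 0 } }
)

# Emit one row per checklist item in the same shape as the form's columns.
# A missing key is reported as non-compliant rather than silently cast to 0.
foreach ($item in $baseline) {
    $actual = $policy[$item.Setting]
    $comply = ($null -ne $actual) -and (& $item.Ok $actual)
    [pscustomobject]@{
        No       = $item.No
        Setting  = $item.Setting
        Expected = $item.Expected
        Actual   = $(if ($null -eq $actual) { '(not set)' } else { $actual })
        Comply   = $(if ($comply) { 'Y' } else { 'N' })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

On a domain-joined member server the effective account policy comes from the Default Domain Policy, so the exported local values may differ from what actually applies at logon.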

3. USER RIGHTS ASSIGNMENT
3.1. Force shutdown from a remote system Administrators
3.2. Act as part of the operating system No One
*This rule is not applicable to domain controllers and cluster servers.
3.3. Add workstations to domain Domain Administrators, DCS
*This control is not applicable to standalone servers, as there is no domain available or the server is not designed to work with a domain controller.
3.4. Allow log on locally Administrators
*This rule is not applicable to Citrix servers, where the architecture consists of level 2 authentication, user access control and Citrix system access requirements.
3.5. Change the System Time LOCAL SERVICE, Administrators
3.6. Deny log on as a batch job Guests
3.7. Deny log on through Terminal Services Guests

4. AUDIT POLICIES
4.1. Account Logon: Credential Validation Success and Failure
4.2. Account Management: Computer Account Management Success and Failure
4.3. Account Management Other Account Management Events Success and Failure
4.4. Account Management: Security Group Management Success and Failure
4.5. Account Management: User Account Management Success and Failure

PETRONAS Windows Server 2012 Security Baseline Page 1 of 6


4.6. Logon-Logoff: Logoff Success
4.7. Logon-Logoff: Logon Success and Failure
4.8. Logon-Logoff: Special Logon Success and Failure
4.9. Logon-Logoff: Other Logon/Logoff Events Success and Failure
4.10. Policy Change: Audit Policy Change Success and Failure
4.11. Policy Change: Authentication Policy Change Success
4.12. Policy Change: Authorization Policy Change Success
4.13. System: IPsec Driver Success and Failure
4.14. System: Security State Change Success and Failure
4.15. System: Security System Extension Success and Failure
4.16. System: System Integrity Success and Failure
4.17. Privilege Use: Sensitive Privilege Use Success and Failure
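Added example, not part of the PETRONAS baseline document: a PowerShell check that reads the effective audit policy with auditpol in CSV mode and compares each subcategory with items 4.1 to 4.17 above. It assumes an elevated session and an English-language Windows install, since auditpol prints localized subcategory names.

```powershell
# Added example, not part of the PETRONAS baseline document. Reads the effective
# audit policy with auditpol (CSV mode) and compares each subcategory with
# items 4.1 to 4.17 of the checklist. Assumes an elevated PowerShell session
# on an English-language install (subcategory names are localized).
$expected = [ordered]@{
    '4.1'  = @('Credential Validation',          'Success and Failure')
    '4.2'  = @('Computer Account Management',    'Success and Failure')
    '4.3'  = @('Other Account Management Events', 'Success and Failure')
    '4.4'  = @('Security Group Management',      'Success and Failure')
    '4.5'  = @('User Account Management',        'Success and Failure')
    '4.6'  = @('Logoff',                         'Success')
    '4.7'  = @('Logon',                          'Success and Failure')
    '4.8'  = @('Special Logon',                  'Success and Failure')
    '4.9'  = @('Other Logon/Logoff Events',      'Success and Failure')
    '4.10' = @('Audit Policy Change',            'Success and Failure')
    '4.11' = @('Authentication Policy Change',   'Success')
    '4.12' = @('Authorization Policy Change',    'Success')
    '4.13' = @('IPsec Driver',                   'Success and Failure')
    '4.14' = @('Security State Change',          'Success and Failure')
    '4.15' = @('Security System Extension',      'Success and Failure')
    '4.16' = @('System Integrity',               'Success and Failure')
    '4.17' = @('Sensitive Privilege Use',        'Success and Failure')
}

# "auditpol /r" prints one CSV row per subcategory; the "Inclusion Setting"
# column holds the effective value ("Success and Failure", "No Auditing", ...).
$current = @{}
auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv | ForEach-Object {
    $current[$_.Subcategory] = $_.'Inclusion Setting'
}

# One row per checklist item; an exact string match is required, so a server
# auditing only "Success" where "Success and Failure" is expected shows as N.
foreach ($no in $expected.Keys) {
    $name, $want = $expected[$no]
    $have = $current[$name]
    [pscustomobject]@{
        No          = $no
        Subcategory = $name
        Expected    = $want
        Actual      = $(if ($null -eq $have) { '(not found)' } else { $have })
        Comply      = $(if ($have -eq $want) { 'Y' } else { 'N' })
    }
}
```

Item 5.8 (force subcategory settings to override category settings) must be Enabled for these subcategory values to be the ones actually in effect.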

5. SECURITY OPTIONS
5.1. Accounts: Guest Account Status Disabled
5.2. Accounts: Limit local accounts use of blank passwords to the console only Enabled
5.3. Accounts: Rename Guest account Verify that Guest account is renamed
5.4. Accounts: Rename administrator account Verify that Administrator account is renamed
5.5. Audit: Audit use of backup and restore privilege Enabled
5.6. Audit: Audit the access of global system objects Disabled
5.7. Audit: Shutdown system immediately if unable to log security audits Disabled
5.8. Audit: Force audit policy subcategory settings to override audit policy category settings Enabled
5.9. Devices: Restrict CD-ROM access to locally logged-on user only Enabled
5.10. Devices: Restrict floppy access to locally logged-on user only Enabled
5.11. Domain member: Digitally encrypt or sign secure channel data (always) setting. Enabled
5.12. Domain member: Digitally encrypt secure channel data (when possible) setting. Enabled
5.13. Domain member: Digitally sign secure channel data (when possible) setting. Enabled
5.14. Domain member: Disable machine account password changes Disabled
5.15. Domain member: Require strong session key Enabled
5.16. Microsoft network client: Digitally sign communications (always) Enabled
5.17. Microsoft network client: Digitally sign communications (if server agrees) Enabled
5.18. Microsoft network client: Send unencrypted password to third-party SMB Servers Disabled
5.19. Microsoft network server: Amount of idle time required before suspending session 15 minutes

5.20. Microsoft network server: Digitally sign communications (always) Enabled
5.21. Microsoft network server: Digitally sign communications (if client agrees) Enabled
5.22. MSS: (AutoAdminLogon) Enable Automatic Logon Disabled
5.23. MSS: (DisableIPSourceRouting) IP source routing protection level Highest protection, source routing is completely disabled
5.24. MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Disabled
5.25. MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds 300000 or 5 minutes
5.26. MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses Disabled
5.27. MSS: (SafeDllSearchMode) Enable Safe DLL search mode Enabled
5.28. MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires 0
5.29. MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted 3
5.30. MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning 90%
5.31. Network access: Allow anonymous SID/Name translation Disabled
5.32. Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
5.33. Network access: Do not allow storage of passwords and credentials for network authentication Enabled
5.34. Network access: Let Everyone permissions apply to anonymous users Disabled
5.35. Network access: Sharing and security model for local accounts Classic – Local users authenticate as themselves
5.36. Network security: LDAP client signing requirements Require Signing
5.37. Network security: Force logoff when logon hours expire Enabled
5.38. Network security: Do not store LAN Manager hash value on next password change Enabled
5.39. System objects: Strengthen Default permissions on Internal System Objects Enabled
5.40. Interactive Logon: Do not display last username Enabled
5.41. Interactive Logon: Message Title for users attempting to logon This system is restricted to PETRONAS authorised users only.
5.42. Interactive Logon: Message Text for users attempting to logon This system is restricted to PETRONAS authorised users only. Illegal and/or unauthorised access is strictly prohibited. All activities on this system will be monitored and appropriate action will be taken against unauthorised users.
5.43. Interactive logon: Do not require CTRL + ALT + DEL Disabled
5.44. Recovery console: Allow automatic administrative logon Disabled
5.45. Recovery console: Allow floppy copy and access to all drives and all folders Disabled
5.46. Shutdown: Allow system to be shut down without having to log on Disabled
5.47. User Account Control: Admin Approval Mode for the Built-in Administrator account Enabled

5.48. User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled
5.49. User Account Control: Behaviour of the elevation prompt for standard users Prompt for credentials
5.50. Remote Procedure Call: Enable restrictions for unauthenticated RPC clients Enabled - Authenticated
*This rule is not applicable to domain controllers and cluster servers.
5.51. Remote Procedure Call: RPC Endpoint Mapper client authentication Enabled
*This rule is not applicable to domain controllers and cluster servers.
5.52. MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames Enabled
5.53. System cryptography: Use FIPS140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms Enabled

6. WINDOWS COMPONENTS
6.1. Event Log Service\Application: Maximum log size (KB) 250 MB
6.2. Event Log Service\Application: Retain old events Disabled
6.3. Event Log Service\Security: Maximum log size (KB) 250 MB
6.4. Event Log Service\Security: Retain old events Disabled
6.5. Event Log Service\System: Maximum log size (KB) 250 MB
6.6. Event Log Service\System: Retain old events Disabled
6.7. Remote Desktop Services: Do not allow passwords to be saved Enabled
*This rule is not applicable to Citrix servers, where the architecture consists of level 2 authentication, user access control and Citrix system access requirements.
6.8. Remote Desktop Services: Always prompt for password upon connection Enabled
*This rule is not applicable to Citrix servers, where the architecture consists of level 2 authentication, user access control and Citrix system access requirements.
6.9. Remote Desktop Services: Set client connection encryption level High
*This rule is not applicable to Citrix servers, where the architecture consists of level 2 authentication, user access control and Citrix system access requirements.
6.10. Remote Desktop Services: Sets a time limit for active but idle Terminal Service sessions 15 minutes
6.11. MK Protocol Restriction: Internet Explorer Processes Enabled
6.12. Required user authentication for remote connections by using Network Level Authentication Enabled

7. SERVICES
7.1. Microsoft iSCSI Initiator Service Disabled
7.2. Network Access Protection Agent Disabled
7.3. Remote Procedure Call (RPC) Locator Disabled
7.4. Smart Card Disabled
7.5. Smart Card Removal Policy Disabled

7.6. SNMP Trap Disabled
7.7. Telnet Disabled
7.8. Microsoft FTP Server Services Disabled

8. CONTROL PANEL
8.1. Display: Enable Screen Saver Enabled
8.2. Display: Screen Saver Timeout 600 seconds
8.3. Display: Password Protect the screen saver Enabled

9. INTERNET COMMUNICATION SETTINGS
9.1. Turn off downloading of print drivers over HTTP Enabled
9.2. Turn off printing over HTTP Enabled
9.3. Turn off Internet download for Web publishing and online ordering wizards Enabled
9.4. Turn off Search Companion content file updates Enabled
9.5. Turn off the “Publish to Web” task for files and folders Enabled
9.6. Turn off the Windows Messenger Customer Experience Improvement Program Enabled

10. AUTOPLAY
10.1. Turn off Autoplay Enabled

11. CREDENTIAL USER INTERFACE
11.1. Enumerate administrator accounts on elevation Enabled


Task Details: Date:

Server/Workstation/Device Details:

IP Address: Hostname:

Remarks:

Implemented By: Verified By:
Signature: Signature:
Name: Name:
Date: Date:
