From f04fe20938543d8819cb66c5f19c033c9dda837d Mon Sep 17 00:00:00 2001 
From: Adam Haynes Date: Thu, 7 Jun 2018 07:21:56 +0200 Subject: [PATCH] initial commit --- .codecov.yml | 24 + .gitignore | 290 +- .vscode/launch.json | 36 + .vscode/settings.json | 53 + .vscode/tasks.json | 128 + LICENSE | 34 +- README.md | 5 +- appveyor.yml | 33 + src/Class/OrganizationalSetting.psm1 | 184 + src/Class/SkippedRule.psm1 | 109 + src/Class/SkippedRuleType.psm1 | 115 + src/Class/StigData.psm1 | 506 + src/Class/StigException.psm1 | 161 + src/Class/StigProperty.psm1 | 76 + src/Class/Technology.psm1 | 122 + src/Class/TechnologyRole.psm1 | 150 + src/Class/TechnologyVersion.psm1 | 149 + src/Common/Get-DomainName.ps1 | 214 + src/Common/Get-OrgSettingsObject.ps1 | 56 + src/Common/Get-StigList.ps1 | 26 + .../OrganizationalSettingsPropertyMap.psd1 | 21 + src/Enum/StigRuleType.psm1 | 31 + src/PowerStig.psd1 | 58 + src/PowerStig.psm1 | 17 + src/StigData/Schema/PowerStig.xsd | 502 + ...l-Server2012-Database-1.17.org.default.xml | 8 + src/StigData/Sql-Server2012-Database-1.17.xml | 577 ++ ...l-Server2012-Instance-1.16.org.default.xml | 8 + src/StigData/Sql-Server2012-Instance-1.16.xml | 6693 +++++++++++++ .../WIndows-2012R2-DNS-1.7.org.default.xml | 8 + .../WIndows-2012R2-DNS-1.9.org.default.xml | 8 + .../Windows-2012R2-DC-2.12.org.default.xml | 73 + src/StigData/Windows-2012R2-DC-2.12.xml | 8555 ++++++++++++++++ .../Windows-2012R2-DC-2.9.org.default.xml | 73 + src/StigData/Windows-2012R2-DC-2.9.xml | 8569 +++++++++++++++++ src/StigData/Windows-2012R2-DNS-1.7.xml | 2425 +++++ src/StigData/Windows-2012R2-DNS-1.9.xml | 2445 +++++ ...Windows-2012R2-IISSite-1.2.org.default.xml | 25 + src/StigData/Windows-2012R2-IISSite-1.2.xml | 1376 +++ .../Windows-2012R2-MS-2.12.org.default.xml | 69 + src/StigData/Windows-2012R2-MS-2.12.xml | 7221 ++++++++++++++ .../Windows-2012R2-MS-2.9.org.default.xml | 69 + src/StigData/Windows-2012R2-MS-2.9.xml | 7330 ++++++++++++++ .../Windows-All-ADDomain-2.8.org.default.xml | 8 + src/StigData/Windows-All-ADDomain-2.8.xml | 547 ++ 
.../Windows-All-ADDomain-2.9.org.default.xml | 8 + src/StigData/Windows-All-ADDomain-2.9.xml | 573 ++ .../Windows-All-ADForest-2.7.org.default.xml | 8 + src/StigData/Windows-All-ADForest-2.7.xml | 154 + .../Windows-All-FW-1.6.org.default.xml | 23 + src/StigData/Windows-All-FW-1.6.xml | 610 ++ .../Windows-All-IE11-1.13.org.default.xml | 8 + src/StigData/Windows-All-IE11-1.13.xml | 1663 ++++ .../Windows-All-IE11-1.15.org.default.xml | 8 + src/StigData/Windows-All-IE11-1.15.xml | 1663 ++++ tests/helper.psm1 | 292 + tests/integration/PowerStig.tests.ps1 | 20 + tests/integration/common.tests.ps1 | 251 + .../Class/OrganizationalSetting.tests.ps1 | 69 + tests/unit/Class/SkippedRule.tests.ps1 | 41 + tests/unit/Class/SkippedRuleType.tests.ps1 | 38 + tests/unit/Class/StigData.tests.ps1 | 296 + tests/unit/Class/StigException.tests.ps1 | 73 + tests/unit/Class/StigProperty.tests.ps1 | 22 + tests/unit/Class/Technology.tests.ps1 | 60 + tests/unit/Class/TechnologyRole.tests.ps1 | 92 + tests/unit/Class/TechnologyVersion.tests.ps1 | 81 + tests/unit/Common/Get-DomainName.tests.ps1 | 95 + .../Common/Get-OrgSettingsObject.tests.ps1 | 126 + tests/unit/Common/Get-StigList.tests.ps1 | 12 + tests/unit/common.tests.ps1 | 292 + tests/unit/stigData/common.tests.ps1 | 23 + 72 files changed, 55479 insertions(+), 309 deletions(-) create mode 100644 .codecov.yml create mode 100644 .vscode/launch.json create mode 100644 .vscode/settings.json create mode 100644 .vscode/tasks.json create mode 100644 appveyor.yml create mode 100644 src/Class/OrganizationalSetting.psm1 create mode 100644 src/Class/SkippedRule.psm1 create mode 100644 src/Class/SkippedRuleType.psm1 create mode 100644 src/Class/StigData.psm1 create mode 100644 src/Class/StigException.psm1 create mode 100644 src/Class/StigProperty.psm1 create mode 100644 src/Class/Technology.psm1 create mode 100644 src/Class/TechnologyRole.psm1 create mode 100644 src/Class/TechnologyVersion.psm1 create mode 100644 src/Common/Get-DomainName.ps1 create mode 
100644 src/Common/Get-OrgSettingsObject.ps1 create mode 100644 src/Common/Get-StigList.ps1 create mode 100644 src/Common/OrganizationalSettingsPropertyMap.psd1 create mode 100644 src/Enum/StigRuleType.psm1 create mode 100644 src/PowerStig.psd1 create mode 100644 src/PowerStig.psm1 create mode 100644 src/StigData/Schema/PowerStig.xsd create mode 100644 src/StigData/Sql-Server2012-Database-1.17.org.default.xml create mode 100644 src/StigData/Sql-Server2012-Database-1.17.xml create mode 100644 src/StigData/Sql-Server2012-Instance-1.16.org.default.xml create mode 100644 src/StigData/Sql-Server2012-Instance-1.16.xml create mode 100644 src/StigData/WIndows-2012R2-DNS-1.7.org.default.xml create mode 100644 src/StigData/WIndows-2012R2-DNS-1.9.org.default.xml create mode 100644 src/StigData/Windows-2012R2-DC-2.12.org.default.xml create mode 100644 src/StigData/Windows-2012R2-DC-2.12.xml create mode 100644 src/StigData/Windows-2012R2-DC-2.9.org.default.xml create mode 100644 src/StigData/Windows-2012R2-DC-2.9.xml create mode 100644 src/StigData/Windows-2012R2-DNS-1.7.xml create mode 100644 src/StigData/Windows-2012R2-DNS-1.9.xml create mode 100644 src/StigData/Windows-2012R2-IISSite-1.2.org.default.xml create mode 100644 src/StigData/Windows-2012R2-IISSite-1.2.xml create mode 100644 src/StigData/Windows-2012R2-MS-2.12.org.default.xml create mode 100644 src/StigData/Windows-2012R2-MS-2.12.xml create mode 100644 src/StigData/Windows-2012R2-MS-2.9.org.default.xml create mode 100644 src/StigData/Windows-2012R2-MS-2.9.xml create mode 100644 src/StigData/Windows-All-ADDomain-2.8.org.default.xml create mode 100644 src/StigData/Windows-All-ADDomain-2.8.xml create mode 100644 src/StigData/Windows-All-ADDomain-2.9.org.default.xml create mode 100644 src/StigData/Windows-All-ADDomain-2.9.xml create mode 100644 src/StigData/Windows-All-ADForest-2.7.org.default.xml create mode 100644 src/StigData/Windows-All-ADForest-2.7.xml create mode 100644 
src/StigData/Windows-All-FW-1.6.org.default.xml create mode 100644 src/StigData/Windows-All-FW-1.6.xml create mode 100644 src/StigData/Windows-All-IE11-1.13.org.default.xml create mode 100644 src/StigData/Windows-All-IE11-1.13.xml create mode 100644 src/StigData/Windows-All-IE11-1.15.org.default.xml create mode 100644 src/StigData/Windows-All-IE11-1.15.xml create mode 100644 tests/helper.psm1 create mode 100644 tests/integration/PowerStig.tests.ps1 create mode 100644 tests/integration/common.tests.ps1 create mode 100644 tests/unit/Class/OrganizationalSetting.tests.ps1 create mode 100644 tests/unit/Class/SkippedRule.tests.ps1 create mode 100644 tests/unit/Class/SkippedRuleType.tests.ps1 create mode 100644 tests/unit/Class/StigData.tests.ps1 create mode 100644 tests/unit/Class/StigException.tests.ps1 create mode 100644 tests/unit/Class/StigProperty.tests.ps1 create mode 100644 tests/unit/Class/Technology.tests.ps1 create mode 100644 tests/unit/Class/TechnologyRole.tests.ps1 create mode 100644 tests/unit/Class/TechnologyVersion.tests.ps1 create mode 100644 tests/unit/Common/Get-DomainName.tests.ps1 create mode 100644 tests/unit/Common/Get-OrgSettingsObject.tests.ps1 create mode 100644 tests/unit/Common/Get-StigList.tests.ps1 create mode 100644 tests/unit/common.tests.ps1 create mode 100644 tests/unit/stigData/common.tests.ps1 diff --git a/.codecov.yml b/.codecov.yml new file mode 100644 index 000000000..29a05dd15 --- /dev/null +++ b/.codecov.yml @@ -0,0 +1,24 @@ +codecov: + notify: + require_ci_to_pass: no + +comment: + layout: "reach, diff" + behavior: default + +coverage: + range: 50..80 + round: down + precision: 0 + + status: + project: + default: + # Set the overall project code coverage requirement to 70% + target: 70 + patch: + default: + # Set the pull request requirement to not regress overall coverage by more than 5% + # and let codecov.io set the goal for the code changed in the patch. + target: auto + threshold: 5 
diff --git a/.gitignore b/.gitignore
index 940794e60..00e77d2c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,288 +1,4 @@ -## Ignore Visual Studio temporary files, build results, and -## files generated by popular Visual Studio add-ons. -## -## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore +# .vscode -# User-specific files -*.suo -*.user -*.userosscache -*.sln.docstates - -# User-specific files (MonoDevelop/Xamarin Studio) -*.userprefs - -# Build results -[Dd]ebug/ -[Dd]ebugPublic/ -[Rr]elease/ -[Rr]eleases/ -x64/ -x86/ -bld/ -[Bb]in/ -[Oo]bj/ -[Ll]og/ - -# Visual Studio 2015 cache/options directory -.vs/ -# Uncomment if you have tasks that create the project's static files in wwwroot -#wwwroot/ - -# MSTest test Results -[Tt]est[Rr]esult*/ -[Bb]uild[Ll]og.* - -# NUNIT -*.VisualState.xml -TestResult.xml - -# Build Results of an ATL Project -[Dd]ebugPS/ -[Rr]eleasePS/ -dlldata.c - -# .NET Core -project.lock.json -project.fragment.lock.json -artifacts/ -**/Properties/launchSettings.json - -*_i.c -*_p.c -*_i.h -*.ilk -*.meta -*.obj -*.pch -*.pdb -*.pgc -*.pgd -*.rsp -*.sbr -*.tlb -*.tli -*.tlh -*.tmp -*.tmp_proj -*.log -*.vspscc -*.vssscc -.builds -*.pidb -*.svclog -*.scc - -# Chutzpah Test files -_Chutzpah* - -# Visual C++ cache files -ipch/ -*.aps -*.ncb -*.opendb -*.opensdf -*.sdf -*.cachefile -*.VC.db -*.VC.VC.opendb - -# Visual Studio profiler -*.psess -*.vsp -*.vspx -*.sap - -# TFS 2012 Local Workspace -$tf/ - -# Guidance Automation Toolkit -*.gpState - -# ReSharper is a .NET coding add-in -_ReSharper*/ -*.[Rr]e[Ss]harper -*.DotSettings.user - -# JustCode is a .NET coding add-in -.JustCode - -# TeamCity is a build add-in -_TeamCity* - -# DotCover is a Code Coverage Tool -*.dotCover - -# Visual Studio code coverage results -*.coverage -*.coveragexml - -# NCrunch -_NCrunch_* -.*crunch*.local.xml -nCrunchTemp_* - -# MightyMoose -*.mm.* -AutoTest.Net/ - -# Web workbench (sass) -.sass-cache/ - -# Installshield output folder -[Ee]xpress/ - -# DocProject is a documentation generator add-in -DocProject/buildhelp/ 
-DocProject/Help/*.HxT -DocProject/Help/*.HxC -DocProject/Help/*.hhc -DocProject/Help/*.hhk -DocProject/Help/*.hhp -DocProject/Help/Html2 -DocProject/Help/html - -# Click-Once directory -publish/ - -# Publish Web Output -*.[Pp]ublish.xml -*.azurePubxml -# TODO: Comment the next line if you want to checkin your web deploy settings -# but database connection strings (with potential passwords) will be unencrypted -*.pubxml -*.publishproj - -# Microsoft Azure Web App publish settings. Comment the next line if you want to -# checkin your Azure Web App publish settings, but sensitive information contained -# in these scripts will be unencrypted -PublishScripts/ - -# NuGet Packages -*.nupkg -# The packages folder can be ignored because of Package Restore -**/packages/* -# except build/, which is used as an MSBuild target. -!**/packages/build/ -# Uncomment if necessary however generally it will be regenerated when needed -#!**/packages/repositories.config -# NuGet v3's project.json files produces more ignorable files -*.nuget.props -*.nuget.targets - -# Microsoft Azure Build Output -csx/ -*.build.csdef - -# Microsoft Azure Emulator -ecf/ -rcf/ - -# Windows Store app package directories and files -AppPackages/ -BundleArtifacts/ -Package.StoreAssociation.xml -_pkginfo.txt - -# Visual Studio cache files -# files ending in .cache can be ignored -*.[Cc]ache -# but keep track of directories ending in .cache -!*.[Cc]ache/ - -# Others -ClientBin/ -~$* -*~ -*.dbmdl -*.dbproj.schemaview -*.jfm -*.pfx -*.publishsettings -orleans.codegen.cs - -# Since there are multiple workflows, uncomment next line to ignore bower_components -# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) -#bower_components/ - -# RIA/Silverlight projects -Generated_Code/ - -# Backup & report files from converting an old project file -# to a newer Visual Studio version. 
Backup files are not needed, -# because we have git ;-) -_UpgradeReport_Files/ -Backup*/ -UpgradeLog*.XML -UpgradeLog*.htm - -# SQL Server files -*.mdf -*.ldf -*.ndf - -# Business Intelligence projects -*.rdl.data -*.bim.layout -*.bim_*.settings - -# Microsoft Fakes -FakesAssemblies/ - -# GhostDoc plugin setting file -*.GhostDoc.xml - -# Node.js Tools for Visual Studio -.ntvs_analysis.dat -node_modules/ - -# Typescript v1 declaration files -typings/ - -# Visual Studio 6 build log -*.plg - -# Visual Studio 6 workspace options file -*.opt - -# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) -*.vbw - -# Visual Studio LightSwitch build output -**/*.HTMLClient/GeneratedArtifacts -**/*.DesktopClient/GeneratedArtifacts -**/*.DesktopClient/ModelManifest.xml -**/*.Server/GeneratedArtifacts -**/*.Server/ModelManifest.xml -_Pvt_Extensions - -# Paket dependency manager -.paket/paket.exe -paket-files/ - -# FAKE - F# Make -.fake/ - -# JetBrains Rider -.idea/ -*.sln.iml - -# CodeRush -.cr/ - -# Python Tools for Visual Studio (PTVS) -__pycache__/ -*.pyc - -# Cake - Uncomment if you are using it -# tools/** -# !tools/packages.config - -# Telerik's JustMock configuration file -*.jmconfig - -# BizTalk build output -*.btp.cs -*.btm.cs -*.odx.cs -*.xsd.cs +/release +tests/*/TEST-* \ No newline at end of file diff --git a/.vscode/launch.json b/.vscode/launch.json new file mode 100644 index 000000000..caf3325c6 --- /dev/null +++ b/.vscode/launch.json 
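Review bot: The trimmed ignore list drops the patterns that kept credential-bearing artifacts out of the tree: `*.pfx`, `*.publishsettings`, `*.pubxml` and `PublishScripts/` are all removed, and none of the three remaining entries covers them. This module appears to be built and published from a CI job holding deploy credentials, so an accidental `git add` of a signing certificate or publish profile is the likeliest leak path; I would keep at least `*.pfx`, `*.publishsettings` and `*.pubxml` below `tests/*/TEST-*`. Note that `# .vscode` is a comment rather than a pattern, so `.vscode/` is not ignored; if that is intended (the same commit adds `.vscode/*.json`) the comment should say so, otherwise it should read `.vscode/`. An ignore file is a convenience, not a control, so a pre-commit secret scan is still worth wiring in.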
@@ -0,0 +1,36 @@
+{
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "type": "PowerShell",
+ "request": "launch",
+ "name": "PowerShell Launch Current File",
+ "script": "${file}",
+ "args": [],
+ "cwd": "${file}"
+ },
+ {
+ "type": "PowerShell",
+ "request": "launch",
+ "name": "PowerShell Launch Current File w/Args Prompt",
+ "script": "${file}",
+ "args": [
+ "${command:SpecifyScriptArgs}"
+ ],
+ "cwd": "${file}"
+ },
+ {
+ "type": "PowerShell",
+ "request": "attach",
+ "name": "PowerShell Attach to Host Process",
+ "processId": "${command:PickPSHostProcess}",
+ "runspaceId": 1
+ },
+ {
+ "type": "PowerShell",
+ "request": "launch",
+ "name": "PowerShell Interactive Session",
+ "cwd": "${workspaceRoot}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 000000000..1f064ca65
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,53 @@ +{ + // Automatically format code as it is typed. + "editor.formatOnType": true, + + // Controls if the editor will insert spaces for tabs. + // If set to auto, the value will be guessed based on the opened file. + "editor.insertSpaces": true, + + // controlls how editor renders white space + // boundary does not render single spaces between words + "editor.renderWhitespace": "boundary", + + // The default language mode applied to new files + "files.defaultLanguage": "powershell", + + // When enabled, insert a final new line at the end of the file when saving it. + "files.insertFinalNewline": true, + + "files.trimTrailingWhitespace": false, + + // Places open brace on the same line as its associated statement. + "powershell.codeFormatting.openBraceOnSameLine": false, + + // Adds a newline (line break) after an open brace. + "powershell.codeFormatting.newLineAfterOpenBrace": true, + + // Adds a newline (line break) after a closing brace. + "powershell.codeFormatting.newLineAfterCloseBrace": true, + + // Adds a space between a keyword and its associated scriptblock expression. + "powershell.codeFormatting.whitespaceBeforeOpenBrace": true, + + // Adds a space between a keyword (if, elseif, while, switch, etc) and its associated conditional expression. + "powershell.codeFormatting.whitespaceBeforeOpenParen": true, + + // Adds spaces before and after an operator ('=', '+', '-', etc.). + "powershell.codeFormatting.whitespaceAroundOperator": true, + + // Adds a space after a separator (',' and ';'). + "powershell.codeFormatting.whitespaceAfterSeparator": true, + + // Does not reformat one-line code blocks, such as "if (...) {...} else {...}". + "powershell.codeFormatting.ignoreOneLineBlock": false, + + // Align assignment statements in a hashtable or a DSC Configuration. + "powershell.codeFormatting.alignPropertyValuePairs": true, + + // Shows the integrated console when the PowerShell extension is initialized. 
+ "powershell.integratedConsole.showOnStartup": true, + + // Switches focus to the console when a script selection is run or a script file is debugged. This is an accessibility feature. To disable it, set to false. + "powershell.integratedConsole.focusConsoleOnExecute": true +} diff --git a/.vscode/tasks.json b/.vscode/tasks.json new file mode 100644 index 000000000..de2b88be2 --- /dev/null +++ b/.vscode/tasks.json 
@@ -0,0 +1,128 @@
+// Available variables which can be used inside of strings.
+// ${workspaceRoot}: the root folder of the team
+// ${file}: the current opened file
+// ${relativeFile}: the current opened file relative to workspaceRoot
+// ${fileBasename}: the current opened file's basename
+// ${fileDirname}: the current opened file's dirname
+
+// ${fileExtname}: the current opened file's extension
+// ${cwd}: the current working directory of the spawned process
+{
+ // See https://go.microsoft.com/fwlink/?LinkId=733558
+ // for the documentation about the tasks.json format
+ "version": "2.0.0",
+
+ // Start PowerShell
+ "windows": {
+ "command": "C:\\Windows\\sysnative\\windowspowershell\\v1.0\\PowerShell.exe",
+ "args": [ "-NoProfile", "-ExecutionPolicy", "Bypass",
+ "-File", "${workspaceRoot}\\build\\start.ps1"
+ ]
+ },
+ "linux": {
+ "command": "/usr/bin/powershell",
+ "args": [ "-NoProfile" ]
+ },
+ "osx": {
+ "command": "/usr/local/bin/powershell",
+ "args": [ "-NoProfile" ]
+ },
+
+ // Show the output window always
+ "presentation": {
+ "echo": true,
+ "reveal": "always",
+ "focus": false,
+ "panel": "shared"
+ },
+
+ // Associate with test task runner
+ "tasks": [
+ {
+ "taskName": "Clean",
+ "suppressTaskName": true,
+ "presentation": {
+ "echo": true,
+ "reveal": "always",
+ "focus": false,
+ "panel": "shared"
+ },
+ "args": [
+ "-Task",
+ "Clean"
+ ]
+ },
+ {
+ "taskName": "Build",
+ "suppressTaskName": true,
+ "group": "build",
+ "presentation": {
+ "echo": true,
+ "reveal": "always",
+ "focus": false,
+ "panel": "shared"
+ },
+ "args": [
+ "-Task",
+ "Build"
+ ],
+ "problemMatcher": [
+ "$pester"
+ ]
+ },
+ {
+ "taskName": "BuildNoUt",
+ "suppressTaskName": true,
+ "group": "build",
+ "presentation": {
+ "echo": true,
+ "reveal": "always",
+ "focus": false,
+ "panel": "shared"
+ },
+ "args": [
+ "-Task",
+ "BuildNoUt"
+ ],
+ "problemMatcher": [
+ "$pester"
+ ]
+ },
+ {
+ "taskName": "Install",
+ "suppressTaskName": true,
+ "group": "build",
+ "presentation": {
+ "echo": true,
+ "reveal": "always",
+ "focus": false,
+ "panel": "shared"
+ },
+ "args": [
+ "-Task",
+ "Install"
+ ],
+ "problemMatcher": [
+ "$pester"
+ ]
+ },
+ {
+ "taskName": "Unit",
+ "suppressTaskName": true,
+ "group": "test",
+ "presentation": {
+ "echo": true,
+ "reveal": "always",
+ "focus": false,
+ "panel": "shared"
+ },
+ "args": [
+ "-Task",
+ "Test.Unit"
+ ],
+ "problemMatcher": [
+ "$pester"
+ ]
+ }
+ ]
+}
diff --git a/LICENSE b/LICENSE
index 21071075c..2f3f75c16 100644
--- a/LICENSE
+++ b/LICENSE
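Review bot: Every task here runs `${workspaceRoot}\\build\\start.ps1`, but no `build/start.ps1` is part of this commit (the diffstat lists nothing under `build/`), so Clean/Build/BuildNoUt/Install/Unit all fail to launch until that script lands; either add it in this change or state in the README that the VS Code tasks depend on a separate build checkout. The `-ExecutionPolicy Bypass` flag means whatever that script contains runs unsigned on any developer machine that opens the workspace and triggers a task, which is normal for a dev loop but deserves a comment next to the `"windows"` block, e.g. `// Bypass lets the unsigned build script run; review build/start.ps1 before invoking tasks`. The `linux` and `osx` entries pass only `-NoProfile` with no `-File`, so on those platforms a task would invoke `powershell -NoProfile -Task Clean` with no script to receive the `-Task` argument.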
@@ -1,21 +1,13 @@ - MIT License - - Copyright (c) Microsoft Corporation. All rights reserved. - - Permission is hereby granted, free of charge, to any person obtaining a copy - of this software and associated documentation files (the "Software"), to deal - in the Software without restriction, including without limitation the rights - to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - copies of the Software, and to permit persons to whom the Software is - furnished to do so, subject to the following conditions: - - The above copyright notice and this permission notice shall be included in all - copies or substantial portions of the Software. - - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - SOFTWARE +------------------------------------------- START OF LICENSE ----------------------------------------- +PowerSTIG Copyright (c) Microsoft Corporation All rights reserved. 
MIT License Permission is hereby +granted, free of charge, to any person obtaining a copy of this software and associated documentation +files (the Software), to deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the +Software, and to permit persons to whom the Software is furnished to do so, subject to the following +conditions: The above copyright notice and this permission notice shall be included in all copies or +substantial portions of the Software.THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A +PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE +FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +-------------------------------------------- END OF LICENSE ------------------------------------------ diff --git a/README.md b/README.md index 72f1506a9..7091f524d 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ +# PowerSTIG -# Contributing +PowerSTIG is a core data module that other modules in the PowerSTIG project reference. + +## Contributing This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us diff --git a/appveyor.yml b/appveyor.yml new file mode 100644 index 000000000..1dee0de21 --- /dev/null +++ b/appveyor.yml 
@@ -0,0 +1,33 @@
+#---------------------------------#
+# environment configuration #
+#---------------------------------#
+
+version: 1.0.{build}.0
+install:
+ - git clone https://github.com/PowerShell/DscResource.Tests
+ - ps: Write-Verbose -Message "PowerShell version $($PSVersionTable.PSVersion)" -Verbose
+ - ps: Import-Module "$env:APPVEYOR_BUILD_FOLDER\DscResource.Tests\AppVeyor.psm1"
+ - ps: Invoke-AppveyorInstallTask
+
+#---------------------------------#
+# build configuration #
+#---------------------------------#
+
+build: false
+
+#---------------------------------#
+# test configuration #
+#---------------------------------#
+
+test_script:
+ - ps: |
+ Invoke-AppveyorTestScriptTask -CodeCoverage -CodeCovIo -ExcludeTag @()
+
+#---------------------------------#
+# deployment configuration #
+#---------------------------------#
+
+# scripts to run before deployment
+deploy_script:
+ - ps: |
+ Invoke-AppveyorAfterTestTask
diff --git a/src/Class/OrganizationalSetting.psm1 b/src/Class/OrganizationalSetting.psm1
new file mode 100644
index 000000000..6ff85df6b
--- /dev/null
+++ b/src/Class/OrganizationalSetting.psm1
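Review bot: The install step clones `https://github.com/PowerShell/DscResource.Tests` at whatever its default branch points to at build time and then imports and executes `AppVeyor.psm1` from it, in the same job that later runs `Invoke-AppveyorAfterTestTask` as the deploy step, so any change pushed to that repository runs with this build's environment and deploy secrets. Pin it to a reviewed revision: keep `- git clone https://github.com/PowerShell/DscResource.Tests` and add `- git -C DscResource.Tests checkout <reviewed-commit-sha>` directly after it, bumping the pin deliberately. A one-line comment above the clone explaining why the helper is fetched at build time rather than committed would help whoever has to update that pin later.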
@@ -0,0 +1,184 @@ +# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license. + +<# +.SYNOPSIS + This class describes an OrganizationalSetting + +.DESCRIPTION + The OrganizationalSetting class describes OrganizationalSetting, a value for a Stig Rule that is specific to the implementing organization. + Stigs requiring organizational settings will be accompanied by a default settings file. These can either be used as-is or replaced with + values specific to the implementing organization. This Xml file will subsequently be transformed into OrganizationalSetting objects to + be passed into and used in the StigData class constructor. + +.EXAMPLE + $organizationalSetting = [OrganizationalSetting]::new('V-1090', '4') + +.NOTES + This class requires PowerShell v5 or above. +#> + +Class OrganizationalSetting +{ + #region Properties + <# + .DESCRIPTION + The Id of an individual Stig Rule + #> + [string] $StigRuleId + + <# + .DESCRIPTION + The specific organizational value to set for the associated Stig rule + #> + [string] $Value + #endregion Properties + + #region Constructors + <# + .SYNOPSIS + Parameterless constructor + + .DESCRIPTION + A parameterless constructor for OrganizationalSetting. To be used only for + build/unit testing purposes as Pester currently requires it in order to test + static methods on powershell classes + + .RETURN + OrganizationalSetting + #> + OrganizationalSetting() + { + Write-Warning "This constructor is for build testing only." + } + + <# + .SYNOPSIS + Constructor + + .DESCRIPTION + A constructor for OrganizationalSetting. Returns a ready to use instance + of OrganizationalSetting. 
+ + .PARAMETER StigRuleId + The Id of an individual Stig Rule + + .PARAMETER Value + The specific organizational value to set for the associated Stig rule + + .RETURN + OrganizationalSetting + #> + OrganizationalSetting([string] $StigRuleId, [string] $Value) + { + $this.StigRuleId = $StigRuleId + $this.Value = $Value + } + #endregion Constructors + + #region Static Methods + <# + .SYNOPSIS + The mapping of Stig rule types to the property needing to be modified + within the Stig rule + + .DESCRIPTION + This method returns a Hashtable containing a mapping between a specific Stig rule + type and the property of that Stig rule type that needs to be modified by the + organizational setting + + .RETURN + Hashtable + #> + static [Hashtable] PropertyMap () + { + return Import-PowerShellDataFile -Path $PSScriptRoot\..\Common\OrganizationalSettingsPropertyMap.psd1 + } + + <# + .SYNOPSIS + Converts a provided Xml document into an OrganizationalSetting array + + .DESCRIPTION + This method returns an OrganizationalSetting array based on the Xml document provided + as the parameter. 
The Xml document must follow the same schema as the associated + default org settings file for a given Stig + + .PARAMETER OrganizationalSettingsXml + An Xml document describing the implementing organization's settings for Stig rules with + a valid range + + [xml] $OrgSettingXml = + @" + + + + + + + + + + + + + "@ + + .RETURN + OrganizationalSetting[] + #> + static [OrganizationalSetting[]] ConvertFrom ([xml] $OrganizationalSettingsXml) + { + [System.Collections.ArrayList] $orgSettings = @() + + foreach ($orgSetting in $OrganizationalSettingsXml.OrganizationalSettings.OrganizationalSetting) + { + $org = [OrganizationalSetting]::new($orgSetting.id, $orgSetting.Value) + $orgSettings.Add($org) + } + + return $orgSettings + } + + <# + .SYNOPSIS + Converts a provided Hashtable into an OrganizationalSetting array + + .DESCRIPTION + This method returns an OrganizationalSetting array based on the Hashtable provided + as the parameter. The Hashtable must follow the schema specified below. + + .PARAMETER OrganizationalSettingsHashtable + A Hashtable describing the implementing organization's settings for Stig rules with + a valid range + + [hashtable] $OrgSettingHashtable = + @{ + "V-1114"="xGuest"; + "V-1115"="xAdministrator"; + "V-3472.a"="NT5DS"; + "V-4108"="90"; + "V-4113"="300000"; + "V-8322.b"="NT5DS"; + "V-26482"="Administrators"; + "V-26579"="32768"; + "V-26580"="196608"; + "V-26581"="32768" + } + + .RETURN + OrganizationalSetting[] + #> + static [OrganizationalSetting[]] ConvertFrom ([hashtable] $OrganizationalSettingsHashtable) + { + [System.Collections.ArrayList] $orgSettings = @() + + foreach ($orgSetting in $OrganizationalSettingsHashtable.Keys) + { + $org = [OrganizationalSetting]::new($orgSetting, $OrganizationalSettingsHashtable.$orgSetting) + $orgSettings.Add($org) + } + + return $orgSettings + } + #endregion Static Methods +} diff --git a/src/Class/SkippedRule.psm1 b/src/Class/SkippedRule.psm1 new file mode 100644 index 000000000..4104ecb38 --- /dev/null 
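Review bot: The hashtable overload of `ConvertFrom` reads each entry with member syntax, `$OrganizationalSettingsHashtable.$orgSetting`, which resolves a key that happens to collide with a hashtable member (`Keys`, `Count`, `Values`) to that member rather than the stored value; the indexer is the safe form: `$org = [OrganizationalSetting]::new($orgSetting, $OrganizationalSettingsHashtable[$orgSetting])`. Neither overload checks that the id or value is present, so an org-settings element without an `id` attribute silently becomes a setting with an empty `StigRuleId` and the rule it was meant to configure keeps its default; a `[string]::IsNullOrWhiteSpace` check that throws naming the offending entry would make a malformed settings file fail loudly instead of being quietly ignored. The two-argument constructor is the natural place for that check so it also covers callers that build the objects directly.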
+++ b/src/Class/SkippedRule.psm1 
@@ -0,0 +1,109 @@ +# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license. + +<# +.SYNOPSIS + This class describes a SkippedRule + +.DESCRIPTION + The SkippedRule class describes a SkippedRule, the rule id of a specific Stig rule that should be excluded from the Stigs that need to be + processed. The SkippedRule class instance will move the specific Stig rule into a SkippedRule section of the StigData output Xml so that + it is documented as having been skipped. + +.EXAMPLE + $skippedRule = [SkippedRule]::new('V-1090') + +.NOTES + This class requires PowerShell v5 or above. +#> + +Class SkippedRule +{ + #region Properties + <# + .DESCRIPTION + The Id of an individual Stig Rule + #> + [string] $StigRuleId + #endregion Properties + + #region Constructor + <# + .SYNOPSIS + Parameterless constructor + + .DESCRIPTION + A parameterless constructor for SkippedRule. To be used only for + build/unit testing purposes as Pester currently requires it in order to test + static methods on powershell classes + + .RETURN + SkippedRule + #> + SkippedRule() + { + Write-Warning "This constructor is for build testing only." + } + + <# + .SYNOPSIS + Constructor + + .DESCRIPTION + A constructor for SkippedRule. Returns a ready to use instance + of SkippedRule. + + .PARAMETER StigRuleId + The Id of an individual Stig Rule + + .RETURN + SkippedRule + #> + SkippedRule([string] $StigRuleId) + { + $this.StigRuleId = $StigRuleId + } + #endregion Constructor + + #region Static Methods + <# + .SYNOPSIS + Converts a provided string array of Stig rule ids into a SkippedRule array + + .DESCRIPTION + This method returns an SkippedRule array based on the string array provided + as the parameter. 
+ + .PARAMETER SkippedRules + A string array of Stig rule ids + + [string[]] $SkippedRuleArray = + @( + "V-1114", + "V-1115", + "V-3472.a", + "V-4108", + "V-4113", + "V-8322.b", + "V-26482", + "V-26579", + "V-26580", + "V-26581" + ) + + .RETURN + SkippedRule[] + #> + static [SkippedRule[]] ConvertFrom ([string[]] $SkippedRules) + { + [System.Collections.ArrayList] $skips = @() + + foreach ($skip in $SkippedRules) + { + $rule = [SkippedRule]::new($skip.Trim()) + $skips.Add($rule) + } + + return $skips + } + #endregion Static Methods +} diff --git a/src/Class/SkippedRuleType.psm1 b/src/Class/SkippedRuleType.psm1 new file mode 100644 index 000000000..e9ab1383d --- /dev/null +++ b/src/Class/SkippedRuleType.psm1 
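Review bot: `ConvertFrom` turns every entry into a `SkippedRule`, including empty or whitespace-only strings, and a `$null` entry fails inside `.Trim()` with a null-reference error rather than a message naming the bad input. Because a skipped rule is taken out of enforcement (the class comment says the rule is moved into the SkippedRule section of the output), a stray blank entry deserves a loud failure, e.g. `if ([string]::IsNullOrWhiteSpace($skip)) { throw "SkippedRule id cannot be empty." }` before the constructor call. Putting the same check in the `SkippedRule([string] $StigRuleId)` constructor keeps it from being bypassed by callers that construct the objects themselves.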
@@ -0,0 +1,115 @@ +# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license. + +using module .\..\Enum\StigRuleType.psm1 + +<# +.SYNOPSIS + This class describes a SkippedRuleType + +.DESCRIPTION + The SkippedRuleType class describes a SkippedRuleType, the collection of Stig rule ids of a specific Stig rule type that should be excluded + from the Stigs that need to be processed. The SkippedRuleType class instance will move all of the Stig rules under that type into a + SkippedRule section of the StigData output Xml so that it is documented as having been skipped. + +.EXAMPLE + $skippedRuleType = [SkippedRuleType]::new('AccountPolicyRule') + +.NOTES + This class requires PowerShell v5 or above. +#> + +Class SkippedRuleType +{ + #region Properties + <# + .DESCRIPTION + The name of the type of Stig rule + #> + [StigRuleType] $StigRuleType + #endregion Properties + + #region Constructors + <# + .SYNOPSIS + Parameterless constructor + + .DESCRIPTION + A parameterless constructor for SkippedRuleType. To be used only for + build/unit testing purposes as Pester currently requires it in order to test + static methods on powershell classes + + .RETURN + SkippedRuleType + #> + SkippedRuleType() + { + Write-Warning "This constructor is for build testing only." + } + + <# + .SYNOPSIS + Constructor + + .DESCRIPTION + A constructor for SkippedRuleType. Returns a ready to use instance + of SkippedRuleType. + + .PARAMETER StigRuleType + The name of the type of Stig rule from the StigRuleType Enum + + .RETURN + SkippedRuleType + #> + SkippedRuleType([StigRuleType] $StigRuleType) + { + $this.StigRuleType = $StigRuleType + } + #endregion Constructors + + #region Static Methods + <# + .SYNOPSIS + Converts a provided string array of Stig rule types into a SkippedRuleType array + + .DESCRIPTION + This method returns an SkippedRuleType array based on the string array provided + as the parameter. 
+ + .PARAMETER SkippedRules + A string array of Stig rule types + + [string[]] $SkippedRuleTypeArray = + @( + "AccountPolicyRule", + "AuditPolicyRule", + "RegistryRule", + "SecurityOptionRule", + "ServicePolicy", + "UserRightRule" + ) + + .RETURN + SkippedRuleType[] + #> + static [SkippedRuleType[]] ConvertFrom ([string[]] $SkippedRuleTypes) + { + [System.Collections.ArrayList] $skips = @() + + foreach ($skip in $SkippedRuleTypes) + { + try + { + $rule = [SkippedRuleType]::new($skip.Trim()) + $skips.Add($rule) + } + catch + { + throw("$($skip) is not a valid StigRuleType.") + } + + } + + return $skips + } + #endregion Static Methods +} diff --git a/src/Class/StigData.psm1 b/src/Class/StigData.psm1 new file mode 100644 index 000000000..0deef0f63 --- /dev/null +++ b/src/Class/StigData.psm1 
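Review bot: In `ConvertFrom`, the `try` spans both the `[SkippedRuleType]::new($skip.Trim())` conversion and the `$skips.Add($rule)` call, and the `catch` throws a fresh string that drops the original exception, so any failure in the loop is reported as `is not a valid StigRuleType` with no cause attached. Narrow the `try` to the `new` call and chain the inner exception, e.g. `throw [System.ArgumentException]::new("$($skip) is not a valid StigRuleType.", $_.Exception)`, then move `[void] $skips.Add($rule)` after the try/catch. Note also that PowerShell's string-to-enum conversion is case-insensitive and, I believe, accepts numeric strings, so if only enum names are meant to be accepted a pre-check such as `[Enum]::GetNames([StigRuleType]) -contains $skip.Trim()` is more precise than relying on the cast to fail.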
@@ -0,0 +1,506 @@ +# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license. + +using module .\StigException.psm1 +using module .\SkippedRuleType.psm1 +using module .\SkippedRule.psm1 +using module .\OrganizationalSetting.psm1 +using module .\Technology.psm1 +using module .\TechnologyRole.psm1 +using module .\TechnologyVersion.psm1 + +<# +.SYNOPSIS + This class describes a StigData + +.DESCRIPTION + The StigData class describes a StigData, the collection of all Stig rules for a given technology that need to be implemented + in order to enforce the security posture those rules define. StigData takes in instances of many other classes that describe + the given technology and the implementing organizations specific settings, exceptions, and rules to skip. Upon creation of a + StigData instance, the resulting Xml is immediately available for those preconditions. + +.EXAMPLE + $stigData = [StigData]::new([string] $StigVersion, [OrganizationalSetting[]] $OrganizationalSettings, [Technology] $Technology, [TechnologyRole] $TechnologyRole, [TechnologyVersion] $TechnologyVersion, [StigException[]] $StigExceptions, [SkippedRuleType[]] $SkippedRuleTypes, [SkippedRule[]] $SkippedRules) + +.NOTES + This class requires PowerShell v5 or above. 
+#> + +Class StigData +{ + #region Properties + <# + .DESCRIPTION + The document/published version of the Stig to select + #> + [Version] $StigVersion + + <# + .DESCRIPTION + An array of settings/values specific to an organization to apply to specific rules + #> + [OrganizationalSetting[]] $OrganizationalSettings + + <# + .DESCRIPTION + The type of the technology of the Stig to select + #> + [Technology] $Technology + + <# + .DESCRIPTION + The role of the technology of the Stig to select + #> + [TechnologyRole] $TechnologyRole + + <# + .DESCRIPTION + The version of the technology of the Stig to select + #> + [TechnologyVersion] $TechnologyVersion + + <# + .DESCRIPTION + An array of names of Stig exceptions to apply to specific rules + #> + [StigException[]] $StigExceptions + + <# + .DESCRIPTION + An array of names of rule types to skip all rules of + #> + [SkippedRuleType[]] $SkippedRuleTypes + + <# + .DESCRIPTION + An array of Stig rules to skip and move into the SkipRule rule type + #> + [SkippedRule[]] $SkippedRules + + <# + .DESCRIPTION + The loaded Xml document of the Stig loaded from StigPath + #> + [xml] $StigXml + + <# + .DESCRIPTION + The file path to the Stig Xml file in the StigData directory + #> + [string] $StigPath + #endregion Properties + + #region Constructor + <# + .SYNOPSIS + Parameterless constructor + + .DESCRIPTION + A parameterless constructor for StigData. To be used only for + build/unit testing purposes as Pester currently requires it in order to test + static methods on powershell classes + + .RETURN + StigData + #> + StigData() + { + Write-Warning "This constructor is for build testing only." + } + + <# + .SYNOPSIS + Constructor + + .DESCRIPTION + A constructor for StigData. Returns a ready to use instance + of StigData. 
+ + .PARAMETER StigVersion + The document/published version of the Stig to select + + .PARAMETER OrganizationalSettings + An array of settings/values specific to an organization to apply to specific rules + + .PARAMETER Technology + The type of the technology of the Stig to select + + .PARAMETER TechnologyRole + The role of the technology of the Stig to select + + .PARAMETER TechnologyVersion + The version of the technology of the Stig to select + + .PARAMETER StigExceptions + An array of names of Stig exceptions to apply to specific rules + + .PARAMETER SkippedRuleTypes + An array of names of rule types to skip all rules of + + .PARAMETER SkippedRules + An array of Stig rules to skip and move into the SkipRule rule type + + .RETURN + StigData + #> + StigData([string] $StigVersion, [OrganizationalSetting[]] $OrganizationalSettings, [Technology] $Technology, [TechnologyRole] $TechnologyRole, [TechnologyVersion] $TechnologyVersion, [StigException[]] $StigExceptions, [SkippedRuleType[]] $SkippedRuleTypes, [SkippedRule[]] $SkippedRules) + { + if (!($Technology) -or !($TechnologyRole) -or !($TechnologyVersion)) { + throw("Technology, TechnologyVersion, and TechnologyRole must be provided.") + } + + if (!($StigVersion)) + { + $this.StigVersion = [StigData]::GetHighestStigVersion($Technology, $TechnologyRole, $TechnologyVersion) + } + else + { + $this.StigVersion = $StigVersion + } + + $this.Technology = $Technology + $this.TechnologyRole = $TechnologyRole + $this.TechnologyVersion = $TechnologyVersion + + $this.OrganizationalSettings = $OrganizationalSettings + $this.StigExceptions = $StigExceptions + $this.SkippedRuleTypes = $SkippedRuleTypes + $this.SkippedRules = $SkippedRules + + $this.SetStigPath() + $this.ProcessStigData() + } + #endregion Constructor + + #region Methods + <# + .SYNOPSIS + Determines and sets the StigPath + + .DESCRIPTION + This method determines the value of Stig path given the passed in + StigVersion, Technology, TechnologyVersion, and 
TechnologyRole. It + also validates that a file exists at that determined path. + + .RETURN + void + #> + [void] SetStigPath () + { + $path = "$([StigData]::GetRootPath())\$($this.Technology.Name)-$($this.TechnologyVersion.Name)-$($this.TechnologyRole.Name)-$($this.StigVersion).xml" + + if (Test-Path -Path $path) + { + $this.StigPath = $path + } + else + { + throw("No STIG exists matching the supplied Technology, TechnologyRole, and TechnologyVersion. Please check configuration and try again.") + } + } + + <# + .SYNOPSIS + Processes properties into Stig Xml + + .DESCRIPTION + This method processes all the class properties and merges them into the default Stig + + .RETURN + void + #> + [void] ProcessStigData () + { + $this.StigXml = [xml] (Get-Content -Path $this.StigPath -Raw) + + $this.MergeOrganizationalSettings() + $this.MergeStigExceptions() + $this.ProcessSkippedRuleTypes() + $this.MergeSkippedRules() + } + + <# + .SYNOPSIS + Merges OrganizationalSetting property into StigXml + + .DESCRIPTION + This method merges the OrganizationalSettings property into StigXml. If OrganizationalSettings + are null it will load in the associated default OrganizationalSettings from the default + file stored in PowerStig. A partial or complete OrganizationalSettings property will be + merged with the defaults prior to being merged into StigXml. 
+ + .RETURN + void + #> + [void] MergeOrganizationalSettings () + { + $propertyMap = [OrganizationalSetting]::PropertyMap() + + # Check if default Org Settings exists for STIG + $orgSettingPath = $this.StigPath -replace "\.xml", ".org.default.xml" + $orgSettingsExists = Test-Path -Path $orgSettingPath + + # Check if STIG has Org Settings + if ($orgSettingsExists) + { + [xml] $orgSettingsXml = Get-Content -Path $orgSettingPath -Raw + $mergedOrgSettings = [OrganizationalSetting]::ConvertFrom($orgSettingsXml) + + # Merge default Org Settings with passed in Org Settings + if ($this.OrganizationalSettings) + { + foreach ($orgSetting in $mergedOrgSettings) + { + $matchingOrgSetting = $this.OrganizationalSettings.Where({$_.StigRuleId -eq $orgSetting.StigRuleId}) + if ($matchingOrgSetting) + { + $orgSetting.Value = $matchingOrgSetting.Value + } + } + } + + $this.OrganizationalSettings = $mergedOrgSettings + + # Merge Org Settings into StigXml + + foreach ( $node in $this.StigXml.DISASTIG.ChildNodes.Name ) + { + # Get the list of STIG settings for the current type + + foreach ( $rule in $this.StigXml.DISASTIG.$node.Rule ) + { + if ( $rule.OrganizationValueRequired -eq $true ) + { + $orgSetting = $this.OrganizationalSettings.where({$_.StigRuleId -eq $rule.id}) + + if ( -not $orgSetting ) + { + Write-Warning "An organizational setting was not found for $( $rule.id )." + } + + if ( -not ( & ( [Scriptblock]::Create( "$($rule.OrganizationValueTestString)" -f $orgSetting.Value.ToString() ) ) ) ) + { + Write-Warning "The local setting ($($orgSetting.Value.ToString())) for $($rule.id) is not within the specified range ($($rule.OrganizationValueTestString)) + Please check and update the Organizational Setting array passed in." 
+ } + + $propertyToOverride = $propertyMap.$node + $rule.$propertyToOverride = $orgSetting.Value + } + } + } + } + } + + <# + .SYNOPSIS + Merges StigExceptions property into StigXml + + .DESCRIPTION + This method merges the StigExceptions property into StigXml. If StigExceptions + are null it will skip any additional execution. + + .RETURN + void + #> + [void] MergeStigExceptions () + { + if ($this.StigExceptions) + { + foreach ($exception in $this.StigExceptions) + { + # Lookup the STIG Id in the data + $ruleToOverride = ( $this.StigXml.DISASTIG | + Select-Xml -XPath "//Rule[@id='$( $exception.StigRuleId )']" -ErrorAction Stop ).Node + + # If an Id is not found we can continue, but notify the user. + if ($null -eq $ruleToOverride) + { + Write-warning "$($exception.StigRuleId) was not found" + continue + } + + # Append [Exception] to the STIG title + $ruleToOverride.title = "[Exception]" + $ruleToOverride.title + # select and Update the property to override + $propertiesToOverride = $exception.Properties + foreach ($property in $propertiesToOverride) + { + $propertyToOverride = $property.Name + $ruleToOverride.$propertyToOverride = $property.Value.ToString() + } + } + } + } + + <# + .SYNOPSIS + Processes SkippedRuleTypes property into SkippedRules + + .DESCRIPTION + This method processes the SkippedRuleTypes and adds the individual rules + for each type into the SkippedRules property. + + .RETURN + void + #> + [void] ProcessSkippedRuleTypes () + { + if ($this.SkippedRuleTypes) + { + foreach ($ruleType in $this.SkippedRuleTypes) + { + #Collects the Id's of the rules of the RuleType + $ruleToOverride = $this.StigXml.DISASTIG.$($RuleType.StigRuleType).rule.id + + # If an Id is not found we can continue, but notify the user. 
+ if ($null -eq $ruleToOverride) + { + Write-Warning "SkippedRuleType of $($ruleType.StigRuleType) was not found" + continue + } + else + { + foreach($rule in $ruleToOverride) + { + $newSkipRule = [SkippedRule]::new($rule) + $this.SkippedRules += $newSkipRule + } + } + } + } + } + + <# + .SYNOPSIS + Merges SkippedRules property into StigXml + + .DESCRIPTION + This method merges the SkippedRules property into StigXml. All Stig rules within + the SkippedRules array will be moved from their associated Stig rule type into + a new 'SkipRule' Stig rule type within StigXml. + + .RETURN + void + #> + [void] MergeSkippedRules () + { + if ($this.SkippedRules) + { + # This creates a Skip rule XML element and appends it to $stigContent + [System.XML.XMLElement] $skipNode = $this.StigXml.CreateElement("SkipRule") + [void] $this.StigXml.DISASTIG.AppendChild($skipNode) + + Foreach ($rule in $this.SkippedRules) + { + # Lookup the STIG Id in the data + $ruleToOverride = ( $this.StigXml.DISASTIG | Select-Xml -XPath "//Rule[@id='$( $rule.StigRuleId )']" -ErrorAction Stop ).Node + + # If an Id is not found we can continue, but notify the user. 
+ if ($null -eq $ruleToOverride) + { + Write-Warning "STIG rule with Id '$($rule.StigRuleId)' was not found" + continue + } + else + { + $ruleToOverride.title = "[Skip]" + $ruleToOverride.title + [void] $this.StigXml.SelectSingleNode("//SkipRule").AppendChild($ruleToOverride) + } + } + } + } + #endregion Methods + + #region Static Methods + <# + .SYNOPSIS + Returns the root path to the StigData directory + + .DESCRIPTION + Returns the root path to the StigData directory which contains all the Stig XML files + currently available for PowerStig + + .RETURN + string + #> + static [string] GetRootPath () + { + # The path needs to take into account the version folder that changes with each release + $rootPath = (Resolve-Path -Path $PSScriptRoot\..).Path + + return (Get-ChildItem -Path $rootPath -Filter 'StigData' -Directory -Recurse).FullName + } + + <# + .SYNOPSIS + Returns the highest available Stig version + + .DESCRIPTION + Returns the highest available Stig version for a given Technology, TechnologyVersion, and TechnologyRole + + .PARAMETER Technology + The type of the technology of the Stig to select + + .PARAMETER TechnologyRole + The role of the technology of the Stig to select + + .PARAMETER TechnologyVersion + The version of the technology of the Stig to select + + .RETURN + string + #> + static [Version] GetHighestStigVersion ([Technology] $Technology, [TechnologyRole] $TechnologyRole, [TechnologyVersion] $TechnologyVersion) + { + $highestStigVersionInTarget = (Get-ChildItem -Path $([StigData]::GetRootPath()) -Exclude "*org*").BaseName | + Where-Object {$PSItem -like "*$($Technology.Name)-$($TechnologyVersion.Name)-$($TechnologyRole.Name)*"} | + Foreach-Object {($PsItem -split "-")[3]} | + Select-Object -unique | + Sort-Object | + Select-Object -First 1 + + return [Version]::new($highestStigVersionInTarget) + } + + <# + .SYNOPSIS + Returns all available Stigs + + .DESCRIPTION + Returns all of the currently available for PowerStig along with their + associated 
Technology, TechnologyVersion, TechnologyRole, and StigVersion + + .RETURN + PSObject[] + #> + static [PSObject[]] GetAvailableStigs () + { + $childItemParameters = @{ + Path = "$([StigData]::GetRootPath())" + Exclude = "*.org.*" + Include = "*.xml" + File = $true + Recurse = $true + } + + $stigList = Get-ChildItem @childItemParameters + + [System.Collections.ArrayList] $returnList = @() + + foreach ($stig in $stigList) + { + $stigProperties = $stig.BaseName -Split "-" + + $stigPropertyList = New-Object PSObject + $stigPropertyList | Add-Member -MemberType NoteProperty -Name 'Technology' -Value $stigProperties[-4] + $stigPropertyList | Add-Member -MemberType NoteProperty -Name 'TechnologyVersion' -Value $stigProperties[-3] + $stigPropertyList | Add-Member -MemberType NoteProperty -Name 'TechnologyRole' -Value $stigProperties[-2] + $stigPropertyList | Add-Member -MemberType NoteProperty -Name 'StigVersion' -Value $stigProperties[-1] + + [void] $ReturnList.Add($stigPropertyList) + } + + return $returnList + } + #endregion Static Methods +} diff --git a/src/Class/StigException.psm1 b/src/Class/StigException.psm1 new file mode 100644 index 000000000..3bd7b1db9 --- /dev/null +++ b/src/Class/StigException.psm1 
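Review bot: `MergeOrganizationalSettings` builds a scriptblock from the rule's `OrganizationValueTestString` formatted with the caller-supplied `$orgSetting.Value` and then invokes it with `&`, so an organizational setting value that contains PowerShell syntax is executed rather than range-checked; the value should be validated against the shape the rule expects before it is spliced into code (an allow-list appropriate to the value type, or rewriting the test strings to read the value from a variable such as `$args[0]` instead of a formatted literal), and the STIG XML itself is then the only source of executed text, so its integrity on disk matters. In the same loop the `-not $orgSetting` branch only writes a warning, and the very next statement calls `$orgSetting.Value.ToString()` on the null setting and fails, so `continue` is missing after the `Write-Warning`. Separately, `GetHighestStigVersion` sorts the version strings ascending as text and takes the first, which yields the lowest version and compares lexically (constructed example: `1.7` sorts before `1.9`, but `1.10` also sorts before `1.9`); casting before sorting fixes both, e.g. `Foreach-Object {[Version](($PsItem -split "-")[3])} | Sort-Object -Descending | Select-Object -First 1`. `MergeStigExceptions` and `MergeSkippedRules` also interpolate `StigRuleId` into XPath without escaping, so the id format should be validated where those objects are constructed.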
@@ -0,0 +1,161 @@ +# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license. + +using module .\StigProperty.psm1 + +<# +.SYNOPSIS + This class describes a StigException + +.DESCRIPTION + The StigException class describes a StigException, the collection of StigProperty to override on a specific Stig rule. + +.EXAMPLE + $stigException = [StigException]::new([string] $StigRuleId, [StigProperty[]] $Properties) + +.NOTES + This class requires PowerShell v5 or above. +#> + +Class StigException +{ + #region Properties + <# + .DESCRIPTION + The Id of an individual Stig Rule + #> + [string] $StigRuleId + + <# + .DESCRIPTION + An array of properties and their values to override on a Stig rule + #> + [StigProperty[]] $Properties + #endregion Properties + + #region Constructors + <# + .SYNOPSIS + Parameterless constructor + + .DESCRIPTION + A parameterless constructor for StigException. To be used only for + build/unit testing purposes as Pester currently requires it in order to test + static methods on powershell classes + + .RETURN + StigException + #> + StigException() + { + Write-Warning "This constructor is for build testing only." + } + + <# + .SYNOPSIS + Constructor + + .DESCRIPTION + A constructor for StigException. Returns a ready to use instance + of StigException. 
+ + .PARAMETER StigRuleId + The Id of an individual Stig Rule + + .PARAMETER Properties + An array of properties and their values to override on a Stig rule + + .RETURN + StigException + #> + StigException([string] $StigRuleId, [StigProperty[]] $Properties) + { + $this.StigRuleId = $StigRuleId + $this.Properties = $Properties + } + #endregion Constructors + + #region Methods + <# + .SYNOPSIS + Adds a StigPropery instance to the StigException Properties property + + .DESCRIPTION + Adds a StigPropery instance to the StigException Properties property + + .PARAMETER StigProperty + A StigProperty instance + + .RETURN + void + #> + [void] AddProperty ([StigProperty] $StigProperty) + { + $this.Properties += $StigProperty + } + + <# + .SYNOPSIS + Adds a StigPropery instance to the StigException Properties property + + .DESCRIPTION + Adds a StigPropery instance to the StigException Properties property based on the provided key/value pair + + .PARAMETER Name + A Stig property name + + .PARAMETER Value + A Stig property value + + .RETURN + void + #> + [void] AddProperty ([string] $Name, [string] $Value) + { + $this.Properties += [StigProperty]::new($Name, $Value) + } + #endregion Methods + + #region Static Methods + <# + .SYNOPSIS + Converts a provided hashtable of Stig exceptions into a StigException array + + .DESCRIPTION + This method returns an StigException array based on the hashtable provided + as the parameter + + .PARAMETER ExceptionsHashtable + A hashtable of Stig exceptions + + [hashtable] $StigExceptionHashtable = + @{ + "V-26606" = @{'ServiceState' = 'Running'; + 'StartupType'= 'Automatic'}; + "V-15683" = @{'ValueData' = '1'}; + "V-26477" = @{'Identity' = 'Administrators'}; + } + + .RETURN + StigException[] + #> + static [StigException[]] ConvertFrom ([Hashtable] $ExceptionsHashtable) + { + [System.Collections.ArrayList] $stigExceptions = @() + + foreach ($rule in $ExceptionsHashtable.GetEnumerator()) + { + [System.Collections.ArrayList] $stigProperties = @() + + 
foreach ($prop in $rule.Value.GetEnumerator()) + { + $stigProperties.Add([StigProperty]::new($prop.Key, $prop.Value)) + } + + $stigException = [StigException]::new($rule.Key, $stigProperties) + $stigExceptions.Add($stigException) + } + + return $stigExceptions + } + #endregion Static Methods +} diff --git a/src/Class/StigProperty.psm1 b/src/Class/StigProperty.psm1 new file mode 100644 index 000000000..c7b1457cd --- /dev/null +++ b/src/Class/StigProperty.psm1 
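Review bot: `ConvertFrom` calls `$rule.Value.GetEnumerator()` without checking that the value is a dictionary, so a caller who passes `@{ 'V-1234' = 'Running' }` enumerates the characters of the string and `$prop.Key` is null, producing `StigProperty` instances with an empty name that only fail later when StigData assigns `$ruleToOverride.$propertyToOverride`. Add a guard at the top of the inner loop: `if ($rule.Value -isnot [System.Collections.IDictionary]) { throw "Exception for $($rule.Key) must be a hashtable of property names and values." }`. As in the other `ConvertFrom` methods, prefix the two `.Add(...)` calls with `[void]` to match `GetAvailableStigs`.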
@@ -0,0 +1,76 @@ +# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license. + +<# +.SYNOPSIS + This class describes a StigProperty + +.DESCRIPTION + The StigProperty class describes a StigProperty, the abstracted key/value pair definition of any property within a Stig rule. A collection of StigProperty + instances combine to for a complete description of a Stig rule. StigException instances are made up of a collection of StigProperty in order to + override the existing values of those properties. + +.EXAMPLE + $stigProperty = [StigProperty]::new([string] $Name, [string] $Value) + +.NOTES + This class requires PowerShell v5 or above. +#> + +Class StigProperty +{ + #region Properties + <# + .DESCRIPTION + The name of an individual property on a Stig Rule + #> + [string] $Name + + <# + .DESCRIPTION + The value of an individual property on a Stig Rule + #> + [string] $Value + #endregion Properties + + #region Constructors + <# + .SYNOPSIS + Parameterless constructor + + .DESCRIPTION + A parameterless constructor for StigProperty. To be used only for + build/unit testing purposes as Pester currently requires it in order to test + static methods on powershell classes + + .RETURN + StigProperty + #> + StigProperty() + { + Write-Warning "This constructor is for build testing only." + } + + <# + .SYNOPSIS + Constructor + + .DESCRIPTION + A constructor for StigProperty. Returns a ready to use instance + of StigProperty. + + .PARAMETER Name + The name of an individual property on a Stig Rule + + .PARAMETER Value + The value of an individual property on a Stig Rule + + .RETURN + StigProperty + #> + StigProperty ([string] $Name, [string] $Value) + { + $this.Name = $Name + $this.Value = $Value + } + #endregion Constructors +} diff --git a/src/Class/Technology.psm1 b/src/Class/Technology.psm1 new file mode 100644 index 000000000..624257fb1 --- /dev/null +++ b/src/Class/Technology.psm1 
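Review bot: `StigProperty([string] $Name, [string] $Value)` accepts an empty or whitespace `Name`, and that name is later used as a dynamic property selector on the rule element in StigData (`$ruleToOverride.$propertyToOverride = ...`), so a blank or mistyped name surfaces as an XML property error far from where it was created. A check in the constructor gives a clear failure at the source: `if ([string]::IsNullOrWhiteSpace($Name)) { throw "StigProperty Name must not be empty." }`. The `.NOTES` text says the class requires PowerShell v5, which matches the class syntax used, so no further documentation change is needed here.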
@@ -0,0 +1,122 @@ +# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license. + +<# +.SYNOPSIS + This class describes a Technology + +.DESCRIPTION + The Technology class describes a Technology, the definition of the abstracted platform of an application or portion of an application that + the Stig applies to. This could often be a specific type of OS, but is not limited to that. The Technology is one of a few Technology + focused classes that work together to form a complete description of the Stig required by the user or application creating the StigData + instance. + +.EXAMPLE + $technology = [Technology]::new([string] $Name) + +.NOTES + This class requires PowerShell v5 or above. +#> + +Class Technology +{ + #region Properties + <# + .DESCRIPTION + The name of a type of technology of the Stig to select + #> + [string] $Name + + <# + .DESCRIPTION + The available types of technology currently in PowerStig + #> + static $ValidateSet = @('Windows', 'SQL') + #endregion Properties + + #region Constructors + <# + .SYNOPSIS + Parameterless constructor + + .DESCRIPTION + A parameterless constructor for Technology. To be used only for + build/unit testing purposes as Pester currently requires it in order to test + static methods on powershell classes + + .RETURN + Technology + #> + Technology() + { + Write-Warning "This constructor is for build testing only." + } + + <# + .SYNOPSIS + Constructor + + .DESCRIPTION + A constructor for Technology. Returns a ready to use instance + of Technology. + + .PARAMETER Name + The name of a type of technology of the Stig to select + + .RETURN + Technology + #> + Technology([string] $Name) + { + $this.Name = $Name + if (!($this.Validate())) + { + throw("The specified Technology name is not valid. 
Please check for available Technologies.") + } + } + #endregion Constructors + + #region Methods + <# + .SYNOPSIS + Validates the provided name + + .DESCRIPTION + This method validates that the provided name for the Technology is + available in PowerStig + + .RETURN + bool + #> + [bool] Validate () + { + $techs = [Technology]::Available() + + if ($techs -contains $this.Name) + { + return $true + } + else + { + Write-Warning -Message "The Technologies currently available within PowerStig include:`n$($techs -join "`n")" + return $false + } + } + #endregion Methods + + #region Static Methods + <# + .SYNOPSIS + Returns available Technologies + + .DESCRIPTION + This method returns Technologies currently available in PowerStig + + .RETURN + string[] + #> + static [string[]] Available () + { + return [Technology]::ValidateSet + } + #endregion Static Methods +} diff --git a/src/Class/TechnologyRole.psm1 b/src/Class/TechnologyRole.psm1 new file mode 100644 index 000000000..e3cd84950 --- /dev/null +++ b/src/Class/TechnologyRole.psm1 
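Review bot: `Validate` uses `-contains`, which is case-insensitive, so `[Technology]::new('windows')` passes validation while `$this.Name` keeps the caller's casing; StigData then builds the STIG file path from `$this.Technology.Name`, which would miss the file on a case-sensitive filesystem and produce an inconsistent `GetAvailableStigs` filter. Normalize to the canonical entry when validation succeeds, e.g. `$this.Name = $techs | Where-Object { $_ -eq $this.Name }`, so the stored name is always the one from `ValidateSet`. The same `-contains` pattern is used in `TechnologyRole.Validate` and `TechnologyVersion.Validate`. `static $ValidateSet` is also untyped; `static [string[]] $ValidateSet` documents the intent and rejects accidental non-string assignments.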
@@ -0,0 +1,150 @@ +# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license. + +using module .\TechnologyVersion.psm1 + +<# +.SYNOPSIS + This class describes a TechnologyRole + +.DESCRIPTION + The TechnologyRole class describes a TechnologyRole, the definition of the specific application or portion of an application that + the Stig applies to. The TechnologyRole is one of a few Technology focused classes that work together to form a complete + description of the Stig required by the user or application creating the StigData instance. + +.EXAMPLE + $technologyRole = [TechnologyRole]::new([string] $Name, [TechnologyVersion] $TechnologyVersion) + +.NOTES + This class requires PowerShell v5 or above. +#> + +Class TechnologyRole +{ + #region Properties + <# + .DESCRIPTION + The name of a role of technology of the Stig to select + #> + [string] $Name + + <# + .DESCRIPTION + The TechnologyVersion instance for the selected role + #> + [TechnologyVersion] $TechnologyVersion + + <# + .DESCRIPTION + The available roles for each version of technology currently in PowerStig + #> + static $ValidateSet = @" +2012R2 = DNS, DC, MS, IISSite +All = ADDomain, ADForest, FW, IE11 +Server2012 = Instance, Database +"@ + #endregion Properties + + #region Constructors + <# + .SYNOPSIS + Parameterless constructor + + .DESCRIPTION + A parameterless constructor for TechnologyRole. To be used only for + build/unit testing purposes as Pester currently requires it in order to test + static methods on powershell classes + + .RETURN + TechnologyRole + #> + TechnologyRole() + { + Write-Warning "This constructor is for build testing only." + } + + <# + .SYNOPSIS + Constructor + + .DESCRIPTION + A constructor for TechnologyRole. Returns a ready to use instance + of TechnologyRole. 
+ + .PARAMETER Name + The name of a role of technology of the Stig to select + + .PARAMETER TechnologyVersion + The TechnologyVersion instance for the selected role + + .RETURN + TechnologyRole + #> + TechnologyRole ([string] $Name, [TechnologyVersion] $TechnologyVersion) + { + $this.Name = $Name + $TechnologyVersion.Validate() + $this.TechnologyVersion = $TechnologyVersion + if (!($this.Validate())) + { + throw("The specified Role name is not valid. Please check for available Roles.") + } + } + #endregion Constructors + + #region Methods + <# + .SYNOPSIS + Validates the provided name + + .DESCRIPTION + This method validates that the provided name for the TechnologyRole is + available for a given TechnologyVersion in PowerStig + + .RETURN + bool + #> + [bool] Validate () + { + $roles = [TechnologyRole]::Available($this.TechnologyVersion.Name) + + if ($roles -contains $this.Name) + { + return $true + } + else + { + Write-Warning -Message "The Roles currently available within PowerStig for $($this.TechnologyVersion.Name) include:`n$($roles -join "`n")" + return $false + } + } + #endregion Methods + + #region Static Methods + <# + .SYNOPSIS + Returns available TechnologyRoles + + .DESCRIPTION + This method returns TechnologyRoles for a given TechnologyVersion name currently available in PowerStig + + .PARAMETER TechnologyVersion + The TechnologyVersion name + + .RETURN + string[] + #> + static [string[]] Available ([string] $TechnologyVersion) + { + $roles = ConvertFrom-StringData -StringData $([TechnologyRole]::ValidateSet) + + if ($roles.$TechnologyVersion) + { + return $roles.$TechnologyVersion.Split(',').Trim() + } + else + { + throw("No Roles are available for the Version you have specified. Please check available Versions and run again.") + } + } + #endregion Static Methods +} diff --git a/src/Class/TechnologyVersion.psm1 b/src/Class/TechnologyVersion.psm1 new file mode 100644 index 000000000..b21a539cf --- /dev/null +++ b/src/Class/TechnologyVersion.psm1 
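Review bot: The constructor calls `$TechnologyVersion.Validate()` and ignores its boolean result, so the line only emits a warning on failure and the object is still constructed; either drop the call (the `TechnologyVersion` constructor already throws on an invalid name) or act on it: `if (-not $TechnologyVersion.Validate()) { throw "The supplied TechnologyVersion is not valid." }`. A null `$TechnologyVersion` also reaches this call and fails with a generic null-method error rather than a message naming the parameter, so a `$null -eq $TechnologyVersion` check before it would help. The same discarded-result pattern appears in the `TechnologyVersion` constructor's `$Technology.Validate()` call.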
@@ -0,0 +1,149 @@ +# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license. + +using module .\Technology.psm1 + +<# +.SYNOPSIS + This class describes a TechnologyVersion + +.DESCRIPTION + The TechnologyVersion class describes a TechnologyVersion, the definition of the specific version of the application or portion of an application that + the Stig applies to. The TechnologyVersion is one of a few Technology focused classes that work together to form a complete + description of the Stig required by the user or application creating the StigData instance. + +.EXAMPLE + $technologyVersion = [TechnologyVersion]::new([string] $Name, [Technology] $Technology) + +.NOTES + This class requires PowerShell v5 or above. +#> + +Class TechnologyVersion +{ + #region Properties + <# + .DESCRIPTION + The name of a version of technology of the Stig to select + #> + [string] $Name + + <# + .DESCRIPTION + The Technology instance for the selected version + #> + [Technology] $Technology + + <# + .DESCRIPTION + The available versions for each technology currently in PowerStig + #> + static $ValidateSet = @" +Windows = All, 2012R2 +SQL = Server2012 +"@ + #endregion Properties + + #region Constructors + <# + .SYNOPSIS + Parameterless constructor + + .DESCRIPTION + A parameterless constructor for TechnologyVersion. To be used only for + build/unit testing purposes as Pester currently requires it in order to test + static methods on powershell classes + + .RETURN + TechnologyVersion + #> + TechnologyVersion() + { + Write-Warning "This constructor is for build testing only." + } + + <# + .SYNOPSIS + Constructor + + .DESCRIPTION + A constructor for TechnologyVersion. Returns a ready to use instance + of TechnologyVersion. 
+ + .PARAMETER Name + The Technology for the selected version + + .PARAMETER Technology + The Technology instance for the selected version + + .RETURN + TechnologyVersion + #> + TechnologyVersion ([string] $Name, [Technology] $Technology) + { + $this.Name = $Name + $Technology.Validate() + $this.Technology = $Technology + if (!($this.Validate())) + { + throw("The specified Version name is not valid. Please check for available Versions.") + } + } + #endregion Constructors + + #region Methods + <# + .SYNOPSIS + Validates the provided name + + .DESCRIPTION + This method validates that the provided name for the TechnologyVersion is + available for a given Technology in PowerStig + + .RETURN + bool + #> + [bool] Validate () + { + $versions = [TechnologyVersion]::Available($this.Technology.Name) + + if ($versions -contains $this.Name) + { + return $true + } + else + { + Write-Warning -Message "The Versions currently available within PowerStig for $($this.Technology.Name) include:`n$($versions -join "`n")" + return $false + } + } + #endregion Methods + + #region Static Methods + <# + .SYNOPSIS + Returns available TechnologyVersions + + .DESCRIPTION + This method returns TechnologyVersions for a given Technology name currently available in PowerStig + + .PARAMETER TechnologyVersion + The Technology name + + .RETURN + string[] + #> + static [string[]] Available ([string] $Technology) + { + $versions = ConvertFrom-StringData -StringData $([TechnologyVersion]::ValidateSet) + + if ($versions.$Technology) + { + return $versions.$Technology.Split(',').Trim() + } + else + { + throw("No Versions are available for the Technology you have specified. Please check available Technologies and run again.") + } + } + #endregion Static Methods +} diff --git a/src/Common/Get-DomainName.ps1 b/src/Common/Get-DomainName.ps1 new file mode 100644 index 000000000..490ec5b6a --- /dev/null +++ b/src/Common/Get-DomainName.ps1 
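Review bot: The constructor's help describes `.PARAMETER Name` as "The Technology for the selected version", but `$Name` is the version name that is validated against `ValidateSet`; it should read "The name of a version of technology of the Stig to select", matching the property comment above. In `Available`, the help documents `.PARAMETER TechnologyVersion` while the declared parameter is `[string] $Technology`, so the entry should be `.PARAMETER Technology` with "The Technology name". Both are documentation-only fixes.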
@@ -0,0 +1,214 @@
+# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license.
+
+#region Main Functions
+<#
+ .SYNOPSIS
+ Enforces the behavior of getting the domain name.
+ If a domain name is provided, it will be used.
+ If a domain name is not provided, the domain name of the generating system will be used.
+
+ .PARAMETER DomainName
+ The FQDN of the domain the configuration will be running on.
+
+ .PARAMETER ForestName
+ The FQDN of the forest the configuration will be running on.
+
+ .PARAMETER Format
+ Determines the format in which to convert the FQDN provided into and return back
+
+ .OUTPUTS
+ string
+
+ .EXAMPLE
+ Get-DomainName -DomainName "contoso.com" -Format FQDN
+
+ Returns "contoso.com"
+
+ .EXAMPLE
+ Get-DomainName -DomainName "contoso.com" -Format NetbiosName
+
+ Returns "contoso"
+
+ .EXAMPLE
+ Get-DomainName -ForestName "contoso.com" -Format DistinguishedName
+
+ Returns "DC=contoso,DC=com"
+#>
+Function Get-DomainName
+{
+ [outputtype([string])]
+ [cmdletbinding()]
+ param
+ (
+ [Parameter(Mandatory = $true, ParameterSetName = 'DomainName')]
+ [AllowNull()]
+ [AllowEmptyString()]
+ [string]
+ $DomainName,
+
+ [Parameter(Mandatory = $true, ParameterSetName = 'ForestName')]
+ [AllowNull()]
+ [AllowEmptyString()]
+ [string]
+ $ForestName,
+
+ [Parameter(ParameterSetName = 'DomainName')]
+ [Parameter(ParameterSetName = 'ForestName')]
+ [ValidateSet('FQDN', 'NetbiosName', 'DistinguishedName')]
+ [string]
+ $Format = 'FQDN'
+ )
+
+ $fqdn = [string]::Empty
+
+ if ($PSCmdlet.ParameterSetName -eq 'DomainName')
+ {
+ if ( [string]::IsNullOrEmpty( $DomainName ) )
+ {
+ $fqdn = Get-DomainFQDN
+ }
+ else
+ {
+ $fqdn = $DomainName
+ }
+ }
+ else
+ {
+ if ( [string]::IsNullOrEmpty( $ForestName ) )
+ {
+ $fqdn = Get-ForestFQDN
+ }
+ else
+ {
+ $fqdn = $ForestName
+ }
+ }
+
+ if ([string]::IsNullOrEmpty($fqdn))
+ {
+ Write-Warning "$($PSCmdlet.ParameterSetName) was not found."
+ }
+
+ switch ($Format)
+ {
+ 'FQDN'
+ {
+ return $fqdn
+ }
+ 'NetbiosName'
+ {
+ return Get-NetbiosName -FQDN $fqdn
+ }
+ 'DistinguishedName'
+ {
+ return Get-DistinguishedName -FQDN $fqdn
+ }
+ }
+}
+
+#endregion Main Functions
+#region Support Functions
+
+<#
+ .SYNOPSIS
+ returns $env:USERDNSDOMAIN to support mocking in unit tests
+#>
+Function Get-DomainFQDN
+{
+ [outputtype([string])]
+ param
+ ( )
+
+ return $env:USERDNSDOMAIN
+}
+
+<#
+ .SYNOPSIS
+ Calls ADSI to discover the forest root (DN) and converts it to an FQDN.
+#>
+Function Get-ForestFQDN
+{
+ [outputtype([string])]
+ param
+ ( )
+
+ $forestRoot = [ADSI]"LDAP://RootDSE"
+ return $forestRoot.rootDomainNamingContext -replace '^DC=', '' -replace '.DC=', '.'
+}
+
+Function Get-NetbiosName
+{
+ [outputtype([string])]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [string]
+ $FQDN
+ )
+
+ $parts = Get-DomainParts -FQDN $FQDN
+ If ($parts.Count -gt 1)
+ {
+ return $parts[0]
+ }
+ else
+ {
+ return $parts
+ }
+}
+
+Function Get-DistinguishedName
+{
+ [outputtype([string])]
+ param
+ (
+ [parameter()]
+ [string]
+ $FQDN
+ )
+
+ $parts = Get-DomainParts -FQDN $FQDN
+ return Format-DistinguishedName -Parts $parts
+}
+
+Function Format-DistinguishedName
+{
+ [outputtype([string])]
+ param
+ (
+ [parameter()]
+ [string[]]
+ $Parts
+ )
+
+ $distinguishedName = ""
+ $lastIndex = $Parts.Count - 1
+
+ foreach ($part in $Parts)
+ {
+ if ($part -eq $Parts[$lastIndex])
+ {
+ $distinguishedName += 'DC=' + $part.ToString()
+ }
+ else
+ {
+ $distinguishedName += 'DC=' + $part.ToString() + ','
+ }
+ }
+
+ return $distinguishedName.ToString()
+}
+
+Function Get-DomainParts
+{
+ [outputtype([string[]])]
+ param
+ (
+ [parameter(Mandatory = $true)]
+ [string]
+ $FQDN
+ )
+
+ return $FQDN.Split('{.}')
+}
+#endregion Support Functions
diff --git a/src/Common/Get-OrgSettingsObject.ps1 b/src/Common/Get-OrgSettingsObject.ps1
new file mode 100644
index 000000000..6f3c6b98a
--- /dev/null
+++ b/src/Common/Get-OrgSettingsObject.ps1
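Review bot: Format-DistinguishedName decides whether to append the separating comma by comparing each label's value with the last label (`$part -eq $Parts[$lastIndex]`), so any FQDN whose final label also appears earlier — a constructed `corp.example.corp` — yields `DC=corpDC=example,DC=corp`; the whole loop can be replaced by `return 'DC=' + ($Parts -join ',DC=')`. Get-DomainParts calls `Split('{.}')`, which is the char[] overload and splits on `{`, `.` and `}` rather than on the dot alone; it happens to work for hostnames but reads as a mistake, and `Split('.')` states the intent. When neither the parameter nor the environment yields a name, Get-DomainName only warns and then returns an empty string or, for DistinguishedName, the literal `DC=`, so the caller cannot tell the lookup failed; raising an error at that point, or validating $fqdn against a hostname pattern before it is turned into a DN, would make the failure visible instead of producing a malformed distinguished name. In Get-ForestFQDN the second pattern `'.DC='` uses an unescaped `.` that matches any character; `',DC='` is the literal the code is looking for.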
@@ -0,0 +1,56 @@
+# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license.
+
+using module .\..\Class\OrganizationalSetting.psm1
+
+<#
+.SYNOPSIS
+ Creates an OrganizationSetting object
+
+.PARAMETER OrgSettings
+ OrgSettings can be either a string path to an OrganizationalFile XML or a hash table of org settings
+ to override from the default organization file.
+
+.RETURN
+ OrganizationalSetting
+
+.EXAMPLE
+ Get-OrgSettingsObject -OrgSettings @{"v-1000"="15"}
+#>
+Function Get-OrgSettingsObject
+{
+ [cmdletbinding()]
+ [outputtype([OrganizationalSetting])]
+ Param
+ (
+ [Parameter(Mandatory = $True)]
+ [ValidateNotNullOrEmpty()]
+ [PSObject]
+ $OrgSettings
+ )
+
+ switch ($OrgSettings.GetType())
+ {
+ "string"
+ {
+ if (Test-Path -Path $OrgSettings)
+ {
+ [xml] $orgSettingsXml = Get-Content -Path $orgSettings
+ $orgSettingsObject = [OrganizationalSetting]::ConvertFrom($orgSettingsXml)
+ }
+ else
+ {
+ Throw "Organizational file not found"
+ }
+ }
+ "xml"
+ {
+ $orgSettingsObject = [OrganizationalSetting]::ConvertFrom($OrgSettings)
+ }
+ "hashtable"
+ {
+ $orgSettingsObject = [OrganizationalSetting]::ConvertFrom($OrgSettings)
+ }
+ }
+
+ return $orgSettingsObject
+}
diff --git a/src/Common/Get-StigList.ps1 b/src/Common/Get-StigList.ps1
new file mode 100644
index 000000000..a6715a721
--- /dev/null
+++ b/src/Common/Get-StigList.ps1
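Review bot: The `switch ($OrgSettings.GetType())` has no `default` arm, so an argument of any other type (an OrderedDictionary, an XmlElement, a PSCustomObject) matches no case and the function silently returns $null from the never-assigned $orgSettingsObject; add `default { throw "Unsupported OrgSettings type: $($OrgSettings.GetType().FullName)" }`. In the string case `Test-Path -Path` and `Get-Content -Path` treat the value as a wildcard pattern and Test-Path also accepts a directory, so a path containing `[` or `]` is reported as "not found" and a directory gets past the check only to fail in Get-Content; `-LiteralPath` together with `-PathType Leaf` on the Test-Path call avoids both. Because the file is user-supplied, it is also worth confirming that the `[xml]` cast used here does not process DTDs or resolve external entities under PowerShell 5; I have not verified that default from this hunk.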
@@ -0,0 +1,26 @@
+# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license.
+
+using module .\..\Class\StigData.psm1
+
+<#
+.SYNOPSIS
+ Returns an array of all available STIGs with the associated Technology, TechnologyVersion, TechnologyRole, and StigVersion.
+ This function is a wrapper of the StigData class, and the return of this function call will provide you with the values needed
+ to create a default StigData object.
+
+.RETURN
+ PSObject[]
+
+.EXAMPLE
+ Get-StigList
+#>
+Function Get-StigList
+{
+ [cmdletbinding()]
+ [outputtype([PSObject[]])]
+ Param
+ (
+ )
+
+ return [StigData]::GetAvailableStigs()
+}
diff --git a/src/Common/OrganizationalSettingsPropertyMap.psd1 b/src/Common/OrganizationalSettingsPropertyMap.psd1
new file mode 100644
index 000000000..5bcd695a5
--- /dev/null
+++ b/src/Common/OrganizationalSettingsPropertyMap.psd1
@@ -0,0 +1,21 @@
+# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license.
+
+# In order to merge in the localsettings and orgsettings data, we need a table that can translate
+# the unique values that are settable for each type of STIG object
+@{
+ AccountPolicyRule = 'PolicyValue'
+
+ AuditPolicyRule = 'Ensure'
+
+ RegistryRule = 'ValueData'
+
+ SecurityOptionRule = 'OptionValue'
+
+ ServiceRule = 'StartupType'
+
+ UserRightRule = 'Identity'
+
+ WebAppPoolRule = 'Value'
+
+ WebConfigurationPropertyRule = 'Value'
+}
diff --git a/src/Enum/StigRuleType.psm1 b/src/Enum/StigRuleType.psm1
new file mode 100644
index 000000000..91901be3e
--- /dev/null
+++ b/src/Enum/StigRuleType.psm1
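Review bot: `.RETURN` is not a comment-based-help keyword, so Get-Help drops that section for Get-StigList; the recognised keyword is `.OUTPUTS`, which Get-DomainName.ps1 in this same commit already uses. The same `.RETURN` appears in Get-OrgSettingsObject.ps1 and throughout TechnologyVersion.psm1, so one pass over all three keeps the help consistent. In the property-map .psd1 the keys (AccountPolicyRule, RegistryRule, …) look like they must match the StigRuleType enum members; if that coupling is real, a one-line comment such as `# keys must match StigRuleType enum member names` would stop a future rename from silently breaking the merge.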
@@ -0,0 +1,31 @@
+# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license.
+
+<#
+.SYNOPSIS
+ This enum describes a StigRuleType
+
+.DESCRIPTION
+ The StigRuleType enum describes a StigRuleType, the value of a specific type of Stig rule.
+
+.EXAMPLE
+ $stigRuleType = [StigRuleType]::AccountPolicyRule
+
+.NOTES
+ This enum requires PowerShell v5 or above.
+#>
+Enum StigRuleType {
+ AccountPolicyRule
+ AuditPolicyRule
+ DnsServerRootHintRule
+ DnsServerSettingRule
+ PermissionRule
+ RegistryRule
+ SecurityOptionRule
+ ServiceRule
+ SkipRule
+ SqlScriptQueryRule
+ UserRightRule
+ WindowsFeatureRule
+ WinEventLogRule
+ WmiRuleClass
+}
diff --git a/src/PowerStig.psd1 b/src/PowerStig.psd1
new file mode 100644
index 000000000..1f7884d15
--- /dev/null
+++ b/src/PowerStig.psd1
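Review bot: `WmiRuleClass` is the only member that does not follow the `<Type>Rule` naming of the other thirteen, and nothing in the file says why. If the spelling is dictated by the element names in the StigData XML files, a comment such as `# WmiRuleClass: name is fixed by the StigData XML element, do not rename` would prevent a well-intended cleanup from breaking rule loading; if it is not, renaming it to `WmiRule` now, before the enum is consumed elsewhere, is the cheaper fix.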
@@ -0,0 +1,58 @@
+# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license.
+
+@{
+# Script module or binary module file associated with this manifest.
+RootModule = 'PowerStig.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = 'a132f6a5-8f96-4942-be25-b213ee7e4af3'
+
+# Author of this module
+Author = 'Adam Haynes'
+
+# Company or vendor of this module
+CompanyName = 'Microsoft Corporation'
+
+# Copyright statement for this module
+Copyright = '(c) 2017 Adam Haynes. All rights reserved.'
+
+# Description of the functionality provided by this module
+Description = 'Module for managing the DISA STIGs'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '5.0'
+
+# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+CLRVersion = '4.0'
+
+# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
+FunctionsToExport = 'Get-OrgSettingsObject', 'Get-DomainName', 'Get-StigList'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
+PrivateData = @{
+
+ PSData = @{
+
+ # Tags applied to this module. These help with module discovery in online galleries.
+ Tags = 'DSC','DesiredStateConfiguration','STIG','PowerStig'
+
+ # A URL to the license for this module.
+ LicenseUri = 'https://github.com/Microsoft/PowerStig/blob/master/LICENSE'
+
+ # A URL to the main website for this project.
+ ProjectUri = 'https://github.com/Microsoft/PowerStig'
+
+ # ReleaseNotes of this module
+ ReleaseNotes = 'STIGs added:
+ Windows Server 2012R2 MS STIG V2R12
+ Windows Server 2012R2 DC STIG V2R12
+ Windows Server DNS V1R9
+ Windows AD Domain V2R9
+ IE11 V1R15
+ '
+ } # End of PSData hashtable
+ } # End of PrivateData hashtable
+}
diff --git a/src/PowerStig.psm1 b/src/PowerStig.psm1
new file mode 100644
index 000000000..c45cbc1e7
--- /dev/null
+++ b/src/PowerStig.psm1
@@ -0,0 +1,17 @@
+# // Copyright (c) Microsoft Corporation. All rights reserved.// Licensed under the MIT license.
+
+using module .\Class\StigData.psm1
+using module .\Class\Technology.psm1
+using module .\Class\TechnologyRole.psm1
+using module .\Class\TechnologyVersion.psm1
+using module .\Class\StigException.psm1
+using module .\Class\OrganizationalSetting.psm1
+using module .\Class\SkippedRule.psm1
+using module .\Class\SkippedRuleType.psm1
+
+Import-Module $PsScriptRoot\Common\Get-OrgSettingsObject.ps1
+Import-Module $PsScriptRoot\Common\Get-DomainName.ps1
+Import-Module $PsScriptRoot\Common\Get-StigList.ps1
+
+Export-ModuleMember -Function @('Get-OrgSettingsObject', 'Get-DomainName', 'Get-StigList')
+
diff --git a/src/StigData/Schema/PowerStig.xsd b/src/StigData/Schema/PowerStig.xsd
new file mode 100644
index 000000000..016d63cb9
--- /dev/null
+++ b/src/StigData/Schema/PowerStig.xsd
@@ -0,0 +1,502 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StigData/Sql-Server2012-Database-1.17.org.default.xml b/src/StigData/Sql-Server2012-Database-1.17.org.default.xml new file mode 100644 index 000000000..46ea02de5 --- /dev/null +++ b/src/StigData/Sql-Server2012-Database-1.17.org.default.xml @@ -0,0 +1,8 @@ + + \ No newline at end of file diff --git a/src/StigData/Sql-Server2012-Database-1.17.xml b/src/StigData/Sql-Server2012-Database-1.17.xml new file mode 100644 index 000000000..568e84f2a --- /dev/null +++ b/src/StigData/Sql-Server2012-Database-1.17.xml 
@@ -0,0 +1,577 @@ + + + + False + False + + Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines. +If the labeling of sensitive data is not required, this is NA. + +Obtain system configuration settings to determine how data labeling is being performed. This can be through triggers or some other SQL-developed means or via a third-party tool. Spot check data and ensure the appropriate labels have been applied to stored data. + +If the labeling of sensitive data is required and is not being performed, this is a finding. + + + False + False + + Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines. + +If the labeling of sensitive data is not required, this is NA. + +Obtain system configuration settings to determine how data labeling is being performed. This can be through triggers or some other SQL-developed means or via a third-party tool. + +If the labeling of sensitive information in process is not being performed, this is a finding. + + + False + False + + Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines. +If the labeling of sensitive data is not required, this is NA. + +Obtain system configuration settings to determine how data labeling is being performed. This can be through triggers or some other SQL-developed means or via a third-party tool. + +If the labeling of sensitive data in transmission is not being performed, this is a finding. + + + False + False + + Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines. +If the labeling of sensitive data is not required, this is NA. + +Obtain system configuration setting to determine how data labeling is being performed. This can be through triggers or some other SQL-developed means or via a third-party tool. 
Determine how authorized users associate security information to data. If authorized users are not able to associate security labels to data, this is a finding. + + + False + False + + Check for rights propagation assignment to database permissions by running the following query: + +USE <name of database being reviewed>; +SELECT * +FROM sys.database_permissions +WHERE state_desc = 'GRANT_WITH_GRANT_OPTION'; + +If any of the permissions listed have not been documented and approved as requiring GRANT_WITH_GRANT_OPTION, this is a finding. + + + False + False + + Identify whether SQL Server contains both development and production databases from the system documentation. + +If SQL Server is not hosting both production and development databases, this is NA. + + +If SQL Server is hosting both development and production databases, but this is not clearly documented in the system documentation, this is a finding. +Check the list of SQL Server users against the list of developer accounts by running the following SQL Server query: + +SELECT name AS 'Account Name' + , create_date AS 'Account Create Date' + , LOGINPROPERTY(name, 'PasswordLastSetTime') AS 'Password Last Set on' + FROM sys.server_principals + WHERE NOT TYPE IN ('C', 'R', 'U') -- ('C', 'G', 'K', 'R', 'S', 'U') + AND NOT name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##') + AND sid <> CONVERT(VARBINARY(85), 0x01) -- no 'sa' account + AND is_disabled <> 1 + ORDER BY name + + +If no developer user account is listed, this is not a finding. + +Check each developer user account privilege listed above. + +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'developer account name'> >> Properties >> User >> Securables. + +If any item in the 'Permission' listing, for each highlighted item that exists in the 'Securables' listing, grants production privileges, this is a finding. + +Navigate from 'Securables' to 'Server Roles'. 
+ +If any 'Server roles' are checked that grant production privileges, this is a finding. + +Navigate from 'Server Roles' to 'Users mapped to the login'. + +If any checked 'Database role membership' of each highlighted and checked 'Database' are determined to be granting production privileges, this is a finding. + + + False + False + + Check system documentation for procedures that are regularly implemented in an effort to detect unauthorized SQL Server job submissions. + +If procedures that are regularly implemented are not documented in the system documentation, this is a finding. + +If the procedures are not implemented regularly or do not detect for unauthorized SQL Server job submissions, this is a finding. + +Review Stored Procedures that are able to automatically execute jobs scheduled to start automatically at system startup by running the following query: +SELECT name + FROM master.sys.procedures + WHERE is_auto_executed = 1 + +If any Stored Procedures listed are not documented as authorized, this is a finding. + +Review the SQL Server job history by running the following query: + +SELECT * FROM msdb.dbo.sysjobhistory + + +If any jobs listed are not documented as authorized, this is a finding. + + + False + False + + Review system documentation to identify SQL Server accounts authorized to own database objects. + +If the SQL Server database ownership list does not exist or needs to be updated, this is a finding. + +Run the following SQL query to determine SQL Server ownership of all database objects: +SELECT name AS 'Database name' + , SUSER_SNAME(owner_sid) AS 'Database Owner' + , state_desc AS 'Database state' + FROM sys.databases + + + + False + False + + Review the list of components or optional features installed with SQL Server. +If optional features or components of SQL Server are installed, this is not a finding. 
+ +If unused components or features of SQL Server are installed, then review the system documentation to verify unused components or features are documented and authorized. +If any are not documented and authorized, this is a finding. + + + False + False + + In a query tool: +USE <database name>; +GO +SELECT s.name, k.crypt_type_desc +FROM sys.symmetric_keys s, sys.key_encryptions k +WHERE s.symmetric_key_id = k.key_id +AND s.name <> '##MS_DatabaseMasterKey##' +AND k.crypt_type IN ('ESKP', 'ESKS') +ORDER BY s.name, k.crypt_type_desc; +GO + +Review any symmetric keys that have been defined against the System Security Plan. + +If any keys are defined that are not documented in the System Security Plan, this is a finding. + +Review the System Security Plan to review the encryption mechanism specified for each symmetric key. If the method does not indicate use of certificates, this is a finding. + +If the certificate specified is not a DoD PKI certificate, this is a finding. + + + False + False + + Verify there are proper procedures in place for the transfer of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test and verify copies of production data are not left in unprotected locations. + +If there is no documented procedure for data movement from production to development/test, this is a finding. + +If data movement code that copies from production to development/test does exist and leaves any copies of production data in unprotected locations, this is a finding. + + + False + False + + If the database is owned by an account that is directly or indirectly a member of a fixed (built-in) server role, this is not applicable (NA). 
+ +Run the query: +USE <database name>; +GO +SELECT + DB_NAME() AS [Database], + SUSER_SNAME(D.owner_sid) AS [Database Owner], + CASE WHEN D.is_trustworthy_on = 1 THEN 'ON' ELSE 'off' END + AS [Trustworthy] +FROM + sys.databases D +WHERE + D.[name] = DB_NAME() +AND DB_NAME() <> 'msdb' +AND D.is_trustworthy_on = 1; +GO +If the query returns a row indicating that the TRUSTWORTHY setting is OFF, or returns no rows, this is not a finding. + +Review the system security plan to determine whether the need for TRUSTWORTHY is documented and approved. If not, this is a finding. + + + False + False + + Review system documentation and/or organizational procedures to determine the threshold value for the storage used by the transaction log, above which staff must be alerted. The threshold may be expressed as an absolute quantity, or a percentage of total available space. + +If this threshold has not been defined, this is a finding. + +If monitoring software is in use, and has been configured to alert system and database administrators when the threshold is exceeded, this is not a finding. + +If manual procedures exist for frequently checking the space used and alerting system and database administrators, and there is evidence that the procedures are adhered to, this is not a finding. + +Otherwise, this is a finding. + + + + + False + False + + If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding. + +If the application owner and Authorizing Official have determined that encryption of data at rest is required, +ensure the data on secondary devices is encrypted. If full-disk encryption is being used, this is not a finding. 
+ +If DBMS data encryption is required, ensure the data is encrypted before being put on the secondary device by executing: + +SELECT + d.name AS [Database Name], + CASE e.encryption_state + WHEN 0 THEN 'No database encryption key present, no encryption' + WHEN 1 THEN 'Unencrypted' + WHEN 2 THEN 'Encryption in progress' + WHEN 3 THEN 'Encrypted' + WHEN 4 THEN 'Key change in progress' + WHEN 5 THEN 'Decryption in progress' + WHEN 6 THEN 'Protection change in progress' + END AS [Encryption State] +FROM sys.dm_database_encryption_keys e +RIGHT JOIN sys.databases d ON DB_NAME(e.database_id) = d.name +WHERE d.name NOT IN ('master','model','msdb') +ORDER BY 1 +; + +For each user database where encryption is required, verify that encryption is in effect. If not, this is a finding. + +Verify that there are physical security measures, operating system access control lists and organizational controls appropriate to the sensitivity level of the data in the database(s). If not, this is a finding. + + + False + False + + Check the list of SQL Server users against the list of developer accounts by running the following SQL Server query: + +SELECT name AS 'Account Name' + , create_date AS 'Account Create Date' + , LOGINPROPERTY(name, 'PasswordLastSetTime') AS 'Password Last Set on' +FROM sys.server_principals +WHERE NOT TYPE IN ('C', 'R', 'U') +AND NOT name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##') +AND sid <> CONVERT(VARBINARY(85), 0x01) -- no 'sa' account +AND is_disabled <> 1 +ORDER BY name; + +For each developer account found on a production machine, verify if the developer account can change or alter database objects or data in the production database. If any developer account can change or alter database objects or data in a production database, this is a finding. 
+ + + False + False + + Check administrative accounts for direct database role membership: + +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'administrator account name'> >> Properties >> User Mapping >> <'highlight database'> >> review 'Database role membership' for each database. + +If any administration accounts have a direct privilege to any 'Database role membership' that is part of the SQL Server system, this is a finding. + +Check administrative accounts for direct server role membership: + +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'administrator account name'> >> Properties >> Server Roles. + +If any administration accounts have direct access to any 'Server roles' privilege that is part of the SQL Server system, this is a finding. + +The special database principal [dbo] is an exception. It is mapped to the server login that is the database owner. Some roles cannot be mapped to it or unmapped from it. These role assignments are not a finding. + +The built-in server role "sysadmin" is a partial exception. See the Vulnerability Discussion. + + + False + False + + Check the SQL Server configuration for a timed job that automatically checks all system and user-defined Functions for being modified by running the following SQL Server query: +EXEC msdb.dbo.sp_help_job @job_name = '<enter . . . job name>'; + +(Alternatively, in SQL Server Management Studio, navigate to SQL Server Agent and examine the job from there.) + +If a timed job or some other method is not implemented to check for Functions being modified, this is a finding. + + + False + False + + Check the SQL Server configuration for the timed job that automatically checks all system and user-defined Triggers for being modified by running the following SQL Server query: +EXEC msdb.dbo.sp_help_job @job_name = '<enter . . . 
job name>'; + +(Alternatively, in SQL Server Management Studio, navigate to SQL Server Agent and examine the job from there.) + +If such a job, or an alternative method of monitoring triggers for modification, does not exist, this is a finding. + + + False + False + + Check for the existence of a job to monitor for changes to stored procedures: +EXEC msdb.dbo.sp_help_job @job_name = '<enter . . . job name>'; + +(Alternatively, in SQL Server Management Studio, navigate to SQL Server Agent and examine the job from there.) + +If such a job, or an alternative method of monitoring stored procedures for modification, does not exist, this is a finding. + + + False + False + + Review SQL Server's cryptographic settings to determine whether data stored in databases is encrypted according to organizational requirements and the system owner. + +If all of the data on SQL Server is unclassified and encryption of information is not required, this requirement is NA. + +Ensure the data is encrypted by executing: +USE <databse name>; +IF NOT EXISTS + ( + SELECT 1 + FROM sys.dm_database_encryption_keys + WHERE DB_NAME(database_id) = DB_NAME() + ) + SELECT + DB_NAME() AS [Database Name], + 'No database encryption key present, no encryption' AS [Encryption State] +ELSE + SELECT + DB_NAME(database_id) AS [Database Name], + CASE encryption_state + WHEN 0 THEN 'No database encryption key present, no encryption' + WHEN 1 THEN 'Unencrypted' + WHEN 2 THEN 'Encryption in progress' + WHEN 3 THEN 'Encrypted' + WHEN 4 THEN 'Key change in progress' + WHEN 5 THEN 'Decryption in progress' + WHEN 6 THEN 'Protection change in progress' + END AS [Encryption State] + FROM sys.dm_database_encryption_keys + WHERE DB_NAME(database_id) = DB_NAME() +; + +If any database that is supposed to have encryption enabled is not listed as such, this is a finding. 
+ +If encryption is required by the information owner and an approved, NIST-certified cryptography is not used to encrypt stored sensitive information, this is a finding. + +Verify all sensitive information is encrypted: entire database, tables, columns and/or data elements, as required by the organization and the system owner. + + + False + False + + If encryption is not required for this database, this is not a finding. + +Run the following SQL queries to review SQL Server's cryptographic settings for the database: + +USE <database name> ; +IF NOT EXISTS + ( + SELECT 1 + FROM sys.dm_database_encryption_keys + WHERE DB_NAME(database_id) = DB_NAME() + ) + SELECT + DB_NAME() AS [Database Name], + 'No database encryption key present, no encryption' AS [Encryption State], + NULL AS [Algorithm], + NULL AS [Key Length] +ELSE + SELECT + DB_NAME(database_id) AS [Database Name], + CASE encryption_state + WHEN 0 THEN 'No database encryption key present, no encryption' + WHEN 1 THEN 'Unencrypted' + WHEN 2 THEN 'Encryption in progress' + WHEN 3 THEN 'Encrypted' + WHEN 4 THEN 'Key change in progress' + WHEN 5 THEN 'Decryption in progress' + WHEN 6 THEN 'Protection change in progress' + END AS [Encryption State], + key_algorithm AS [Algorithm], + key_length AS [Key Length] + FROM sys.dm_database_encryption_keys + WHERE DB_NAME(database_id) = DB_NAME() + +SELECT DB_NAME() AS [Database], name, algorithm_desc +FROM sys.symmetric_keys +ORDER BY name, algorithm_desc; + +Note: The acceptable algorithms are: "AES 128", "AES 192", "AES 256" and "Triple DES". + +If SQL Server cryptographic algorithms are not listed or are found not to be compliant with applicable federal laws, Executive Orders, directives, policies, regulations, standards and guidance, this is a finding. + +If the encryption state indicates that the database is unencrypted, this is a finding. 
+ + + False + False + + From the query prompt: +SELECT name +FROM [master].sys.databases +WHERE is_master_key_encrypted_by_server = 1 +AND owner_sid <> 1 +AND state = 0 +If no databases are returned, this is not a finding. +For any databases returned, verify in the System Security Plan that encryption of the Database +Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding. + +If approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring. + +If the additional requirements are not in place, this is a finding. + + + False + False + + From the query prompt: +SELECT COUNT(credential_id) +FROM [master].sys.master_key_passwords + +If count is not 0, this is a finding. + + + False + False + + If this is a system database (master, msdb, resource, tempdb or model), this is not applicable (NA). + +If the application owner and authorizing official have determined that the database does not require encryption, this is not a finding. 
+ +Ensure the data is encrypted by executing: +USE <database name>; +IF NOT EXISTS + ( + SELECT 1 + FROM sys.dm_database_encryption_keys + WHERE DB_NAME(database_id) = DB_NAME() + ) + SELECT + DB_NAME() AS [Database Name], + 'No database encryption key present, no encryption' AS [Encryption State] +ELSE + SELECT + DB_NAME(database_id) AS [Database Name], + CASE encryption_state + WHEN 0 THEN 'No database encryption key present, no encryption' + WHEN 1 THEN 'Unencrypted' + WHEN 2 THEN 'Encryption in progress' + WHEN 3 THEN 'Encrypted' + WHEN 4 THEN 'Key change in progress' + WHEN 5 THEN 'Decryption in progress' + WHEN 6 THEN 'Protection change in progress' + END AS [Encryption State] + FROM sys.dm_database_encryption_keys + WHERE DB_NAME(database_id) = DB_NAME() +; + +For each user database, ensure that encryption is in effect. If not, this is a finding. + + + False + False + + Check SQL Server settings for the number of concurrent Check SQL Server settings for the number of concurrent sessions by running the following script: + +USE MASTER +GO + +EXEC sys.sp_configure N'show advanced options', N'1' RECONFIGURE WITH OVERRIDE +GO +EXEC sys.sp_configure N'user connections' +EXEC sys.sp_configure N'show advanced options', N'0' RECONFIGURE WITH OVERRIDE +GO + +If SQL Server settings for concurrent sessions is not lower than or equal to the organization-defined maximum number of sessions, this is a finding. + + + False + False + + Review SQL Server field definitions, constraints, and foreign keys to determine whether or not data being input into the database is valid. +If field definitions are not reflective of the data, this is a finding. + +If column data types are not assigned correctly where required within the database, this is a finding. + +If columns do not contain reasonable constraints based on column use, this is a finding. 
+ + + False + False + + USE <database name>; +GO +WITH FixedServerRoles(RoleName) AS +( + SELECT 'sysadmin' + UNION SELECT 'securityadmin' + UNION SELECT 'serveradmin' + UNION SELECT 'setupadmin' + UNION SELECT 'processadmin' + UNION SELECT 'diskadmin' + UNION SELECT 'dbcreator' + UNION SELECT 'bulkadmin' +) +SELECT + DB_NAME() AS [Database], + SUSER_SNAME(D.owner_sid) AS [Database Owner], + F.RoleName AS [Fixed Server Role], + CASE WHEN D.is_trustworthy_on = 1 THEN 'ON' ELSE 'off' END + AS [Trustworthy] +FROM + FixedServerRoles F + INNER JOIN sys.databases D ON D.Name = DB_NAME() +WHERE + IS_SRVROLEMEMBER(F.RoleName, SUSER_SNAME(D.owner_sid)) = 1 +AND DB_NAME() <> 'msdb' +AND D.is_trustworthy_on = 1; +GO +If the query returns any rows, this is a finding. + + + + + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE 
TE.EventId IS NULL END + False + False + + Check to see that all required events are being audited. +From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. +From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. 
Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\PowerStig', @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode 
= 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END + + + 
diff --git a/src/StigData/Sql-Server2012-Instance-1.16.org.default.xml b/src/StigData/Sql-Server2012-Instance-1.16.org.default.xml
new file mode 100644
index 000000000..696926933
--- /dev/null
+++ b/src/StigData/Sql-Server2012-Instance-1.16.org.default.xml
@@ -0,0 +1,8 @@
+
+
\ No newline at end of file
diff --git a/src/StigData/Sql-Server2012-Instance-1.16.xml b/src/StigData/Sql-Server2012-Instance-1.16.xml
new file mode 100644
index 000000000..75868d12c
--- /dev/null
+++ b/src/StigData/Sql-Server2012-Instance-1.16.xml
@@ -0,0 +1,6693 @@ + + + + False + False + + If the DBMS exists in the unclassified environment, and data transmission does not cross the boundary between the NIPRNet and the wider Internet, and the application owner and authorizing official have determined that encryption is not required, this is not a finding. + +Check SQL Server and network settings to determine whether cryptographic mechanisms are used to prevent the unauthorized disclosure of information during transmission. If not, this is a finding. + +Review system documentation to determine whether the system handles classified information. If the system does not handle classified information, the severity of this check should be downgraded to Category II. + +From Command Prompt, open SQL Server Configuration Manager by typing sqlservermanager11.msc, and pressing [ENTER]. + +Navigate to SQL Server Configuration Manager >> SQL Server Network Configuration. Right click on Protocols for [NAME OF INSTANCE], where [NAME OF INSTANCE] is a placeholder for the SQL Server instance name, and click on Properties. + +On the Flags tab, if Force Encryption is set to "YES", examine the certificate used on the Certificate tab. + +If Force Encryption is set, a DoD Certificate is not utilized, and a physical encryption measure is utilized, examine the physical encryption devices to determine the following: + +1. The plaintext connection to the database server is afforded the highest protections, allowing no access to unauthorized or non-cleared personnel. +2. The encryption device is configured to pass traffic to only the specific IP addresses as identified by the database documentation. +3. The encryption keys utilized are current and valid keys. +4. The keys utilized meet approved organizationally defined compliant algorithms. + +If any of the preceding requirements is not met, this is a finding. 
+ +If Force Encryption is set to "NO" or a DoD Certificate is not utilized, and physical encryption measures are not utilized, this is a finding. + + + False + False + + If Database Availability Groups are not being used, this is not applicable (NA). + +Check the system documentation and check with the administrator regarding processing resources of the backup/secondary SQL Server. + +If the primary SQL Server has a backup/secondary server that is dedicated 100% to the primary server's processing, this is not a finding. + +If the secondary/backup SQL Server is already partly resourced to process something other than that of the primary SQL Server processing, then determine what resources would be required for the secondary/backup SQL Server. + +If the secondary/backup SQL Server is determined to not have enough processing resources to fulfill the function of the primary server's SQL Server process, this is a finding. + + + False + False + + Review system documentation and determine if one type or more of SQL Server users has a business need for priority usage over other types of users. The need for prioritization most frequently occurs when SQL Server resources are shared between two or more applications or systems where the number of users on more than one system is small or non-existent. This needs to be the case, because SQL Server limits resource based on user accounts and not what process is running. + +If SQL Server has users that are determined to run significantly high priority processes than other users and the SQL Server "Resource Governor" is not being implemented, this is a finding. + + + False + False + + Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines. + +If the labeling of sensitive data is not required, this is NA. + +Obtain system configuration setting to determine how data labeling is being performed. 
This can be through triggers or some other SQL developed means or via a third-party tool. Check to ensure that labels are being associated to data when information is being exchanged between systems. + +If the labeling is not being associated to data when exchanging data between systems, this is a finding. + + + False + False + + If SQL Server is not housing or distributing publicly available information, this finding is NA. + +Obtain from the DBA or system documentation the list of publicly available data within SQL Server and the role names that assign read-only access to that public data. + +Obtain the publicly available user account name being used to access SQL Server. + +Navigate to Start >> Administrative Tools >> Server Manager >> Server Manager (<'server name'>) >> Configuration >> Local Users and Groups >> Groups >> right click 'Guests' >> Properties >> 'Members:' +The publicly available user account will likely be in the OS 'Guests' group. + +Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'Server Roles'. + +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> Server Roles. + +If any 'Server Roles' are marked that grant more than read access to the publicly available information, this is a finding. + + + False + False + + If SQL Server is not housing or distributing publicly available information, this finding is NA. + +Obtain from the DBA or system documentation the list of publicly available data within SQL Server. + +Obtain the publicly available user account name being used to access SQL Server. + +Navigate to Start >> Administrative Tools >> Server Manager >> Server Manager (<'server name'>) >> Configuration >> Local Users and Groups >> Groups >> right click 'Guests' >> Properties >> 'Members:' +The publicly available user account will likely be in the OS 'Guests' group. 
+ +Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'User Mapping'. + +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> User Mapping. + +If any of the three system databases are checked (indicating a granted privilege): master, model, or msdb, this is a finding. + + + False + False + + If SQL Server is not housing or distributing publicly available information, this finding is NA. + +If SQL Server supports an application collecting information from the public, this is NA. + +Obtain from the DBA or system documentation the list of publicly available data within SQL Server. +Obtain the publicly available user account(s) being used to access SQL Server. + +Determine if SQL Server is granting more than read access to the publicly available information through SQL Server 'Securables'. + +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'user account'> >> Properties >> Securables. + +If any 'Securables' are listed, this is a finding. + + + False + False + + If the system exists in the non-classified environment, this is NA. + +For each database under the SQL Server instance, review the system documentation to determine whether the database holds classified or sensitive information. If it does not, this is not a finding. + +If it does handle classified or sensitive information, review the system documentation and configuration to determine whether the classified information is protected by NSA- and NIST-approved cryptography. If not, this is a finding. 
+ +If DBMS data encryption is required, ensure the status of encryption by executing: + +SELECT + d.name AS [Database Name], + CASE e.encryption_state + WHEN 0 THEN 'No database encryption key present, no encryption' + WHEN 1 THEN 'Unencrypted' + WHEN 2 THEN 'Encryption in progress' + WHEN 3 THEN 'Encrypted' + WHEN 4 THEN 'Key change in progress' + WHEN 5 THEN 'Decryption in progress' + WHEN 6 THEN 'Protection change in progress' + END AS [Encryption State] +FROM sys.dm_database_encryption_keys e +RIGHT JOIN sys.databases d ON DB_NAME(e.database_id) = d.name +WHERE d.name NOT IN ('master','model','msdb') +ORDER BY 1 +; +For each user database where encryption is required, verify that encryption is in effect. If not, this is a finding. + + + + False + False + + Review system documentation to determine whether cryptography for classified or sensitive information is required by the information owner. + +If the system documentation does not specify the type of information hosted on SQL Server: classified, sensitive and/or unclassified, this is a finding. + +If neither classified nor sensitive information exists within SQL Server databases or configuration, this requirement is NA. +Note: If the SQL Server is compliant, nothing is displayed. + +If cryptography is being used by SQL Server, examine evidence that an audit record is created whenever the asymmetric key is accessed by other than authorized users. In particular, view evidence that access by a SYSADMIN or other system privileged account results in the generation of an audit record. This is required because system privileges allow access to encryption keys and can be used to access sensitive data where there is not a need-to-know. + +Note: The list of acceptable algorithms: "AES 128", "AES 192", "AES 256" and "Triple DES". 
+ +If cryptography is being used by SQL Server, verify that the cryptography is NIST FIPS 140-2 certified by running the following SQL query: +EXEC sp_MSforeachdb +' +DECLARE @nCount integer; + +SELECT @nCount = Count(*) + FROM [?].sys.symmetric_keys + WHERE key_algorithm NOT IN (''D3'',''A1'',''A2'',''A3''); + +IF @nCount > 0 + SELECT ''?'' AS ''database ?'' + , name + , algorithm_desc + FROM [?].sys.symmetric_keys + WHERE key_algorithm NOT IN (''D3'',''A1'',''A2'',''A3'') + ORDER BY name, algorithm_desc; +' +; + +If any items list showing an uncertified NIST FIPS 140-2 algorithm type, this is a finding. +If an audit record is not generated for unauthorized access to the asymmetric key, this is a finding. + +Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html. + + + False + False + + Review documentation, SQL Server settings and authentication system settings to determine if non-organizational users are individually identified and authenticated when logging onto the system. + +If non-organizational users are not uniquely identified and authenticated, this is a finding. + + + False + False + + Obtain authorized access list for backup and restoration procedures from system documentation. + +If documented procedures are insufficient to show or describe authorized personnel, this is a finding. + +Review file protections assigned to online backup and restoration files. + +Review access protections and procedures for offline backup and restoration files. + +If backup or restoration files are subject to unauthorized access, this is a finding. + +It may be necessary to review backup and restoration procedures to determine ownership and access during all phases of backup and recovery. In addition to physical and host system protections, consider other methods including encryption protection of the files. 
+ + + False + False + + Review SQL Server's documented testing and recovery procedures that exist in the system documentation. + +If the testing or recovery procedures are not documented in the system documentation, this is a finding. + +If the documented testing or recovery procedures are not sufficient to test or recover SQL Server configuration and databases, this is a finding. + +Review evidence of implementation of testing and verification procedures by reviewing logs from backup and recovery implementation. Logs may be in electronic form or hardcopy, and may include email or other notification. + +If the system recovery testing has not been implemented and documented, this is a finding. + + + False + False + + Review the database backup procedures and implementation evidence. + +Evidence of implementation includes records of backup events and physical review of backup media. + +Evidence should match the backup plan as recorded in the system documentation. + +If backup procedures do not exist or are not implemented in accordance with the procedures, this is a finding. + + + False + False + + Review the components and features included in SQL Server and capable of being disabled (by configuration settings, permissions and privileges, etc.). Take note of those which are enabled. + +Review the system documentation to verify that the enabled components or features are documented and authorized. If any enabled components or features are not authorized, this is a finding. + + + False + False + + Review the list of components and features installed with the database. Using an account with System Administrator privileges, from Command Prompt, open control.exe. + +Navigate to Programs and Features. Check for the following entries in the 'Uninstall or change a program' window. 
+ +Microsoft SQL Server Data Tools - Database Projects - Web installer entry point +Prerequisites for SSDT + +If SQL Server Data Tools is not documented as a server requirement, and these entries exist, this is a finding. + + + False + False + + Check system documentation for policy and procedures to restrict use of the SQL Server software installation account. + + +Check OS settings to determine whether users are restricted from accessing SQL Server objects and data they are not authorized to access by checking the local OS user accounts. +From a Command Prompt, open lusrmgr.msc. Navigate to Users >> right click individual user >> Properties >> Member Of. + + +If appropriate access controls for all users are not implemented to restrict access to only authorized users and to restrict the access of those users to objects and data they are authorized, this is a finding. + + +Review procedures for controlling and granting access to use of the SQL Server software installation account. + +If access or use of this account is not restricted to the minimum number of personnel required, or unauthorized access to this account has been granted, this is a finding. + + + False + False + + If a security and data integrity tool is not used for monitoring and alerting files and folders based on cryptographic hashes, this is a finding. + +If the tool does not verify files/folder locations as listed in the documentation, this is a finding. + + + False + False + + Verify within the system documentation that SQL Server is monitoring for security-relevant configuration settings to discover unauthorized changes. + +This can be done by a third-party tool or a SQL script that does baselining and then comparisons. + +If the monitoring of security-relevant configuration settings to discover unauthorized changes is not implemented on SQL Server, this is a finding. + + + False + False + + Check to see that all required events are being audited. 
+From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. +From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. 
They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + + + False + False + + Check to see that all required events are being audited. +From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. +From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. 
Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + + + False + False + + Check to see that all required events are being audited. +From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. +From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. 
Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + + + False + False + + Check to see that all required events are being audited. +From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. +From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. 
It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + + + False + False + + Check to see that all required events are being audited. +From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. +From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. 
+If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + + + False + False + + Check to see that all required events are being audited. +From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. 
+From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + + + False + False + + Check to see that all required events are being audited. 
+From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. +From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. 
They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + + + False + False + + Obtain the list of authorized SQL Server accounts in the system documentation. + +If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding. (The key is individual accountability. If this can be traced, this is not a finding.) + +If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding. + +Review contents of audit logs, traces and data tables to confirm that the identity of the individual user performing the action is captured. If shared identifiers are found, and not accompanied by individual identifiers, this is a finding. + +Note: Privileged installation accounts may be required to be accessed by the DBA or other administrators for system maintenance. In these cases, each use of the account must be logged in some manner to assign accountability for any actions taken during the use of the account. + + + False + False + + Check to see that all required events are being audited. +From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. 
+From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + + + False + False + + Review system documentation to identify the installation account. 
Verify whether the account is used for anything beyond SQL Server software installation, upgrade, and maintenance actions. + +If the account is used for anything beyond SQL Server installation, upgrade, and maintenance actions, this is a finding. + + + False + False + + From the system security documentation, obtain the list of SQL Server DBA accounts, the OS/domain Group(s) representing those DBAs' job role(s), and the OS permissions required by that/those role(s). + + +To review local accounts and groups: + +Log on to the Windows server hosting SQL Server, using an account with administrator privileges. + +From a command prompt opened as administrator, type gpedit.msc, and press [ENTER]. In Group Policy Editor, navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Scan the list to determine which privileges are assigned to the Group(s) representing the SQL Server DBA job role(s). If any privileges are assigned that are not required by these roles, this is a finding. + +From the command prompt, type lusrmgr.msc, and press [ENTER]. In the Local Users and Groups console, navigate to Users. Right-click each DBA user. Click Properties. Click the 'Member of' tab. If any parent groups are listed that are not specific to DBA roles, this is a finding. + +In the Local Users and Groups console, navigate to Groups. Right-click each DBA Group. Click Properties. Review the list of group members. If any account that does not represent a DBA is listed, this is a finding. + + +To review domain-level accounts and groups: + +Log on to a domain controller with the necessary privileges. + +Open Active Directory Users and Computers (available from menus or run dsa.msc) + +Determine the location of the accounts or groups to be reviewed. The default is the Users container, but they could have been created or moved to an Organizational Unit (OU) that is domain specific. + +Right-click each DBA user. 
Click Properties. Click the 'Member of' tab. If any parent groups are listed that are not specific to DBA roles, this is a finding. + +Right-click each DBA Group. Click Properties. Select the 'Members' tab. Review the list of group members. If any account that does not represent a DBA is listed, this is a finding. + + + False + False + + Obtain the list of all DBAs. +Obtain documented role assignments for each DBA. +Obtain from system documentation or use SQL Server to determine privilege assignment of user-defined roles. + +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins >> right click <'administrator account name'> >> Properties >> User >> Securables. + +If any item in the 'Permission' listing, for each highlighted item that exists in the 'Securables' listing, has excessive privileges, this is a finding. + +Navigate from 'Securables' to 'Server Roles'. + +If any checked 'Server roles' are determined to be excessive privileges, this is a finding. + +Navigate from 'Server Roles' to 'Users mapped to the login'. + +If any checked 'Database role membership' of each highlighted and checked 'Database' are determined to be excessive privileges, this is a finding. + + + False + False + + Check to see that all required events are being audited. +From the query prompt: + +SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); + +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. 
+From the query prompt: + +SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: +14, 15, 18, 20, +102, 103, 104, 105, 106, 107, 108, 109, 110, +111, 112, 113, 115, 116, 117, 118, +128, 129, 130, +131, 132, 133, 134, 135, +152, 153, +170, 171, 172, 173, 175, 176, 177, 178. + +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: +SELECT * FROM sys.trace_events; +5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + + + False + False + + Use SQL Server and system documentation to determine privilege assignment of user-defined roles. 
+ +Determine which user-defined roles grant privileges to system tables and configuration data stored in SQL Server. + +For each Login: + +In SQL Server Management Studio, Object Explorer, expand <SQL Server instance> >> Security >> Logins >> Right-click <login account name> >> Properties >> User >> Securables. + +If any item in the Explicit Permissions listing, for each highlighted item that exists in the Securables listing, indicates direct permission access, and that permission is anything other than Connect SQL, this is a finding. + +Navigate from Securables to Server Roles. + +If any Server Roles are checked from the following list, indicating direct permission access, this is a finding: +bulkadmin +dbcreator +diskadmin +processadmin +securityadmin +serveradmin +setupadmin + +If the sysadmin server role is checked, review system documentation to determine whether this login's need for the sysadmin role is documented and approved. If it is not, this is a finding. + +If any user-defined server roles with system table or configuration data privileges are checked, review system documentation to determine whether this login's need for the role is documented and approved. If it is not, this is a finding. + +Navigate from Server Roles to User Mapping. Select in turn each entry where the User column is non-blank. If any Database Roles are checked from the following list, indicating direct permission access, this is a finding: +db_accessadmin +db_backupoperator +db_datareader +db_datawriter +db_ddladmin +db_denydatareader +db_denydatawriter +db_owner +db_securityadmin + + + False + False + + Obtain the list of available user-defined server roles from system documentation. + +Obtain the list of available user-defined server roles from the SQL Server system by running the following script: +/********************************************************************************** + LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. 
+ ***********************************************************************************/ +DECLARE @admin_Account_name sysname +SET @admin_Account_name = 'NO admin ACCOUNT found' +DECLARE @server_name sysname +SET @server_name = 'NO Server found' + +SELECT @server_name = name FROM sys.servers + WHERE server_id = 0 +SET @admin_Account_name = @server_name + '\Administrator' + +SELECT pe.grantee_principal_id + , pr.type AS 'Grantee_Type' + , pr.name AS 'Grantee_Name' + , pe.type + , pe.permission_name + , pe.state + , pe.state_desc + FROM sys.server_permissions pe + JOIN sys.server_principals pr + ON pe.grantee_principal_id = pr.principal_id + JOIN sys.server_principals ps + ON pe.grantor_principal_id = ps.principal_id + LEFT JOIN sys.server_principals us + ON us.principal_id = pe.major_id + WHERE pr.type IN ('R') + AND pe.grantee_principal_id > 10 + AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', + 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', + 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') + AND NOT pr.name = @admin_Account_name + ORDER BY CASE pe.state + WHEN 'D' THEN 1 + WHEN 'W' THEN 2 + WHEN 'G' THEN 3 + ELSE 4 + END + +If any listed user-defined roles are not found in the system documentation, this is a finding. + +Obtain the list assigned privileges for all user-defined roles in the system documentation. + +Check all SQL Server user-defined server roles for access rights as it relates to the separation of duties. Repeat steps for each user-defined server role. +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Server Roles >> right click <'user-defined server role name'> >> Properties >> General >> Securables. If any user-defined role is assigned privileges that are not documented in the system documentation, this is a finding. 
+ +If any user-defined role contains permissions that are inconsistent with separation sensitive information assignment, this is a finding. + +If system access requires more than one level of sensitive information access and the user-defined role names do not clearly differentiate between the different levels of sensitive information, this is a finding. + + + False + False + + Check for direct user assignment to server permissions by running the following script: +/********************************************************************************** + LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT + SYSTEM ADMINISTRATOR accounts. DO NOT LIST ROLES. +***********************************************************************************/ +DECLARE @admin_Account_name sysname +SET @admin_Account_name = 'NO administrator account found' +DECLARE @server_name sysname +SET @server_name = 'NO Server found' + +SELECT @server_name = name FROM sys.servers + WHERE server_id = 0 +SET @admin_Account_name = @server_name + '\Administrator' + +SELECT pe.grantee_principal_id + , pr.type AS 'Grantee_Type' + , pr.name AS 'Grantee_Name' + , pe.type + , pe.permission_name + , pe.state + , pe.state_desc + FROM sys.server_permissions pe + JOIN sys.server_principals pr + ON pe.grantee_principal_id = pr.principal_id + JOIN sys.server_principals ps + ON pe.grantor_principal_id = ps.principal_id + LEFT JOIN sys.server_principals us + ON us.principal_id = pe.major_id + WHERE pr.type IN ('K', 'S', 'U') + AND pe.grantee_principal_id > 10 + AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', + 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', + 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') + AND NOT pr.name = @admin_Account_name + AND NOT pe.permission_name = 'connect sql' + ORDER BY CASE pr.type + WHEN 'K' THEN 1 + WHEN 'S' THEN 2 + WHEN 'U' THEN 3 + ELSE 4 + END + +If any user account list 
indicates direct access to any server permission, this is a finding. + +Obtain the list of available user-defined server roles from system documentation. + +Obtain the list of available user-defined server roles from the SQL Server system by running the following script: +/********************************************************************************** + LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. + ***********************************************************************************/ +DECLARE @admin_Account_name sysname +SET @admin_Account_name = 'NO admin ACCOUNT found' +DECLARE @server_name sysname +SET @server_name = 'NO Server found' + +SELECT @server_name = name FROM sys.servers + WHERE server_id = 0 +SET @admin_Account_name = @server_name + '\Administrator' + +SELECT pe.grantee_principal_id + , pr.type AS 'Grantee_Type' + , pr.name AS 'Grantee_Name' + , pe.type + , pe.permission_name + , pe.state + , pe.state_desc + FROM sys.server_permissions pe + JOIN sys.server_principals pr + ON pe.grantee_principal_id = pr.principal_id + JOIN sys.server_principals ps + ON pe.grantor_principal_id = ps.principal_id + LEFT JOIN sys.server_principals us + ON us.principal_id = pe.major_id + WHERE pr.type IN ('R') + AND pe.grantee_principal_id > 10 + AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', + 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', + 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') + AND NOT pr.name = @admin_Account_name + AND NOT pe.permission_name = 'connect sql' + ORDER BY CASE pe.state + WHEN 'D' THEN 1 + WHEN 'W' THEN 2 + WHEN 'G' THEN 3 + ELSE 4 + END + +If any listed user-defined roles are not found in the system documentation, this is a finding. + +Obtain the list of assigned privileges for all user-defined roles in the system documentation. 
+ +Check all SQL Server user-defined server roles for access rights as it relates to the separation of duties. Repeat steps for each user-defined server role. +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Server Roles >> right click <'user-defined server role name'> >> Properties >> General >> Securables. If any roles are found that do not enforce separation of duties, this is a finding. + + + False + False + + Check for rights propagation assignment to DBMS server permissions by running the following query: + +USE master; +SELECT * +FROM sys.server_permissions +WHERE state_desc = 'GRANT_WITH_GRANT_OPTION'; + +If any of the permissions listed have not been documented and approved as requiring GRANT_WITH_GRANT_OPTION, this is a finding. + + + False + False + + Check for direct user assignment to server permissions by running the following script: +/********************************************************************************** + LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT + SYSTEM ADMINISTRATOR accounts. DO NOT LIST ROLES. 
+***********************************************************************************/ +DECLARE @admin_Account_name sysname +SET @admin_Account_name = 'NO Administrator account found' +DECLARE @server_name sysname +SET @server_name = 'NO Server found' + +SELECT @server_name = name FROM sys.servers + WHERE server_id = 0 +SET @admin_Account_name = @server_name + '\Administrator' + +SELECT pe.grantee_principal_id + , pr.type AS 'Grantee_Type' + , pr.name AS 'Grantee_Name' + , pe.type + , pe.permission_name + , pe.state + , pe.state_desc + FROM sys.server_permissions pe + JOIN sys.server_principals pr + ON pe.grantee_principal_id = pr.principal_id + JOIN sys.server_principals ps + ON pe.grantor_principal_id = ps.principal_id + LEFT JOIN sys.server_principals us + ON us.principal_id = pe.major_id + WHERE pr.type IN ('K', 'S', 'U') + AND pe.grantee_principal_id > 10 + AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', + 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', + 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') + AND NOT pr.name = @admin_Account_name + ORDER BY CASE pr.type + WHEN 'K' THEN 1 + WHEN 'S' THEN 2 + WHEN 'U' THEN 3 + ELSE 4 + END + +If any user account list indicates direct access to any server permission, this is a finding. + +Obtain the list of available user-defined server roles from system documentation. + +Obtain the list of available user-defined server roles from the SQL Server system by running the following script: +/********************************************************************************** + LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. 
+ ***********************************************************************************/ +DECLARE @admin_Account_name sysname +SET @admin_Account_name = 'NO admin ACCOUNT found' +DECLARE @server_name sysname +SET @server_name = 'NO Server found' + +SELECT @server_name = name FROM sys.servers + WHERE server_id = 0 +SET @admin_Account_name = @server_name + '\Administrator' + +SELECT pe.grantee_principal_id + , pr.type AS 'Grantee_Type' + , pr.name AS 'Grantee_Name' + , pe.type + , pe.permission_name + , pe.state + , pe.state_desc + FROM sys.server_permissions pe + JOIN sys.server_principals pr + ON pe.grantee_principal_id = pr.principal_id + JOIN sys.server_principals ps + ON pe.grantor_principal_id = ps.principal_id + LEFT JOIN sys.server_principals us + ON us.principal_id = pe.major_id + WHERE pr.type IN ('R') + AND pe.grantee_principal_id > 10 + AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', + 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', + 'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') + AND NOT pr.name = @admin_Account_name + ORDER BY CASE pe.state + WHEN 'D' THEN 1 + WHEN 'W' THEN 2 + WHEN 'G' THEN 3 + ELSE 4 + END + +If any listed user-defined roles are not found in the system documentation, this is a finding. + +Obtain the list of user role assignments in the system documentation. + +Check all SQL Server user-defined server roles for authorized and documented permission assignments. Repeat steps for each user-defined server role. +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Server Roles >> right click <'user-defined server role name'> >> Properties >> Members. If any roles are found that are not authorized and documented, this is a finding. 
+ + + False + False + + Check for direct user assignment to server permissions by running the following script: +/********************************************************************************** +LIST ALL DIRECT SERVER PERMISSIONS TO ANY ACCOUNT EXCEPT +SYSTEM ADMINISTRATOR ACCOUNTS. DO NOT LIST ROLES. +***********************************************************************************/ +DECLARE @admin_Account_name sysname +SET @admin_Account_name = 'NO administrator account found' +DECLARE @server_name sysname +SET @server_name = 'NO Server found' + +SELECT @server_name = name FROM sys.servers +WHERE server_id = 0 +SET @admin_Account_name = @server_name + '\Administrator' + +SELECT pe.grantee_principal_id +, pr.type AS 'Grantee_Type' +, pr.name AS 'Grantee_Name' +, pe.type +, pe.permission_name +, pe.state +, pe.state_desc +FROM sys.server_permissions pe +JOIN sys.server_principals pr +ON pe.grantee_principal_id = pr.principal_id +JOIN sys.server_principals ps +ON pe.grantor_principal_id = ps.principal_id +LEFT JOIN sys.server_principals us +ON us.principal_id = pe.major_id +WHERE pr.type IN ('K', 'S', 'U') +AND pe.grantee_principal_id > 10 +AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', +'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', +'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') +AND NOT pr.name = @admin_Account_name +AND NOT pe.permission_name = 'connect sql' +ORDER BY CASE pr.type +WHEN 'K' THEN 1 +WHEN 'S' THEN 2 +WHEN 'U' THEN 3 +ELSE 4 +END; +GO + +If any user account listed indicates direct access to any server permission, this is a finding. + +Obtain the list of available user-defined server roles from system documentation. 
+ +Obtain the list of available user-defined server roles from the SQL Server system by running the following script: +/********************************************************************************** + LIST ALL INDIRECT (via ROLES) ACCESS TO THE SERVER PERMISSION. + ***********************************************************************************/ +DECLARE @admin_Account_name sysname +SET @admin_Account_name = 'NO admin ACCOUNT found' +DECLARE @server_name sysname +SET @server_name = 'NO Server found' + +SELECT @server_name = name FROM sys.servers +WHERE server_id = 0 +SET @admin_Account_name = @server_name + '\Administrator' + +SELECT pe.grantee_principal_id +, pr.type AS 'Grantee_Type' +, pr.name AS 'Grantee_Name' +, pe.type +, pe.permission_name +, pe.state +, pe.state_desc +FROM sys.server_permissions pe +JOIN sys.server_principals pr +ON pe.grantee_principal_id = pr.principal_id +JOIN sys.server_principals ps +ON pe.grantor_principal_id = ps.principal_id +LEFT JOIN sys.server_principals us +ON us.principal_id = pe.major_id +WHERE pr.type IN ('R') +AND pe.grantee_principal_id > 10 +AND NOT pr.name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##', +'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\MSSQLSERVER', +'NT SERVICE\SQLSERVERAGENT', 'NT SERVICE\SQLWriter', 'NT SERVICE\Winmgmt') +AND NOT pr.name = @admin_Account_name +AND NOT pe.permission_name = 'connect sql' +ORDER BY CASE pe.state +WHEN 'D' THEN 1 +WHEN 'W' THEN 2 +WHEN 'G' THEN 3 +ELSE 4 +END; +GO + +Obtain the list of user role assignments in the system documentation. + +Check all SQL Server user-defined server roles for authorized and documented permission assignments. Repeat steps for each user-defined server role. +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Server Roles >> right click <'user-defined server role name'> >> Properties >> Members. 
+ +If both user-defined role(s) and user(s) are listed as "Member of this role", this is a propagation of access rights, and this is a finding. + + + False + False + + Check to see that all required events are being audited. +From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. +From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. 
Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements.
+6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.
+
+
+ False
+ False
+
+ Check to see that all required events are being audited.
+From the query prompt:
+ SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+ SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+The following required event IDs should be listed:
+ 14, 15, 18, 20,
+ 102, 103, 104, 105, 106, 107, 108, 109, 110,
+ 111, 112, 113, 115, 116, 117, 118,
+ 128, 129, 130,
+ 131, 132, 133, 134, 135,
+ 152, 153,
+ 170, 171, 172, 173, 175, 176, 177, 178.
+If any of the audit event IDs required above is not listed, this is a finding.
+
+Notes:
+1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner.
+2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account.
+3. It is acceptable to trace additional event IDs. This is the minimum list.
+4. 
Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.)
+Use the following query to obtain a list of all event IDs, and their meaning:
+ SELECT * FROM sys.trace_events;
+5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements.
+6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.
+
+
+ False
+ False
+
+ Check to see that all required events are being audited.
+From the query prompt:
+ SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
+All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
+
+Determine the trace(s) being used for the auditing requirement.
+In the following, replace # with a trace ID being used for the auditing requirements.
+From the query prompt:
+ SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
+The following required event IDs should be listed:
+ 14, 15, 18, 20,
+ 102, 103, 104, 105, 106, 107, 108, 109, 110,
+ 111, 112, 113, 115, 116, 117, 118,
+ 128, 129, 130,
+ 131, 132, 133, 134, 135,
+ 152, 153,
+ 170, 171, 172, 173, 175, 176, 177, 178.
+If any of the audit event IDs required above is not listed, this is a finding.
+
+Notes:
+1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner.
+2. 
It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account.
+3. It is acceptable to trace additional event IDs. This is the minimum list.
+4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.)
+Use the following query to obtain a list of all event IDs, and their meaning:
+ SELECT * FROM sys.trace_events;
+5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements.
+6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.
+
+
+ False
+ False
+
+ Review the system documentation to determine whether any limits have been defined. If not, this is a finding.
+
+If one limit has been defined but is not applied to all users, including privileged administrative accounts, this is a finding.
+
+If multiple limits have been defined, to accommodate different types of user, verify that together they cover all users. If not, this is a finding.
+
+If a mechanism other than a logon trigger is used, verify its correct operation by the appropriate means. If it does not work correctly, this is a finding.
+
+Otherwise, determine if a logon trigger exists:
+
+EITHER, in SQL Server Management Studio's Object Explorer tree:
+Expand [SQL Server Instance] >> Security >> Server Objects >> Triggers
+
+OR run the query:
+SELECT * FROM master.sys.server_triggers;
+
+If no triggers are listed, this is a finding.
+
+If triggers are listed, identify the one(s) limiting the number of concurrent sessions per user. If none are found, this is a finding. If they are present but disabled, this is a finding.
+
+Examine the trigger source code for logical correctness and for compliance with the documented limit(s). If errors or variances exist, this is a finding.
+
+Verify that the system does execute the trigger(s) each time a user session is established. If it does not operate correctly for all types of user, this is a finding.
+
+
+ False
+ False
+
+ If the system exists in the Classified environment, this is NA.
+
+For each database under the SQL Server instance, review the system documentation to determine whether the database holds sensitive information. If it does not, this is not a finding.
+
+If it does handle sensitive information, review the system documentation and configuration to determine whether the sensitive information is protected by NIST-approved cryptography. If not, this is a finding.
+
+
+ False
+ False
+
+ If the need for the SQL Server Browser service is documented, with appropriate approval, this is not a finding.
+
+Open the Services tool.
+
+Either navigate, via the Windows Start Menu and/or Control Panel, to "Administrative Tools", and select "Services" or at a command prompt, type "services.msc" and press the "Enter" key.
+
+Scroll to "SQL Server Browser".
+
+If its Startup Type is not shown as "Disabled", this is a finding.
+
+
+ False
+ False
+
+ Run the statement:
+SELECT
+ name
+FROM
+ sys.sql_logins
+WHERE
+ type_desc = 'SQL_LOGIN'
+ AND is_disabled = 0
+ AND is_policy_checked = 0 ;
+
+If no account names are listed, this is not a finding.
+
+For each account name listed, determine whether it is documented as requiring exemption from the standard password complexity rules. If it is not, this is a finding.
+
+
+ False
+ False
+
+ Run the statement:
+SELECT
+name
+FROM
+sys.sql_logins
+WHERE
+type_desc = 'SQL_LOGIN'
+AND is_disabled = 0
+AND is_expiration_checked = 0;
+
+If no account names are listed, this is not a finding.
+
+For each account name listed, determine whether it is documented as requiring exemption from the standard password lifetime rules, if it is not, this is a finding.
+
+
+
+
+ False
+ False
+
+ Check the configuration of SQL Server, the operating system and any monitoring/management tools to verify the system activates an alarm and/or triggers a shutdown of SQL Server when a component failure is detected.
+
+If system does not take either or both actions, this is a finding.
+
+
+ False
+ False
+
+ Security-related errors must be identified and monitored. In most cases, these items would appear in the SQL Server log file.
+
+If security-related error conditions are not being monitored to meet this requirement, this is a finding.
+
+
+ False
+ False
+
+ Determine elements of security functionality (lists of permissions, additional authentication information, stored procedures, application specific auditing, etc.) which are being housed inside SQL server.
+
+For any elements found, check SQL Server to determine if these objects or code implementing security functionality are located in a separate security domain, such as a separate database or schema created specifically for security functionality.
+
+Run the following queryto list all the user-defined databases:
+SELECT Name
+FROM sys.databases
+WHERE database_id > 4
+ORDER BY 1;
+
+If security-related database objects or code are not kept separate, this is a finding.
+
+
+ False
+ False
+
+ If SQL Server is not housing or distributing publicly available information, this finding is NA.
+
+If SQL Server supports an application collecting information from the public, this is NA.
+
+Obtain the publicly available user account name being used to access SQL Server.
+
+Using an account with System Administrator privileges, from a command prompt, type lusrmgr.msc, and press [ENTER].
+Navigate to Groups >> right click 'Guests' >> Properties >> 'Members:'
+The publicly available user account will be in the OS 'Guests' group, or another explicitly defined group.
+
+Determine if the obtained publicly available user account is located in any other groups.
+
+In lusrmgr.msc, navigate to Users. Right click publicly available account name. Click Properties, then click the 'Member of' tab.
+
+If the publicly available user account is found in any group 'Members' listing other than 'Guests', this is a finding.
+
+In SQL, for the account that is used for public access, ensure that read-only access is the only access granted. If any other access is granted, this is a finding.
+
+
+ False
+ False
+
+ Since Windows security is being leveraged, this check applies to database configuration files, associated scripts, and applications external to SQL Server that access the database.
+
+Ask the DBA and/or IAO to determine if any SQL Server database objects, database configuration files, associated scripts, or applications defined as external to SQL Server that access the database/user environment files/settings contain database passwords. If any do, confirm that SQL Server passwords stored externally to the SQL Server are encoded or encrypted. If any passwords are stored in clear text, this is a finding.
+
+
+ False
+ False
+
+ Review SQL Server users to determine whether shared accounts exist.
+
+If accounts are determined to be shared, determine if individuals are first individually authenticated.
If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding.
+
+If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding.
+
+
+ False
+ False
+
+ Review SQL Server users to determine whether shared accounts exist. (This does not include when SQL Server has a guest or public account that is providing access to publicly available information.)
+
+If accounts are determined to be shared, determine if individuals are first individually authenticated. If individuals are not individually authenticated before using the shared account (e.g., by the operating system or possibly by an application making calls to the database), this is a finding.
+
+If accounts are determined to be shared, determine if they are directly accessible to end users. If so, this is a finding.
+
+
+ False
+ False
+
+ Review evidence of inclusion of SQL Server software libraries in current backup records.
+If the backup tool does not include SQL Server, this is a finding.
+
+
+ False
+ False
+
+ Windows Server Backup, or a 3rd Party Backup Tool, can be utilized to perform this function. Determine how SQL Server is being backed up. If there is no scheduled backup or if organizationally defined backup policy and procedures does not exist, this is finding.
+
+Check evidence of inclusion of system-level information into current backup records, if the organizationally defined backup policy, procedures, and backup configurations is not including system-level information backups, this is a finding.
+
+
+ False
+ False
+
+ Windows Server Backup, or a 3rd Party Backup Tool, can be utilized to perform this function. Determine how SQL Server is being backed up. If there is no scheduled backup or if organizationally defined backup policy and procedures does not exist, this is finding.
+
+Check evidence of inclusion user-level information into current backup records, if the organizationally defined backup policy, procedures, and backup configurations is not including user-level information backups, this is a finding.
+
+
+ False
+ False
+
+ Obtain the SQL Server recovery procedures and technical system features to determine if mechanisms exist and are in place to specify use of trusted files during SQL Server recovery.
+
+If recovery procedures do not exist or are not sufficient to ensure recovery is done in a secure and verifiable manner, this is a finding.
+
+Check the configurations of all transaction log files that are enabled by running the following SQL Server query:
+
+EXEC sp_MSforeachdb
+'
+SELECT ''?'' AS ''database name''
+ , name AS ''log file name''
+ , physical_name AS ''log file location and name''
+ , state_desc
+ , size
+ , max_size
+ , growth
+ , is_percent_growth
+ FROM [?].sys.database_files
+ WHERE type_desc = ''LOG''
+ AND state = 0;
+'
+;
+
+If any transaction log files are not configured correctly for size, max_size, and growth to log sufficient transaction information, this is a finding.
+
+
+ False
+ False
+
+ Review the SQL Server configuration and settings for functions, ports, protocols, and services that are not approved or are not used, but are available.
+
+To determine the protocol(s) enabled for SQL Server, open SQL Server Configuration Manager. In the left-hand pane, expand SQL Server Network Configuration. Click on the entry for the SQL Server instance under review: "Protocols for <instance name>". The right-hand pane displays the protocols enabled for the instance.
+
+To determine whether SQL Server is configured to use a fixed port or dynamic ports, in the right-hand pane double-click on the TCP/IP entry, to open the Properties dialog. (The default fixed port is 1433.)
+
+To see which ports are open on the server, run netstat-a from a Windows command prompt.
+
+If any ports, protocols, and/or services that are not approved or are not used, are available, this is a finding.
+
+
+ False
+ False
+
+ Review the list of user-defined Stored Procedures and Functions by running the following SQL query:
+EXEC sp_MSforeachdb
+'
+DECLARE @nCount integer;
+
+SELECT @nCount = Count(*)
+ FROM [?].sys.objects
+ WHERE type in (''FN'', ''P'')
+ AND is_ms_shipped <> 1;
+
+IF @nCount > 0
+SELECT ''?'' AS ''Table Name'', *
+ FROM [?].sys.objects
+ WHERE type in (''FN'', ''P'')
+ AND is_ms_shipped <> 1;
+'
+;
+
+If any user-defined Stored Procedures and Functions are unauthorized and therefore should be prohibited or restricted and are not, this is a finding.
+
+
+ False
+ False
+
+ To determine if xp_cmdshell is enabled, execute the following commands:
+
+EXEC SP_CONFIGURE 'show advanced option', '1';
+RECONFIGURE WITH OVERRIDE;
+EXEC SP_CONFIGURE 'xp_cmdshell';
+
+If the value of config_value is 1, this is a finding.
+
+
+ False
+ False
+
+ Check SQL Server settings to determine if the 'sa' (sysadmin) account has been disabled by executing the following query:
+
+USE MASTER
+GO
+SELECT name, is_disabled
+FROM sys.sql_logins
+WHERE principal_id = 1;
+
+Verify that the "name" column contains the current name of the sa database server account (see note).
+
+If the "is_disabled" column is not set to 1, this is a finding.
+
+Note: If the 'sa' account name has been changed per SQL2-00-010200, its new name should appear in the query results.
+
+
+ False
+ False
+
+ If the SQL Server service "SQL Server Analysis Services (MSSQLSERVER)" is used and the service satisfies functional organizational requirement, this is not a finding.
+
+If there is no functional organizational requirement for the "SQL Server Analysis Services (MSSQLSERVER)" service make sure that the service is not installed or is disabled.
+
+From command prompt, using an account with System Administrator Privilege, open dcomcnfg.
Navigate to Console Root >> Services (Local) >> [sort by name] >> locate: "SQL Server Analysis Services (MSSQLSERVER)".
+
+If the "SQL Server Analysis Services (MSSQLSERVER)" service does not exist, this is not a finding.
+
+If the "SQL Server Analysis Services (MSSQLSERVER)" status is "Started" or the "Startup Type" is not "Disabled", this is a finding.
+
+
+ False
+ False
+
+ If the SQL Server service "SQL Server Integration Services 11.0" is used and the service satisfies functional organizational requirement, this is not a finding.
+
+If there is no functional organizational requirement for the "SQL Server Integration Services 11.0" service make sure that the service is not installed or is disabled.
+
+From command prompt, using an account with System Administrator Privilege, open dcomcnfg. Navigate to Console Root >> Services (Local) >> [sort by name] >> locate: "SQL Server Integration Services 11.0".
+
+If the "SQL Server Integration Services 11.0" service does not exist, this is not a finding.
+
+If the "SQL Server Integration Services 11.0" status is "Started" or the "Startup Type" is not "Disabled", this is a finding.
+
+
+ False
+ False
+
+ If there is no functional organizational requirement for the "SQL Server Reporting Services (MSSQLSERVER)" service, make sure that the service is not installed or that the service is disabled.
+
+If the SQL Server service "SQL Server Reporting Services (MSSQLSERVER)" is used and the service satisfies functional organizational requirement, this is not a finding.
+
+
+From command prompt, using an account with System Administrator Privilege, open dcomcnfg. Navigate to Console Root >> Services (Local) >> [sort by name] >> locate: "SQL Server Reporting Services (MSSQLSERVER)".
+
+If the "SQL Server Reporting Services (MSSQLSERVER)" service does not exist, this is not a finding.
+
+If the "SQL Server Reporting Services (MSSQLSERVER)" status is "Started" or the "Startup Type" is not set to "Disabled", this is a finding.
+
+
+ False
+ False
+
+ Obtain the SQL Server software directory location: from a command prompt, open the registry editor by typing regedit.exe and pressing [ENTER]. Navigate to the following registry location:
+HKEY_LOCAL_MACHINE
+>> SOFTWARE
+>> Microsoft
+>> Microsoft SQL Server
+>> [INSTANCE NAME]
+>> Setup
+>> SQLBinRoot
+
+In the registry tree, the [INSTANCE NAME] for a SQL Server 2012 database engine instance is normally shown as "MSSQL11" followed by a period and the name that was specified for the SQL Server service at installation time. If multiple SQL Server instances are installed, each will have its own [INSTANCE NAME] node and subtree in the registry.
+
+The value in the Data column for the SQLBinRoot registry entry is the file system path for the SQL Server 2012 binaries. Navigate to that folder location using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used.
+
+Verify that files and folders that are part of the SQL Server 2012 instance have only authorized privileges. Right-click the binaries (\binn) folder, click Properties. On the Security tab, verify that at most the following permissions are present:
+Trusted Installer (Full Control)
+CREATOR OWNER (Full Control)
+SYSTEM (Full Control)
+Administrators (Full Control) [See Note 3]
+Users (Read, List Folder Contents, Read & Execute)
+Creator Owner (Special Permissions - Full control - Subfolders and files only)
+All Application Packages (Read & Execute) [Only as needed - see Note 4]
+SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2]
+SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Full Control) [Notes 1, 2]
+SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read & Execute) [Notes 1, 2]
+System Administrators (Full Control) [Note 3]
+
+If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.
+
+Right-click each folder under the binaries folder; click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present.
+If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.
+
+Right-click the \Install folder, which is a peer of \binn, under ...\MSSQL. On the Security tab, verify that at most the permissions listed in the preceding paragraphs are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.
+
+
+Locate the ...\Microsoft SQL Server\110\Shared folder, either by stepping up the tree in Windows Explorer or by finding the file path in the registry at:
+HKEY_LOCAL_MACHINE
+>> SOFTWARE
+>> Microsoft
+>> Microsoft SQL Server
+>> 110
+>> SharedCode
+
+Right-click on the ...\110\Shared folder; click Properties. On the Security tab, verify that at most the following permissions are present:
+Trusted Installer (Full Control)
+CREATOR OWNER (Full Control)
+System (Full Control)
+SQL Server Service SID OR Service Account (Read & Execute) [Notes 1, 2]
+System Administrators (Full Control) [Note 3]
+Local Administrators (Read)
+SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2]
+SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2]
+SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2]
+Users (Read, List Folder Contents, Read & Execute)
+[MsDtsServer110 (Read & Execute) is also permitted, if SSIS/DTS is in use.]
+[NT AUTHORITY\NETWORK SERVICE (Read & Execute) may also be required for SQL Server Configuration Manager to operate.]
+
+If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.
+
+Right-click each folder under the ...\110\Shared folder; click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding.
+
+-----
+
+Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control because these permissions are available only to the specific service when it is running and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx.
+
+Note 2: Tips for adding a service SID/virtual account to a folder's permission list.
+1) In Windows Explorer, right-click on the folder and select "Properties."
+2) Select the "Security" tab
+3) Click "Edit"
+4) Click "Add"
+5) Click "Locations"
+6) Select the computer name
+7) Search for the name
+7.a) SQL Server Service
+7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.)
+7.a.ii) Select the "MSSQL$<instance name>" user and click "OK"
+7.b) SQL Agent Service
+7.b.i) Type "NT SERVICE\SQL" and click "Check Names"
+7.b.ii) Select the "SQLAgent$<instance name>" user and click "OK"
+8) Click "OK"
+9) Permission like a normal user from here
+
+Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only.
+
+Note 4: Some files also require 'ALL APPLICATION PACKAGES (READ, EXECUTE)' permissions for certain functionality to work appropriately, and this is considered acceptable where those permissions are required. (All SQL Server files that require this access reside by default in the ..\Microsoft SQL Server\110\ directory.)
+
+
+
+ False
+ False
+
+ Check Microsoft's list of supported SQL Server versions. To locate the correct web page, perform a web search for "Microsoft SQL Server end of support."
+
+To be considered supported, Microsoft must report that the version is supported by security patches to known vulnerabilities.
+
+Check SQL Server version by running the following command:
+print @@version
+
+If the security patch support for SQL Server cannot be determined or SQL Server version is not shown as supported, this is a finding.
+
+If SQL Server does not contain the latest security patches, this is a finding.
+
+
+ False
+ False
+
+ Verify the SQL Server installations present on the server.
+
+From a Command Prompt, type regedit.exe, and press [ENTER].
+
+Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> Instance Names. Each instance installed on the server possesses a key inside a folder under this registry entry.
+
+Analysis Services Instances are registered in the OLAP subfolder.
+Reporting Services Instances are registered in the RS subfolder.
+Standard SQL Server Instances are registered in the SQL subfolder.
+
+Inside each of these folders, a single key is used to reference an Instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location:
+
+HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME].
+
+An [INSTANCE NAME] is listed as the Data component of a key found in one of the above OLAP, RS, or SQL folders.
+
+To find the installation location of a particular instance, navigate to the following location in the Windows Registry:
+
+HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup.
+
+Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance.
+
+Navigate to that folder location using a Command Prompt or Windows Explorer. Only applications that are required for the functioning and administration, not use, of the SQL Server should be located on the same directory node as the SQL Server software libraries.
+
+If any files or subfolders that are not part of the SQL Server installation are in the folder, this is a finding.
+
+
+ False
+ False
+
+ Verify that Files and Folders that are part of the SQL Server 2012 Installation have auditing enabled.
+
+Right click the root folder of the SQL Server installation. Typically, this is at <drive>:\Program Files\Microsoft SQL Server\. Select Properties.
+
+Click on the Security tab
+
+Click on the Advanced button
+
+Click on the Auditing tab
+
+If "Everyone" is not listed in the "Name" column, this is a finding.
+
+If "This folder, subfolders and files" is not listed in the "Apply To" column, this is a finding.
+
+When "Everyone" ... " is listed, select the "Everyone" row and click on the Edit button.
+
+If either the Successful or Failed checkbox is not selected for any of the following access types, this is a finding:
+ Traverse folder/execute file
+ List folder/read data
+ Read attributes
+ Read extended attributes
+ Create files/write data
+ Create folders/append data
+ Write attributes
+ Write extended attributes
+ Delete
+ Read permissions
+
+
+ False
+ False
+
+ Obtain the SQL Server software library installation directory location.
+
+From a command prompt, type regedit.exe, and press [ENTER].
+
+Navigate to HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> Instance Names. Each instance installed on the server possesses a key inside a folder under this registry entry.
+
+Analysis Services Instances are registered in the OLAP subfolder.
+Reporting Services Instances are registered in the RS subfolder.
+Standard SQL Server Instances are registered in the SQL subfolder.
+
+Inside each one of these folders, a single key is used to reference an instance's specific Windows Registry tree. Each key will have its own registry tree at the following registry location: HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME].
+
+An [INSTANCE NAME] is listed as the data component of a key found in one of the above OLAP, RS, or SQL folders.
+
+To find the installation location of a particular instance, navigate to the following location in the Windows Registry:
+ HKEY_LOCAL_MACHINE >> SOFTWARE >> Microsoft >> Microsoft SQL Server >> [INSTANCE NAME] >> Setup. Examine the value of the 'SqlProgramDir' key. The value of the 'SqlProgramDir' key is the SQL Server installation directory for that SQL Server Instance.
+
+Navigate to that folder location using a command prompt or Windows Explorer. Note any custom subdirectories within the SQL Server software library directory.
Only applications that are required for the functioning and administration of SQL Server should be located in the same disk directory as the SQL Server software libraries.
+
+If any directories or files not installed with the SQL Server software exist within the SQL Server software library directory, this is a finding.
+
+
+ False
+ False
+
+ Obtain the SQL Server audit file location(s) by running the following SQL script:
+SELECT DISTINCT
+LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path"
+FROM sys.traces
+UNION
+SELECT log_file_path AS "Audit Path"
+FROM sys.server_file_audits
+
+For each audit, the path column will give the location of the file.
+
+Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer.
+
+Right-click the file/folder, click Properties. On the Security tab, verify that at most the following permissions are applied:
+Administrator(read)
+Users (none)
+Audit Administrator (Full Control)
+Auditors group (Read)
+SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2]
+SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2]
+
+If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding.
+
+If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding
+-----
+
+Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name.
Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control, because these permissions are available only to the specific service when it is running, and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.120).aspx. + +Note 2: Tips for adding a service SID/virtual account to a folder's permission list. +1) In Windows Explorer, right-click on the folder and select "Properties." +2) Select the "Security" tab +3) Click "Edit" +4) Click "Add" +5) Click "Locations" +6) Select the computer name +7) Search for the name +7.a) SQL Server Service +7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.) +7.a.ii) Select the "MSSQL$<instance name>" user and click OK +7.b) SQL Agent Service +7.b.i) Type "NT SERVICE\SQL" and click "Check Names" +7.b.ii) Select the "SQLAgent$<instance name>" user and click OK +8) Click OK +9) Permission like a normal user from here + + + False + False + + Obtain the SQL Server audit file location(s) by running the following SQL script: +SELECT DISTINCT +LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" +FROM sys.traces +UNION +SELECT log_file_path AS "Audit Path" +FROM sys.server_file_audits + +For each audit, the Audit Path column will give the location of the file. + +Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. The following instructions assume Windows Explorer is used. 
+ +Right-click the file/folder, click Properties. On the Security tab, verify that at most the following permissions are applied: +Administrator(read) +Users (none) +Audit Administrator (Full Control) +Auditors group (Read) +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] + +If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. + +If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding. + +If Trace is in use, SQL Server creates each trace file with a standard set of permissions, overriding the folder permissions. It grants full control to OWNER RIGHTS, Administrators and <SQL Server Instance name>. Since this is not configurable, this is not a finding. + + + False + False + + Obtain the SQL Server audit file location(s) by running the following SQL script: +SELECT DISTINCT +LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" +FROM sys.traces +UNION +SELECT log_file_path AS "Audit Path" +FROM sys.server_file_audits + +For each audit, the path column will give the location of the file. + +Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. + +Right-click the file/folder, click Properties. On the Security tab, verify that at most the following permissions are applied: +Administrator(read) +Users (none) +Audit Administrator (Full Control) +Auditors group (Read) +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. 
(Read, Execute, Write) [Notes 1, 2] + + +If any less restrictive permissions are present and not specifically justified and approved in the system security plan, this is a finding. + +If less restrictive permissions are present and specifically justified and approved in the system security plan, this is not a finding. + +----- + +Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control, because these permissions are available only to the specific service when it is running, and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.120).aspx. + +Note 2: Tips for adding a service SID/virtual account to a folder's permission list. +1) In Windows Explorer, right-click on the folder and select "Properties." +2) Select the "Security" tab +3) Click "Edit" +4) Click "Add" +5) Click "Locations" +6) Select the computer name +7) Search for the name +7.a) SQL Server Service +7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.) 
+7.a.ii) Select the "MSSQL$<instance name>" user and click OK +7.b) SQL Agent Service +7.b.i) Type "NT SERVICE\SQL" and click "Check Names" +7.b.ii) Select the "SQLAgent$<instance name>" user and click OK +8) Click OK +9) Permission like a normal user from here + + + False + False + + Obtain the SQL Server audit file location(s) by running the following SQL script: +SELECT DISTINCT +LEFT(path, (LEN(path) - CHARINDEX('\',REVERSE(path)) + 1)) AS "Audit Path" +FROM sys.traces +UNION +SELECT log_file_path AS "Audit Path" +FROM sys.server_file_audits + +For each audit, the path column will give the location of the file. + +Verify that all audit files have the correct permissions by doing the following for each audit file: Navigate to audit folder location(s) using a command prompt or Windows Explorer. + +Right-click the file/folder, click Properties. On the Security tab, verify that at most the following permissions are applied: +Administrator(read) +Users (none) +Audit Administrator (Full Control) +Auditors group (Read) +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. + + + False + False + + From the query prompt: + +SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); + +All currently defined traces for the SQL Server instance will be listed. If no traces are returned, this is a finding. + +Determine the trace being used for the auditing requirement. Replace # in the following code with a traceid being used for the auditing requirements. + +From the query prompt, determine whether the trace options include the value 4, which means SHUTDOWN_ON_ERROR: +SELECT CAST(value AS INT) +FROM sys.fn_trace_getinfo(#) +where property = 1; + +If the query does not return a value, this is a finding. 
+If a value is returned but is not 4 or 6, this is a finding. +(6 represents the combination of values 2 and 4. 2 means TRACE_FILE_ROLLOVER.) + + +NOTE: Microsoft has flagged the trace techniques and tools used in this STIG as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. If Extended Events are in use and configured to satisfy this requirement, this is not a finding. The following code can be used to check Extended Events settings. +/********************************** +Check to verify shutdown on failure is set. +The following settings are what should be returned: +name = <name of audit> +on_failure = 1 +on_failure_desc = SHUTDOWN SERVER INSTANCE +**********************************/ +SELECT name, on_failure, on_failure_desc +FROM sys.server_audits + + + + False + False + + Since SQL Server does not support the monitoring of the available audit log file space, utilize Windows File Server Resource Manager or a third-party application to perform this activity. + +From a Command Prompt, open fsrm.msc. +If fsrm.msc is not installed, the File Server Resource Manager is not installed, File and Folder Quota Management is not enabled. If File Server Resource Manager or a third-party tool capable of sending alert notifications based on audit log store requirements is not installed, this is a finding. + +If fsrm.msc is installed, expand File Server Resource Manager in the left pane. +Expand Quota Management. +Select Quotas. +If Quotas have not been created for defined Audit Log storage locations that meet organizationally defined requirements, this is a finding. + +In the center pane, select each quota to determine its Path, Limit, Type, and Description. + +Right click the appropriate quota or quotas, and click Edit Quota Properties. +Examine the Notification thresholds panel. If there are no Notification thresholds applied to this Quota, this is a finding. 
+If a Notification Threshold is applied, and it does not send an email alert, or provide an Event Log entry which is handled by an automated Log Alert reporting application, this is a finding. + +If a third-party application is utilized to fulfill this requirement, and it is not configured to provide a notification, this is a finding. + + + False + False + + Check the SQL Server audit setting on the maximum number of files of the trace used for the auditing requirement. + +Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. + + +The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. +If auditing will outgrow the space reserved for logging before being overwritten, this is a finding. + + + False + False + + Check the SQL Server audit setting on the maximum file size of the trace used for the auditing requirement. + +Select * from sys.traces. Determine the audit being used to fulfill the overall auditing requirement. Examine the max_files and max_size parameters. SQL will overwrite the oldest files when the max_files parameter has been exceeded. Care must be taken to ensure that this does not happen, or data will be lost. + + +The amount of space determined for logging by SQL Server is calculated by multiplying the maximum number of files by the maximum file size. +If auditing will outgrow the space reserved for logging before being overwritten, this is a finding. + + + False + False + + From a Command Prompt, open fsrm.msc. +If fsrm.msc is not installed, the File Server Resource Manager is not installed; File and Folder Quota Management is not enabled. 
If File Server Resource Manager or a third-party tool capable of sending alert notifications based on audit log store requirements is not installed, this is a finding. + +If fsrm.msc is installed, expand File Server Resource Manager in the left pane. +Expand Quota Management. +Expand Quotas. +If Quotas have not been created for defined Audit Log storage locations, this is a finding. + + + False + False + + To determine the Server Authentication Mode, execute the following: + +EXEC XP_LOGINCONFIG 'login mode' + +If the config_value does not equal "Windows NT Authentication", this is a finding. + + + False + False + + Verify the SQL Server default 'sa' account name has been changed. + +Navigate to SQL Server Management Studio >> Object Explorer >> <'SQL Server name'> >> Security >> Logins. + +If SQL Server default 'sa' account name is in the 'Logins' list, this is a finding. + + + False + False + + Determine which OS or domain accounts are used by SQL Server to run external procedures. Validate that these accounts have only the privileges necessary to perform the required functionality. + +If any OS or domain accounts utilized by SQL Server are running external procedures and have privileges beyond those required for running the external procedures, this is a finding. + + + False + False + + Obtain a list of SQL Server DBAs or other administrative accounts. 
Run the following SQL script to check all users’ permissions: + +SELECT SP1.[name] AS 'Login', 'Role: ' + SP2.[name] COLLATE DATABASE_DEFAULT AS 'ServerPermission' +FROM sys.server_principals SP1 + JOIN sys.server_role_members SRM + ON SP1.principal_id = SRM.member_principal_id + JOIN sys.server_principals SP2 + ON SRM.role_principal_id = SP2.principal_id +UNION ALL +SELECT SP.[name] AS 'Login' , SPerm.state_desc + ' ' + SPerm.permission_name COLLATE DATABASE_DEFAULT AS 'ServerPermission' + FROM sys.server_principals SP + JOIN sys.server_permissions SPerm + ON SP.principal_id = SPerm.grantee_principal_id +ORDER BY [Login], [ServerPermission] + +If any DBA or administrative objects are owned by non-DBA or non-administrative accounts, this is a finding. + +If any DBA or administrator has authorization for non- administrative access to the system for which they are the administrator and they do not have a non-administrator account, this is a finding. + + + False + False + + Check procedures for providing SQL Server database connection information to users/applications. If procedures do not indicate or implement restrictions to connections required by the particular user/application which indicate process of least privilege and specific authorization was employed, this is a finding. + + + False + False + + Check OS settings to determine whether SQL Server processes are running under a dedicated OS or domain account. If the SQL Server processes are running under shared accounts, this is a finding. + +From a Command Prompt, type services.msc, and press [ENTER]. Scroll down to the SQL Server Services. SQL Server Services begin with SQL. 
The following services, when present, should be listed as follows: + +Service Name: Log On As: +SQL Full-text Filter Daemon Launcher: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server [stand-alone]: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server [cluster]: <domain>\<CustomServiceAccount> +SQL Server Agent: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Analysis Services: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Browser: Local Service +SQL Server Distributed Replay Client: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Distributed Replay Controller: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Integration Services 11.0: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server Reporting Services: NT Service\UNIQUE CUSTOM ACCOUNT +SQL Server VSS Writer: Local System + +UNIQUE CUSTOM ACCOUNT refers to an account with which no other service listed in the services.msc window is assigned. If any account requiring a unique custom account uses an account that any other service utilizes (regardless of service status), this is a finding. + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Unsafe assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Unsafe assembly' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges to the 'Unsafe assembly' permission and the role is not authorized to have the permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any availability group' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any availability group' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user 
accounts have direct access to the 'Alter any availability group' permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'View any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'View any database' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + 
who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the 'Shutdown' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Shutdown' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 
'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'External access assembly' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'External access assembly' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Create trace event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create trace event notification' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + 
what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Create server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create server role' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace 
event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Create endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. + +Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create endpoint' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Create DDL event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create DDL event notification' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + 
what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Create availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create availability group' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 
'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any server audit' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any server audit' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'View any definition' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'View any definition' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + 
who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Administer bulk operations' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. + +Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Administer bulk operations' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event 
notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter resources' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter resources' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any availability group' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any availability group' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + 
what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any login' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any login' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event 
notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any linked server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any linked server' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'View server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'View server state' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + 
who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter trace' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter trace' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access 
assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Control server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Control server' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any server role' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any server role' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, 
+ who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter Settings' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter Settings' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 
'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Authenticate server' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Authenticate server' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Create any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create any database' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + what.permission_name, + 
who.name +; +GO + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any connection' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any connection' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any credential' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any credential' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any database' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any database' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any endpoint' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any endpoint' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any event session' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any event session' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter server state' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. + +Obtain the list of roles with that permission by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter server state' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any role has 'Grant', 'With Grant' or 'Deny' privileges on this permission and users with that role are not authorized to have the permission, this is a finding. + + + False + False + + Review procedures for, and evidence of backup of, the SQL Server Service Master Key in the System Security Plan. + +If the procedures or evidence do not exist, this is a finding. + +If the procedures do not indicate offline and off-site storage of the Service Master Key, this is a finding. 
+ +If procedures do not indicate access restrictions to the Service Master Key backup, this is a finding. + + + False + False + + Determine the accounts being used to manage the SQL Server operating system. Determine whether the same accounts are being used to manage other platforms. If the same account is used to manage more than one platform, this is a finding. +Note: If, because of the application configuration, there are multiple instances of SQL that would share a given exploit, a single account would be allowed to be used for the group and would not be considered a finding. + + + + False + False + + Obtain the SQL Server default data directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: +HKEY_LOCAL_MACHINE +>> SOFTWARE +>> Microsoft +>> Microsoft SQL Server +>> [INSTANCE NAME] +>> Setup +>> SqlDataRoot + +In the registry tree, the [INSTANCE NAME] for a SQL Server 2012 database engine instance is normally shown as "MSSQL11" followed by a period and the name that was specified for the SQL Server service at installation time. If multiple SQL Server instances are installed, each will have its own [INSTANCE NAME] node and subtree in the registry. + +The value in the Data column for the SqlDataRootregistry entry is the default file system path for the SQL Server 2012 data files. Navigate to that folder location using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used. + +Determine whether a DefaultData registry entry also exists. Repeat the above for the path: +...[INSTANCE NAME] +>> MSSQLServer +>> DefaultData + +Verify that the identified folder(s) and their contents have only authorized privileges. Right-click the folder, click Properties. 
On the Security tab, verify that at most the following permissions are present: +CREATOR OWNER (Full Control) +System (Full control) +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +System Administrators (Full Control) [Note 3] +SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2, 4] +SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Execute, Write) [Notes 1, 2] +If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. + +Right-click each folder, if any, under the above folder(s); click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. + +----- + +Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically-generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control because these permissions are available only to the specific service when it is running and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx. 
+ +Note 2: Tips for adding a service SID/virtual account to a folder's permission list. +1) In Windows Explorer, right-click on the folder and select "Properties." +2) Select the "Security" tab +3) Click "Edit" +4) Click "Add" +5) Click "Locations" +6) Select the computer name +7) Search for the name +7.a) SQL Server Service +7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.) +7.a.ii) Select the "MSSQL$<instance name>" user and click OK +7.b) SQL Agent Service +7.b.i) Type "NT SERVICE\SQL" and click "Check Names" +7.b.ii) Select the "SQLAgent$<instance name>" user and click OK +8) Click OK +9) Permission like a normal user from here + +Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. + +Note 4: It may also be necessary to grant the SQL Server Agent permission to Delete the \Log directory and its contents. This is not a finding. + + + False + False + + Obtain the SQL Server data directory location(s): in a tool such as SQL Server Management Studio, run the statement: +SELECT DISTINCT +LEFT(physical_name, (LEN(physical_name) - CHARINDEX('\',REVERSE(physical_name)) + 1 )) +AS "Database Data File Paths", +type_desc +FROM sys.master_files +WHERE database_id > 4 +AND type = 0 + +The query result is a list of file systems locations used for databases other than the system databases. Navigate to each of those folder locations using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used. + + +Verify that the identified folders and their contents have only authorized privileges. 
Right-click each folder, click Properties. On the Security tab, verify that at most the following permissions are present: +CREATOR OWNER (Full Control) +System (Full control) +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +System Administrators (Full Control) [Note 3] +SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] +If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. + + + False + False + + Obtain the SQL Server backup directory location: from a command prompt, open the registry editor by typing regedit.exe, and pressing [ENTER]. Navigate to the following registry location: +HKEY_LOCAL_MACHINE +>> SOFTWARE +>> Microsoft +>> Microsoft SQL Server +>> [INSTANCE NAME] +>> MSSQLServer +>> BackupDirectory + +In the registry tree, the [INSTANCE NAME] for a SQL Server 2012 database engine instance is normally shown as "MSSQL11" followed by a period and the name that was specified for the SQL Server service at installation time. If multiple SQL Server instances are installed, each will have its own [INSTANCE NAME] node and subtree in the registry. + +The value in the Data column for the BackupDirectory registry entry is the file system path for the SQL Server 2012 backups. Also, review backup jobs to identify any additional directories used for backups. + +Navigate to each folder location using a command prompt or Windows Explorer. The following instructions assume that Windows Explorer is used. + +Verify that backup files and folders have only authorized privileges. Right-click the backup folder, click Properties. 
On the Security tab, verify that at most the following permissions are present: +CREATOR OWNER (Full Control) +System (Full control) +SQL Server Service SID OR Service Account (Full Control) [Notes 1, 2] +SQL Server SQL Agent Service SID OR Service Account, if SQL Server Agent is in use. (Read, Execute, Write) [Notes 1, 2] +SQL Server FD Launcher Service SID OR Service Account, if full-text indexing is in use. (Read, Write) [Notes 1, 2] +System Administrators (Full Control) [Note 3] +SQL Server Analysis Services (SSAS) Service SID or Service Account, if SSAS is in use (Read & Execute) [Notes 1, 2] +If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. + +Right-click each folder, if any, under the backup folder; click Properties. On the Security tab, verify that at most the permissions listed in the preceding paragraph are present. If any less restrictive permissions are present (and not specifically justified and approved), this is a finding. + + +----- + +Note 1: It is highly advisable to use a separate account for each service. When installing SQL Server in single-server mode, you can opt to have these provisioned for you. These automatically generated accounts are referred to as virtual accounts. Each virtual account has an equivalent Service SID, with the same name. The installer also creates an equivalent SQL Server login, also with the same name. Applying folder and file permissions to Service SIDs, rather than to domain accounts or local computer accounts, provides tighter control because these permissions are available only to the specific service when it is running and not in any other context. (However, when using failover clustering, a domain account must be specified at installation, rather than a virtual account.) For more on this topic, see http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx. + +Note 2: Tips for adding a service SID/virtual account to a folder's permission list. 
+1) In Windows Explorer, right-click on the folder and select "Properties." +2) Select the "Security" tab +3) Click "Edit" +4) Click "Add" +5) Click "Locations" +6) Select the computer name +7) Search for the name +7.a) SQL Server Service +7.a.i) Type "NT SERVICE\MSSQL" and click "Check Names". (What you have just typed in is the first 16 characters of the name. At least one character must follow "NT SERVICE\"; you will be presented with a list of all matches. If you have typed in the full, correct name, step 7.a.ii is bypassed.) +7.a.ii) Select the "MSSQL$<instance name>" user and click "OK" +7.b) SQL Agent Service +7.b.i) Type "NT SERVICE\SQL" and click "Check Names" +7.b.ii) Select the "SQLAgent$<instance name>" user and click "OK" +8) Click "OK" +9) Permission like a normal user from here + +Note 3: In the interest of separation of responsibilities with least privilege, consider granting Full Control only to SQL Database Administrators (create a custom group for these) and providing the local Administrators group with Read access only. + + + False + False + + Review procedures and practices. If there is not a policy requiring owners of privileged accounts to use non-privileged accounts for non-administrative activities, this is a finding. If there is evidence that owners of privileged accounts do not adhere to this policy, this is a finding. + + + False + False + + Obtain the list of roles that are authorized for the SQL Server 'Alter any event notification' permission and what 'Grant', 'Grant With', and/or 'Deny' privilege is authorized. 
Obtain the list of roles with that permission by running the following query: + +SELECT +who.name AS [Principal Name], +who.type_desc AS [Principal Type], +who.is_disabled AS [Principal Is Disabled], +what.state_desc AS [Permission State], +what.permission_name AS [Permission Name] +FROM +sys.server_permissions what +INNER JOIN sys.server_principals who +ON who.principal_id = what.grantee_principal_id +WHERE +what.permission_name = 'Alter any event notification' +AND who.type_desc = 'SERVER_ROLE' +ORDER BY +who.name +; +GO + + + False + False + + Obtain the SQL Server software directory location: from a command prompt, open the registry editor by typing regedit.exe and pressing [ENTER]. Navigate to the following registry location: +HKEY_LOCAL_MACHINE +>> SOFTWARE +>> Microsoft +>> Microsoft SQL Server +>> [INSTANCE NAME] +>> Setup +>> SQLBinRoot + +Determine the location of separate but related softare, such as audit file management tools. + +Verify that files and folders that are part of, or related to, the SQL Server 2012 installation have auditing enabled. Right-click on the file/folder, click Properties. On the Security tab, click Advanced. On the Auditing tab, verify +that the following is set up on at least one audit: +Type: All +Principal: Everyone +Access: Modify +Applies to: This Folder, subfolder, and files [where applicable] + +If the required audit settings are not configured, there is a risk that unauthorized changes to the software will go undetected, and this is a finding. + + + + + SELECT name from sysdatabases where name like 'AdventureWorks%'; + False + False + + Check SQL Server for the existence of the publicly available "AdventureWorks" database by performing the following query: + +SELECT name from sysdatabases where name like 'AdventureWorks%'; + +If the "AdventureWorks" database is present, this is a finding. 
+ DROP DATABASE AdventureWorks; + SELECT name from sysdatabases where name like 'AdventureWorks%'; + + + SELECT name from sysdatabases where name like 'Northwind%'; + False + False + + Check SQL Server for the existence of the publicly available "NorthWind" database by performing the following query: + +SELECT name from sysdatabases where name like 'Northwind%'; + +If the "Northwind" database is present, this is a finding. + DROP DATABASE Northwind; + SELECT name from sysdatabases where name like 'Northwind%'; + + + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END + False + False + + Check to see that all required events are being audited. +From the query prompt: + SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0); +All currently defined traces for the SQL server instance will be listed. 
If no traces are returned, this is a finding. + +Determine the trace(s) being used for the auditing requirement. +In the following, replace # with a trace ID being used for the auditing requirements. +From the query prompt: + SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#); +The following required event IDs should be listed: + 14, 15, 18, 20, + 102, 103, 104, 105, 106, 107, 108, 109, 110, + 111, 112, 113, 115, 116, 117, 118, + 128, 129, 130, + 131, 132, 133, 134, 135, + 152, 153, + 170, 171, 172, 173, 175, 176, 177, 178. +If any of the audit event IDs required above is not listed, this is a finding. + +Notes: +1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner. +2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces. However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account. +3. It is acceptable to trace additional event IDs. This is the minimum list. +4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.) +Use the following query to obtain a list of all event IDs, and their meaning: + SELECT * FROM sys.trace_events; +5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements. However, it does represent the aggregate of all such requirements. +6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated. They will be removed at some point after SQL Server 2014. The replacement feature is Extended Events. 
If Extended Events are in use, and cover all the required audit events listed above, this is not a finding. + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\PowerStig', @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId 
= TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END + BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN 
sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any endpoint' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any endpoint' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter any endpoint' permission, this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server 
role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER ANY ENDPOINT TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any database' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any database' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter any database' permission, 
this is a finding. + +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER ANY DATABASE TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is 
Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any credential' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any credential' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any credential' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter any credential' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER ANY CREDENTIAL TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any credential' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any connection' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any connection' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any connection' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter any connection' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER ANY CONNECTION TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any connection' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter server state' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter server state' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter server state' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter server state' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER SERVER STATE TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter server state' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any event notification' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any event notification' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter any event notification' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER ANY EVENT NOTIFICATION TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is 
Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server audit' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any server audit' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any server audit' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter any server audit' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER ANY SERVER AUDIT TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server audit' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'AUTHENTICATE SERVER' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Authenticate Server' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'AUTHENTICATE SERVER' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Authenticate Server' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE AUTHENTICATE SERVER FROM <account name>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'AUTHENTICATE SERVER' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Administer bulk operations' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Administer bulk operations' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Administer bulk operations' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Administer bulk operations' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ADMINISTER BULK OPERATIONS TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Administer bulk operations' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is 
Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Create endpoint' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create endpoint' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Create endpoint' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE CREATE ENDPOINT TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create endpoint' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS 
[Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create DDL Event Notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Create DDL Event Notification' by running the following query: + +SELECT +who.name AS [Principal Name], +who.type_desc AS [Principal Type], +who.is_disabled AS [Principal Is Disabled], +what.state_desc AS [Permission State], +what.permission_name AS [Permission Name] +FROM +sys.server_permissions what +INNER JOIN sys.server_principals who +ON who.principal_id = what.grantee_principal_id +WHERE +what.permission_name = 'Create DDL Event Notification' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY +who.name +; +GO + +If any user accounts have direct access to the 'Create DDL Event Notification' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE CREATE DDL EVENT NOTIFICATION TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create DDL Event Notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is 
Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create availability group' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Create availability group' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create availability group' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Create availability group' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE CREATE AVAILABILITY GROUP TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create availability group' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is 
Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Create any database' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create any database' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Create any database' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE CREATE ANY DATABASE TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create any database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Control server' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Control server' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Control server' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Control server' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE CONTROL SERVER TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Control server' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS 
[Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any linked server' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any linked server' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any linked server' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter any linked server' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER ANY LINKED SERVER TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any linked server' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event session' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any event session' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any event session' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter any event session' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER ANY EVENT SESSION TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any event session' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter trace' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter trace' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter trace' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter trace' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER TRACE TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter trace' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS 
[Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter Settings' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter Settings' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter Settings' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter Settings' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER SETTINGS TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter Settings' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS 
[Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create trace event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Create trace event notification' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create trace event notification' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Create trace event notification' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE CREATE TRACE EVENT NOTIFICATION TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create trace event notification' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal 
Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter resources' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter resources' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter resources' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter resources' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER RESOURCES TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter resources' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS 
[Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'External access assembly' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'External access assembly' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'External access assembly' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'External access assembly' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE EXTERNAL ACCESS ASSEMBLY TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'External access assembly' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any login' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any login' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any login' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter any login' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER ANY LOGIN TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any login' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS 
[Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Shutdown' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Shutdown' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Shutdown' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY +who.name +; +GO + +If any user accounts have direct access to the 'Shutdown' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE SHUTDOWN TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Shutdown' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission 
State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Unsafe assembly' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Unsafe assembly' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Unsafe assembly' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Unsafe assembly' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE UNSAFE ASSEMBLY TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Unsafe assembly' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS 
[Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create server role' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Create server role' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Create server role' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Create server role' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE CREATE SERVER ROLE TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Create server role' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View server state' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'View server state' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'View server state' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user account has direct access to the 'View server state' permission, and the need for this has not been documented and approved, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE VIEW SERVER STATE TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View server state' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server role' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'Alter any server role' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'Alter any server role' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'Alter any server role' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE ALTER ANY SERVER ROLE TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any server role' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View any definition' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'View any definition' by running the following query: + +SELECT + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled], + what.state_desc AS [Permission State], + what.permission_name AS [Permission Name] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name = 'View any definition' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + who.name +; +GO + +If any user accounts have direct access to the 'View any definition' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE VIEW ANY DEFINITION TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View any definition' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], 
what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View Any Database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + False + False + + Obtain the list of accounts that have direct access to the server-level permission 'View Any Database' by running the following query: + +SELECT +who.name AS [Principal Name], +who.type_desc AS [Principal Type], +who.is_disabled AS [Principal Is Disabled], +what.state_desc AS [Permission State], +what.permission_name AS [Permission Name] +FROM +sys.server_permissions what +INNER JOIN sys.server_principals who +ON who.principal_id = what.grantee_principal_id +WHERE +what.permission_name = 'View Any Database' +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY +who.name +; +GO + +If any user accounts have direct access to the 'View Any Database' permission, this is a finding. 
+ +Alternatively, to provide a combined list for all requirements of this type: +SELECT + what.permission_name AS [Permission Name], + what.state_desc AS [Permission State], + who.name AS [Principal Name], + who.type_desc AS [Principal Type], + who.is_disabled AS [Principal Is Disabled] +FROM + sys.server_permissions what + INNER JOIN sys.server_principals who + ON who.principal_id = what.grantee_principal_id +WHERE + what.permission_name IN + ( + 'Administer bulk operations', + 'Alter any availability group', + 'Alter any connection', + 'Alter any credential', + 'Alter any database', + 'Alter any endpoint ', + 'Alter any event notification ', + 'Alter any event session ', + 'Alter any linked server', + 'Alter any login', + 'Alter any server audit', + 'Alter any server role', + 'Alter resources', + 'Alter server state ', + 'Alter Settings ', + 'Alter trace', + 'Authenticate server ', + 'Control server', + 'Create any database ', + 'Create availability group', + 'Create DDL event notification', + 'Create endpoint', + 'Create server role', + 'Create trace event notification', + 'External access assembly', + 'Shutdown', + 'Unsafe Assembly', + 'View any database', + 'View any definition', + 'View server state' + ) +AND who.name NOT LIKE '##MS%##' +AND who.type_desc <> 'SERVER_ROLE' +ORDER BY + what.permission_name, + who.name +; +GO + USE master; REVOKE VIEW ANY DATABASE TO <'account name'>; + SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'View Any Database' AND who.name NOT LIKE '##MS%##' AND who.type_desc <> 'SERVER_ROLE' ORDER BY who.name; + + + 
diff --git a/src/StigData/WIndows-2012R2-DNS-1.7.org.default.xml b/src/StigData/WIndows-2012R2-DNS-1.7.org.default.xml
new file mode 100644
index 000000000..fce00de30
--- /dev/null
+++ b/src/StigData/WIndows-2012R2-DNS-1.7.org.default.xml
@@ -0,0 +1,8 @@
+ +
\ No newline at end of file
diff --git a/src/StigData/WIndows-2012R2-DNS-1.9.org.default.xml b/src/StigData/WIndows-2012R2-DNS-1.9.org.default.xml
new file mode 100644
index 000000000..5c30906d6
--- /dev/null
+++ b/src/StigData/WIndows-2012R2-DNS-1.9.org.default.xml
@@ -0,0 +1,8 @@
+ +
\ No newline at end of file
diff --git a/src/StigData/Windows-2012R2-DC-2.12.org.default.xml b/src/StigData/Windows-2012R2-DC-2.12.org.default.xml
new file mode 100644
index 000000000..27a0c8aaf
--- /dev/null
+++ b/src/StigData/Windows-2012R2-DC-2.12.org.default.xml
@@ -0,0 +1,73 @@
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/src/StigData/Windows-2012R2-DC-2.12.xml b/src/StigData/Windows-2012R2-DC-2.12.xml
new file mode 100644
index 000000000..3f772b3af
--- /dev/null
+++ b/src/StigData/Windows-2012R2-DC-2.12.xml
@@ -0,0 +1,8555 @@ + + + + False + True + '{0}' -le '3' -and '{0}' -ne '0' + Account lockout threshold + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy. + +If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding. + + + False + True + '{0}' -ge '15' + Reset account lockout counter after + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding. + + + False + True + '{0}' -ge '15' -or '{0}' -eq '0' + Account lockout duration + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. + +Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding. + + + False + True + '{0}' -le '60' -and '{0}' -ne '0' + Maximum password age + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding. + + + False + True + '{0}' -ne '0' + Minimum password age + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately."), this is a finding. + + + False + True + '{0}' -ge '24' + Enforce password history + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding. + + + False + False + + Password must meet complexity requirements + Enabled + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. + +Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes. + + + False + False + + Store passwords using reversible encryption + Disabled + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding. + + + False + True + '{0}' -ge '14' + Minimum password length + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Minimum password length," is less than "14" characters, this is a finding. + + + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Logon -> Credential Validation - Success + Credential Validation + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Logon -> Credential Validation - Failure + Credential Validation + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management >> Computer Account Management - Success + Computer Account Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Other Account Management Events - Success + Other Account Management Events + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Security Group Management - Success + Security Group Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> User Account Management - Success + User Account Management + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> User Account Management - Failure + User Account Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Detailed Tracking -> Process Creation - Success + Process Creation + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logoff - Success + Logoff + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logon - Success + Logon + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logon - Failure + Logon + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Logon/Logoff -> Special Logon - Success + Special Logon + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Audit Policy Change - Success + Audit Policy Change + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Audit Policy Change - Failure + Audit Policy Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Policy Change -> Authentication Policy Change - Success + Authentication Policy Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Privilege Use -> Sensitive Privilege Use - Success + Sensitive Privilege Use + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Privilege Use -> Sensitive Privilege Use - Failure + Sensitive Privilege Use + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> IPsec Driver - Success + IPsec Driver + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> IPsec Driver - Failure + IPsec Driver + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security State Change - Success + Security State Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> Security System Extension - Success + Security System Extension + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> System Integrity - Success + System Integrity + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> System Integrity - Failure + System Integrity + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. 
+ +DS Access -> Directory Service Access - Success + Directory Service Access + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. + +DS Access -> Directory Service Access - Failure + Directory Service Access + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. + +DS Access -> Directory Service Changes - Success + Directory Service Changes + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. 
+ +DS Access -> Directory Service Changes - Failure + Directory Service Changes + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Failure + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. + Removable Storage + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Success + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. 
+ Removable Storage + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access -> Central Policy Staging - Failure + Central Policy Staging + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access -> Central Policy Staging - Success + Central Policy Staging + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Policy Change -> Authorization Policy Change - Success + Authorization Policy Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Logon/Logoff >> Account Lockout - Success + Account Lockout + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff >> Account Lockout - Failure + Account Lockout + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +System >> Other System Events - Success + Other System Events + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> Other System Events - Failure + Other System Events + + + + + False + False + + Determine whether any shared accounts exist. If no shared accounts exist, this is NA. + +Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. + +If unapproved shared accounts exist, this is a finding. + + + False + False + + Run "PowerShell". + +Member servers and standalone systems: +Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) + +"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { + $user = ([ADSI]$_.Path) + $lastLogin = $user.Properties.LastLogin.Value + $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 + if ($lastLogin -eq $null) { + $lastLogin = 'Never' + } + Write-Host $user.Name $lastLogin $enabled +}" + +This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). 
+For example: User1 10/31/2015 5:49:56 AM True + +Domain Controllers: +Enter the following command in PowerShell. +"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" + +This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. + +Review the list of accounts returned by the above queries to determine the finding validity for each account reported. + +Exclude the following accounts: +Built-in administrator account (Renamed, SID ending in 500) +Built-in guest account (Renamed, Disabled, SID ending in 501) +Application accounts + +If any enabled accounts have not been logged on to within the past 35 days, this is a finding. + +Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO. + + + False + False + + If FTP is not installed on the system, this is NA. + +Determine the IP address and port number assigned to FTP sites from documentation or configuration. + +If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. + +For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. + +Open a "Command Prompt". + +Attempt to log on as the user "anonymous" with the following commands: + +Note: Returned results may vary depending on the FTP server software. + +C:\> "ftp" +ftp> "Open IP Address Port" +(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) +(Connected to IP Address +220 Microsoft FTP Service) + +User (IP Address): "anonymous" +(331 Anonymous access allowed, send identity (e-mail name) as password.) + +Password: "password" +(230 User logged in.) +ftp> + +If the response indicates that an anonymous FTP login was permitted, this is a finding. 
+ +If accounts with administrator privileges are used to access FTP, this is a CAT I finding. + + + False + False + + If FTP is not installed on the system, this is NA. + +Determine the IP address and port number assigned to FTP sites from documentation or configuration. + +If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. + +For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. + +Open a "Command Prompt". + +Access the FTP site and review accessible directories with the following commands: + +Note: Returned results may vary depending on the FTP server software. + +C:\> "ftp" +ftp> "Open IP Address Port" +(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) +(Connected to IP Address +220 Microsoft FTP Service) + +User (IP Address): "FTP User" +(Substituting [FTP User] with an account identified that is allowed access. If it was determined that anonymous access was allowed to the site [see V-1120], also review access using "anonymous".) + (331 Password required) + +Password: "Password" +(Substituting [Password] with password for the account attempting access.) +(230 User ftpuser logged in.) + +ftp> "Dir" + +If the FTP session indicates access to areas of the system other than the specific folder for FTP data, such as the root of the drive, Program Files or Windows directories, this is a finding. + + + False + False + + If no accounts are members of the Backup Operators group, this is NA. + +Any accounts that are members of the Backup Operators group, including application accounts, must be documented with the ISSO. If documentation of accounts that are members of the Backup Operators group is not maintained this is a finding. 
+ + + False + False + + Determine whether there is a host-based Intrusion Detection System on each server. + +If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. + +A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO. + +If a host-based Intrusion Detection System is not installed on the system, this is a finding. + + + False + False + + Required services will vary between organizations, and on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the ISSO. The site's list will be provided for any security review. Services common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. + +Individual services specifically required to be disabled per the STIG are identified in separate requirements. + +If the site has not documented the services required for their system(s), this is a finding. + +The following can be used to view the services on a system: +Run "Services.msc". + +Services for Windows Server 2012 roles are managed automatically, adding those necessary for a particular role. The following lists the default services for a baseline installation as a reference. This can be used as a basis for documenting the services necessary. 
+ +Default Installation +Name - Startup Type +Application Experience - Manual (Trigger Start) +Application Identity - Manual (Trigger Start) +Application Information - Manual +Application Layer Gateway Service - Manual +Application Management - Manual +Background Intelligent Transfer Service - Automatic (Delayed Start) +Background Tasks Infrastructure Service - Automatic +Base Filtering Engine - Automatic +Certificate Propagation - Manual +CNG Key Isolation - Manual (Trigger Start) +COM+ Event System - Automatic +COM+ System Application - Manual +Computer Browser - Disabled +Credential Manager - Manual +Cryptographic Services - Automatic +DCOM Server Process Launcher - Automatic +Device Association Service - Manual (Trigger Start) +Device Install Service - Manual (Trigger Start) +Device Setup Manager - Manual (Trigger Start) +DHCP Client - Automatic +Diagnostic Policy Service - Automatic (Delayed Start) +Diagnostic Service Host - Manual +Diagnostic System Host - Manual +Distributed Link Tracking Client - Automatic +Distributed Transaction Coordinator - Automatic (Delayed Start) +DNS Client - Automatic (Trigger Start) +Encrypting File System (EFS) - Manual (Trigger Start) +Extensible Authentication Protocol - Manual +Function Discovery Provider Host - Manual +Function Discovery Resource Publication - Manual +Group Policy Client - Automatic (Trigger Start) +Health Key and Certificate Management - Manual +Human Interface Device Access - Manual (Trigger Start) +Hyper-V Data Exchange Service - Manual (Trigger Start) +Hyper-V Guest Shutdown Service - Manual (Trigger Start) +Hyper-V Heartbeat Service - Manual (Trigger Start) +Hyper-V Remote Desktop Virtualization Service - Manual (Trigger Start) +Hyper-V Time Synchronization Service - Manual (Trigger Start) +Hyper-V Volume Shadow Copy Requestor - Manual (Trigger Start) +IKE and AuthIP IPsec Keying Modules - Manual (Trigger Start) +Interactive Services Detection - Manual +Internet Connection Sharing (ICS) - Disabled +IP 
Helper - Automatic +IPsec Policy Agent - Manual (Trigger Start) +KDC Proxy Server service (KPS) - Manual +KtmRm for Distributed Transaction Coordinator - Manual (Trigger Start) +Link-Layer Topology Discovery Mapper - Manual +Local Session Manager - Automatic +Microsoft iSCSI Initiator Service - Manual +Microsoft Software Shadow Copy Provider - Manual +Multimedia Class Scheduler - Manual +Net.Tcp Port Sharing Service - Disabled +Netlogon - Manual +Network Access Protection Agent - Manual +Network Connections - Manual +Network Connectivity Assistant - Manual (Trigger Start) +Network List Service - Manual +Network Location Awareness - Automatic +Network Store Interface Service - Automatic +Optimize drives - Manual +Performance Counter DLL Host - Manual +Performance Logs & Alerts - Manual +Plug and Play - Manual +Portable Device Enumerator Service - Manual (Trigger Start) +Power - Automatic +Print Spooler - Automatic +Printer Extensions and Notifications - Manual +Problem Reports and Solutions Control Panel Support - Manual +Remote Access Auto Connection Manager - Manual +Remote Access Connection Manager - Manual +Remote Desktop Configuration - Manual +Remote Desktop Services - Manual +Remote Desktop Services UserMode Port Redirector - Manual +Remote Procedure Call (RPC) - Automatic +Remote Procedure Call (RPC) Locator - Manual +Remote Registry - Automatic (Trigger Start) +Resultant Set of Policy Provider - Manual +Routing and Remote Access - Disabled +RPC Endpoint Mapper - Automatic +Secondary Logon - Manual +Secure Socket Tunneling Protocol Service - Manual +Security Accounts Manager - Automatic +Server - Automatic +Shell Hardware Detection - Automatic +Smart Card - Disabled +Smart Card Removal Policy - Manual +SNMP Trap - Manual +Software Protection - Automatic (Delayed Start, Trigger Start) +Special Administration Console Helper - Manual +Spot Verifier - Manual (Trigger Start) +SSDP Discovery - Disabled +Superfetch - Manual +System Event Notification Service - 
Automatic +Task Scheduler - Automatic +TCP/IP NetBIOS Helper - Automatic (Trigger Start) +Telephony - Manual +Themes - Automatic +Thread Ordering Server - Manual +UPnP Device Host - Disabled +User Access Logging Service - Automatic (Delayed Start) +User Profile Service - Automatic +Virtual Disk - Manual +Volume Shadow Copy - Manual +Windows All-User Install Agent - Manual (Trigger Start) +Windows Audio - Manual +Windows Audio Endpoint Builder - Manual +Windows Color System - Manual +Windows Driver Foundation - User-mode Driver Framework - Manual (Trigger Start) +Windows Error Reporting Service - Manual (Trigger Start) +Windows Event Collector - Manual +Windows Event Log - Automatic +Windows Firewall - Automatic +Windows Font Cache Service - Automatic +Windows Installer - Manual +Windows Licensing Monitoring Service - Automatic +Windows Management Instrumentation - Automatic +Windows Modules Installer - Manual +Windows Remote Management (WS-Management) - Automatic +Windows Store Service (WSService) - Manual (Trigger Start) +Windows Time - Manual (Trigger Start) +Windows Update - Manual +WinHTTP Web Proxy Auto-Discovery Service - Manual +Wired AutoConfig - Manual +WMI Performance Adapter - Manual +Workstation - Automatic + + + False + False + + With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. + +Determine the classification level of the Windows domain controller. + +If the classification level of the Windows domain controller is higher than the level of the networks, review the site network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. 
+ +If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding. + + + False + False + + Search all drives for *.p12 and *.pfx files. + +If any files with these extensions exist, this is a finding. + +This does not apply to server-based applications that have a requirement for certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO. + + + False + False + + Open "PowerShell" as Administrator. + +Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled -AutoSize". + +Review the User Principal Name (UPN) of user accounts, including administrators. + +Exclude the built-in accounts such as Administrator and Guest. + +If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. + +For standard NIPRNET certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). + +Alt Tokens and other certificates may use a different UPN format than the EDI-PI, which vary by organization. Verify these with the organization. + +NIPRNET Example: +Name - User Principal Name +User1 - 1234567890@mil + +See PKE documentation for other network domain suffixes. + +If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. + + + False + False + + Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. + +The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. + +Run "PowerShell" as an administrator. 
+Execute the following command: +Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB + +Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". +If there are no entries for "DoD Root CA 2", "DoD Root CA 3", and "DoD Root CA 4", this is a finding. + +For each of the DoD Root CA certificates noted above: +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the value for the "Thumbprint" field is not as noted below, this is a finding. +DoD Root CA 2 - 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 +DoD Root CA 3 - D73CA91102A2204A36459ED32213B467D7CE97FB +DoD Root CA 4 - B8269F25DBD937ECAFD4C35A9838571723F2D026 + + + False + False + + Verify the permissions on Group Policy objects. + +Open "Group Policy Management". (Available from various menus or run "gpmc.msc".) +Navigate to "Group Policy Objects" in the domain being reviewed (Forest > Domains > Domain). + +For each Group Policy object: +Select the Group Policy object item in the left pane. +Select the Delegation tab in the right pane. +Select the Advanced button. 
+ +If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding. + +Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. + +The default permissions noted below meet this requirement. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry, and the Edit button. + +Authenticated Users - Read, Apply group policy, Special permissions + +The Special permissions for Authenticated Users are for Read type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +The Special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties. + +CREATOR OWNER - Special permissions + +SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions + +Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions + +Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects. + +The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification is explicitly documented with the ISSO. + + + False + False + + Review the necessary documentation that identifies the members of the Administrators group. 
If a list of all users belonging to the Administrators group is not maintained with the ISSO, this is a finding. + + + False + False + + Verifying the permissions on domain defined OUs. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. + +For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: +Right click the OU and select Properties. +Select the Security tab. + +If the permissions on the OU are not at least as restrictive as those below, this is a finding. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry and the Edit button. + +Self - Special permissions + +Authenticated Users - Read, Special permissions +The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +SYSTEM - Full Control + +Domain Admins - Full Control + +Enterprise Admins - Full Control + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions +The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO. + + + False + False + + Determine whether system-related documentation is backed up in accordance with local recovery time and recovery point objectives. 
If system-related documentation is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + + + False + False + + Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding. + + + False + False + + Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. + +If there is no anti-virus solution installed on the system, this is a finding. + + + False + False + + Determine whether system-level information is backed up in accordance with local recovery time and recovery point objectives. If system-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + False + False + + Verify the local system boots directly into Windows. + +Open Control Panel. +Select "System". +Select the "Advanced System Settings" link. +Select the "Advanced" tab. +Click the "Startup and Recovery" Settings button. + +If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding. + + + False + False + + Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. + +Standard user accounts must not be members of the local administrator group. + +If prohibited accounts are members of the local administrators group, this is a finding. + +The built-in Administrator account or other required administrative accounts would not be a finding. + + + False + False + + Verify security configuration tools or equivalent processes are being used to configure Windows systems to meet security requirements. If security configuration tools or equivalent processes are not used, this is a finding. 
+ +Security configuration tools that are integrated into Windows, such as Group Policies and Security Templates, may be used to configure platforms for security compliance. + +If an alternate method is used to configure a system (e.g., manually using the DISA Windows Security STIGs, etc.) and the same configured result is achieved, this is acceptable. + + + False + False + + Open "Devices and Printers" in Control Panel or through Search. +If there are no printers configured, this is NA. + +For each configured printer: +Right click on the printer. +Select "Printer Properties". +Select the "Sharing" tab. +View whether "Share this printer" is checked. + +For any printers with "Share this printer" selected: +Select the Security tab. + +If any standard user accounts or groups have permissions other than "Print", this is a finding. +Standard users will typically be given "Print" permission through the Everyone group. +"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement. + + + False + False + + Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. + + + False + False + + Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. 
+ +If the value for "Maximum lifetime for service ticket" is 0 or greater than 600 minutes, this is a finding. + + + False + False + + Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the value for "Maximum lifetime for user ticket" is 0 or greater than 10 hours, this is a finding. + + + False + False + + Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the "Maximum lifetime for user ticket renewal" is greater than 7 days, this is a finding. + + + False + False + + Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the "Maximum tolerance for computer clock synchronization" is greater than 5 minutes, this is a finding. + + + False + False + + Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding. 
+ +A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement. + + + False + False + + If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. +(System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) + +Run "Computer Management". +Navigate to System Tools >> Shared Folders >> Shares. + +Right click any non-system-created shares. +Select "Properties". +Select the "Share Permissions" tab. + +If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. + +Select the "Security" tab. + +If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. + + + False + False + + Review the password never expires status for enabled user accounts. + +Open "Windows PowerShell" with elevated privileges (run as administrator). + +Domain Controllers: + +Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | Where PasswordNeverExpires -eq True | FT Name, PasswordNeverExpires, Enabled". + +Exclude application accounts and disabled accounts (e.g., Guest). +Domain accounts requiring smart card (CAC/PIV) may also be excluded. + +If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. + +Member servers and standalone systems: + +Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. + +Exclude application accounts and disabled accounts (e.g., Guest). + +If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding. 
+ + + False + False + + Review the password required status for enabled user accounts. + +Open "Windows PowerShell". + +Domain Controllers: + +Enter "Get-ADUser -Filter * -Properties PasswordNotRequired | Where PasswordNotRequired -eq True | FT Name, PasswordNotRequired, Enabled". + +Exclude disabled accounts (e.g., Guest). + +If "PasswordNotRequired" is "True" for any enabled user account, this is a finding. + +Member servers and standalone systems: + +Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. + +Exclude disabled accounts (e.g., Guest). + +If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding. + + + False + False + + Refer to the AD database location obtained in check V-8316. Note the logical drive (e.g., C:) on which the files are located. + +Determine if the server is currently providing file sharing services to users with the following command. +Enter "net share" at a command prompt. + +Note the logical drive(s) or file system partition for any site-created data shares. +Ignore all system shares (e.g., Windows NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored. + +If user shares are located on the same logical partition as the directory server data files, this is a finding. + + + False + False + + Review the roles and services the domain controller is running. +Run "services.msc" to display the Services console. + +Determine if any running services are application components. + +Examples of services indicating the presence of applications are: +-DHCP Server for DHCP server +-IIS Admin Service for IIS web server +-Microsoft Exchange System Attendant for Exchange +-MSSQLServer for SQL Server. + +If any application-related components have the "Started" status, this is a finding. 
+ +Installed roles can be displayed by viewing Server Roles in the Add (or Remove) Roles and Features wizard. (Cancel before any changes are made.) + +Determine if any additional server roles are installed. A basic domain controller set up will include the following: +-Active Directory Domain Services +-DNS Server +-File and Storage Services + +If any roles not requiring installation on a domain controller are installed, this is a finding. + +Supplemental Notes: +A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. + +Some directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are dedicated to directory server support and only administrative users have access to them. + + + False + False + + Review the password last set date for the built-in Administrator account. + +Domain controllers: + +Open "Windows PowerShell". + +Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | FL Name, SID, PasswordLastSet". + +If the "PasswordLastSet" date is greater than one year old, this is a finding. + +Member servers and standalone systems: + +Open "Windows PowerShell" or "Command Prompt". + +Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account. + +(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.) + +If the "PasswordLastSet" date is greater than one year old, this is a finding. 
+ + + False + False + + At this time, this is a finding for all Windows domain controllers for sensitive or classified levels as Windows Active Directory Domain Services (AD DS) does not provide a method to restrict anonymous access to the root DSE on domain controllers. + +The following can be used to verify anonymous access is allowed. + +Open a command prompt (not elevated). +Run "ldp.exe". +From the Connection menu, select Bind. +Clear the User, Password, and Domain fields. +Select Simple bind for the Bind type, Click OK. + +RootDSE attributes should display, such as various namingContexts. + +Confirmation of anonymous access will be displayed at the end: +res = ldap_simple_bind_s +Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' + + + False + False + + Verify anonymous access is not allowed to the AD domain naming context. + +Open a command prompt (not elevated). +Run "ldp.exe". +From the Connection menu, select Bind. +Clear the User, Password, and Domain fields. +Select Simple bind for the Bind type, Click OK. + +Confirmation of anonymous access will be displayed at the end: +res = ldap_simple_bind_s +Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' + +From the Browse menu, select Search. +In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. +Clear the Attributes field and select Run. + +Error messages should display related to bind and user not authenticated. + +If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding. + + + False + False + + Verify the source of the domain controller's server certificate. + +Run "mmc". +Select "Add/Remove Snap-in" from the File menu. +Select "Certificates" in the left pane and click the "Add >" button. +Select "Computer Account", click "Next". +Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". +Click "OK". 
+Select and expand the Certificates (Local Computer) entry in the left pane. +Select and expand the Personal entry in the left pane. +Select the Certificates entry in the left pane. +In the right pane, examine the Issued By field for the certificate to determine the issuing CA. + +If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding. + + +There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: + +The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. + +DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE. +http://iase.disa.mil/pki-pke/function_pages/tools.html + + + False + False + + Verify the value for MaxConnIdleTime. + +Open an elevated command prompt. +Enter "ntdsutil". +At the "ntdsutil:" prompt, enter "LDAP policies". +At the "ldap policy:" prompt, enter "connections". +At the "server connections:" prompt, enter "connect to server [host-name]". +(Where [host-name] is the computer name of the domain controller.) +At the "server connections:" prompt, enter "q". +At the "ldap policy:" prompt, enter "show values". + +If the value for MaxConnIdleTime is greater than 300 (the value for five minutes) or it is not specified, this is a finding. + +Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. + + +Alternately, Dsquery can be used to display MaxConnIdleTime: + +Open an elevated command prompt. +Enter the following command (on a single line). 
+dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits +The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). + + + False + False + + Verify active directory user accounts, including administrators, have "Smart card is required for interactive logon" selected. + +Run "PowerShell". +Enter the following: +"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name" +("DistinguishedName" may be substituted for "Name" for more detailed output.) +If any user accounts are listed, this is a finding. + +Alternately: +To view sample accounts in "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"): +Select the Organizational Unit (OU) where the User accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) +Right click the sample User account and select "Properties". +Select the "Account" tab. +If any User accounts do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding. + + + False + False + + Verify whether the registry key below exists. If it does not exist or the value is "0", this is not a finding. +If the registry key exists and contains a value other than "0", continue below. + +The values are determined by the selection of encryption suites in the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network Security: Configure encryption types allowed for Kerberos". 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ +Value Name: SupportedEncryptionTypes +Type: REG_DWORD + +Due to the number of possible combinations that may include the DES encryption types, it is not possible to include all acceptable values as viewed directly in the registry. + +If the registry key does exist, the value must be converted to binary to determine configuration of specific bits. This will determine whether this is a finding. + +Note the value for the registry key. +For example, when all suites, including the DES suites are selected, the value will be "0x7fffffff (2147483647)". + +Open the Windows calculator (Run/Search for "calc"). +Select "View", then "Programmer". +Select "Dword" and either "Hex" or "Dec". +Enter the appropriate form of the value found for the registry key (e.g., Hex - enter 0x7fffffff, Dec - enter 2147483647) +Select "Bin". +The returned value may vary in length, up to 32 characters. +If the either of 2 right most characters are "1", this is a finding. +If the both of 2 right most characters are "0", this is not a finding. + + + False + False + + Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. + +Run "PowerShell" as an administrator. +Execute the following command: +Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US +Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Issued To - Issued By - Thumbprint +DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F +DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 +DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 + + + False + False + + Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. + +The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. 
These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. + +Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. + +If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding. + + + False + False + + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + +If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. + + + False + False + + Verify the site has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. If such a policy does not exist or has not been implemented, this is a finding. + + + False + False + + Determine if manually managed application/service accounts exist. If none exist, this is NA. + +If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. + +Identify manually managed application/service accounts. + +To determine the date a password was last changed: + +Domain controllers: + +Open "Windows PowerShell". + +Enter "Get-ADUser -Identity [application account name] -Properties PasswordLastSet | FL Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. + +If the "PasswordLastSet" date is more than one year old, this is a finding. + +Member servers and standalone systems: + +Open "Windows PowerShell" or "Command Prompt". 
+ +Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. + +If the "Password Last Set" date is more than one year old, this is a finding. + + + False + False + + Determine whether the site has a policy that requires SAs be trained for all operating systems running on systems under their control. If the site does not have a policy requiring SAs be trained for all operating systems under their control, this is a finding. + + + False + False + + Determine whether audit logs are reviewed on a predetermined schedule. If audit logs are not reviewed on a regular basis, this is a finding. + + + False + False + + Determine whether audit data is retained for at least one year. If the audit data is not retained for at least a year, this is a finding. + + + False + False + + Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding. + + + False + False + + Determine whether user-level information is backed up in accordance with local recovery time and recovery point objectives. If user-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + False + False + + Verify the operating system employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If it does not, this is a finding. + + + False + False + + Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding. 
+ + + False + False + + Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding. + + + False + False + + Verify the permissions on the Domain Controllers OU. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) + +Select Advanced Features in the View menu if not previously selected. + +Navigate to the Domain Controllers OU (folder in folder icon). + +Right click the OU and select Properties. + +Select the Security tab. + +If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. + +The default permissions listed below satisfy this requirement. + +Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry, and the Edit button. + +SELF - Special permissions + +Authenticated Users - Read, Special permissions +The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +SYSTEM - Full Control + +Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Enterprise Admins - Full Control + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions +The Special permissions for Pre-Windows 2000 Compatible Access are Read types. 
If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + + + False + False + + Verify the domain controller has a PKI server certificate. + +Run "mmc". +Select "Add/Remove Snap-in" from the File menu. +Select "Certificates" in the left pane and click the "Add >" button. +Select "Computer Account", click "Next". +Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". +Click "OK". +Select and expand the Certificates (Local Computer) entry in the left pane. +Select and expand the Personal entry in the left pane. +Select the Certificates entry in the left pane. + +If no certificate for the domain controller exists in the right pane, this is a finding. + + + False + False + + Determine if system-level information backups are protected from destruction and stored in a physically secure location. If they are not, this is a finding. + + + False + False + + If no accounts are members of the Backup Operators group, this is NA. + +Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding. + + + False + False + + Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. + +Run "PowerShell" as an administrator. +Execute the following command: +Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. 
Government, C=US +Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Issued To - Issued By - Thumbprint +DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 + + + False + False + + Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. + +The configuration requirements will be determined by the applicable firewall STIG. + + + False + False + + This is applicable to unclassified systems, for other systems this is NA. + +Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + +If an application whitelisting program is not in use on the system, this is a finding. + +Configuration of whitelisting applications will vary by the program. + +AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. + +If AppLocker is used, perform the following to view the configuration of AppLocker: +Open PowerShell. 
+ +If the AppLocker PowerShell module has not been previously imported, execute the following first: +Import-Module AppLocker + +Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: +Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml + +This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. + +Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" under the Microsoft Windows section of the following link: + +https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml + + + False + False + + If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPSEC have been implemented. If protection methods have not been implemented, this is a finding. + + + False + False + + Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If it does not, this is a finding. + + + False + False + + Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. + +Review temporary user accounts for expiration dates. + +Open "PowerShell". + +Domain Controllers: + +Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" +This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) + +If any accounts identified as temporary are not listed, this is a finding. 
+ +For any temporary accounts returned by the previous query: +Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. + +If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. + +Member servers and standalone systems: + +Enter "Net User [username]", where [username] is the name of the temporary user account. + +If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding. + +If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.) + + + False + False + + Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. + +If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. + +If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. + +Domain Controllers: + +Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" +This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) + +If any accounts identified as emergency administrator accounts are not listed, this is a finding. + +For any emergency administrator accounts returned by the previous query: +Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. + +If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. 
+ +Member servers and standalone systems: + +Enter "Net User [username]", where [username] is the name of the emergency administrator accounts. + +If "Account expires" has not been defined within 72 hours for any emergency administrator accounts, this is a finding. + +If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.) + + + False + False + + Verify the operating system, at a minimum, off-loads audit records of interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. + + + False + False + + Review the effective User Rights setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) + +If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. + + + + + + + + + Administrators + False + This Key and Subkeys + FullControl + + + + + Backup Operators + False + This Key Only + ReadKey + + + + + LOCAL SERVICE + False + This Key and Subkeys + ReadKey + + + True + False + False + + HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ + Run "Regedit". +Navigate to the following registry key: +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ + +If the key does not exist, this is a finding. + +Right-click on "winreg" and select "Permissions…". +Select "Advanced". + +If the permissions are not as restrictive as the defaults listed below, this is a finding. 
+ +The following are the same for each permission listed: +Type - Allow +Inherited from - None + +Columns: Principal - Access - Applies to +Administrators - Full Control - This key and subkeys +Backup Operators - Read - This key only +LOCAL SERVICE - Read - This key and subkeys + + + + + + + NT AUTHORITY\SYSTEM + False + + + FullControl + + + + + BUILTIN\Administrators + False + + + FullControl + + + True + False + False + + %windir%\NTDS\*.* + Verify the permissions on the content of the NTDS directory. + +Open the registry editor (regedit). +Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters. +Note the directory locations in the values for: +Database log files path +DSA Database file + +By default they will be \Windows\NTDS. If the locations are different, the following will need to be run for each. + +Open an elevated command prompt (Win+x, Command Prompt (Admin)). +Navigate to the NTDS directory (\Windows\NTDS by default). +Run "icacls *.*". + +If the permissions on each file are not at least as restrictive as the following, this is a finding. + +NT AUTHORITY\SYSTEM:(I)(F) +BUILTIN\Administrators:(I)(F) + +(I) - permission inherited from parent container +(F) - full access + +Do not use File Explorer to attempt to view permissions of the NTDS folder. Accessing the folder through File Explorer will change the permissions on the folder. + + + + + + + TrustedInstaller + False + This Key and Subkeys + FullControl + + + + + SYSTEM + False + This Key and Subkeys + FullControl + + + + + Administrators + False + This Key and Subkeys + FullControl + + + + + Users + False + This Key and Subkeys + ReadKey + + + + + ALL APPLICATION PACKAGES + False + This Key and Subkeys + ReadKey + + + True + False + False + + HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Winlogon\ + Run "Regedit". 
+Navigate to the following registry key: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Right-click on "WinLogon" and select "Permissions…". +Select "Advanced". + +If the permissions are not as restrictive as the defaults listed below, this is a finding. + +The following are the same for each permission listed: +Type - Allow +Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion +Applies to - This key and subkeys + +Columns: Principal - Access +TrustedInstaller - Full Control +SYSTEM - Full Control +Administrators - Full Control +Users - Read +ALL APPLICATION PACKAGES - Read + + + + + + + Users + False + + + ReadKey + + + + + Administrators + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + CREATOR OWNER + False + Subkeys Only + FullControl + + + + + ALL APPLICATION PACKAGES + False + + + ReadKey + + + True + False + False + + HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ + Run "Regedit". +Navigate to the following registry keys and review the permissions: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ +HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems) + +If the default permissions listed below have been changed, this is a finding. + +Users - Read +Administrators - Full Control +SYSTEM - Full Control +CREATOR OWNER - Full Control (Subkeys only) +ALL APPLICATION PACKAGES - Read + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\Application.evtx + Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have greater than Read access. 
The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\Security.evtx + Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\System.evtx + Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. 
+ + + + + Fail + Everyone + False + + + + + + + Success + Everyone + False + + + + + + + Success + Everyone + False + + + + + + + True + False + False + + + Review the auditing configuration for all Group Policy objects. + +Open "Group Policy Management". (Available from various menus, or run "gpmc.msc".) + +Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). + +For each Group Policy object: + +Select the Group Policy Object item in the left pane. + +Select the "Delegation" tab in the right pane. + +Select the "Advanced" button. + +Select the "Advanced" button again and then the "Auditing" tab. + +If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects + +The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. + +Type - Success +Principal - Everyone +Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) +Inherited from - Parent Object +Applies to - Descendant groupPolicyContainer objects + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) +Inherited from - Parent Object +Applies to - Descendant Organization Unit Objects + + + + + Fail + Everyone + False + + + FullControl + + + Success + Everyone + False + + + blank + + + Success + Domain Users + False + + + AllExtendedRights + + + Success + Administrators + False + + + AllExtendedRights + + + Success + Everyone + False + + + WriteallProperties,ModifyPermissions,ModifyOwner + + + True + False + False + + {Domain} + Verify the auditing configuration for the Domain object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select the domain being reviewed in the left pane. +Right click the domain name and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - (blank) +Inherited from - None +Applies to - Special + +Type - Success +Principal - Domain Users +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Administrators +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner) + + + + + Fail + Everyone + False + + + FullControl + + + Success + Everyone + False + + + WriteallProperties,AllExtendedRights,ChangeInfrastructureMaster + + + Success + Everyone + False + + + blank + + + True + False + False + + CN=Infrastructure,{Domain} + Verify the auditing configuration for Infrastructure object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select the domain being reviewed in the left pane. +Right click the Infrastructure object in the right pane and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) + + + + + Fail + Everyone + False + + + FullControl + + + Success + Everyone + False + + + Createallchildobjects,Delete,ModifyPermissions + + + Success + Everyone + False + + + WriteallProperties + + + Success + Everyone + False + + + blank + + + True + False + False + + OU=Domain Controllers,{Domain} + Verify the auditing configuration for the Domain Controller OU object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select the Domain Controllers OU under the domain being reviewed in the left pane. +Right click the Domain Controllers OU object and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object and all descendant objects + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: all create, delete and modify permissions) + +Type - Success +Principal - Everyone +Access - Write all properties +Inherited from - None +Applies to - This object and all descendant objects + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objects + + + + + Fail + Everyone + False + + + FullControl + + + Success + Everyone + False + + + WriteallProperties,ModifyPermissions,ModifyOwner + + + Success + Everyone + False + + + blank + + + True + False + False + + CN=AdminSDHolder,CN=System,{Domain} + Verify the auditing configuration for the AdminSDHolder object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select System under the domain being reviewed in the left pane. +Right click the AdminSDHolder object in the right pane and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the AdminSDHolder object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Write all properties, Modify permissions, Modify owner) + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objects + + + + + Fail + Everyone + False + + + FullControl + + + Success + Everyone + False + + + WriteallProperties,AllExtendedRights,ChangeRIDMaster + + + Success + Everyone + False + + + blank + + + True + False + False + + CN=RID Manager$,CN=System,{Domain} + Verify the auditing configuration for the RID Manager$ object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select System under the domain being reviewed in the left pane. +Right-click the RID Manager$ object in the right pane and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the RID Manager$ object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None + (Access - Special = Write all properties, All extended rights, Change RID master) + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) + + + + + Allow + Authenticated Users + False + This folder subfolders and files + ReadAndExecute + + + Allow + Server Operators + False + This folder subfolders and files + ReadAndExecute + + + Allow + Administrators + False + This folder only + AppendData,ChangePermissions,CreateDirectories,CreateFiles,Delete,DeleteSubdirectoriesAndFiles,ExecuteFile,ListDirectory,Modify,Read,ReadAndExecute,ReadAttributes,ReadData,ReadExtendedAttributes,ReadPermissions,Synchronize,TakeOwnership,Traverse,Write,WriteAttributes,WriteData,WriteExtendedAttributes + + + Allow + CREATOR OWNER + False + Subfolders and files only + FullControl + + + Allow + Administrators + False + Subfolders and files only + FullControl + + + Allow + SYSTEM + False + This folder subfolders and files + FullControl + + + True + False + False + + %windir%\sysvol + Verify the permissions on the SYSVOL directory. + +Open a command prompt. +Run "net share". +Make note of the directory location of the SYSVOL share. + +By default this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. + +Open File Explorer. +Navigate to \Windows\SYSVOL (or the directory noted previously if different). +Right click the directory and select properties. +Select the Security tab. +Click Advanced. + +If any standard user accounts or groups have greater than read & execute permissions, this is a finding. The default permissions noted below meet this requirement. 
+ +Type - Allow +Principal - Authenticated Users +Access - Read & execute +Inherited from - None +Applies to - This folder, subfolder and files + +Type - Allow +Principal - Server Operators +Access - Read & execute +Inherited from - None +Applies to - This folder, subfolder and files + +Type - Allow +Principal - Administrators +Access - Special +Inherited from - None +Applies to - This folder only +(Access - Special - Basic Permissions: all selected except Full control) + +Type - Allow +Principal - CREATOR OWNER +Access - Full control +Inherited from - None +Applies to - Subfolders and files only + +Type - Allow +Principal - Administrators +Access - Full control +Inherited from - None +Applies to - Subfolders and files only + +Type - Allow +Principal - SYSTEM +Access - Full control +Inherited from - None +Applies to - This folder, subfolders and files + + +Alternately, use Icacls.exe to view the permissions of the SYSVOL directory. +Open a command prompt. +Run "icacls c:\Windows\SYSVOL +The following results should be displayed: + +NT AUTHORITY\Authenticated Users:(RX) +NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) +BUILTIN\Server Operators:(RX) +BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) +BUILTIN\Administrators:(M,WDAC,WO) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(F) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M,WDAC,WO) +CREATOR OWNER:(OI)(CI)(IO)(F) + +(RX) - Read & execute +Run "icacls /help" to view definitions of other permission codes. 
+ + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %ProgramFiles(x86)% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +For each folder, view the Properties. +Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). 
+Enter icacls followed by the directory: + +icacls "c:\program files" +icacls "c:\program files (x86)" + +The following results should be displayed as each is entered: + +c:\program files +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %ProgramFiles% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +For each folder, view the Properties. 
+Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Program Files +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls "c:\program files" +icacls "c:\program files (x86)" + +The following results should be displayed as each is entered: + +c:\program files +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + + SYSTEM + False + This folder subfolders and files + FullControl + + + + + Administrators + False + This folder subfolders and files + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + Users + False + This folder and subfolders + CreateDirectories,AppendData + + + + + Users + False + Subfolders only + CreateFiles,WriteData + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + True + False + False + + %SystemDrive%\ + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to 
anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +View the Properties of system drive root directory. +Select the "Security" tab, and the "Advanced" button. + +C:\ +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +SYSTEM - Full control - This folder, subfolders and files +Administrators - Full control - This folder, subfolders and files +Users - Read & execute - This folder, subfolders and files +Users - Create folders / append data - This folder and subfolders +Users - Create files / write data - Subfolders only +CREATOR OWNER - Full Control - Subfolders and files only + +Alternately, use Icacls: + +Open a Command prompt (admin). 
+Enter icacls followed by the directory: + +icacls c:\ + +The following results should be displayed: + +c:\ +NT AUTHORITY\SYSTEM:(OI)(CI)(F) +BUILTIN\Administrators:(OI)(CI)(F) +BUILTIN\Users:(OI)(CI)(RX) +BUILTIN\Users:(CI)(AD) +BUILTIN\Users:(CI)(IO)(WD) +CREATOR OWNER:(OI)(CI)(IO)(F) +Successfully processed 1 files; Failed processing 0 files + + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %windir% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the Windows installation directory (usually C:\Windows). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +View the Properties of the folder. +Select the "Security" tab, and the "Advanced" button. 
+ +Default Permissions: +\Windows +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls c:\windows + +The following results should be displayed: + +c:\windows +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + TrustedInstaller + False + + + FullControl + + + + + Administrators + False + + + ReadAndExecute + + + + + SYSTEM + False + + + ReadAndExecute + + + + + Users + False + + + ReadAndExecute + + + + + ALL APPLICATION PACKAGES + False + + + ReadAndExecute + + + True + False + False + + %windir%\SYSTEM32\eventvwr.exe + Verify the permissions on Event Viewer only allow TrustedInstaller permissions to change or modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding. + +Navigate to "%SystemRoot%\SYSTEM32". +View the permissions on "Eventvwr.exe". + +The default permissions below satisfy this requirement. 
+TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & Execute + + + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ShutdownWithoutLogon + +Value Type: REG_DWORD +Value: 0 + 0 + ShutdownWithoutLogon + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeText + +Value Type: REG_SZ +Value: See message text below + +You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + LegalNoticeText + String + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -le '4' + If the system is not a member of a domain, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: CachedLogonsCount + +Value Type: REG_SZ +Value: 4 (or less) + + CachedLogonsCount + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymous + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictAnonymous + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableForcedLogoff + +Value Type: REG_DWORD +Value: 1 + 1 + EnableForcedLogoff + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnablePlainTextPassword + +Value Type: REG_DWORD +Value: 0 + 0 + EnablePlainTextPassword + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: AutoAdminLogon + +Type: REG_SZ +Value: 0 + 0 + AutoAdminLogon + String + + + 
Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanManPrintServices\Servers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\ + +Value Name: AddPrinterDrivers + +Value Type: REG_DWORD +Value: 1 + 1 + AddPrinterDrivers + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: LmCompatibilityLevel + +Value Type: REG_DWORD +Value: 5 + 5 + LmCompatibilityLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableCAD + +Value Type: REG_DWORD +Value: 0 + 0 + DisableCAD + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -match '1|2' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: SCRemoveOption + +Value Type: REG_SZ +Value: 1 (Lock Workstation) or 2 (Force Logoff) + +If configuring this on servers causes issues such as terminating users' remote sessions and the site has a policy in place that any other sessions on the servers such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. 
This must be documented with the ISSO. + + SCRemoveOption + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SealSecureChannel + +Value Type: REG_DWORD +Value: 1 + +If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831). + 1 + SealSecureChannel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SignSecureChannel + +Value Type: REG_DWORD +Value: 1 + +If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831). 
+ 1 + SignSecureChannel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: DisablePasswordChange + +Value Type: REG_DWORD +Value: 0 + 0 + DisablePasswordChange + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: AllocateDASD + +Value Type: REG_SZ +Value: 0 + 0 + AllocateDASD + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -ge '14' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: PasswordExpiryWarning + +Value Type: REG_DWORD +Value: 14 (or greater) + + PasswordExpiryWarning + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: 
HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\ + +Value Name: ProtectionMode + +Value Type: REG_DWORD +Value: 1 + 1 + ProtectionMode + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters + True + {0} -le '15' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: autodisconnect + +Value Type: REG_DWORD +Value: 0x0000000f (15) (or less) + + autodisconnect + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ + +Value Name: NoDriveTypeAutoRun + +Type: REG_DWORD +Value: 0x000000ff (255) + 255 + NoDriveTypeAutoRun + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: NullSessionPipes + +Value Type: REG_MULTI_SZ +Value: netlogon, samr, lsarpc + +The default configuration of systems promoted to domain controllers may include a blank entry in the first line prior to "netlogon", "samr", and "lsarpc". This will appear in the registry as a blank entry when viewing the registry key summary; however the value data for "NullSessionPipes" will contain the default entries. + +Legitimate applications may add entries to this registry value. 
If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. + netlogon;samr;lsarpc + NullSessionPipes + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\ + +Value Name: Machine + +Value Type: REG_MULTI_SZ +Value: see below + +System\CurrentControlSet\Control\ProductOptions +System\CurrentControlSet\Control\Server Applications +Software\Microsoft\Windows NT\CurrentVersion + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. 
+ System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion + Machine + MultiString + + + Present + True + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist, this is not a finding: + +If the following registry value does exist and is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: NullSessionShares + +Value Type: REG_MULTI_SZ +Value: (Blank) + + + NullSessionShares + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fAllowToGetHelp + +Type: REG_DWORD +Value: 0 + 0 + fAllowToGetHelp + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: LimitBlankPasswordUse + +Value Type: REG_DWORD +Value: 1 + 1 + LimitBlankPasswordUse + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + True + {0} -le '30' -and {0} -gt '0' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: MaximumPasswordAge + +Value Type: REG_DWORD +Value: 30 (or less, but not 0) + + MaximumPasswordAge + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireStrongKey + +Value Type: REG_DWORD +Value: 1 + +This setting may prevent a system from being joined to a domain if not configured consistently between systems. + 1 + RequireStrongKey + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: DisableDomainCreds + +Value Type: REG_DWORD +Value: 1 + 1 + DisableDomainCreds + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: EveryoneIncludesAnonymous + +Value Type: REG_DWORD +Value: 0 + 0 + EveryoneIncludesAnonymous + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: ForceGuest + +Value Type: REG_DWORD +Value: 0 + 0 + ForceGuest + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: NoLMHash + +Value Type: 
REG_DWORD +Value: 1 + 1 + NoLMHash + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LDAP\ + +Value Name: LDAPClientIntegrity + +Value Type: REG_DWORD +Value: 1 + 1 + LDAPClientIntegrity + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinClientSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200) + 537395200 + NTLMMinClientSec + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ + +Value Name: Enabled + +Value Type: REG_DWORD +Value: 1 + +Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site. 
+ 1 + Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\ + +Value Name: ObCaseInsensitive + +Value Type: REG_DWORD +Value: 1 + 1 + ObCaseInsensitive + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fSingleSessionPerUser + +Type: REG_DWORD +Value: 1 + 1 + fSingleSessionPerUser + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fPromptForPassword + +Type: REG_DWORD +Value: 1 + 1 + fPromptForPassword + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: MinEncryptionLevel + +Type: REG_DWORD +Value: 3 + 3 + MinEncryptionLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: PerSessionTempDir + +Type: REG_DWORD +Value: 1 + 1 + PerSessionTempDir + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DeleteTempDirsOnExit + +Type: REG_DWORD +Value: 1 + 1 + DeleteTempDirsOnExit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system + False + + Review the registry. +If the following registry value does not exist, this is not a finding (this is the expected result from configuring the policy as outlined in the Fix section.): +If the following registry value exists but is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\system\ + +Value Name: DisableBkGndGroupPolicy + +Type: REG_DWORD +Value: 0 + 0 + DisableBkGndGroupPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fAllowUnsolicited + +Type: REG_DWORD +Value: 0 + 0 + fAllowUnsolicited + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters + True + '{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\W32time\Parameters\ +Type: REG_SZ +Value Name: Type +Value: Possible values are NoSync, NTP, NT5DS, AllSync + + Type + String + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters + True + '{0}' -notmatch 'time.windows.com' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\W32time\Parameters\ +Type: REG_SZ +Value Name: NTPServer +Value: "address of the time server" + + NTPServer + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\ + +Value Name: SafeDllSearchMode + +Value Type: REG_DWORD +Value: 1 + 1 + SafeDllSearchMode + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer + False + + Windows Media Player is not installed by default. If it is not installed, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: DisableAutoupdate + +Type: REG_DWORD +Value: 1 + 1 + DisableAutoupdate + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: PreventCodecDownload + +Type: REG_DWORD +Value: 1 + 1 + PreventCodecDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinServerSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200) + 
537395200 + NTLMMinServerSec + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security + True + {0} -le '90' + If the system is configured to write to an audit server, or is configured to automatically archive full logs, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\ + +Value Name: WarningLevel + +Value Type: REG_DWORD +Value: 90 (or less) + + WarningLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: DisableIPSourceRouting + +Value Type: REG_DWORD +Value: 2 + 2 + DisableIPSourceRouting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableICMPRedirect + +Value Type: REG_DWORD +Value: 0 + 0 + EnableICMPRedirect + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: PerformRouterDiscovery + +Value Type: REG_DWORD +Value: 0 + 0 + PerformRouterDiscovery + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + True + {0} -le '300000' + If the following registry 
value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: KeepAliveTime + +Value Type: REG_DWORD +Value: 300000 (or less) + + KeepAliveTime + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ + +Value Name: NoNameReleaseOnDemand + +Value Type: REG_DWORD +Value: 1 + 1 + NoNameReleaseOnDemand + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\NTDS\Parameters\ + +Value Name: LDAPServerIntegrity + +Value Type: REG_DWORD +Value: 2 + 2 + LDAPServerIntegrity + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RefusePasswordChange + +Value Type: REG_DWORD +Value: 0 + 0 + RefusePasswordChange + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + True + {0} -le '3' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: TcpMaxDataRetransmissions + +Value Type: REG_DWORD +Value: 3 (or less) + + TcpMaxDataRetransmissions + Dword + + 
+ Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -le '5' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: ScreenSaverGracePeriod + +Value Type: REG_SZ +Value: 5 (or less) + + ScreenSaverGracePeriod + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\ + +Value Name: Machine + +Value Type: REG_MULTI_SZ +Value: see below + +Software\Microsoft\OLAP Server +Software\Microsoft\Windows NT\CurrentVersion\Perflib +Software\Microsoft\Windows NT\CurrentVersion\Print +Software\Microsoft\Windows NT\CurrentVersion\Windows +System\CurrentControlSet\Control\ContentIndex +System\CurrentControlSet\Control\Print\Printers +System\CurrentControlSet\Control\Terminal Server +System\CurrentControlSet\Control\Terminal Server\UserConfig +System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration +System\CurrentControlSet\Services\Eventlog +System\CurrentControlSet\Services\Sysmonlog + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. 
+ Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Perflib;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;System\CurrentControlSet\Services\Eventlog;System\CurrentControlSet\Services\Sysmonlog + Machine + MultiString + + + Present + True + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Subsystems + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\ + +Value Name: Optional + +Value Type: REG_MULTI_SZ +Value: (Blank) + + + Optional + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEncryptRPCTraffic + +Type: REG_DWORD +Value: 1 + 1 + fEncryptRPCTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GroupPolicy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ + +Value Name: NoGPOListChanges + +Type: REG_DWORD +Value: 0 + 0 + NoGPOListChanges + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireSignOrSeal + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSignOrSeal + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: RequireSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: RequireSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: RestrictNullSessAccess + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictNullSessAccess + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ +Type: REG_DWORD +Value Name: 
Enabled +Value: 1 + 1 + Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient + True + '{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ +Type: REG_SZ +Value Name: Type +Value: NT5DS (preferred), NTP or Allsync + + Type + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config + True + {0} -match '2|3' + Verify logging is configured to capture time source switches. + +If the Windows Time Service is used, verify the following registry value. If it is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\W32Time\Config\ + +Value Name: EventLogFlags + +Type: REG_DWORD +Value: 2 or 3 + +If another time synchronization tool is used, review the available configuration options and logs. If the tool has time source logging capability and it is not enabled, this is a finding. 
+ + EventLogFlags + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DontDisplayLastUserName + +Value Type: REG_DWORD +Value: 1 + 1 + DontDisplayLastUserName + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: AuditBaseObjects + +Value Type: REG_DWORD +Value: 0 + 0 + AuditBaseObjects + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: FullPrivilegeAuditing + +Value Type: REG_BINARY +Value: 0 + 0 + FullPrivilegeAuditing + Binary + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: SCENoApplyLegacyAuditPolicy + +Value Type: REG_DWORD +Value: 1 + 1 + SCENoApplyLegacyAuditPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\IPSEC\ + +Value Name: NoDefaultExempt + +Value Type: REG_DWORD 
+Value: 3 + 3 + NoDefaultExempt + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: FilterAdministratorToken + +Value Type: REG_DWORD +Value: 1 + 1 + FilterAdministratorToken + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + '{0}' -le '4' + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorAdmin + +Value Type: REG_DWORD +Value: 4 (Prompt for consent) +3 (Prompt for credentials) +2 (Prompt for consent on the secure desktop) +1 (Prompt for credentials on the secure desktop) + + ConsentPromptBehaviorAdmin + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorUser + +Value Type: REG_DWORD +Value: 0 + 0 + ConsentPromptBehaviorUser + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableInstallerDetection + +Value Type: REG_DWORD +Value: 1 + 1 + EnableInstallerDetection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableSecureUIAPaths + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecureUIAPaths + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableLUA + +Value Type: REG_DWORD +Value: 1 + 1 + EnableLUA + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: PromptOnSecureDesktop + +Value Type: REG_DWORD +Value: 1 + 1 + PromptOnSecureDesktop + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableVirtualization + +Value Type: REG_DWORD +Value: 1 + 1 + EnableVirtualization + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ + +Value Name: EnumerateAdministrators + +Type: REG_DWORD +Value: 0x00000000 (0) + 0 + EnumerateAdministrators + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DisablePasswordSaving + +Type: REG_DWORD +Value: 1 + 1 + DisablePasswordSaving + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableCdm + +Type: REG_DWORD +Value: 1 + 1 + fDisableCdm + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableHTTPPrinting + +Type: REG_DWORD +Value: 1 + 1 + DisableHTTPPrinting 
+ Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableWebPnPDownload + +Type: REG_DWORD +Value: 1 + 1 + DisableWebPnPDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DontSearchWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DontSearchWindowsUpdate + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: SaveZoneInformation + +Type: REG_DWORD +Value: 2 + 2 + SaveZoneInformation + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: HideZoneInfoOnProperties + +Type: REG_DWORD +Value: 1 + 1 + HideZoneInfoOnProperties + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: 
\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: ScanWithAntiVirus + +Type: REG_DWORD +Value: 3 + 3 + ScanWithAntiVirus + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Peernet\ + +Value Name: Disabled + +Type: REG_DWORD +Value: 1 + 1 + Disabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ + +Value Name: NC_AllowNetBridge_NLA + +Type: REG_DWORD +Value: 0 + 0 + NC_AllowNetBridge_NLA + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\EventViewer\ + +Value Name: MicrosoftEventVwrDisableLinks + +Type: REG_DWORD +Value: 1 + 1 + MicrosoftEventVwrDisableLinks + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoInternetOpenWith + +Type: REG_DWORD +Value: 1 + 1 + NoInternetOpenWith + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry 
Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: DisableEnclosureDownload + +Type: REG_DWORD +Value: 1 + 1 + DisableEnclosureDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: PreXPSP2ShellProtocolBehavior + +Type: REG_DWORD +Value: 0 + 0 + PreXPSP2ShellProtocolBehavior + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: SafeForScripting + +Type: REG_DWORD +Value: 0 + 0 + SafeForScripting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: EnableUserControl + +Type: REG_DWORD +Value: 0 + 0 + EnableUserControl + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: DisableLUAPatching + +Type: REG_DWORD +Value: 1 + 1 + DisableLUAPatching + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer + False + + Windows Media Player is not installed by default. 
If it is not installed, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: GroupPrivacyAcceptance + +Type: REG_DWORD +Value: 1 + 1 + GroupPrivacyAcceptance + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowLLTDIOOndomain +Value: 0 + 0 + AllowLLTDIOOndomain + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowLLTDIOOnPublicNet +Value: 0 + 0 + AllowLLTDIOOnPublicNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: EnableLLTDIO +Value: 0 + 0 + EnableLLTDIO + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: ProhibitLLTDIOOnPrivateNet +Value: 0 + 0 + ProhibitLLTDIOOnPrivateNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowRspndrOndomain +Value: 0 + 0 + AllowRspndrOndomain + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: 
AllowRspndrOnPublicNet +Value: 0 + 0 + AllowRspndrOnPublicNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: EnableRspndr +Value: 0 + 0 + EnableRspndr + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: ProhibitRspndrOnPrivateNet +Value: 0 + 0 + ProhibitRspndrOnPrivateNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableFlashConfigRegistrar +Value: 0 + 0 + DisableFlashConfigRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableInBand802DOT11Registrar +Value: 0 + 0 + DisableInBand802DOT11Registrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableUPnPRegistrar +Value: 0 + 0 + DisableUPnPRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableWPDRegistrar +Value: 0 + 0 + DisableWPDRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + 
Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: EnableRegistrars +Value: 0 + 0 + EnableRegistrars + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\UI\ + +Value Name: DisableWcnUi + +Type: REG_DWORD +Value: 1 + 1 + DisableWcnUi + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: AllowRemoteRPC + +Type: REG_DWORD +Value: 0 + 0 + AllowRemoteRPC + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSystemRestore + +Type: REG_DWORD +Value: 0 + 0 + DisableSystemRestore + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSendGenericDriverNotFoundToWER + +Type: REG_DWORD +Value: 1 + 1 + DisableSendGenericDriverNotFoundToWER + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the 
following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DontPromptForWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DontPromptForWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\HandwritingErrorReports\ + +Value Name: PreventHandwritingErrorReports + +Type: REG_DWORD +Value: 1 + 1 + PreventHandwritingErrorReports + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: DCSettingIndex + +Type: REG_DWORD +Value: 1 + 1 + DCSettingIndex + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: ACSettingIndex + +Type: REG_DWORD +Value: 1 + 1 + ACSettingIndex + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: LoggingEnabled + +Type: REG_DWORD +Value: 1 + 1 + LoggingEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet + True + {0} -notmatch '1|2' + If the following registry value exists and is set to "1" (Basic) or "2" (Advanced), this is a finding: + +If the registry value does not exist, this is not a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\ + +Value Name: SpyNetReporting + +Type: REG_DWORD +Value: 1 or 2 = a Finding + + SpyNetReporting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoHeapTerminationOnCorruption + +Type: REG_DWORD +Value: 0 + 0 + NoHeapTerminationOnCorruption + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WMDRM\ + +Value Name: DisableOnline + +Type: REG_DWORD +Value: 1 + 1 + DisableOnline + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoInPlaceSharing + +Type: REG_DWORD +Value: 1 + 1 + NoInPlaceSharing + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on 
Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableUIADesktopToggle + +Value Type: REG_DWORD +Value: 0 + 0 + EnableUIADesktopToggle + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableCcm + +Type: REG_DWORD +Value: 1 + 1 + fDisableCcm + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableLPT + +Type: REG_DWORD +Value: 1 + 1 + fDisableLPT + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisablePNPRedir + +Type: REG_DWORD +Value: 1 + 1 + fDisablePNPRedir + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEnableSmartCard + +Type: REG_DWORD +Value: 1 + 1 + fEnableSmartCard + 
Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ValidateAdminCodeSignatures + +Value Type: REG_DWORD +Value: 0 + 0 + ValidateAdminCodeSignatures + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\SQMClient\Windows\ + +Value Name: CEIPEnable + +Type: REG_DWORD +Value: 0 + 0 + CEIPEnable + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ + +Value Name: NoImplicitFeedback + +Type: REG_DWORD +Value: 1 + 1 + NoImplicitFeedback + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ + +Value Name: NoExplicitFeedback + +Type: REG_DWORD +Value: 1 + 1 + NoExplicitFeedback + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\System\CurrentControlSet\Services\LanmanServer\Parameters\ + +Value Name: SmbServerNameHardeningLevel + +Type: REG_DWORD +Value: 0 + 0 + SmbServerNameHardeningLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\ + +Value Name: UseMachineId + +Type: REG_DWORD +Value: 1 + 1 + UseMachineId + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\MSV1_0\ + +Value Name: allownullsessionfallback + +Type: REG_DWORD +Value: 0 + 0 + allownullsessionfallback + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\pku2u + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\pku2u\ + +Value Name: AllowOnlineID + +Type: REG_DWORD +Value: 0 + 0 + AllowOnlineID + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: DisableIPSourceRouting + +Type: REG_DWORD +Value: 2 + 2 + DisableIPSourceRouting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + True + {0} -le '3' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: 
HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: TcpMaxDataRetransmissions + +Value Type: REG_DWORD +Value: 3 (or less) + + TcpMaxDataRetransmissions + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ + +Value Name: NC_StdDomainUserSetLocation + +Type: REG_DWORD +Value: 1 + 1 + NC_StdDomainUserSetLocation + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: Force_Tunneling + +Type: REG_SZ +Value: Enabled + Enabled + Force_Tunneling + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DoNotInstallCompatibleDriverFromWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DoNotInstallCompatibleDriverFromWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Device Metadata\ + +Value Name: PreventDeviceMetadataFromNetwork + +Value Type: REG_DWORD +Value: 1 + 1 + PreventDeviceMetadataFromNetwork + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: SearchOrderConfig + +Type: REG_DWORD +Value: 0 + 0 + SearchOrderConfig + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ + +Value Name: DisableQueryRemoteServer + +Type: REG_DWORD +Value: 0 + 0 + DisableQueryRemoteServer + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ + +Value Name: EnableQueryRemoteServer + +Type: REG_DWORD +Value: 0 + 0 + EnableQueryRemoteServer + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ + +Value Name: ScenarioExecutionEnabled + +Type: REG_DWORD +Value: 0 + 0 + ScenarioExecutionEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry 
Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisableInventory + +Type: REG_DWORD +Value: 1 + 1 + DisableInventory + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoAutoplayfornonVolume + +Type: REG_DWORD +Value: 1 + 1 + NoAutoplayfornonVolume + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoDataExecutionPrevention + +Type: REG_DWORD +Value: 0 + 0 + NoDataExecutionPrevention + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoAutorun + +Type: REG_DWORD +Value: 1 + 1 + NoAutorun + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymousSAM + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictAnonymousSAM + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + '{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$' 
+ If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeCaption + +Value Type: REG_SZ +Value: See message title options below + +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. + +If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089. + +Automated tools may only search for the titles defined above. If a site-defined title is used, a manual review will be required. + + LegalNoticeCaption + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: 6to4_State + +Type: REG_SZ +Value: Disabled + Disabled + 6to4_State + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\ + +Value Name: IPHTTPS_ClientState + +Type: REG_DWORD +Value: 3 + 3 + IPHTTPS_ClientState + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: ISATAP_State + +Type: REG_SZ +Value: Disabled + Disabled + 
ISATAP_State + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: Teredo_State + +Type: REG_SZ +Value: Disabled + Disabled + Teredo_State + String + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security + True + {0} -ge '196608' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00030000 (196608) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSendRequestAdditionalSoftwareToWER + +Type: REG_DWORD +Value: 1 + 1 + DisableSendRequestAdditionalSoftwareToWER + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: AlwaysInstallElevated + +Type: REG_DWORD +Value: 0 + 0 + AlwaysInstallElevated + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\ControlPanel\Desktop + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: 
\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: ScreenSaveActive + +Type: REG_SZ +Value: 1 + +Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO: + +-The logon session does not have administrator rights. +-The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area. + 1 + ScreenSaveActive + String + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\ControlPanel\Desktop + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: ScreenSaverIsSecure + +Type: REG_SZ +Value: 1 + 1 + ScreenSaverIsSecure + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableIPAutoConfigurationLimits + +Type: REG_DWORD +Value: 1 + 1 + EnableIPAutoConfigurationLimits + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\ + +Value Name: UseWindowsUpdate + +Type: REG_DWORD +Value: 2 + 2 + UseWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry 
Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DriverServerSelection + +Type: REG_DWORD +Value: 1 + 1 + DriverServerSelection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Policies\EarlyLaunch\ + +Value Name: DriverLoadPolicy + +Type: REG_DWORD +Value: 1 + 1 + DriverLoadPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer + False + + The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoUseStoreOpenWith + +Type: REG_DWORD +Value: 1 + 1 + NoUseStoreOpenWith + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\ControlPanel\International + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Control Panel\International\ + +Value Name: BlockUserInputMethodsForSignIn + +Type: REG_DWORD +Value: 1 + 1 + BlockUserInputMethodsForSignIn + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: EnumerateLocalUsers + +Type: REG_DWORD +Value: 0 + 0 + EnumerateLocalUsers + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System + False + 
+ If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: DisableLockScreenAppNotifications + +Type: REG_DWORD +Value: 1 + 1 + DisableLockScreenAppNotifications + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisablePcaUI + +Type: REG_DWORD +Value: 0 + 0 + DisablePcaUI + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Appx\ + +Value Name: AllowAllTrustedApps + +Type: REG_DWORD +Value: 1 + 1 + AllowAllTrustedApps + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\ + +Value Name: Enabled + +Type: REG_DWORD +Value: 0 + 0 + Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\CredUI\ + +Value Name: DisablePasswordReveal + +Type: REG_DWORD +Value: 1 + 1 + DisablePasswordReveal + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System + False + + If the following registry value 
does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: EnableSmartScreen + +Type: REG_DWORD +Value: 0x00000002 (2) + 2 + EnableSmartScreen + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\ + +Value Name: DisableLocation + +Type: REG_DWORD +Value: 1 (Enabled) + +If location services are approved for the system by the organization, this may be set to "Disabled" (0). This must be documented with the ISSO. + 1 + DisableLocation + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: AllowBasicAuthInClear + +Type: REG_DWORD +Value: 0 + 0 + AllowBasicAuthInClear + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ +Type: REG_DWORD +Value Name: AutoDownload +Value: 0x00000002 (2) + 2 + AutoDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate\ +Type: REG_DWORD +Value Name: AutoDownload +Value: 0x00000002 (2) + 2 + AutoDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore + False + + The Windows Store is not installed by default. 
If the \Windows\WinStore directory does not exist, this is NA. +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ + +Value Name: RemoveWindowsStore + +Type: REG_DWORD +Value: 1 + 1 + RemoveWindowsStore + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0 + 0 + AllowBasic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0 + 0 + AllowUnencryptedTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowDigest + +Type: REG_DWORD +Value: 0 + 0 + AllowDigest + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0 + 0 + AllowBasic + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0 + 0 + AllowUnencryptedTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: DisableRunAs + +Type: REG_DWORD +Value: 1 + 1 + DisableRunAs + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + {0} -le '900' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: InactivityTimeoutSecs + +Value Type: REG_DWORD +Value: 0x00000384 (900) (or less) + + InactivityTimeoutSecs + Dword + + + Present + False + HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ + +Value Name: NoCloudApplicationNotification + +Type: REG_DWORD +Value: 1 + 1 + NoCloudApplicationNotification + Dword + + + Present + False + HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry 
Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ + +Value Name: NoToastApplicationNotificationOnLockScreen + +Type: REG_DWORD +Value: 1 + 1 + NoToastApplicationNotificationOnLockScreen + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: RedirectOnlyDefaultClientPrinter + +Type: REG_DWORD +Value: 1 + 1 + RedirectOnlyDefaultClientPrinter + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ + +Value Name: NoLockScreenSlideshow + +Value Type: REG_DWORD +Value: 1 + 1 + NoLockScreenSlideshow + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ + +Value Name: ProcessCreationIncludeCmdLine_Enabled + +Value Type: REG_DWORD +Value: 0x00000001 (1) + 1 + ProcessCreationIncludeCmdLine_Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System + False + + This requirement is NA for the initial release of Windows 2012. 
It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: DontDisplayNetworkSelectionUI + +Value Type: REG_DWORD +Value: 1 + 1 + DontDisplayNetworkSelectionUI + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + +Value Name: MSAOptional + +Value Type: REG_DWORD +Value: 1 + 1 + MSAOptional + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableAutomaticRestartSignOn + +Value Type: REG_DWORD +Value: 1 + 1 + DisableAutomaticRestartSignOn + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ + +Value Name: ForceKeyProtection + +Type: REG_DWORD +Value: 2 + 2 + ForceKeyProtection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest + False + + If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ + +Value Name: UseLogonCredential + +Type: REG_DWORD +Value: 0x00000000 (0) + +Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2. + 0 + UseLogonCredential + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + False + + This requirement specifically applies to Windows 2012 but can also be used for Windows 2012 R2. + +Different methods are available to disable SMBv1 on Windows 2012 R2, if V-73805 is configured on Windows 2012 R2, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ + +Value Name: SMB1 + +Type: REG_DWORD +Value: 0x00000000 (0) + 0 + SMB1 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ +Type: REG_DWORD +Value Name: Start +Value: 0x00000004 (4) + 4 + Start + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ +Type: REG_MULTI_SZ +Value Name: DependOnService +Value: Default values after removing MRxSmb10 include the following, which are not a finding: + Default;values;after;removing;MRxSmb10;include;the;following;which;are;not;a;finding: + DependOnService + MultiString + + + + + False + Accounts: Guest account status + Disabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. + + + False + Accounts: Rename guest account + + True + '{0}' -ne 'Guest' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. + + + False + Accounts: Rename administrator account + + True + '{0}' -ne 'Administrator' + Verify the effective setting in Local Group Policy Editor. 
+Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding. + + + False + Network access: Allow anonymous SID/Name translation + Disabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. + + + False + Network security: Force logoff when logon hours expire + Enabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding. + + + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + DFSR + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. 
+ +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + Dnscache + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + DNS + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + gpsvc + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. 
+ +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + IsmServ + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + Kdc + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + NetLogon + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. 
+ +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + W32Time + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + NTDS + Running + Automatic + + + Present + False + False + + Run "Services.msc". + +Verify the McAfee Agent service is running, depending on the version installed. + +Version - Service Name +McAfee Agent v5.x - McAfee Agent Service +McAfee Agent v4.x - McAfee Framework Service + +If the service is not listed or does not have a Status of "Started", this is a finding. + McAfee + Running + Automatic + + + Present + False + False + + Verify the Fax (fax) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Fax (fax) + fax + Stopped + Disabled + + + Present + False + False + + If the server has the role of an FTP server, this is NA. + +Run "Services.msc". + +If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disabled, this is a finding. + FTPSVC + Stopped + Disabled + + + Present + False + False + + Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. 
+ +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Peer Networking Identity Manager (p2pimsvc) + p2pimsvc + Stopped + Disabled + + + Present + False + False + + Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Simple TCP/IP Services (simptcp) + simptcp + Stopped + Disabled + + + Present + False + False + + Verify the Telnet (tlntsvr) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Telnet (tlntsvr) + tlntsvr + Stopped + Disabled + + + Present + False + False + + Verify the Smart Card Removal Policy service is configured to "Automatic". + +Run "Services.msc". + +If the Startup Type for Smart Card Removal Policy is not set to Automatic, this is a finding. + SCPolicySvc + Running + Automatic + + + + + SeTcbPrivilege + Act as part of the operating system + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. + + + SeDenyNetworkLogonRight + Deny access to this computer from the network + False + Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: + +Guests Group + + + SeSyncAgentPrivilege + Synchronize directory service data + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Synchronize directory service data" user right, this is a finding. + + + SeDebugPrivilege + Debug programs + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: + +Administrators + + + SeTrustedCredManAccessPrivilege + Access Credential Manager as a trusted caller + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding. + + + SeNetworkLogonRight + Access this computer from the network + True + Administrators,Authenticated Users,Enterprise Domain Controllers + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding: + +Administrators +Authenticated Users +Enterprise Domain Controllers + + + SeInteractiveLogonRight + Allow log on locally + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: + +Administrators + + + SeRemoteInteractiveLogonRight + Allow log on through Remote Desktop Services + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: + +Administrators + + + SeBackupPrivilege + Back up files and directories + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: + +Administrators + + + SeSystemtimePrivilege + Change the system time + True + Administrators,Local Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Change the system time" user right, this is a finding: + +Administrators +Local Service + + + SeCreatePagefilePrivilege + Create a pagefile + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: + +Administrators + + + SeCreateTokenPrivilege + Create a token object + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Create a token object" user right, this is a finding. + + + SeCreateGlobalPrivilege + Create global objects + True + Administrators,Service,Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: + +Administrators +Service +Local Service +Network Service + + + SeCreatePermanentPrivilege + Create permanent shared objects + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding. + + + SeCreateSymbolicLinkPrivilege + Create symbolic links + True + Administrators,{Hyper-V} + False + True + '{0}' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: + +Administrators + +Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines"). This is not a finding. + + + SeDenyBatchLogonRight + Deny log on as a batch job + False + Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding: + +Guests Group + + + SeDenyServiceLogonRight + Deny log on as a service + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding. 
+ + + SeDenyInteractiveLogonRight + Deny log on locally + False + Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: + +Guests Group + + + SeDenyRemoteInteractiveLogonRight + Deny log on through Remote Desktop Services + False + Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: + +Guests Group + + + SeEnableDelegationPrivilege + Enable computer and user accounts to be trusted for delegation + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding: + +Administrators + + + SeRemoteShutdownPrivilege + Force shutdown from a remote system + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: + +Administrators + + + SeAuditPrivilege + Generate security audits + True + Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: + +Local Service +Network Service + + + SeImpersonatePrivilege + Impersonate a client after authentication + True + Administrators,Service,Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: + +Administrators +Service +Local Service +Network Service + + + SeIncreaseBasePriorityPrivilege + Increase scheduling priority + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding: + +Administrators + + + SeLoadDriverPrivilege + Load and unload device drivers + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding: + +Administrators + + + SeLockMemoryPrivilege + Lock pages in memory + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. + + + SeSecurityPrivilege + Manage auditing and security log + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: + +Administrators + +If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. + +If an application requires this user right, this would not be a finding. +Vendor documentation must support the requirement for having the user right. +The requirement must be documented with the ISSO. +The application account must meet requirements for application account passwords, such as length (V-36661) and required changes frequency (V-36662). + + + SeRelabelPrivilege + Modify an object label + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups are granted the "Modify an object label" user right, this is a finding. + + + SeSystemEnvironmentPrivilege + Modify firmware environment values + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding: + +Administrators + + + SeManageVolumePrivilege + Perform volume maintenance tasks + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: + +Administrators + + + SeProfileSingleProcessPrivilege + Profile single process + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding: + +Administrators + + + SeSystemProfilePrivilege + Profile system performance + True + Administrators,NT Service\WdiServiceHost + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Profile system performance" user right, this is a finding: + +Administrators +NT Service\WdiServiceHost + + + SeAssignPrimaryTokenPrivilege + Replace a process level token + True + Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Replace a process level token" user right, this is a finding: + +Local Service +Network Service + + + SeRestorePrivilege + Restore files and directories + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding: + +Administrators + + + SeTakeOwnershipPrivilege + Take ownership of files or other objects + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: + +Administrators + + + SeMachineAccountPrivilege + Add workstations to domain + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding: + +Administrators + + + + + SMB1Protocol + Absent + False + False + + This requirement applies to Windows 2012 R2, it is NA for Windows 2012 (see V-73519 and V-73523 for 2012 requirements). + +Different methods are available to disable SMBv1 on Windows 2012 R2. This is the preferred method, however if V-73519 and V-73523 are configured, this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). +Enter the following: +Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol + +If "State : Enabled" is returned, this is a finding. + +Alternately: +Search for "Features". +Select "Turn Windows features on or off". + +If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding. + + + + + Win32_OperatingSystem + False + -ge + False + + Version + Run "winver.exe". + +If the "About Windows" dialog box does not display +"Microsoft Windows Server +Version 6.2 (Build 9200)" +or greater, this is a finding. + +No preview versions will be used in a production environment. + +Unsupported Service Packs/Releases: +Windows 2012 - any release candidates or versions prior to the initial release. + 6.2.9200 + + + Win32_LogicalDisk + False + -match + False + + FileSystem + Open "Computer Management". + +Select "Disk Management" under "Storage". + +For each local volume, if the file system does not indicate "NTFS", this is a finding. + +"ReFS" (Resilient File System) is also acceptable and would not be a finding. + +This does not apply to system partitions such as the Recovery and EFI System Partition. + NTFS|ReFS + + + 
diff --git a/src/StigData/Windows-2012R2-DC-2.9.org.default.xml b/src/StigData/Windows-2012R2-DC-2.9.org.default.xml new file mode 100644 index 000000000..5b3c9aadb --- /dev/null +++ b/src/StigData/Windows-2012R2-DC-2.9.org.default.xml @@ -0,0 +1,73 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StigData/Windows-2012R2-DC-2.9.xml b/src/StigData/Windows-2012R2-DC-2.9.xml new file mode 100644 index 000000000..40a4272da --- /dev/null +++ b/src/StigData/Windows-2012R2-DC-2.9.xml 
@@ -0,0 +1,8569 @@ + + + + False + True + '{0}' -le '3' -and '{0}' -ne '0' + Account lockout threshold + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy. + +If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding. + + + False + True + '{0}' -ge '15' + Reset account lockout counter after + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding. + + + False + True + '{0}' -ge '15' -or '{0}' -eq '0' + Account lockout duration + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. + +Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding. + + + False + True + '{0}' -le '60' -and '{0}' -ne '0' + Maximum password age + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding. + + + False + True + '{0}' -ne '0' + Minimum password age + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately."), this is a finding. + + + False + True + '{0}' -ge '24' + Enforce password history + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding. + + + False + False + + Password must meet complexity requirements + Enabled + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. + +Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes. + + + False + False + + Store passwords using reversible encryption + Disabled + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding. + + + False + True + '{0}' -ge '14' + Minimum password length + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Minimum password length," is less than "14" characters, this is a finding. + + + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Logon -> Credential Validation - Success + Credential Validation + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Logon -> Credential Validation - Failure + Credential Validation + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Computer Account Management - Success + Computer Account Management + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Computer Account Management - Failure + Computer Account Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Other Account Management Events - Success + Other Account Management Events + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). 
+-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Other Account Management Events - Failure + Other Account Management Events + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Security Group Management - Success + Security Group Management + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Security Group Management - Failure + Security Group Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). 
+-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> User Account Management - Success + User Account Management + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> User Account Management - Failure + User Account Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Detailed Tracking -> Process Creation - Success + Process Creation + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logoff - Success + Logoff + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logon - Success + Logon + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logon - Failure + Logon + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Logon/Logoff -> Special Logon - Success + Special Logon + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Audit Policy Change - Success + Audit Policy Change + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Audit Policy Change - Failure + Audit Policy Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Policy Change -> Authentication Policy Change - Success + Authentication Policy Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Privilege Use -> Sensitive Privilege Use - Success + Sensitive Privilege Use + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Privilege Use -> Sensitive Privilege Use - Failure + Sensitive Privilege Use + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> IPsec Driver - Success + IPsec Driver + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> IPsec Driver - Failure + IPsec Driver + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security State Change - Success + Security State Change + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> Security State Change - Failure + Security State Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security System Extension - Success + Security System Extension + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security System Extension - Failure + Security System Extension + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> System Integrity - Success + System Integrity + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> System Integrity - Failure + System Integrity + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. + +DS Access -> Directory Service Access - Success + Directory Service Access + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. 
+ +DS Access -> Directory Service Access - Failure + Directory Service Access + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. + +DS Access -> Directory Service Changes - Success + Directory Service Changes + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. + +DS Access -> Directory Service Changes - Failure + Directory Service Changes + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Object Access >> Removable Storage - Failure + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. + Removable Storage + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Success + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. + Removable Storage + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Object Access -> Central Policy Staging - Failure + Central Policy Staging + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access -> Central Policy Staging - Success + Central Policy Staging + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Authorization Policy Change - Success + Authorization Policy Change + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Policy Change -> Authorization Policy Change - Failure + Authorization Policy Change + + + + + False + False + + Run "PowerShell". + +Member servers and standalone systems: +Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) + +"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { + $user = ([ADSI]$_.Path) + $lastLogin = $user.Properties.LastLogin.Value + $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 + if ($lastLogin -eq $null) { + $lastLogin = 'Never' + } + Write-Host $user.Name $lastLogin $enabled +}" + +This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). +For example: User1 10/31/2015 5:49:56 AM True + +Domain Controllers: +Enter the following command in PowerShell. +"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" + +This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. + +Review the list of accounts returned by the above queries to determine the finding validity for each account reported. + +Exclude the following accounts: +Built-in administrator account (Renamed, SID ending in 500) +Built-in guest account (Renamed, Disabled, SID ending in 501) +Application accounts + +If any enabled accounts have not been logged on to within the past 35 days, this is a finding. + +Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO. + + + False + False + + If FTP is not installed on the system, this is NA. + +Determine the IP address and port number assigned to FTP sites from documentation or configuration. + +If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. 
+ +For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. + +Open a "Command Prompt". + +Attempt to log on as the user "anonymous" with the following commands: + +Note: Returned results may vary depending on the FTP server software. + +C:\> "ftp" +ftp> "Open IP Address Port" +(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) +(Connected to IP Address +220 Microsoft FTP Service) + +User (IP Address): "anonymous" +(331 Anonymous access allowed, send identity (e-mail name) as password.) + +Password: "password" +(230 User logged in.) +ftp> + +If the response indicates that an anonymous FTP login was permitted, this is a finding. + +If accounts with administrator privileges are used to access FTP, this is a CAT I finding. + + + False + False + + If FTP is not installed on the system, this is NA. + +Determine the IP address and port number assigned to FTP sites from documentation or configuration. + +If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. + +For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. + +Open a "Command Prompt". + +Access the FTP site and review accessible directories with the following commands: + +Note: Returned results may vary depending on the FTP server software. + +C:\> "ftp" +ftp> "Open IP Address Port" +(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) +(Connected to IP Address +220 Microsoft FTP Service) + +User (IP Address): "FTP User" +(Substituting [FTP User] with an account identified that is allowed access. 
If it was determined that anonymous access was allowed to the site [see V-1120], also review access using "anonymous".) + (331 Password required) + +Password: "Password" +(Substituting [Password] with password for the account attempting access.) +(230 User ftpuser logged in.) + +ftp> "Dir" + +If the FTP session indicates access to areas of the system other than the specific folder for FTP data, such as the root of the drive, Program Files or Windows directories, this is a finding. + + + False + False + + If no accounts are members of the Backup Operators group, this is NA. + +Any accounts that are members of the Backup Operators group, including application accounts, must be documented with the ISSO. If documentation of accounts that are members of the Backup Operators group is not maintained this is a finding. + + + False + False + + Determine whether there is a host-based Intrusion Detection System on each server. + +If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. + +A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO. + +If a host-based Intrusion Detection System is not installed on the system, this is a finding. + + + False + False + + Required services will vary between organizations, and on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the ISSO. The site's list will be provided for any security review. Services common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. + +Individual services specifically required to be disabled per the STIG are identified in separate requirements. 
+ +If the site has not documented the services required for their system(s), this is a finding. + +The following can be used to view the services on a system: +Run "Services.msc". + +Services for Windows Server 2012 roles are managed automatically, adding those necessary for a particular role. The following lists the default services for a baseline installation as a reference. This can be used as a basis for documenting the services necessary. + +Default Installation +Name - Startup Type +Application Experience - Manual (Trigger Start) +Application Identity - Manual (Trigger Start) +Application Information - Manual +Application Layer Gateway Service - Manual +Application Management - Manual +Background Intelligent Transfer Service - Automatic (Delayed Start) +Background Tasks Infrastructure Service - Automatic +Base Filtering Engine - Automatic +Certificate Propagation - Manual +CNG Key Isolation - Manual (Trigger Start) +COM+ Event System - Automatic +COM+ System Application - Manual +Computer Browser - Disabled +Credential Manager - Manual +Cryptographic Services - Automatic +DCOM Server Process Launcher - Automatic +Device Association Service - Manual (Trigger Start) +Device Install Service - Manual (Trigger Start) +Device Setup Manager - Manual (Trigger Start) +DHCP Client - Automatic +Diagnostic Policy Service - Automatic (Delayed Start) +Diagnostic Service Host - Manual +Diagnostic System Host - Manual +Distributed Link Tracking Client - Automatic +Distributed Transaction Coordinator - Automatic (Delayed Start) +DNS Client - Automatic (Trigger Start) +Encrypting File System (EFS) - Manual (Trigger Start) +Extensible Authentication Protocol - Manual +Function Discovery Provider Host - Manual +Function Discovery Resource Publication - Manual +Group Policy Client - Automatic (Trigger Start) +Health Key and Certificate Management - Manual +Human Interface Device Access - Manual (Trigger Start) +Hyper-V Data Exchange Service - Manual (Trigger Start) +Hyper-V Guest 
Shutdown Service - Manual (Trigger Start) +Hyper-V Heartbeat Service - Manual (Trigger Start) +Hyper-V Remote Desktop Virtualization Service - Manual (Trigger Start) +Hyper-V Time Synchronization Service - Manual (Trigger Start) +Hyper-V Volume Shadow Copy Requestor - Manual (Trigger Start) +IKE and AuthIP IPsec Keying Modules - Manual (Trigger Start) +Interactive Services Detection - Manual +Internet Connection Sharing (ICS) - Disabled +IP Helper - Automatic +IPsec Policy Agent - Manual (Trigger Start) +KDC Proxy Server service (KPS) - Manual +KtmRm for Distributed Transaction Coordinator - Manual (Trigger Start) +Link-Layer Topology Discovery Mapper - Manual +Local Session Manager - Automatic +Microsoft iSCSI Initiator Service - Manual +Microsoft Software Shadow Copy Provider - Manual +Multimedia Class Scheduler - Manual +Net.Tcp Port Sharing Service - Disabled +Netlogon - Manual +Network Access Protection Agent - Manual +Network Connections - Manual +Network Connectivity Assistant - Manual (Trigger Start) +Network List Service - Manual +Network Location Awareness - Automatic +Network Store Interface Service - Automatic +Optimize drives - Manual +Performance Counter DLL Host - Manual +Performance Logs & Alerts - Manual +Plug and Play - Manual +Portable Device Enumerator Service - Manual (Trigger Start) +Power - Automatic +Print Spooler - Automatic +Printer Extensions and Notifications - Manual +Problem Reports and Solutions Control Panel Support - Manual +Remote Access Auto Connection Manager - Manual +Remote Access Connection Manager - Manual +Remote Desktop Configuration - Manual +Remote Desktop Services - Manual +Remote Desktop Services UserMode Port Redirector - Manual +Remote Procedure Call (RPC) - Automatic +Remote Procedure Call (RPC) Locator - Manual +Remote Registry - Automatic (Trigger Start) +Resultant Set of Policy Provider - Manual +Routing and Remote Access - Disabled +RPC Endpoint Mapper - Automatic +Secondary Logon - Manual +Secure Socket 
Tunneling Protocol Service - Manual +Security Accounts Manager - Automatic +Server - Automatic +Shell Hardware Detection - Automatic +Smart Card - Disabled +Smart Card Removal Policy - Manual +SNMP Trap - Manual +Software Protection - Automatic (Delayed Start, Trigger Start) +Special Administration Console Helper - Manual +Spot Verifier - Manual (Trigger Start) +SSDP Discovery - Disabled +Superfetch - Manual +System Event Notification Service - Automatic +Task Scheduler - Automatic +TCP/IP NetBIOS Helper - Automatic (Trigger Start) +Telephony - Manual +Themes - Automatic +Thread Ordering Server - Manual +UPnP Device Host - Disabled +User Access Logging Service - Automatic (Delayed Start) +User Profile Service - Automatic +Virtual Disk - Manual +Volume Shadow Copy - Manual +Windows All-User Install Agent - Manual (Trigger Start) +Windows Audio - Manual +Windows Audio Endpoint Builder - Manual +Windows Color System - Manual +Windows Driver Foundation - User-mode Driver Framework - Manual (Trigger Start) +Windows Error Reporting Service - Manual (Trigger Start) +Windows Event Collector - Manual +Windows Event Log - Automatic +Windows Firewall - Automatic +Windows Font Cache Service - Automatic +Windows Installer - Manual +Windows Licensing Monitoring Service - Automatic +Windows Management Instrumentation - Automatic +Windows Modules Installer - Manual +Windows Remote Management (WS-Management) - Automatic +Windows Store Service (WSService) - Manual (Trigger Start) +Windows Time - Manual (Trigger Start) +Windows Update - Manual +WinHTTP Web Proxy Auto-Discovery Service - Manual +Wired AutoConfig - Manual +WMI Performance Adapter - Manual +Workstation - Automatic + + + False + False + + With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. 
+ +Determine the classification level of the Windows domain controller. + +If the classification level of the Windows domain controller is higher than the level of the networks, review the site network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. + +If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding. + + + False + False + + Search all drives for *.p12 and *.pfx files. + +If any files with these extensions exist, this is a finding. + +This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager). Some applications create files with extensions of .p12 that are NOT certificate installation files. Removal of noncertificate installation files from systems is not required. These must be documented with the ISSO. + + + False + False + + Open "PowerShell" as Administrator. + +Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled" -AutoSize. + +Review the User Principal Name (UPN) of user accounts, including administrators. + +Exclude the built-in accounts such as Administrator and Guest. + +If the User Principal Name (UPN) is not in the format of an individual's Electronic Data Interchange - Personnel Identifier (EDI-PI) and the appropriate domain suffix, this is a finding. + +NIPRNET Example: +Name - User Principal Name +User1 - 1234567890@mil + +See PKE documentation for other network domain suffixes. + +If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. + + + False + False + + Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. + +Run "PowerShell" as an administrator. 
+Execute the following command: +Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB + +Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". +If there are no entries for "DoD Root CA 2", "DoD Root CA 3", and "DoD Root CA 4", this is a finding. + +For each of the DoD Root CA certificates noted above: +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the value for the "Thumbprint" field is not as noted below, this is a finding. +DoD Root CA 2 - 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 +DoD Root CA 3 - D73CA91102A2204A36459ED32213B467D7CE97FB +DoD Root CA 4 - B8269F25DBD937ECAFD4C35A9838571723F2D026 + +The thumbprints referenced apply to unclassified systems; see PKE documentation for other networks. + + + False + False + + Verify the permissions on Group Policy objects. + +Open "Group Policy Management". (Available from various menus or run "gpmc.msc".) +Navigate to "Group Policy Objects" in the domain being reviewed (Forest > Domains > Domain). + +For each Group Policy object: +Select the Group Policy object item in the left pane. +Select the Delegation tab in the right pane. 
+Select the Advanced button. + +If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding. + +Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. + +The default permissions noted below meet this requirement. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry, and the Edit button. + +Authenticated Users - Read, Apply group policy, Special permissions + +The Special permissions for Authenticated Users are for Read type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +The Special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties. + +CREATOR OWNER - Special permissions + +SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions + +Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions + +Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects. + +The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification is explicitly documented with the ISSO. 
+ + + False + False + + Review the necessary documentation that identifies the members of the Administrators group. If a list of all users belonging to the Administrators group is not maintained with the ISSO, this is a finding. + + + False + False + + Verifying the permissions on domain defined OUs. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. + +For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: +Right click the OU and select Properties. +Select the Security tab. + +If the permissions on the OU are not at least as restrictive as those below, this is a finding. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry and the Edit button. + +Self - Special permissions + +Authenticated Users - Read, Special permissions +The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +SYSTEM - Full Control + +Domain Admins - Full Control + +Enterprise Admins - Full Control + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions +The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO. 
+ + + False + False + + Determine whether system-related documentation is backed up in accordance with local recovery time and recovery point objectives. If system-related documentation is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + + + False + False + + Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding. + + + False + False + + Determine whether any shared accounts exist. If no shared accounts exist, this is NA. +If shared accounts exist, this is a finding. + + + False + False + + Verify a supported DoD antivirus product has been installed on the system. + +If McAfee VirusScan Enterprise 8.8 Patch 3 or later is not installed on the system, this is a finding. + +If another recognized antivirus product is installed, this would still be a finding; however, the severity may be reduced to a CAT III. + + + False + False + + Determine whether system-level information is backed up in accordance with local recovery time and recovery point objectives. If system-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + False + False + + Verify the local system boots directly into Windows. + +Open Control Panel. +Select "System". +Select the "Advanced System Settings" link. +Select the "Advanced" tab. +Click the "Startup and Recovery" Settings button. + +If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding. + + + False + False + + Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. + +Standard user accounts must not be members of the local administrator group. 
+ +If prohibited accounts are members of the local administrators group, this is a finding. + +The built-in Administrator account or other required administrative accounts would not be a finding. + + + False + False + + Verify security configuration tools or equivalent processes are being used to configure Windows systems to meet security requirements. If security configuration tools or equivalent processes are not used, this is a finding. + +Security configuration tools that are integrated into Windows, such as Group Policies and Security Templates, may be used to configure platforms for security compliance. + +If an alternate method is used to configure a system (e.g., manually using the DISA Windows Security STIGs, etc.) and the same configured result is achieved, this is acceptable. + + + False + False + + Open "Devices and Printers" in Control Panel or through Search. +If there are no printers configured, this is NA. + +For each configured printer: +Right click on the printer. +Select "Printer Properties". +Select the "Sharing" tab. +View whether "Share this printer" is checked. + +For any printers with "Share this printer" selected: +Select the Security tab. + +If any standard user accounts or groups have permissions other than "Print", this is a finding. +Standard users will typically be given "Print" permission through the Everyone group. +"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement. + + + False + False + + Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. 
+ + + False + False + + Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the value for "Maximum lifetime for service ticket" is 0 or greater than 600 minutes, this is a finding. + + + False + False + + Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the value for "Maximum lifetime for user ticket" is 0 or greater than 10 hours, this is a finding. + + + False + False + + Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the "Maximum lifetime for user ticket renewal" is greater than 7 days, this is a finding. + + + False + False + + Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. 
+ +If the "Maximum tolerance for computer clock synchronization" is greater than 5 minutes, this is a finding. + + + False + False + + Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding. + +A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement. + + + False + False + + If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. +(System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) + +Run "Computer Management". +Navigate to System Tools >> Shared Folders >> Shares. + +Right click any non-system-created shares. +Select "Properties". +Select the "Share Permissions" tab. + +If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. + +Select the "Security" tab. + +If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. + + + False + False + + Run the DUMPSEC utility. +Select "Dump Users as Table" from the "Report" menu. +Select the following fields, and click "Add" for each entry: + +UserName +SID +PswdExpires +AcctDisabled +Groups + +If any accounts have "No" in the "PswdExpires" column, this is a finding. 
+ +The following are exempt from this requirement: +Application Accounts +Domain accounts requiring smart card (CAC/PIV) + +The following PowerShell command may be used on domain controllers to list accounts with the Password Never Expires flag: +Search-ADAccount -PasswordNeverExpires -UsersOnly + + + False + False + + Verify all accounts require passwords. + +Run the DUMPSEC utility. +Select "Dump Users as Table" from the "Report" menu. +Select the following fields, and click "Add" for each entry: + +UserName +SID +PswdRequired +AcctDisabled +Groups + +If any accounts have "No" in the "PswdRequired" column, this is a finding. + +Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) may not have this flag set, even though there are passwords present. It can be set by entering the following on a command line: "Net user <account_name> /passwordreq:yes". + + + False + False + + Refer to the AD database location obtained in check V-8316. Note the logical drive (e.g., C:) on which the files are located. + +Determine if the server is currently providing file sharing services to users with the following command. +Enter "net share" at a command prompt. + +Note the logical drive(s) or file system partition for any site-created data shares. +Ignore all system shares (e.g., Windows NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored. + +If user shares are located on the same logical partition as the directory server data files, this is a finding. + + + False + False + + Review the roles and services the domain controller is running. +Run "services.msc" to display the Services console. + +Determine if any running services are application components. + +Examples of services indicating the presence of applications are: +-DHCP Server for DHCP server +-IIS Admin Service for IIS web server +-Microsoft Exchange System Attendant for Exchange +-MSSQLServer for SQL Server. 
+ +If any application-related components have the "Started" status, this is a finding. + +Installed roles can be displayed by viewing Server Roles in the Add (or Remove) Roles and Features wizard. (Cancel before any changes are made.) + +Determine if any additional server roles are installed. A basic domain controller set up will include the following: +-Active Directory Domain Services +-DNS Server +-File and Storage Services + +If any roles not requiring installation on a domain controller are installed, this is a finding. + +Supplemental Notes: +A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. + +Some directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are dedicated to directory server support and only administrative users have access to them. + + + False + False + + Determine if any system administrators have left the organization within the last year. + +Run the DUMPSEC utility. +Select "Dump Users as Table" from the "Report" menu. +Select the following fields, and click "Add" for each entry: + +UserName +SID +PwsdLastSetTime + +If the built-in Administrator account has a date older than one year in the "PwsdLastSetTime" column, this is a finding. +If any system administrators has left the organization within the last year and the "PwsdLastSetTime" field reflects the built-in Administrator account password was not changed at that time, this is a finding. + + + False + False + + At this time, this is a finding for all Windows domain controllers for sensitive or classified levels as Windows Active Directory Domain Services (AD DS) does not provide a method to restrict anonymous access to the root DSE on domain controllers. + +The following can be used to verify anonymous access is allowed. 
+ +Open a command prompt (not elevated). +Run "ldp.exe". +From the Connection menu, select Bind. +Clear the User, Password, and Domain fields. +Select Simple bind for the Bind type, Click OK. + +RootDSE attributes should display, such as various namingContexts. + +Confirmation of anonymous access will be displayed at the end: +res = ldap_simple_bind_s +Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' + + + False + False + + Verify anonymous access is not allowed to the AD domain naming context. + +Open a command prompt (not elevated). +Run "ldp.exe". +From the Connection menu, select Bind. +Clear the User, Password, and Domain fields. +Select Simple bind for the Bind type, Click OK. + +Confirmation of anonymous access will be displayed at the end: +res = ldap_simple_bind_s +Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' + +From the Browse menu, select Search. +In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. +Clear the Attributes field and select Run. + +Error messages should display related to bind and user not authenticated. + +If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding. + + + False + False + + Verify the source of the domain controller's server certificate. + +Run "mmc". +Select "Add/Remove Snap-in" from the File menu. +Select "Certificates" in the left pane and click the "Add >" button. +Select "Computer Account", click "Next". +Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". +Click "OK". +Select and expand the Certificates (Local Computer) entry in the left pane. +Select and expand the Personal entry in the left pane. +Select the Certificates entry in the left pane. +In the right pane, examine the Issued By field for the certificate to determine the issuing CA. 
+ +If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding. + + +There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: + +The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. + +DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE. +http://iase.disa.mil/pki-pke/function_pages/tools.html + + + False + False + + Verify the value for MaxConnIdleTime. + +Open an elevated command prompt. +Enter "ntdsutil". +At the "ntdsutil:" prompt, enter "LDAP policies". +At the "ldap policy:" prompt, enter "connections". +At the "server connections:" prompt, enter "connect to server [host-name]". +(Where [host-name] is the computer name of the domain controller.) +At the "server connections:" prompt, enter "q". +At the "ldap policy:" prompt, enter "show values". + +If the value for MaxConnIdleTime is greater than 300 (the value for five minutes) or it is not specified, this is a finding. + +Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. + + +Alternately, Dsquery can be used to display MaxConnIdleTime: + +Open an elevated command prompt. +Enter the following command (on a single line). +dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits +The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). 
+ + + False + False + + Verify active directory user accounts, including administrators, have "Smart card is required for interactive logon" selected. + +Run "PowerShell". +Enter the following: +"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name" +("DistinguishedName" may be substituted for "Name" for more detailed output.) +If any user accounts are listed, this is a finding. + +Alternately: +To view sample accounts in "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"): +Select the Organizational Unit (OU) where the User accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) +Right click the sample User account and select "Properties". +Select the "Account" tab. +If any User accounts do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding. + + + False + False + + Verify whether the registry key below exists. If it does not exist or the value is "0", this is not a finding. +If the registry key exists and contains a value other than "0", continue below. + +The values are determined by the selection of encryption suites in the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network Security: Configure encryption types allowed for Kerberos". + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ +Value Name: SupportedEncryptionTypes +Type: REG_DWORD + +Due to the number of possible combinations that may include the DES encryption types, it is not possible to include all acceptable values as viewed directly in the registry. + +If the registry key does exist, the value must be converted to binary to determine configuration of specific bits. This will determine whether this is a finding. + +Note the value for the registry key. 
+For example, when all suites, including the DES suites are selected, the value will be "0x7fffffff (2147483647)". + +Open the Windows calculator (Run/Search for "calc"). +Select "View", then "Programmer". +Select "Dword" and either "Hex" or "Dec". +Enter the appropriate form of the value found for the registry key (e.g., Hex - enter 0x7fffffff, Dec - enter 2147483647) +Select "Bin". +The returned value may vary in length, up to 32 characters. +If the either of 2 right most characters are "1", this is a finding. +If the both of 2 right most characters are "0", this is not a finding. + + + False + False + + Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. + +Run "PowerShell" as an administrator. +Execute the following command: +Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". 
+Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Issued To - Issued By - Thumbprint +DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F +DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 +DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 + + + False + False + + Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. + +The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. + +Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. + +If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding. + + + False + False + + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. 
+ +If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. + + + False + False + + Verify the site has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. If such a policy does not exist or has not been implemented, this is a finding. + + + False + False + + Determine if any system administrators with knowledge of application account passwords have left the organization within the last year. + +Run the DUMPSEC utility. +Select "Dump Users as Table" from the "Report" menu. +Select the following fields, and click "Add" for each entry: + +UserName +SID +PwsdLastSetTime + +If any application accounts listed that are manually managed and have a date older than one year in the "PwsdLastSetTime" column, this is a finding. +If any system administrators with knowledge of application account passwords have left the organization within the last year and the "PwsdLastSetTime" field reflects that application account passwords were not changed at that time, this is a finding. + + + False + False + + Determine whether the site has a policy that requires SAs be trained for all operating systems running on systems under their control. If the site does not have a policy requiring SAs be trained for all operating systems under their control, this is a finding. + + + False + False + + Determine whether audit logs are reviewed on a predetermined schedule. If audit logs are not reviewed on a regular basis, this is a finding. + + + False + False + + Determine whether audit data is retained for at least one year. If the audit data is not retained for at least a year, this is a finding. + + + False + False + + Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding. 
+ + + False + False + + Determine whether user-level information is backed up in accordance with local recovery time and recovery point objectives. If user-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + False + False + + Verify the operating system employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If it does not, this is a finding. + + + False + False + + Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding. + + + False + False + + Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding. + + + False + False + + Verify the auditing configuration for group policy objects. + +Open "Group Policy Management". (Available from various menus, or run "gpmc.msc".) +Navigate to "Group Policy Objects" in the domain being reviewed (Forest > Domains > Domain). + +For each Group Policy object: +Select the Group Policy Object item in the left pane. +Select the Delegation tab in the right pane. +Select the Advanced button. +Select the Advanced button again and then the Auditing tab. + +If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects + +The three Success types listed below are defaults inherited from the Parent Object. 
Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - Parent Object +Applies to - Descendant groupPolicyContainer objects +(Access - Special = Permissions: Write all properties, Modify permissions) + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - Parent Object +Applies to - Descendant Organization Unit Objects + + + False + False + + Verify the permissions on the Domain Controllers OU. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Select Advanced Features in the View menu if not previously selected. +Navigate to the Domain Controllers OU (folder in folder icon). +Right click the OU and select Properties. +Select the Security tab. + +If the permissions on the Domain Controllers OU are not at least as restrictive as those below, this is a finding. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry, and the Edit button. + +SELF - Special permissions + +Authenticated Users - Read, Special permissions +The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. 
+ +SYSTEM - Full Control + +Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Enterprise Admins - Full Control + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions +The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + + + False + False + + Verify the domain controller has a PKI server certificate. + +Run "mmc". +Select "Add/Remove Snap-in" from the File menu. +Select "Certificates" in the left pane and click the "Add >" button. +Select "Computer Account", click "Next". +Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". +Click "OK". +Select and expand the Certificates (Local Computer) entry in the left pane. +Select and expand the Personal entry in the left pane. +Select the Certificates entry in the left pane. + +If no certificate for the domain controller exists in the right pane, this is a finding. + + + False + False + + Determine if system-level information backups are protected from destruction and stored in a physically secure location. If they are not, this is a finding. + + + False + False + + This requirement is NA if McAfee VirusScan Enterprise (VSE) is used. It will be addressed with the corresponding McAfee VSE STIG. + +Configurations will vary depending on the product. + +Review the antivirus program signature update configuration. + +If the antivirus program is not configured to update the signature files on a daily basis, this is a finding. 
+ +It may not be possible for systems to receive updates on a daily basis due to various factors. If the signature file is more than a week old, this is a finding. + + + False + False + + If no accounts are members of the Backup Operators group, this is NA. + +Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding. + + + False + False + + Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. + +Run "PowerShell" as an administrator. +Execute the following command: +Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. 
+ +Issued To - Issued By - Thumbprint +DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 + + + False + False + + Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. + +The configuration requirements will be determined by the applicable firewall STIG. + + + False + False + + This is applicable to unclassified systems, for other systems this is NA. + +Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + +If an application whitelisting program is not in use on the system, this is a finding. + +Configuration of whitelisting applications will vary by the program. + +AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. + +If AppLocker is used, perform the following to view the configuration of AppLocker: +Open PowerShell. + +If the AppLocker PowerShell module has not been previously imported, execute the following first: +Import-Module AppLocker + +Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: +Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml + +This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. 
+ +Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" under the Microsoft Windows section of the following link: + +https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml + + + False + False + + If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPSEC have been implemented. If protection methods have not been implemented, this is a finding. + + + False + False + + Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If it does not, this is a finding. + + + False + False + + Verify the operating system automatically disables temporary user accounts after 72 hours. If it does not, this is a finding. + +Determine if temporary user accounts are used and identify any that may be in existence. +For Domain Accounts: +Open PowerShell. +Run the command "Search-ADAccount -AccountExpiring" to determine if account expiration dates have been configured on any temporary accounts. +For any accounts returned, run the command "Get-ADUser -Identity <Name> -Property WhenCreated" to determine when the account was created. + +Local accounts: +Run "Net user <username>". This will list the account properties, including "Account Expires". + + + False + False + + Verify the operating system is configured such that emergency administrator accounts are automatically removed or disabled after the crisis is resolved or within 72 hours. If it is not, this is a finding. + +Determine if emergency accounts are used and identify any that may be in existence. +For Domain Accounts: +Open PowerShell. 
+Run the command "Search-ADAccount -AccountExpiring" to determine if account expiration dates have been configured on any emergency accounts. + +Local accounts: +Run "Net user <username>". This will list the account properties, including "Account Expires". + + + False + False + + Verify the operating system, at a minimum, off-loads audit records of interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. + + + + + + + + + Administrators + False + This Key and Subkeys + FullControl + + + + + Backup Operators + False + This Key Only + ReadKey + + + + + LOCAL SERVICE + False + This Key and Subkeys + ReadKey + + + True + False + False + + HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ + Run "Regedit". +Navigate to the following registry key: +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ + +If the key does not exist, this is a finding. + +Right-click on "winreg" and select "Permissions…". +Select "Advanced". + +If the permissions are not as restrictive as the defaults listed below, this is a finding. + +The following are the same for each permission listed: +Type - Allow +Inherited from - None + +Columns: Principal - Access - Applies to +Administrators - Full Control - This key and subkeys +Backup Operators - Read - This key only +LOCAL SERVICE - Read - This key and subkeys + + + + + + + NT AUTHORITY\SYSTEM + False + + + FullControl + + + + + BUILTIN\Administrators + False + + + FullControl + + + True + False + False + + %windir%\NTDS\*.* + Verify the permissions on the content of the NTDS directory. + +Open the registry editor (regedit). +Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters. +Note the directory locations in the values for: +Database log files path +DSA Database file + +By default they will be \Windows\NTDS. If the locations are different, the following will need to be run for each. 
+ +Open an elevated command prompt (Win+x, Command Prompt (Admin)). +Navigate to the NTDS directory (\Windows\NTDS by default). +Run "icacls *.*". + +If the permissions on each file are not at least as restrictive as the following, this is a finding. + +NT AUTHORITY\SYSTEM:(I)(F) +BUILTIN\Administrators:(I)(F) + +(I) - permission inherited from parent container +(F) - full access + +Do not use File Explorer to attempt to view permissions of the NTDS folder. Accessing the folder through File Explorer will change the permissions on the folder. + + + + + + + TrustedInstaller + False + This Key and Subkeys + FullControl + + + + + SYSTEM + False + This Key and Subkeys + FullControl + + + + + Administrators + False + This Key and Subkeys + FullControl + + + + + Users + False + This Key and Subkeys + ReadKey + + + + + ALL APPLICATION PACKAGES + False + This Key and Subkeys + ReadKey + + + True + False + False + + HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Winlogon\ + Run "Regedit". +Navigate to the following registry key: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Right-click on "WinLogon" and select "Permissions…". +Select "Advanced". + +If the permissions are not as restrictive as the defaults listed below, this is a finding. + +The following are the same for each permission listed: +Type - Allow +Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion +Applies to - This key and subkeys + +Columns: Principal - Access +TrustedInstaller - Full Control +SYSTEM - Full Control +Administrators - Full Control +Users - Read +ALL APPLICATION PACKAGES - Read + + + + + + + Users + False + + + ReadKey + + + + + Administrators + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + CREATOR OWNER + False + Subkeys Only + FullControl + + + + + ALL APPLICATION PACKAGES + False + + + ReadKey + + + True + False + False + + HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ + Run "Regedit". 
+Navigate to the following registry keys and review the permissions: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ +HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems) + +If the default permissions listed below have been changed, this is a finding. + +Users - Read +Administrators - Full Control +SYSTEM - Full Control +CREATOR OWNER - Full Control (Subkeys only) +ALL APPLICATION PACKAGES - Read + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\Application.evtx + Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\Security.evtx + Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. 
+ + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\System.evtx + Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + + + Fail + Everyone + False + + + FullControl + + + Success + Everyone + False + + + + + + + Success + Domain Users + False + + + AllExtendedRights + + + Success + Administrators + False + + + AllExtendedRights + + + Success + Everyone + False + + + WriteallProperties,ModifyPermissions,ModifyOwner + + + True + False + False + + {Domain} + Verify the auditing configuration for the Domain object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select the domain being reviewed in the left pane. +Right click the domain name and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - (blank) +Inherited from - None +Applies to - Special + +Type - Success +Principal - Domain Users +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Administrators +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner) + + + + + Fail + Everyone + False + + + FullControl + + + Success + Everyone + False + + + WriteallProperties,AllExtendedRights,ChangeInfrastructureMaster + + + Success + Everyone + False + + + + + + + True + False + False + + CN=Infrastructure,{Domain} + Verify the auditing configuration for Infrastructure object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select the domain being reviewed in the left pane. +Right click the Infrastructure object in the right pane and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) + + + + + Fail + Everyone + False + + + FullControl + + + Success + Everyone + False + + + Createallchildobjects,Delete,ModifyPermissions + + + Success + Everyone + False + + + WriteallProperties + + + Success + Everyone + False + + + + + + + True + False + False + + OU=Domain Controllers,{Domain} + Verify the auditing configuration for the Domain Controller OU object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select the Domain Controllers OU under the domain being reviewed in the left pane. +Right click the Domain Controllers OU object and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object and all descendant objects + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: all create, delete and modify permissions) + +Type - Success +Principal - Everyone +Access - Write all properties +Inherited from - None +Applies to - This object and all descendant objects + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objects + + + + + Fail + Everyone + False + + + FullControl + + + Success + Everyone + False + + + WriteallProperties,ModifyPermissions,ModifyOwner + + + Success + Everyone + False + + + + + + + True + False + False + + CN=AdminSDHolder,CN=System,{Domain} + Verify the auditing configuration for the AdminSDHolder object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select System under the domain being reviewed in the left pane. +Right click the AdminSDHolder object in the right pane and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the AdminSDHolder object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Write all properties, Modify permissions, Modify owner) + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objects + + + + + Fail + Everyone + False + + + FullControl + + + Success + Everyone + False + + + WriteallProperties,AllExtendedRights,ChangeRIDMaster + + + Success + Everyone + False + + + + + + + True + False + False + + CN=RID Manager$,CN=System,{Domain} + Verify the auditing configuration for the RID Manager$ object. 
+ +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select System under the domain being reviewed in the left pane. +Right-click the RID Manager$ object in the right pane and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the RID Manager$ object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None + (Access - Special = Write all properties, All extended rights, Change RID master) + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) + + + + + Allow + Authenticated Users + False + This folder subfolders and files + ReadAndExecute + + + Allow + Server Operators + False + This folder subfolders and files + ReadAndExecute + + + Allow + Administrators + False + This folder only + AppendData,ChangePermissions,CreateDirectories,CreateFiles,Delete,DeleteSubdirectoriesAndFiles,ExecuteFile,ListDirectory,Modify,Read,ReadAndExecute,ReadAttributes,ReadData,ReadExtendedAttributes,ReadPermissions,Synchronize,TakeOwnership,Traverse,Write,WriteAttributes,WriteData,WriteExtendedAttributes + + + Allow + CREATOR OWNER + False + Subfolders and files only + FullControl + + + Allow + Administrators + False + Subfolders and files only + FullControl + + + Allow + SYSTEM + False + This folder subfolders and files + FullControl + + + True + False + False + + %windir%\sysvol + Verify the permissions on the SYSVOL directory. 
+ +Open a command prompt. +Run "net share". +Make note of the directory location of the SYSVOL share. + +By default this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. + +Open File Explorer. +Navigate to \Windows\SYSVOL (or the directory noted previously if different). +Right click the directory and select properties. +Select the Security tab. +Click Advanced. + +If any standard user accounts or groups have greater than read & execute permissions, this is a finding. The default permissions noted below meet this requirement. + +Type - Allow +Principal - Authenticated Users +Access - Read & execute +Inherited from - None +Applies to - This folder, subfolder and files + +Type - Allow +Principal - Server Operators +Access - Read & execute +Inherited from - None +Applies to - This folder, subfolder and files + +Type - Allow +Principal - Administrators +Access - Special +Inherited from - None +Applies to - This folder only +(Access - Special - Basic Permissions: all selected except Full control) + +Type - Allow +Principal - CREATOR OWNER +Access - Full control +Inherited from - None +Applies to - Subfolders and files only + +Type - Allow +Principal - Administrators +Access - Full control +Inherited from - None +Applies to - Subfolders and files only + +Type - Allow +Principal - SYSTEM +Access - Full control +Inherited from - None +Applies to - This folder, subfolders and files + + +Alternately, use Icacls.exe to view the permissions of the SYSVOL directory. +Open a command prompt. 
+Run "icacls c:\Windows\SYSVOL +The following results should be displayed: + +NT AUTHORITY\Authenticated Users:(RX) +NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) +BUILTIN\Server Operators:(RX) +BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) +BUILTIN\Administrators:(M,WDAC,WO) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(F) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M,WDAC,WO) +CREATOR OWNER:(OI)(CI)(IO)(F) + +(RX) - Read & execute +Run "icacls /help" to view definitions of other permission codes. + + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %ProgramFiles(x86)% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +For each folder, view the Properties. +Select the "Security" tab, and the "Advanced" button. 
+ +Default Permissions: +\Program Files and \Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls "c:\program files" +icacls "c:\program files (x86)" + +The following results should be displayed as each is entered: + +c:\program files +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %ProgramFiles% + The default permissions 
are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +For each folder, view the Properties. +Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Program Files and \Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). 
+Enter icacls followed by the directory: + +icacls "c:\program files" +icacls "c:\program files (x86)" + +The following results should be displayed as each is entered: + +c:\program files +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + SYSTEM + False + This folder subfolders and files + FullControl + + + + + Administrators + False + This folder subfolders and files + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + Users + False + This folder and subfolders + CreateDirectories,AppendData + + + + + Users + False + Subfolders only + CreateFiles,WriteData + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + True + False + False + + %SystemDrive%\ + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +View the Properties of system drive root directory. +Select the "Security" tab, and the "Advanced" button. 
+ +C:\ +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +SYSTEM - Full control - This folder, subfolders and files +Administrators - Full control - This folder, subfolders and files +Users - Read & execute - This folder, subfolders and files +Users - Create folders / append data - This folder and subfolders +Users - Create files / write data - Subfolders only +CREATOR OWNER - Full Control - Subfolders and files only + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls c:\ + +The following results should be displayed: + +c:\ +NT AUTHORITY\SYSTEM:(OI)(CI)(F) +BUILTIN\Administrators:(OI)(CI)(F) +BUILTIN\Users:(OI)(CI)(RX) +BUILTIN\Users:(CI)(AD) +BUILTIN\Users:(CI)(IO)(WD) +CREATOR OWNER:(OI)(CI)(IO)(F) +Successfully processed 1 files; Failed processing 0 files + + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %windir% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the Windows installation directory (usually C:\Windows). 
Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +View the Properties of the folder. +Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Windows +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls c:\windows + +The following results should be displayed: + +c:\windows +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + TrustedInstaller + False + + + FullControl + + + + + Administrators + False + + + ReadAndExecute + + + + + SYSTEM + False + + + ReadAndExecute + + + + + Users + False + + + ReadAndExecute + + + + + ALL APPLICATION PACKAGES + False + + + ReadAndExecute + + + True + False + False + + %windir%\SYSTEM32\eventvwr.exe + Verify the permissions on Event Viewer only allow TrustedInstaller permissions to change or 
modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding. + +Navigate to "%SystemRoot%\SYSTEM32". +View the permissions on "Eventvwr.exe". + +The default permissions below satisfy this requirement. +TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & Execute + + + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ShutdownWithoutLogon + +Value Type: REG_DWORD +Value: 0 + 0 + ShutdownWithoutLogon + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeText + +Value Type: REG_SZ +Value: See message text below + +You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
+ +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + +Any OS versions that do not support the full text version must state the following: +"I've read & consent to terms in IS user agreem't." + +Deviations are not permitted except as authorized by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + LegalNoticeText + String + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -le '4' + If the system is not a member of a domain, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: CachedLogonsCount + +Value Type: REG_SZ +Value: 4 (or less) + + CachedLogonsCount + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymous + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictAnonymous + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableForcedLogoff + +Value Type: REG_DWORD +Value: 1 + 1 + EnableForcedLogoff + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry 
Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnablePlainTextPassword + +Value Type: REG_DWORD +Value: 0 + 0 + EnablePlainTextPassword + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: AutoAdminLogon + +Type: REG_SZ +Value: 0 + 0 + AutoAdminLogon + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\ + +Value Name: AddPrinterDrivers + +Value Type: REG_DWORD +Value: 1 + 1 + AddPrinterDrivers + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: LmCompatibilityLevel + +Value Type: REG_DWORD +Value: 5 + 5 + LmCompatibilityLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableCAD + +Value Type: REG_DWORD +Value: 0 + 0 + DisableCAD + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -match '1|2' + If the 
following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: SCRemoveOption + +Value Type: REG_SZ +Value: 1 (Lock Workstation) or 2 (Force Logoff) + +If configuring this on servers causes issues such as terminating users' remote sessions and the site has a policy in place that any other sessions on the servers such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO. + + SCRemoveOption + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SealSecureChannel + +Value Type: REG_DWORD +Value: 1 + +If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831). 
+ 1 + SealSecureChannel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SignSecureChannel + +Value Type: REG_DWORD +Value: 1 + +If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831). + 1 + SignSecureChannel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: DisablePasswordChange + +Value Type: REG_DWORD +Value: 0 + 0 + DisablePasswordChange + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: AllocateDASD + +Value Type: REG_SZ +Value: 0 + 0 + AllocateDASD + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -ge '14' + If 
the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: PasswordExpiryWarning + +Value Type: REG_DWORD +Value: 14 (or greater) + + PasswordExpiryWarning + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\ + +Value Name: ProtectionMode + +Value Type: REG_DWORD +Value: 1 + 1 + ProtectionMode + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters + True + {0} -le '15' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: autodisconnect + +Value Type: REG_DWORD +Value: 0x0000000f (15) (or less) + + autodisconnect + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ + +Value Name: NoDriveTypeAutoRun + +Type: REG_DWORD +Value: 0x000000ff (255) + 255 + NoDriveTypeAutoRun + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: NullSessionPipes + +Value 
Type: REG_MULTI_SZ +Value: netlogon, samr, lsarpc + +The default configuration of systems promoted to domain controllers may include a blank entry in the first line prior to "netlogon", "samr", and "lsarpc". This will appear in the registry as a blank entry when viewing the registry key summary; however the value data for "NullSessionPipes" will contain the default entries. + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. + netlogon;samr;lsarpc + NullSessionPipes + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\ + +Value Name: Machine + +Value Type: REG_MULTI_SZ +Value: see below + +System\CurrentControlSet\Control\ProductOptions +System\CurrentControlSet\Control\Server Applications +Software\Microsoft\Windows NT\CurrentVersion + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. 
+ System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion + Machine + MultiString + + + Present + True + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist, this is not a finding: + +If the following registry value does exist and is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: NullSessionShares + +Value Type: REG_MULTI_SZ +Value: (Blank) + + NullSessionShares + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fAllowToGetHelp + +Type: REG_DWORD +Value: 0 + 0 + fAllowToGetHelp + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: LimitBlankPasswordUse + +Value Type: REG_DWORD +Value: 1 + 1 + LimitBlankPasswordUse + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + True + {0} -le '30' -and {0} -gt '0' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: MaximumPasswordAge + +Value Type: REG_DWORD +Value: 30 (or less, but not 0) + + MaximumPasswordAge + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireStrongKey + +Value Type: REG_DWORD +Value: 1 + +This setting may prevent a system from being joined to a domain if not configured consistently between systems. + 1 + RequireStrongKey + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: DisableDomainCreds + +Value Type: REG_DWORD +Value: 1 + 1 + DisableDomainCreds + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: EveryoneIncludesAnonymous + +Value Type: REG_DWORD +Value: 0 + 0 + EveryoneIncludesAnonymous + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: ForceGuest + +Value Type: REG_DWORD +Value: 0 + 0 + ForceGuest + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: NoLMHash + +Value Type: 
REG_DWORD +Value: 1 + 1 + NoLMHash + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LDAP\ + +Value Name: LDAPClientIntegrity + +Value Type: REG_DWORD +Value: 1 + 1 + LDAPClientIntegrity + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinClientSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200) + 537395200 + NTLMMinClientSec + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ + +Value Name: Enabled + +Value Type: REG_DWORD +Value: 1 + +Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site. 
+ 1 + Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\ + +Value Name: ObCaseInsensitive + +Value Type: REG_DWORD +Value: 1 + 1 + ObCaseInsensitive + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fSingleSessionPerUser + +Type: REG_DWORD +Value: 1 + 1 + fSingleSessionPerUser + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fPromptForPassword + +Type: REG_DWORD +Value: 1 + 1 + fPromptForPassword + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: MinEncryptionLevel + +Type: REG_DWORD +Value: 3 + 3 + MinEncryptionLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: PerSessionTempDir + +Type: REG_DWORD +Value: 1 + 1 + PerSessionTempDir + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DeleteTempDirsOnExit + +Type: REG_DWORD +Value: 1 + 1 + DeleteTempDirsOnExit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system + False + + Review the registry. +If the following registry value does not exist, this is not a finding (this is the expected result from configuring the policy as outlined in the Fix section.): +If the following registry value exists but is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\system\ + +Value Name: DisableBkGndGroupPolicy + +Type: REG_DWORD +Value: 0 + 0 + DisableBkGndGroupPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fAllowUnsolicited + +Type: REG_DWORD +Value: 0 + 0 + fAllowUnsolicited + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters + True + '{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\W32time\Parameters\ +Type: REG_SZ +Value Name: Type +Value: Possible values are NoSync, NTP, NT5DS, AllSync + + Type + String + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters + True + '{0}' -notmatch 'time.windows.com' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\W32time\Parameters\ +Type: REG_SZ +Value Name: NTPServer +Value: "address of the time server" + + NTPServer + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\ + +Value Name: SafeDllSearchMode + +Value Type: REG_DWORD +Value: 1 + 1 + SafeDllSearchMode + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer + False + + Windows Media Player is not installed by default. If it is not installed, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: DisableAutoupdate + +Type: REG_DWORD +Value: 1 + 1 + DisableAutoupdate + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: PreventCodecDownload + +Type: REG_DWORD +Value: 1 + 1 + PreventCodecDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinServerSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200) + 
537395200 + NTLMMinServerSec + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security + True + {0} -le '90' + If the system is configured to write to an audit server, or is configured to automatically archive full logs, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\ + +Value Name: WarningLevel + +Value Type: REG_DWORD +Value: 90 (or less) + + WarningLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: DisableIPSourceRouting + +Value Type: REG_DWORD +Value: 2 + 2 + DisableIPSourceRouting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableICMPRedirect + +Value Type: REG_DWORD +Value: 0 + 0 + EnableICMPRedirect + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: PerformRouterDiscovery + +Value Type: REG_DWORD +Value: 0 + 0 + PerformRouterDiscovery + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + True + {0} -le '300000' + If the following registry 
value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: KeepAliveTime + +Value Type: REG_DWORD +Value: 300000 (or less) + + KeepAliveTime + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ + +Value Name: NoNameReleaseOnDemand + +Value Type: REG_DWORD +Value: 1 + 1 + NoNameReleaseOnDemand + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\NTDS\Parameters\ + +Value Name: LDAPServerIntegrity + +Value Type: REG_DWORD +Value: 2 + 2 + LDAPServerIntegrity + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RefusePasswordChange + +Value Type: REG_DWORD +Value: 0 + 0 + RefusePasswordChange + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + True + {0} -le '3' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: TcpMaxDataRetransmissions + +Value Type: REG_DWORD +Value: 3 (or less) + + TcpMaxDataRetransmissions + Dword + + 
+ Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -le '5' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: ScreenSaverGracePeriod + +Value Type: REG_SZ +Value: 5 (or less) + + ScreenSaverGracePeriod + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\ + +Value Name: Machine + +Value Type: REG_MULTI_SZ +Value: see below + +Software\Microsoft\OLAP Server +Software\Microsoft\Windows NT\CurrentVersion\Perflib +Software\Microsoft\Windows NT\CurrentVersion\Print +Software\Microsoft\Windows NT\CurrentVersion\Windows +System\CurrentControlSet\Control\ContentIndex +System\CurrentControlSet\Control\Print\Printers +System\CurrentControlSet\Control\Terminal Server +System\CurrentControlSet\Control\Terminal Server\UserConfig +System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration +System\CurrentControlSet\Services\Eventlog +System\CurrentControlSet\Services\Sysmonlog + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. 
+ Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Perflib;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;System\CurrentControlSet\Services\Eventlog;System\CurrentControlSet\Services\Sysmonlog + Machine + MultiString + + + Present + True + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Subsystems + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\ + +Value Name: Optional + +Value Type: REG_MULTI_SZ +Value: (Blank) + + Optional + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEncryptRPCTraffic + +Type: REG_DWORD +Value: 1 + 1 + fEncryptRPCTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ + +Value Name: NoGPOListChanges + +Type: REG_DWORD +Value: 0 + 0 + NoGPOListChanges + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters 
+ False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireSignOrSeal + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSignOrSeal + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: RequireSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: RequireSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: RestrictNullSessAccess + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictNullSessAccess + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ +Type: REG_DWORD +Value Name: Enabled +Value: 1 + 1 + Enabled + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters + True + '{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\ +Type: REG_SZ +Value Name: Type +Value: NT5DS (preferred), NTP or Allsync + + Type + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config + True + {0} -match '2|3' + Verify logging is configured to capture time source switches. + +If the Windows Time Service is used, verify the following registry value. If it is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\W32Time\Config\ + +Value Name: EventLogFlags + +Type: REG_DWORD +Value: 2 or 3 + +If another time synchronization tool is used, review the available configuration options and logs. If the tool has time source logging capability and it is not enabled, this is a finding. + + EventLogFlags + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DontDisplayLastUserName + +Value Type: REG_DWORD +Value: 1 + 1 + DontDisplayLastUserName + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: AuditBaseObjects + +Value Type: REG_DWORD +Value: 0 + 0 + AuditBaseObjects + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not 
configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: FullPrivilegeAuditing + +Value Type: REG_BINARY +Value: 0 + 0 + FullPrivilegeAuditing + Binary + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: SCENoApplyLegacyAuditPolicy + +Value Type: REG_DWORD +Value: 1 + 1 + SCENoApplyLegacyAuditPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\IPSEC\ + +Value Name: NoDefaultExempt + +Value Type: REG_DWORD +Value: 3 + 3 + NoDefaultExempt + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: FilterAdministratorToken + +Value Type: REG_DWORD +Value: 1 + 1 + FilterAdministratorToken + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + '{0}' -le '4' + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorAdmin + +Value Type: REG_DWORD +Value: 4 (Prompt for consent) +3 (Prompt for credentials) +2 (Prompt for consent on the secure desktop) +1 (Prompt for credentials on the secure desktop) + + ConsentPromptBehaviorAdmin + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorUser + +Value Type: REG_DWORD +Value: 0 + 0 + ConsentPromptBehaviorUser + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableInstallerDetection + +Value Type: REG_DWORD +Value: 1 + 1 + EnableInstallerDetection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableSecureUIAPaths + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecureUIAPaths + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableLUA + +Value Type: REG_DWORD +Value: 1 + 1 + EnableLUA + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: PromptOnSecureDesktop + +Value Type: REG_DWORD +Value: 1 + 1 + PromptOnSecureDesktop + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableVirtualization + +Value Type: REG_DWORD +Value: 1 + 1 + EnableVirtualization + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ + +Value Name: EnumerateAdministrators + +Type: REG_DWORD +Value: 0x00000000 (0) + 0 + EnumerateAdministrators + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DisablePasswordSaving + +Type: REG_DWORD +Value: 1 + 1 + DisablePasswordSaving + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableCdm + +Type: REG_DWORD +Value: 1 + 1 + fDisableCdm + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableHTTPPrinting + +Type: REG_DWORD +Value: 1 + 1 + DisableHTTPPrinting 
+ Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableWebPnPDownload + +Type: REG_DWORD +Value: 1 + 1 + DisableWebPnPDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DontSearchWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DontSearchWindowsUpdate + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: SaveZoneInformation + +Type: REG_DWORD +Value: 2 + 2 + SaveZoneInformation + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: HideZoneInfoOnProperties + +Type: REG_DWORD +Value: 1 + 1 + HideZoneInfoOnProperties + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: 
\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: ScanWithAntiVirus + +Type: REG_DWORD +Value: 3 + 3 + ScanWithAntiVirus + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Peernet\ + +Value Name: Disabled + +Type: REG_DWORD +Value: 1 + 1 + Disabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ + +Value Name: NC_AllowNetBridge_NLA + +Type: REG_DWORD +Value: 0 + 0 + NC_AllowNetBridge_NLA + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\EventViewer\ + +Value Name: MicrosoftEventVwrDisableLinks + +Type: REG_DWORD +Value: 1 + 1 + MicrosoftEventVwrDisableLinks + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoInternetOpenWith + +Type: REG_DWORD +Value: 1 + 1 + NoInternetOpenWith + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry 
Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: DisableEnclosureDownload + +Type: REG_DWORD +Value: 1 + 1 + DisableEnclosureDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: PreXPSP2ShellProtocolBehavior + +Type: REG_DWORD +Value: 0 + 0 + PreXPSP2ShellProtocolBehavior + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: SafeForScripting + +Type: REG_DWORD +Value: 0 + 0 + SafeForScripting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: EnableUserControl + +Type: REG_DWORD +Value: 0 + 0 + EnableUserControl + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: DisableLUAPatching + +Type: REG_DWORD +Value: 1 + 1 + DisableLUAPatching + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer + False + + Windows Media Player is not installed by default. 
If it is not installed, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: GroupPrivacyAcceptance + +Type: REG_DWORD +Value: 1 + 1 + GroupPrivacyAcceptance + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowLLTDIOOndomain +Value: 0 + 0 + AllowLLTDIOOndomain + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowLLTDIOOnPublicNet +Value: 0 + 0 + AllowLLTDIOOnPublicNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: EnableLLTDIO +Value: 0 + 0 + EnableLLTDIO + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: ProhibitLLTDIOOnPrivateNet +Value: 0 + 0 + ProhibitLLTDIOOnPrivateNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowRspndrOndomain +Value: 0 + 0 + AllowRspndrOndomain + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: 
AllowRspndrOnPublicNet +Value: 0 + 0 + AllowRspndrOnPublicNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: EnableRspndr +Value: 0 + 0 + EnableRspndr + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: ProhibitRspndrOnPrivateNet +Value: 0 + 0 + ProhibitRspndrOnPrivateNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableFlashConfigRegistrar +Value: 0 + 0 + DisableFlashConfigRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableInBand802DOT11Registrar +Value: 0 + 0 + DisableInBand802DOT11Registrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableUPnPRegistrar +Value: 0 + 0 + DisableUPnPRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableWPDRegistrar +Value: 0 + 0 + DisableWPDRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + 
Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: EnableRegistrars +Value: 0 + 0 + EnableRegistrars + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\UI\ + +Value Name: DisableWcnUi + +Type: REG_DWORD +Value: 1 + 1 + DisableWcnUi + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: AllowRemoteRPC + +Type: REG_DWORD +Value: 0 + 0 + AllowRemoteRPC + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSystemRestore + +Type: REG_DWORD +Value: 0 + 0 + DisableSystemRestore + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSendGenericDriverNotFoundToWER + +Type: REG_DWORD +Value: 1 + 1 + DisableSendGenericDriverNotFoundToWER + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the 
following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DontPromptForWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DontPromptForWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\HandwritingErrorReports\ + +Value Name: PreventHandwritingErrorReports + +Type: REG_DWORD +Value: 1 + 1 + PreventHandwritingErrorReports + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: DCSettingIndex + +Type: REG_DWORD +Value: 1 + 1 + DCSettingIndex + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: ACSettingIndex + +Type: REG_DWORD +Value: 1 + 1 + ACSettingIndex + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: LoggingEnabled + +Type: REG_DWORD +Value: 1 + 1 + LoggingEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet + True + {0} -notmatch '1|2' + If the following registry value exists and is set to "1" (Basic) or "2" (Advanced), this is a finding: + +If the registry value does not exist, this is not a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\ + +Value Name: SpyNetReporting + +Type: REG_DWORD +Value: 1 or 2 = a Finding + + SpyNetReporting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoHeapTerminationOnCorruption + +Type: REG_DWORD +Value: 0 + 0 + NoHeapTerminationOnCorruption + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WMDRM\ + +Value Name: DisableOnline + +Type: REG_DWORD +Value: 1 + 1 + DisableOnline + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoInPlaceSharing + +Type: REG_DWORD +Value: 1 + 1 + NoInPlaceSharing + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on 
Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableUIADesktopToggle + +Value Type: REG_DWORD +Value: 0 + 0 + EnableUIADesktopToggle + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableCcm + +Type: REG_DWORD +Value: 1 + 1 + fDisableCcm + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableLPT + +Type: REG_DWORD +Value: 1 + 1 + fDisableLPT + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisablePNPRedir + +Type: REG_DWORD +Value: 1 + 1 + fDisablePNPRedir + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEnableSmartCard + +Type: REG_DWORD +Value: 1 + 1 + fEnableSmartCard + 
Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ValidateAdminCodeSignatures + +Value Type: REG_DWORD +Value: 0 + 0 + ValidateAdminCodeSignatures + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\SQMClient\Windows\ + +Value Name: CEIPEnable + +Type: REG_DWORD +Value: 0 + 0 + CEIPEnable + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ + +Value Name: NoImplicitFeedback + +Type: REG_DWORD +Value: 1 + 1 + NoImplicitFeedback + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ + +Value Name: NoExplicitFeedback + +Type: REG_DWORD +Value: 1 + 1 + NoExplicitFeedback + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\System\CurrentControlSet\Services\LanmanServer\Parameters\ + +Value Name: SmbServerNameHardeningLevel + +Type: REG_DWORD +Value: 0 + 0 + SmbServerNameHardeningLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\ + +Value Name: UseMachineId + +Type: REG_DWORD +Value: 1 + 1 + UseMachineId + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\MSV1_0\ + +Value Name: allownullsessionfallback + +Type: REG_DWORD +Value: 0 + 0 + allownullsessionfallback + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\pku2u + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\pku2u\ + +Value Name: AllowOnlineID + +Type: REG_DWORD +Value: 0 + 0 + AllowOnlineID + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: DisableIPSourceRouting + +Type: REG_DWORD +Value: 2 + 2 + DisableIPSourceRouting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + True + {0} -le '3' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: 
HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: TcpMaxDataRetransmissions + +Value Type: REG_DWORD +Value: 3 (or less) + + TcpMaxDataRetransmissions + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ + +Value Name: NC_StdDomainUserSetLocation + +Type: REG_DWORD +Value: 1 + 1 + NC_StdDomainUserSetLocation + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: Force_Tunneling + +Type: REG_SZ +Value: Enabled + Enabled + Force_Tunneling + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DoNotInstallCompatibleDriverFromWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DoNotInstallCompatibleDriverFromWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Device Metadata\ + +Value Name: PreventDeviceMetadataFromNetwork + +Value Type: REG_DWORD +Value: 1 + 1 + PreventDeviceMetadataFromNetwork + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: SearchOrderConfig + +Type: REG_DWORD +Value: 0 + 0 + SearchOrderConfig + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ + +Value Name: DisableQueryRemoteServer + +Type: REG_DWORD +Value: 0 + 0 + DisableQueryRemoteServer + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ + +Value Name: EnableQueryRemoteServer + +Type: REG_DWORD +Value: 0 + 0 + EnableQueryRemoteServer + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ + +Value Name: ScenarioExecutionEnabled + +Type: REG_DWORD +Value: 0 + 0 + ScenarioExecutionEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry 
Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisableInventory + +Type: REG_DWORD +Value: 1 + 1 + DisableInventory + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoAutoplayfornonVolume + +Type: REG_DWORD +Value: 1 + 1 + NoAutoplayfornonVolume + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoDataExecutionPrevention + +Type: REG_DWORD +Value: 0 + 0 + NoDataExecutionPrevention + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoAutorun + +Type: REG_DWORD +Value: 1 + 1 + NoAutorun + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymousSAM + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictAnonymousSAM + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + '{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$' 
+ If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeCaption + +Value Type: REG_SZ +Value: See message title options below + +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. + +If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089. + +Automated tools may only search for the titles defined above. If a site-defined title is used, a manual review will be required. + + LegalNoticeCaption + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: 6to4_State + +Type: REG_SZ +Value: Disabled + Disabled + 6to4_State + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\ + +Value Name: IPHTTPS_ClientState + +Type: REG_DWORD +Value: 3 + 3 + IPHTTPS_ClientState + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: ISATAP_State + +Type: REG_SZ +Value: Disabled + Disabled + 
ISATAP_State + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: Teredo_State + +Type: REG_SZ +Value: Disabled + Disabled + Teredo_State + String + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security + True + {0} -ge '196608' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00030000 (196608) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSendRequestAdditionalSoftwareToWER + +Type: REG_DWORD +Value: 1 + 1 + DisableSendRequestAdditionalSoftwareToWER + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: AlwaysInstallElevated + +Type: REG_DWORD +Value: 0 + 0 + AlwaysInstallElevated + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: 
\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: ScreenSaveActive + +Type: REG_SZ +Value: 1 + +Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO: + +-The logon session does not have administrator rights. +-The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area. + 1 + ScreenSaveActive + String + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: ScreenSaverIsSecure + +Type: REG_SZ +Value: 1 + 1 + ScreenSaverIsSecure + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableIPAutoConfigurationLimits + +Type: REG_DWORD +Value: 1 + 1 + EnableIPAutoConfigurationLimits + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\ + +Value Name: UseWindowsUpdate + +Type: REG_DWORD +Value: 2 + 2 + UseWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry 
Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DriverServerSelection + +Type: REG_DWORD +Value: 1 + 1 + DriverServerSelection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Policies\EarlyLaunch\ + +Value Name: DriverLoadPolicy + +Type: REG_DWORD +Value: 1 + 1 + DriverLoadPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer + False + + The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoUseStoreOpenWith + +Type: REG_DWORD +Value: 1 + 1 + NoUseStoreOpenWith + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Control Panel\International\ + +Value Name: BlockUserInputMethodsForSignIn + +Type: REG_DWORD +Value: 1 + 1 + BlockUserInputMethodsForSignIn + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: EnumerateLocalUsers + +Type: REG_DWORD +Value: 0 + 0 + EnumerateLocalUsers + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System + False 
+ + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: DisableLockScreenAppNotifications + +Type: REG_DWORD +Value: 1 + 1 + DisableLockScreenAppNotifications + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisablePcaUI + +Type: REG_DWORD +Value: 0 + 0 + DisablePcaUI + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Appx\ + +Value Name: AllowAllTrustedApps + +Type: REG_DWORD +Value: 1 + 1 + AllowAllTrustedApps + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\ + +Value Name: Enabled + +Type: REG_DWORD +Value: 0 + 0 + Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\CredUI\ + +Value Name: DisablePasswordReveal + +Type: REG_DWORD +Value: 1 + 1 + DisablePasswordReveal + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System + False + + If the following registry value 
does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: EnableSmartScreen + +Type: REG_DWORD +Value: 0 + 0 + EnableSmartScreen + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\ + +Value Name: DisableLocation + +Type: REG_DWORD +Value: 1 (Enabled) + +If location services are approved for the system by the organization, this may be set to "Disabled" (0). This must be documented with the ISSO. + 1 + DisableLocation + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: AllowBasicAuthInClear + +Type: REG_DWORD +Value: 0 + 0 + AllowBasicAuthInClear + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ +Type: REG_DWORD +Value Name: AutoDownload +Value: 0x00000002 (2) + 2 + AutoDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate\ +Type: REG_DWORD +Value Name: AutoDownload +Value: 0x00000002 (2) + 2 + AutoDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore + False + + The Windows Store is not installed by default. 
If the \Windows\WinStore directory does not exist, this is NA. +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ + +Value Name: RemoveWindowsStore + +Type: REG_DWORD +Value: 1 + 1 + RemoveWindowsStore + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0 + 0 + AllowBasic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0 + 0 + AllowUnencryptedTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowDigest + +Type: REG_DWORD +Value: 0 + 0 + AllowDigest + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0 + 0 + AllowBasic + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0 + 0 + AllowUnencryptedTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: DisableRunAs + +Type: REG_DWORD +Value: 1 + 1 + DisableRunAs + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + {0} -le '900' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: InactivityTimeoutSecs + +Value Type: REG_DWORD +Value: 0x00000384 (900) (or less) + + InactivityTimeoutSecs + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: SCRNSAVE.EXE + +Type: REG_SZ +Value: scrnsave.scr + scrnsave.scr + SCRNSAVE.EXE + String + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: 
\Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: NoDispScrSavPage + +Type: REG_DWORD +Value: 1 + 1 + NoDispScrSavPage + Dword + + + Present + False + HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ + +Value Name: NoCloudApplicationNotification + +Type: REG_DWORD +Value: 1 + 1 + NoCloudApplicationNotification + Dword + + + Present + False + HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ + +Value Name: NoToastApplicationNotificationOnLockScreen + +Type: REG_DWORD +Value: 1 + 1 + NoToastApplicationNotificationOnLockScreen + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: RedirectOnlyDefaultClientPrinter + +Type: REG_DWORD +Value: 1 + 1 + RedirectOnlyDefaultClientPrinter + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ + +Value Name: NoLockScreenSlideshow + +Value Type: REG_DWORD +Value: 1 + 1 + NoLockScreenSlideshow + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ + +Value Name: ProcessCreationIncludeCmdLine_Enabled + +Value Type: REG_DWORD +Value: 0 + 0 + ProcessCreationIncludeCmdLine_Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: DontDisplayNetworkSelectionUI + +Value Type: REG_DWORD +Value: 1 + 1 + DontDisplayNetworkSelectionUI + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + +Value Name: MSAOptional + +Value Type: REG_DWORD +Value: 1 + 1 + MSAOptional + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableAutomaticRestartSignOn + +Value Type: REG_DWORD +Value: 1 + 1 + DisableAutomaticRestartSignOn + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ + +Value Name: ForceKeyProtection + +Type: REG_DWORD +Value: 2 + 2 + ForceKeyProtection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest + False + + If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ + +Value Name: UseLogonCredential + +Type: REG_DWORD +Value: 0x00000000 (0) + +Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2. + 0 + UseLogonCredential + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + False + + This applies to Windows 2012. Windows 2012 R2 uses a different method to disable SMBv1, see WN12-00-000160. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ + +Value Name: SMB1 + +Type: REG_DWORD +Value: 0x00000000 (0) + 0 + SMB1 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ +Type: REG_MULTI_SZ +Value Name: DependOnService +Value: Bowser MRxSmb20 NSI + Bowser;MRxSmb20;NSI + DependOnService + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ +Type: REG_DWORD +Value Name: Start +Value: 0x00000004 (4) + 4 + Start + Dword + + + + + False + Accounts: Guest account status + Disabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. + + + False + Accounts: Rename guest account + + True + '{0}' -ne 'Guest' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. + + + False + Accounts: Rename administrator account + + True + '{0}' -ne 'Administrator' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding. + + + False + Network access: Allow anonymous SID/Name translation + Disabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. + + + False + Network security: Force logoff when logon hours expire + Enabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding. + + + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + DFSR + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. 
+ +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + Dnscache + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + DNS + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + gpsvc + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. 
+ +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + IsmServ + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + Kdc + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + NetLogon + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. 
+ +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + W32Time + Running + Automatic + + + Present + False + False + + Run "services.msc" to display the Services console. + +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding. + NTDS + Running + Automatic + + + Present + False + False + + Run "Services.msc". + +Verify the McAfee Agent service is running, depending on the version installed. + +Version - Service Name +McAfee Agent v5.x - McAfee Agent Service +McAfee Agent v4.x - McAfee Framework Service + +If the service is not listed or does not have a Status of "Started", this is a finding. + McAfee + Running + Automatic + + + Present + False + False + + Verify the Fax (fax) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Fax (fax) + fax + Stopped + Disabled + + + Present + False + False + + If the server has the role of an FTP server, this is NA. + +Run "Services.msc". + +If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disabled, this is a finding. + FTPSVC + Stopped + Disabled + + + Present + False + False + + Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. 
+ +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Peer Networking Identity Manager (p2pimsvc) + p2pimsvc + Stopped + Disabled + + + Present + False + False + + Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Simple TCP/IP Services (simptcp) + simptcp + Stopped + Disabled + + + Present + False + False + + Verify the Telnet (tlntsvr) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Telnet (tlntsvr) + tlntsvr + Stopped + Disabled + + + Present + False + False + + Verify the Smart Card Removal Policy service is configured to "Automatic". + +Run "Services.msc". + +If the Startup Type for Smart Card Removal Policy is not set to Automatic, this is a finding. + SCPolicySvc + Running + Automatic + + + + + SeTcbPrivilege + Act as part of the operating system + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. + + + SeDenyNetworkLogonRight + Deny access to this computer from the network + False + Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: + +Guests Group + + + SeSyncAgentPrivilege + Synchronize directory service data + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Synchronize directory service data" user right, this is a finding. + + + SeDebugPrivilege + Debug programs + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: + +Administrators + + + SeTrustedCredManAccessPrivilege + Access Credential Manager as a trusted caller + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding. + + + SeNetworkLogonRight + Access this computer from the network + True + Administrators,Authenticated Users,Enterprise Domain Controllers + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding: + +Administrators +Authenticated Users +Enterprise Domain Controllers + + + SeInteractiveLogonRight + Allow log on locally + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: + +Administrators + + + SeRemoteInteractiveLogonRight + Allow log on through Remote Desktop Services + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: + +Administrators + + + SeBackupPrivilege + Back up files and directories + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: + +Administrators + + + SeChangeNotifyPrivilege + Bypass traverse checking + True + Administrators,Authenticated Users,Local Service,Network Service,Window Manager\Window Manager Group + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Bypass traverse checking" user right, this is a finding: + +Administrators +Authenticated Users +Local Service +Network Service +Window Manager\Window Manager Group + + + SeSystemtimePrivilege + Change the system time + True + Administrators,Local Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Change the system time" user right, this is a finding: + +Administrators +Local Service + + + SeTimeZonePrivilege + Change the time zone + True + Administrators,Local Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Change the time zone" user right, this is a finding: + +Administrators +Local Service + + + SeCreatePagefilePrivilege + Create a pagefile + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: + +Administrators + + + SeCreateTokenPrivilege + Create a token object + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Create a token object" user right, this is a finding. + + + SeCreateGlobalPrivilege + Create global objects + True + Administrators,Service,Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: + +Administrators +Service +Local Service +Network Service + + + SeCreatePermanentPrivilege + Create permanent shared objects + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding. + + + SeCreateSymbolicLinkPrivilege + Create symbolic links + True + Administrators,{Hyper-V} + False + True + '{0}' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: + +Administrators + +Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines"). This is not a finding. 
+ + + SeDenyBatchLogonRight + Deny log on as a batch job + False + Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding: + +Guests Group + + + SeDenyServiceLogonRight + Deny log on as a service + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding. + + + SeDenyInteractiveLogonRight + Deny log on locally + False + Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: + +Guests Group + + + SeDenyRemoteInteractiveLogonRight + Deny log on through Remote Desktop Services + False + Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: + +Guests Group + + + SeEnableDelegationPrivilege + Enable computer and user accounts to be trusted for delegation + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding: + +Administrators + + + SeRemoteShutdownPrivilege + Force shutdown from a remote system + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: + +Administrators + + + SeAuditPrivilege + Generate security audits + True + Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: + +Local Service +Network Service + + + SeImpersonatePrivilege + Impersonate a client after authentication + True + Administrators,Service,Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: + +Administrators +Service +Local Service +Network Service + + + SeIncreaseBasePriorityPrivilege + Increase scheduling priority + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding: + +Administrators + + + SeLoadDriverPrivilege + Load and unload device drivers + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding: + +Administrators + + + SeLockMemoryPrivilege + Lock pages in memory + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. + + + SeSecurityPrivilege + Manage auditing and security log + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: + +Administrators + +If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. + +If an application requires this user right, this would not be a finding. +Vendor documentation must support the requirement for having the user right. +The requirement must be documented with the ISSO. +The application account must meet requirements for application account passwords, such as length (V-36661) and required changes frequency (V-36662). + + + SeRelabelPrivilege + Modify an object label + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Modify an object label" user right, this is a finding. + + + SeSystemEnvironmentPrivilege + Modify firmware environment values + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding: + +Administrators + + + SeManageVolumePrivilege + Perform volume maintenance tasks + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: + +Administrators + + + SeProfileSingleProcessPrivilege + Profile single process + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding: + +Administrators + + + SeSystemProfilePrivilege + Profile system performance + True + Administrators,NT Service\WdiServiceHost + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Profile system performance" user right, this is a finding: + +Administrators +NT Service\WdiServiceHost + + + SeAssignPrimaryTokenPrivilege + Replace a process level token + True + Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Replace a process level token" user right, this is a finding: + +Local Service +Network Service + + + SeRestorePrivilege + Restore files and directories + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. 
+Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding: + +Administrators + + + SeShutdownPrivilege + Shut down the system + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Shut down the system" user right, this is a finding: + +Administrators + + + SeTakeOwnershipPrivilege + Take ownership of files or other objects + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: + +Administrators + + + SeMachineAccountPrivilege + Add workstations to domain + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding: + +Administrators + + + + + FS-SMB1 + Absent + False + False + + This applies to Windows 2012 R2. Windows 2012 uses a different method to disable SMBv1, see WN12-00-000170 and WN12-00-000180. 
+ +Run "Windows PowerShell" with elevated privileges (run as administrator). +Enter the following: +Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol + +If "State : Enabled" is returned, this is a finding. + +Alternately: +Search for "Features". +Select "Turn Windows features on or off". + +If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding. + + + + + Win32_OperatingSystem + False + -ge + False + + Version + Run "winver.exe". + +If the "About Windows" dialog box does not display +"Microsoft Windows Server +Version 6.2 (Build 9200)" +or greater, this is a finding. + +No preview versions will be used in a production environment. + +Unsupported Service Packs/Releases: +Windows 2012 - any release candidates or versions prior to the initial release. + 6.2.9200 + + + Win32_LogicalDisk + False + -match + False + + FileSystem + Open "Computer Management". + +Select "Disk Management" under "Storage". + +For each local volume, if the file system does not indicate "NTFS", this is a finding. + +"ReFS" (Resilient File System) is also acceptable and would not be a finding. + +This does not apply to system partitions such as the Recovery and EFI System Partition. + NTFS|ReFS + + + diff --git a/src/StigData/Windows-2012R2-DNS-1.7.xml b/src/StigData/Windows-2012R2-DNS-1.7.xml new file mode 100644 index 000000000..b3530239d --- /dev/null +++ b/src/StigData/Windows-2012R2-DNS-1.7.xml 
@@ -0,0 +1,2425 @@ + + + + $null + $null + False + False + + Note: If the Windows DNS server is in the classified network, this check is Not Applicable. + +Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select “Properties”. + +Select the "Root Hints" tab. + +Verify the "Root Hints" is either empty or only has entries for internal zones under "Name servers:". All Internet root server entries must be removed. + +If "Root Hints" is not empty and the entries on the "Root Hints" tab under "Name servers:" are external to the local network, this is a finding. + + + + + + False + False + + EventLogLevel + 4 + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select “Properties”. + +Click on the “Event Logging” tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + + + False + False + + NoRecursion + $True + Note: If the Windows DNS server is in the classified network, this check is Not Applicable. + +Note: In Windows 2008 DNS Server, if forwarders are configured, the recursion setting must also be enabled since disabling recursion will disable forwarders. + +If forwarders are not used, recursion must be disabled. + +In both cases, the use of root hints must be disabled. The root hints configuration requirement is addressed in WDNS-CM-000004. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”. + +Click on the “Forwarders” tab. + +If forwarders are enabled and configured, this check is not applicable. 
+ +If forwarders are not enabled, click on the “Advanced” tab and ensure the "Disable recursion (also disables forwarders)" check box is selected. + +If forwarders are not enabled and configured, and the "Disable recursion (also disables forwarders)" check box in the “Advanced” tab is not selected, this is a finding. + + + + + + False + False + + Windows 2008 DNS servers, hosting Active Directory integrated zones, transfer zone information via AD replication. Windows 2008 DNS servers hosting non-AD-integrated zones as a secondary name server and/or are not hosting AD-integrated zones use zone transfer to sync zone data. + +If the Windows 2008 DNS server only hosts AD-integrated zones and all other name servers for the zones hosted are Active Directory Domain Controllers, this requirement is not applicable. + +If the Windows 2008 DNS server is not an Active Directory Domain Controller, or is a secondary name server for a zone with a non-AD-integrated name server as the master, this requirement is applicable. + +Administrator notification is only possible if a third-party event monitoring system is configured or, at a minimum, there are documented procedures requiring the administrator to review the DNS logs on a routine, daily basis. + +If a third-party event monitoring system is not configured, or a document procedure is not in place requiring the administrator to review the DNS logs on a routine, daily basis, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select “Properties”. + +Click on the “Event Logging” tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. 
+ +Press Windows Key + R, execute dnsmgmt.msc. + +From the right pane, under the SERVERS section, right-click the DNS server. + +From the displayed context menu, click the DNS Manager option. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. 
+ +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. 
+ +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". 
+ +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Note: If the Windows DNS server is in the classified network, this check is Not Applicable. + +Note: In Windows 2008 DNS Server, if forwarders are configured, the recursion setting must also be enabled since disabling recursion will disable forwarders. + +If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”. + +Click on the “Forwarders” tab. + +If forwarders are not being used, this is not applicable. + +Review the IP address(es) for the forwarder(s) use. + +If the DNS Server does not forward to another DoD-managed DNS server or to the DoD Enterprise Recursive Services (ERS), this is a finding. + +If the "Use root hints if no forwarders are available" is selected, this is a finding. + + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Confirm with the DNS administrator that the hosts defined in the zone files do not resolve to hosts in another zone with its fully qualified domain name. + +The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. 
In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. Additional exceptions are CNAME records in a multi-domain Active Directory environment pointing to hosts in other internal domains in the same multi-domain environment. + +If resource records are maintained that resolve to a fully qualified domain name in another zone, and the usage is not for resource records resolving to hosts that are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms with a documented and approved mission need, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the RRs to confirm that there are no CNAME records older than 6 months. + +The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated (AO approval of use of a commercial cloud offering would satisfy this requirement). Additional exceptions are CNAME records in a multi-domain Active Directory environment pointing to hosts in other internal domains in the same multi-domain environment. 
+ +If there are zone-spanning CNAME records older than 6 months and the CNAME records resolve to anything other than fully qualified domain names for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms with an AO-approved and documented mission need, this is a finding. + + + False + False + + Access Windows Explorer. + +Navigate to the following location: +%ALLUSERSPROFILE%\Microsoft\Crypto + +Verify the permissions on the folder, sub-folders and files are limited to SYSTEM and Administrators FULL CONTROL. + +If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders and files, this is a finding. + + + False + False + + Access Windows Explorer. + +Navigate to the following location: +%ALLUSERSPROFILE%\Microsoft\Crypto + +Verify the permissions on the folder, sub-folders and files are limited to SYSTEM and Administrators FULL CONTROL. + +If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders and files, this is a finding. + + + False + False + + Consult with the SA to determine if there is a third-party CRL server being used for certificate revocation lookup. + +If there is, verify if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site. + +If there is no local cache of revocation data, this is a finding. + + + False + False + + This requirement is not applicable for a Windows 2008 DNS Server which is only hosting AD-integrated zones. 
+ +For a Windows 2008 DNS Server which hosts a mix of AD-integrated zones and manually maintained zones, ask the DNS database administrator if they maintain a separate database with record documentation for the non-AD-integrated zone information. The reviewer should check that the record's last verified date is less than one year prior to the date of the review. + +If a separate database with record documentation is not maintained for the non-AD-integrated zone information, this is a finding. + +If a separate database with record documentation is maintained for the non-AD-integrated zone information, log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the zone records of the non-AD-integrated zones and compare to the separate documentation maintained. + +Determine if any records have not been validated in over a year. + +If zone records exist which have not been validated in over a year, this is a finding. + + + False + False + + Active Directory integrated DNS servers will handle the promotion of a secondary DNS server whenever a primary DNS server loses functionality. + +If all of the DNS servers are AD-integrated, this is not a finding. + +Consult with the System Administrator to determine if there are documented procedures for re-roling a non-AD-integrated secondary name server to a master name server role in the event a master name server loses functionality. + +If there is not any documented procedures for re-roling a non-AD-integrated secondary name server to primary in the event a master name server loses functionality, this is a finding. + + + False + False + + Notification to system administrator is not configurable in Windows 2008. 
In order for system administrators to be notified when a component fails, the system administrator would need to implement a third-party monitoring system. At a minimum, the system administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. + +If a third-party monitoring system is not in place to detect and notify the system administrator upon component failures and the system administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding. + + + False + False + + Notification to system administrator is not configurable in Windows 2012. In order for administrator to be notified if functionality of DNSSEC/TSIG has been removed or broken, the ISSO/ISSM/DNS administrator would need to implement a third-party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. + +If a third-party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of DNSSEC/TSIG has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Notification to system administrator is not configurable in Windows 2008. In order for ISSO/ISSM/DNS administrator to be notified if functionality of Secure Updates has been removed or broken, the ISSO/ISSM/DNS administrator would need to implement a third party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. 
+ +If a third party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of Secure Updates has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Once selected, right-click the name of the zone. + +From the displayed context menu, click the “Properties” option. + +On the opened domain's properties box, click the “General” tab. + +Verify the Type: is Active Directory-Integrated. + +Verify the Dynamic updates has "Secure only" or "none" selected. 
+ +If the zone is Active Directory-Integrated and the Dynamic updates are not configured for "Secure only" or "none", this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. + +Use the Get-DnsServerDiagnostics cmdlet to view the status of individual diagnostic events. + +All diagnostic events should be set to "True". + +If all diagnostic events are not set to "True", this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the zone's RRs in the right window pane. + +For zones signed with DNSSEC, review the DNSKEY encryption in the Data column. + +Example: [DNSKEY][RsaSha1][31021] + +Confirm the encryption algorithm specified in the DNSKEY's Data is at RsaSha1, at a minimum. + +If the specified encryption algorithm is not RsaSha1 or stronger, this is a finding. + + + False + False + + Consult with the System Administrator to determine the backup policy in place for Windows 2008 DNS Server. + +Review the backup methods used and determine if the backup's methods have been successful at backing up the audit records at least every seven days. + +If the organization does not have a backup policy in place for backing up the Windows 2008 DNS Server's audit records and/or the backup methods have not been successful at backing up the audit records at least every seven days, this is a finding. 
+ + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +View the validity period for the DS Resource Record. + +If the validity period for the DS Resource Record for the child domain is less than two days (48 hours) or more than one week (168 hours), this is a finding. + + + False + False + + Windows 2008 DNS Servers that are Active Directory integrated must be located where required to meet the Active Directory services. + +If all of the Windows 2008 DNS Servers are AD integrated, this check is Not Applicable. + +If any or all of the Windows 2008 DNS Servers are standalone and non-AD-integrated, verify with the System Administrator their geographic location. + +If any or all of the authoritative name servers are located in the same building as the master authoritative name server, and the master authoritative name server is not "hidden", this is a finding. + + + False + False + + Verify the Windows 2008 DNS Server will only accept TCP and UDP port 53 traffic from specific IP addresses/ranges. + +This can be configured via a local or network firewall. + +If the caching name server is not restricted to answering queries from only specific networks, this is a finding. + + + False + False + + Note: Blackhole name servers host records which are manually added and for which the name server is not authoritative. It is configured and intended to block resolvers from getting to a destination by directing the query to a blackhole. 
If the blackhole name server is not authoritative for any zones and otherwise only serves as a caching/forwarding name server, this check is Not Applicable. + +The non-AD-integrated, standalone, caching Windows 2012 DNS Server must be configured to be DNSSEC-aware. When performing caching and lookups, the caching name server must be able to obtain a zone signing key DNSKEY record and corresponding RRSIG record for the queried record. It will use this information to compute the hash for the hostname being resolved. The caching name server decrypts the RRSIG record for the hostname being resolved with the zone's ZSK to get the RRSIG record hash. The caching name server compares the hashes and ensures they match. + +If the non-AD-integrated, standalone, caching Windows 2012 DNS Server is not configured to be DNSSEC-aware, this is a finding. + + + + False + False + + Validate this check from the Windows 2012 DNS server being configured/reviewed. + +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the account designated as Administrator or DNS Administrator. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Right-click the zone and select DNSSEC, Properties. + +Select the KSK Tab. + +Verify the "DNSKEY signature validity period (hours):” is set to at least 48 hours and no more than 168 hours. + +Select the ZSK Tab. +Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours. + +If either the KSK or ZSK Tab "DNSKEY signature validity period (hours):" values are set to less than 48 hours or more than 168 hours, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. 
+ +Type the following command: + +PS C:\> Get-DnsServerResourceRecord -ZoneName example.com <enter> + +Where example.com is replaced with the zone hosted on the DNS Server. + +All of the zone's resource records will be returned, among which should be the NSEC3 RRs, as depicted below. + +If NSEC3 RRs are not returned for the zone, this is a finding. + +2vf77rkf63hrgismnuvnb8... NSEC3 0 01:00:00 [RsaSha1][False][50][F2738D980008F73C] +7ceje475rse25gppr3vphs... NSEC3 0 01:00:00 [RsaSha1][False][50][F2738D980008F73C] + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the NS records for the zone. + +Verify each of the name servers, represented by the NS records, is active. + +At a command prompt, type: + +nslookup <enter>; + +At the nslookup prompt, type: + +server=###.###.###.### <enter>; +(where the ###.###.###.### is replaced by the IP of each NS record) + +Enter a FQDN for a known host record in the zone. + +If the NS server does not respond at all or responds with a non-authoritative answer, this is a finding. + + + False + False + + Windows 2008 DNS Servers that are Active Directory-integrated must be located where required to meet the Active Directory services. + +If all of the Windows 2008 DNS Servers are AD-integrated, this check is not applicable. + +If any or all of the Windows 2008 DNS Servers are stand-alone and non-AD-integrated, verify with the System Administrator their geographic dispersal. + +If all of the authoritative name servers are located on the same network segment, and the master authoritative name server is not "hidden", this is a finding. 
+ + + False + False + + Note: Due to the manner in which Active Directory replication increments SOA records for zones when transferring zone information via AD replication, this check is not applicable for AD-integrated zones. + +Log on to the DNS server hosting a non-AD-integrated zone using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the SOA information for the zone and obtain the Serial Number. + +Access each secondary name server for the same zone and review the SOA information. + +Verify the Serial Number is the same on all authoritative name servers. + +If the Serial Number is not the same on one or more authoritative name servers, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select each zone. + +Review the RRs for each zone and verify all of the DNSEC record types are included for the zone. + +NOTE: The DS (Delegation Signer)record should also exist but the requirement for it is validated under WDNS-SC-000011. + +RRSIG (Resource Read Signature) +DNSKEY (Public Key) +NSEC3 (Next Secure 3) + +If the zone does not show all of the DNSSEC record types, this is a finding. 
+ + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the zone's RRs in the right window pane. + +Review the DNSKEY encryption in the Data column. example: [DNSKEY][RsaSha1][31021] + +Confirm the encryption algorithm specified in the DNSKEY's Data is at RsaSha1, at a minimum. + +If the specified encryption algorithm is not RsaSha1 or stronger, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +For each zone, review the records. + +If any RRs (Resource Records) on an internal DNS server resolve to IP addresses located outside the internal DNS server's network, this is a finding. + +If any RRs (Resource Records) on an external DNS server resolve to IP addresses located inside the network, this is a finding. + + + False + False + + Consult with the System Administrator to review the external Windows 2008 DNS Server's HBSS firewall policy. + +The inbound TCP and UDP ports 53 rule should be configured to only restrict IP addresses from the internal network. + +If the HBSS firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall. 
+ +If neither the DNS server's HBSS firewall policy nor the network firewall is configured to block internal hosts from querying the external DNS server, this is a finding. + + + False + False + + Consult with the System Administrator to review the internal Windows 2008 DNS Server's HBSS firewall policy. + +The inbound TCP and UDP ports 53 rule should be configured to only allow hosts from the internal network to query the internal DNS server. + +If the HBSS firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall. + +If neither the DNS server's HBSS firewall policy nor the network firewall is configured to block external hosts from querying the internal DNS server, this is a finding. + + + False + False + + Verify whether the authoritative primary name server is AD-integrated. + +Verify whether all secondary name servers for every zone for which the primary name server is authoritative are all AD-integrated in the same Active Directory. + +If the authoritative primary name server is AD-integrated and all secondary name servers also part of the same AD, this check is not a finding since AD handles the replication of DNS data. + +If one or more of the secondary name servers are non-AD integrated, verify the primary name server is configured to only send zone transfers to a specific list of secondary name servers. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Right-click the zone and select “Properties”. + +Select the “Zone Transfers” tab. + +If the "Allow zone transfers:" check box is not selected, this is not a finding. 
+ +If the "Allow zone transfers:" check box is selected, verify either "Only to servers listed on the Name Server tab" or "Only to the following servers" is selected. + +If the "To any server" option is selected, this is a finding. + + + False + False + + In an Active Directory-integrated DNS implementation, this is not a finding by virtue of being compliant with the Windows 2008 AD STIG since DNS data within an AD-integrated zone is kept within the Active Directory. + +For a file-back Windows DNS implementation, log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select each zone. + +Right-click each zone and select “Properties”. + +Select the “Security” tab. + +Review the permissions applied to the zone. No group or user should have greater than READ privileges other than the DNS Admins and the System service account under which the DNS Server Service is running. + +If any other account/group has greater than READ privileges, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, review each zone. + +Consult with the DNS Admin to determine if any of the zones also have hostnames needing to be resolved from the external network. + +If the zone is split between internal and external networks, verify separate DNS servers have been implemented for each network. + +If internal and external DNS servers have not been implemented for zones which require resolution from both the internal and external networks, this is a finding. 
+ + + False + False + + Consult with the network IAVM scanner to confirm all Microsoft Operating System IAVMs applicable to Windows 2008/2008 R2 have been applied to the DNS server. + +If the Windows Operating System has not been patched to handle all IAVMs, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Expand the Forward Lookup Zones folder. + +Expand each zone folder and examine the host record entries. The third column titled “Data” will display the IP. + +Verify this column does not contain any IP addresses that begin with the prefixes "FE8", "FE9", "FEA", or "FEB". + +If any non-routable IPv6 link-local scope addresses are in any zone, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, select each zone and examine the host record entries. The third column titled “Data” will display the IP. + +Verify if any contain both IPv4 and IPv6 addresses. + +If any hostnames contain both IPv4 and IPv6 addresses, confirm with the SA that the actual hosts are IPv6-aware. + +If any zone contains hosts with both IPv4 and IPv6 addresses but are determined to be non-IPv6-aware, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Locate the “Network Internet Access” icon, right-click on it and select "Open Network & Sharing Center". + +Click on "Change adapter settings". + +Right-click on the Ethernet and click “Properties”. 
+ +If the display shows Microsoft TCP/IP version 6 with a check, but the DNS server is not hosting any AAAA records, this is a finding. + + + False + False + + By default, the Windows 2012 DNS Server listens on TCP and UDP ports 53. Also by default, Windows 2012 DNS Server sends from random, high-numbered source ports 49152 and above. + +To confirm the listening ports, log onto Windows 2012 DNS Server as an Administrator. + +Open a command window with the Run-as Administrator option. + +In the command window, type the following command: + +netstat -a -b |more <enter> + +The result is a list of all services running on the server, with the respective TCP and UDP ports upon which the services are listening. + +Find Windows 2012 DNS Server service and verify the State is "LISTENING" and the port(s) are TCP 53 and UDP 53. + +If the server is listening on UDP and TCP port 53, this is not a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Authentication of dynamic updates is accomplished in Windows Server 2012 DNS by configuring the zones to only accept secure dynamic updates. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Once selected, right-click the name of the zone, and from the displayed context menu, go to Properties. + +On the opened domain's properties box, click the General tab. + +Verify the Type: is Active Directory-Integrated. + +Verify the Dynamic updates has "Secure only" or "none" selected. + +If the zone is Active Directory-Integrated and the Dynamic updates are not configured for either "Secure only" or "none", this is a finding. 
+ + + + False + False + + Note: This requirement applies to any Windows 2008 DNS Server which host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too. + +If the Windows 2008 DNS Servers only host AD-integrated zones, this requirement is not applicable. + +Log on to the DNS server which hosts non-AD-integrated zones using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute gpme.msc to open the Group Policy Management feature. + +In the “Browse for Group Policy Object” dialog box, double-click “Domain Controllers.domain.com”. + +Click “Default Domain Controllers Policy” and click “OK”. + +In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. + +Click “Connection Security Rules”. + +Confirm at least one rule is configured for TCP 53. + +Double-click on each Rule to verify the following: + +On the “Authentication” tab, "Authentication mode:" is set to "Request authentication for inbound and outbound connections". + +Confirm the "Signing Algorithm" is set to "RSA (default)". + +On the “Remote Computers” tab, Endpoint1 and Endpoint2 are configured with the IP addresses of all DNS servers. + +On the “Protocols and Ports” tab, "Protocol type:" is set to either TCP (depending upon which rule is being reviewed) and the "Endpoint 1 port:" is set to "Specific ports" and "53". + +If there are not rules(s) configured with the specified requirements, this is a finding. + + + False + False + + Authenticity of zone transfers within Windows AD integrated zones is accomplished by AD replication. + +For zones which are completely AD-integrated, this check is not a finding. + +For authenticity of zone transfers between non-AD-integrated zones, DNSSEC must be implemented. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. 
+Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, indicating the zone has been signed with DNSSEC, this is a finding. + + + + False + False + + If the DNS server only hosts AD-integrated zones and there are not any non-AD-integrated DNS servers acting as secondary DNS servers for the zones, this check is not applicable. + +For a non-AD-integrated DNS server: + +Log on to the DNS server using an Administrator account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select, and then right-click the zone name. + +From the displayed context menu, click the “Properties” option. 
+ +On the opened zone's properties box, go to the “Zone Transfers” tab. + +On the displayed interface, verify if the "Allow zone transfers" check box is selected. + +If the "Allow zone transfers" check box is not selected, this is not a finding. + +If the "Allow zone transfers" check box is selected, verify that either the "Only to servers listed on the Name Servers tab" radio button is selected or the "Only to the following servers" radio button is selected. + +If the "To any server" radio button is selected, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Access Services on the Windows DNS Server and locate the DNS Server Service. + +Determine the account under which the DNS Server Service is running. + +Access Windows Explorer. + +Navigate to the following location: + +%ALLUSERSPROFILE%\Microsoft\Crypto + +Right-click on each sub-folder, choose “Properties”, click on the “Security” tab, and click on the “Advanced” button. + +Verify the Owner on the folder, sub-folders, and files are the account under which the DNS Server Service is running. + +If any other user or group is listed as OWNER of the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders, and files, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +For Active Directory-integrated zones, private zone signing keys replicate automatically to all primary DNS servers through Active Directory replication. Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the Active Directory database file, the signed copy of the zone remains in memory for Active Directory-integrated zones. A DNSSEC-signed zone is only committed to disk for file-backed zones. 
Secondary DNS servers pull a full copy of the zone, including signatures, from the primary DNS server. + +If all DNS servers are AD integrated, this check is not applicable. + +If a DNS server is not AD integrated and has file-backed zones, does not accept dynamic updates and has a copy of the private key corresponding to the ZSK, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +In Windows 2012, the NSEC3 salt values are automatically changed when the zone is resigned. + +To validate: +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS Server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the zone's RRs in the right window pane. + +Determine the RRSIG NSEC3PARAM's Inception (in the Data column). Compare the Inception to the RRSIG DNSKEY Inception. The date and time should be the same. + +If the NSEC3PARAM's Inception date and time is different than the DNSKEY Inception Date and Time, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Authenticity of query responses is provided with DNSSEC signing of zones. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. 
+ +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by Windows 2012 DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Locate the “Network Internet Access” icon, right-click on it and select "Open Network & Sharing Center". + +Click on "Change adapter settings". + +Right-click on the Ethernet and click “Properties”. + +Select Internet Protocol Version 4 (TCP/IPv4) and click “Properties”. + +Verify the “Use the following IP address” is selected, with an IP address, subnet mask, and default gateway assigned. + +If the “Use the following IP address” is not selected with a configured IP address, subnet mask, and default gateway, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. 
+ +By default, when DNS servers are configured with DNSSEC signed zones, they will automatically respond to query requests, providing validating data in the response, whenever the query requests that validation. Since this takes place inherently when the zone is signed with DNSSEC, the requirement is satisfied by ensuring zones are signed. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. 
+Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, right-click each zone, and then click “Properties”. + +In the “Properties” dialog box for the zone, click the “WINS” tab. + +Verify the "Use WINS forward lookup" check box is not selected. + +If the "Use WINS forward lookup" check box is selected, this is a finding. 
+ + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. 
+Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the records for the zone and ensure the complete RRSet of records are present: RRSIG, NSEC3, DNSKEY, indicating DNSSEC compliance. + +If the RRSet of records are not in the zone, this is a finding. 
+ + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +The Name Resolution Policy Table (NRPT) is configured in, and deployed to clients from, Group Policy and will be pushed to all clients in the domain. The Active Directory zones will be signed and the clients, with NRPT, will require a validation of signed data when querying. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +At the Windows PowerShell prompt, type the following command: + +get-dnsclientnrptpolicy <enter> + +In the results, verify the "DnsSecValidationRequired" is True. + +If there are no results to the get-dnsclientnrptpolicy cmdlet or the "DnsSecValidationRequired" is not True, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: + +PS C:\> Get-DnsServerResourceRecord -ZoneName adatum.com -RRType DS + +Replace adatum.com with the parent zone on the DNS server being evaluated. + +HostName RecordType Timestamp TimeToLive RecordData +-------- ---------- --------- ---------- ---------- +corp DS 0 01:00:00 [58555][Sha1][RsaSha1NSec3] +corp DS 0 01:00:00 [58555][Sha256][RsaSha1NSec3] +corp DS 0 01:00:00 [63513][Sha1][RsaSha1NSec3] +corp DS 0 01:00:00 [63513][Sha256][RsaSha1NSec3] + +If the results do not show the DS records for child domain(s), this is a finding. 
+ +In the previous example, DS records for the child zone, corp.adatum.com, were imported into the parent zone, adatum.com, by using the DSSET file that is located in the c:\windows\system32\dns directory. The DSSET file was located in this directory because the local DNS server is the Key Master for the child zone. + +If the Key Master DNS server for a child zone is not the same computer as the primary authoritative DNS server for the parent zone where the DS record is being added, the DSSET file must be obtained for the child zone and made available to the primary authoritative server for the parent zone. Alternatively, the DS records can be added manually. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log onto each of the validating Windows 2012 DNS Servers. + +In the DNS Manager console tree, navigate to each hosted zone under the Trust Points folder. + +Two DNSKEY trust points should be displayed, one for the active key and one for the standby key. + +If each validating Windows 2012 DNS Servers does not reflect the DNSKEY trust points for each of the hosted zone(s), this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. + +Once the Server Manager window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the SERVERS section, right-click the DNS server. + +From the context menu that appears, click DNS Manager. 
+ +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones. + +From the expanded list, click to select and then right-click the zone name. + +From the displayed context menu, click DNSSEC>>Properties. + +Click the KSK tab. + +For each KSK that is listed under Key signing keys (KSKs), click the KSK, click Edit, and in the Key Rollover section verify the "Enable automatic rollover" check box is selected. + +If the "Enable automatic rollover" check box is not selected for every KSK listed, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from either a Windows 8 client or a Windows 2008 or higher server, authenticated as a Domain Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows 8/Windows 2008 or higher client. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + NOTE: This requirement applies to any Windows 2012 DNS Servers which host non-AD-integrated zones (file based) even if the DNS servers host AD-integrated zones, too. + +If the Windows 2012 DNS Servers only host AD-integrated zones, this requirement is not applicable. + +To protect authenticity of zone transfers between Windows 2012 DNS Servers with file based zones, IPsec must be configured on each pair of name servers in a zone transfer transaction for those zones. + +Log on to the DNS server which hosts non-AD-integrated, file based zones, using the Administrator, Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute gpme.msc to open the Group Policy Management feature. + +In the Browse for Group Policy Object dialog box, double-click Domain Controllers.domain.com. + +Click Default Domain Controllers Policy and click OK. + +In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. + +Click Connection Security Rules. + +Consult with the SA to determine which Rules meet the intent of the server-to-server authentication. + +If Rules exist, double-click on each Rule to verify the following: + +For the "Authentication:" tab, click on the "Customize..." button. 
+ +On the Authentication tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections". + +Confirm the "Signing Algorithm" is set to "RSA (default)". + +Under "Method", ensure the "Advanced:" radio button is selected. + +Click on the "Customize" button. + +For "First authentication methods:", double-click on the entry. + +Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected. + +Review the certificate specified and verify the certificate used was generated by the internally-managed server performing the Active Directory Certificate Services (AD CS) role. + +If rules do not exist for server-to-server authentication, this is a finding. + +If rules exist for this server to authenticate to other name servers hosting the same file based zones when transacting zone transfers, but the rules are not configured with the above settings, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Once resource records are received by a DNS server via a secure dynamic update, the resource records will automatically become signed by DNSSEC as long as the zone was originally signed by DNSSEC. Authenticity of query responses for resource records dynamically updated can be validated by querying for whether the zone/record is signed by DNSSEC. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. 
Replace 131.77.60.235 with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an Expirations, date signed, signer and signature, similar to the following: + +Name : www.zonename.mil +QueryType : RRSIG +TTL : 189 +Section : Answer +TypeCovered : CNAME +Algorithm : 8 +LabelCount : 3 +OriginalTtl : 300 +Expiration : 11/21/2014 10:22:28 PM +Signed : 10/22/2014 10:22:28 PM +Signer : zonename.mil +Signature : {87, 232, 34, 134...} + +Name : origin-www.zonename.mil +QueryType : A +TTL : 201 +Section : Answer +IP4Address : 156.112.108.76 + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Authenticity of query responses is provided with DNSSEC signing of zones. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + +Fix Text: Sign, or re-sign, the hosted zone(s) on the DNS server being validated. + +In the DNS Manager console tree on the DNS server being validated, navigate to Forward Lookup Zones. + +Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click Sign the Zone, either using saved parameters or custom parameters. + + + + False + False + + NOTE: This requirement applies to any Windows 2012 DNS Servers which host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too. + +If the Windows 2012 DNS Servers only host AD-integrated zones, this requirement is not applicable. + +Log on to the DNS server which hosts non-AD-integrated zones using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute gpme.msc to open the Group Policy Management feature. + +In the Browse for Group Policy Object dialog box, double-click Domain Controllers.domain.com. + +Click Default Domain Controllers Policy and click OK. + +In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. + +Click Connection Security Rules. + +Consult with the SA to determine which Rules meet the intent of DNSSEC server-to-server authentication. 
+ +Double-click on each Rule to verify the following: +For the "Authentication:" tab, click on the "Customize..." button. + +On the Authentication tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections". + +Confirm the "Signing Algorithm" is set to "RSA (default)". + +Under "Method", ensure the "Advanced:" radio button is selected. Click on the "Customize" button. + +For "First authentication methods:", double-click on the entry. + +Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected. + +Review the certificate specified and verify the certificate used was generated by the internally-managed server performing the Active Directory Certificate Services (AD CS) role. + +If the certificate used does not meet the requirements, this is a finding. + + + False + False + + To ensure the cryptographic keys are protected after being backed up to another medium (tape, disk, SAN, etc.), consult with the System Administrator to determine the backup policy in place for the DNS Server. + +Determine how and where backed up data is being stored. + +Verify the protection of the backup medium is secured to the same level, or higher, as the server itself. + +If a backup policy does not exist or the backup policy does not specify the protection required for backup medium to be at or above the same level as the server, this is a finding. + + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +In the list of hosts, review the Name Server (NS) records. Determine if any of the hosts listed as NS records are non-AD-integrated servers. 
+ +If the DNS server only hosts AD-integrated zones and there are not any non-AD-integrated DNS servers acting as secondary DNS servers for the zones, this check is not applicable. + +For a non-AD-integrated DNS server, right click on the Forward Lookup zone and select “Properties”. +On the opened zone's properties box, go to the “Zone Transfers” tab. + +On the displayed interface, verify if the "Allow zone transfers" check box is selected. + +If the "Allow zone transfers" check box is selected, click on the “Notify” button and verify “Automatically notify with Servers” is listed on the “Name Servers” tab is selected. + +If the “Notify” button is not enabled for non-AD-integrated DNS servers, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Consult with the System Administrator to determine the IP ranges for the environment. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +If not automatically started, initialize the “Server Manager” window by clicking its icon from the bottom left corner of the screen. + +Once the “Server Manager” window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the “SERVERS” section, right-click the DNS server. + +From the context menu that appears, click DNS Manager. + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones. + +From the expanded list, click to select and then right-click the zone name. + +Review the zone information and compare to the IP ranges for the environment. + +If any zone information is for a different IP range or domain, this is a finding. + + + False + False + + This functionality should be performed by the Host Based Security System (HBSS), mandatory on all DoD systems. + +Check to ensure McAfee HBSS is installed and fully operational on the Windows 2008 DNS Server. + +If all required HBSS products are not installed and/or the installed products are not enabled, this is a finding. 
+ + + False + False + + The "EnableVersionQuery" property controls what version information the DNS server will respond with when a DNS query with class set to “CHAOS” and type set to “TXT” is received. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Open a command window and execute the command: + +nslookup <enter> +Note: Confirm the Default Server is the DNS Server on which the command is being run. + +At the nslookup prompt, type: + +set type=TXT <enter> +set class=CHAOS <enter> +version.bind <enter> + +If the response returns something similar to text = "Microsoft DNS 6.1.7601 (1DB14556)", this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the zone's Resource Records (RR) and verify HINFO, RP, and LOC RRs are not used. If TXT RRs are used, they must not reveal any information about the organization which could be used for malicious purposes. + +If there are any HINFO, RP, LOC, or revealing TXT RRs in any zone hosted by the DNS Server, this is a finding. + + + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\DNS Server.evtx + Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: + +Administrators Auditors (if the site has an Auditors group that further limits this privilege.) + +Verify the permissions on the DNS logs. + +Standard user accounts or groups must not have greater than READ access. + +The default locations are: + +DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx + +Using the file explorer tool navigate to the DNS Server log file. + +Right click on the log file, select the “Security” tab. + +The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + + + + + SYSTEM + False + This folder subfolders and files + FullControl + + + + + Administrators + False + This folder subfolders and files + FullControl + + + True + False + False + + %ALLUSERSPROFILE%\Microsoft\Crypto\Keys + Access Windows Explorer. + +Navigate to the following location: + +%ALLUSERSPROFILE%\Microsoft\Crypto + +Verify the permissions on the keys folder, sub-folders, and files are limited to SYSTEM and Administrators FULL CONTROL. + +If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders and files, this is a finding. + + + + + SeSecurityPrivilege + Manage auditing and security log + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: + +Administrators Auditors (if the site has an Auditors group that further limits this privilege.) + +Verify the permissions on the DNS logs. + +Standard user accounts or groups must not have greater than READ access. + +The default locations are: + +DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx + +Using the file explorer tool navigate to the DNS Server log file. + +Right click on the log file, select the “Security” tab. + +The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + SeRemoteInteractiveLogonRight + Allow log on through Remote Desktop Services + True + Administrators + False + False + + If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: +Administrators + + + + SeDenyNetworkLogonRight + Deny access to this computer from the network + False + Guests + False + False + + If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: +Guests Group + + + + SeDenyInteractiveLogonRight + Deny log on locally + False + Guests + False + False + + If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: +Guests Group + + + + + + True + False + Microsoft-Windows-DnsServer/Analytical + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. 
+ +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. + +Use the Get-DnsServerDiagnostics cmdlet to view the status of individual diagnostic events. + +All diagnostic events should be set to "True". + +If all diagnostic events are not set to "True", this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + +
diff --git a/src/StigData/Windows-2012R2-DNS-1.9.xml b/src/StigData/Windows-2012R2-DNS-1.9.xml
new file mode 100644
index 000000000..97596a937
--- /dev/null
+++ b/src/StigData/Windows-2012R2-DNS-1.9.xml
@@ -0,0 +1,2445 @@ + + + + $null + $null + False + False + + Note: If the Windows DNS server is in the classified network, this check is Not Applicable. + +Log on to the authoritative DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select “Properties”. + +Select the "Root Hints" tab. + +Verify the "Root Hints" is either empty or only has entries for internal zones under "Name servers:". All Internet root server entries must be removed. + +If "Root Hints" is not empty and the entries on the "Root Hints" tab under "Name servers:" are external to the local network, this is a finding. + + + + + + False + False + + EventLogLevel + 4 + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select “Properties”. + +Click on the “Event Logging” tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + + + False + False + + NoRecursion + $True + Note: If the Windows DNS server is in the classified network, this check is Not Applicable. + +Note: In Windows 2008 DNS Server, if forwarders are configured, the recursion setting must also be enabled since disabling recursion will disable forwarders. + +If forwarders are not used, recursion must be disabled. + +In both cases, the use of root hints must be disabled. The root hints configuration requirement is addressed in WDNS-CM-000004. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”. + +Click on the “Forwarders” tab. + +If forwarders are enabled and configured, this check is not applicable. 
+ +If forwarders are not enabled, click on the “Advanced” tab and ensure the "Disable recursion (also disables forwarders)" check box is selected. + +If forwarders are not enabled and configured, and the "Disable recursion (also disables forwarders)" check box in the “Advanced” tab is not selected, this is a finding. + + + + + + False + False + + Windows 2012 DNS servers, hosting Active Directory integrated zones, transfer zone information via AD replication. Windows 2012 DNS servers hosting non-AD-integrated zones as a secondary name server and/or are not hosting AD-integrated zones use zone transfer to sync zone data. + +If the Windows 2012 DNS server only hosts AD-integrated zones and all other name servers for the zones hosted are Active Directory Domain Controllers, this requirement is not applicable. + +If the Windows 2012 DNS server is not an Active Directory Domain Controller, or is a secondary name server for a zone with a non-AD-integrated name server as the master, this requirement is applicable. + +Administrator notification is only possible if a third-party event monitoring system is configured or, at a minimum, there are documented procedures requiring the administrator to review the DNS logs on a routine, daily basis. + +If a third-party event monitoring system is not configured, or a document procedure is not in place requiring the administrator to review the DNS logs on a routine, daily basis, this is a finding. + + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select “Properties”. + +Click on the “Event Logging” tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. 
+ +Press Windows Key + R, execute dnsmgmt.msc. + +From the right pane, under the SERVERS section, right-click the DNS server. + +From the displayed context menu, click the DNS Manager option. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. 
+ +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. 
+ +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". 
+ +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + False + False + + Note: If the Windows DNS server is in the classified network, this check is Not Applicable. + +Note: In Windows 2008 DNS Server, if forwarders are configured, the recursion setting must also be enabled since disabling recursion will disable forwarders. + +If forwarders are not used, recursion must be disabled. In both cases, the use of root hints must be disabled. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, right-click on the server name for the DNS server and select “Properties”. + +Click on the “Forwarders” tab. + +If forwarders are not being used, this is not applicable. + +Review the IP address(es) for the forwarder(s) use. + +If the DNS Server does not forward to another DoD-managed DNS server or to the DoD Enterprise Recursive Services (ERS), this is a finding. + +If the "Use root hints if no forwarders are available" is selected, this is a finding. + + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Confirm with the DNS administrator that the hosts defined in the zone files do not resolve to hosts in another zone with its fully qualified domain name. + +The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. 
In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated. Additional exceptions are CNAME records in a multi-domain Active Directory environment pointing to hosts in other internal domains in the same multi-domain environment. + +If resource records are maintained that resolve to a fully qualified domain name in another zone, and the usage is not for resource records resolving to hosts that are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms with a documented and approved mission need, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the RRs to confirm that there are no CNAME records older than 6 months. + +The exceptions are glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms. In the case of third-party CDNs or cloud offerings, an approved mission need must be demonstrated (AO approval of use of a commercial cloud offering would satisfy this requirement). Additional exceptions are CNAME records in a multi-domain Active Directory environment pointing to hosts in other internal domains in the same multi-domain environment. 
+ +If there are zone-spanning CNAME records older than 6 months and the CNAME records resolve to anything other than fully qualified domain names for glue records supporting zone delegations, CNAME records supporting a system migration, or CNAME records that point to third-party Content Delivery Networks (CDN) or cloud computing platforms with an AO-approved and documented mission need, this is a finding. + + + False + False + + Access Windows Explorer. + +Navigate to the following location: +%ALLUSERSPROFILE%\Microsoft\Crypto + +Verify the permissions on the folder, sub-folders and files are limited to “SYSTEM” and Administrators for “FULL CONTROL”. + +If any other user or group has greater than Read/Execute and List Folder contents permissions to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders and files, this is a finding. + + + + False + False + + Consult with the SA to determine if there is a third-party CRL server being used for certificate revocation lookup. + +If there is, verify if a documented procedure is in place to store a copy of the CRL locally (local to the site, as an alternative to querying the actual Certificate Authorities). An example would be an OCSP responder installed at the local site. + +If there is no local cache of revocation data, this is a finding. + + + False + False + + This requirement is not applicable for a Windows 2008 DNS Server which is only hosting AD-integrated zones. + +For a Windows 2008 DNS Server which hosts a mix of AD-integrated zones and manually maintained zones, ask the DNS database administrator if they maintain a separate database with record documentation for the non-AD-integrated zone information. The reviewer should check that the record's last verified date is less than one year prior to the date of the review. + +If a separate database with record documentation is not maintained for the non-AD-integrated zone information, this is a finding. 
+ +If a separate database with record documentation is maintained for the non-AD-integrated zone information, log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the zone records of the non-AD-integrated zones and compare to the separate documentation maintained. + +Determine if any records have not been validated in over a year. + +If zone records exist which have not been validated in over a year, this is a finding. + + + False + False + + Active Directory integrated DNS servers will handle the promotion of a secondary DNS server whenever a primary DNS server loses functionality. + +If all of the DNS servers are AD-integrated, this is not a finding. + +Consult with the System Administrator to determine if there are documented procedures for re-roling a non-AD-integrated secondary name server to a master name server role in the event a master name server loses functionality. + +If there is not any documented procedures for re-roling a non-AD-integrated secondary name server to primary in the event a master name server loses functionality, this is a finding. + + + False + False + + Notification to system administrator is not configurable in Windows 2008. In order for system administrators to be notified when a component fails, the system administrator would need to implement a third-party monitoring system. At a minimum, the system administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. 
+ +If a third-party monitoring system is not in place to detect and notify the system administrator upon component failures and the system administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding. + + + False + False + + Notification to system administrator is not configurable in Windows 2012. In order for administrator to be notified if functionality of DNSSEC/TSIG has been removed or broken, the ISSO/ISSM/DNS administrator would need to implement a third-party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. + +If a third-party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of DNSSEC/TSIG has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Notification to system administrator is not configurable in Windows 2008. In order for ISSO/ISSM/DNS administrator to be notified if functionality of Secure Updates has been removed or broken, the ISSO/ISSM/DNS administrator would need to implement a third party monitoring system. At a minimum, the ISSO/ISSM/DNS administrator should have a documented procedure in place to review the diagnostic logs on a routine basis every day. 
+ +If a third party monitoring system is not in place to detect and notify the ISSO/ISSM/DNS administrator if functionality of Secure Updates has been removed or broken and the ISSO/ISSM/DNS administrator does not have a documented procedure in place to review the diagnostic logs on a routine basis every day, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +Right-click the DNS server, select Properties. + +Click on the Event Logging tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run eventvwr.msc at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click Analytical and then click on Properties. + +Confirm the "Enable logging" check box is selected. + +If the check box to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Once selected, right-click the name of the zone. + +From the displayed context menu, click the “Properties” option. + +On the opened domain's properties box, click the “General” tab. + +Verify the Type: is Active Directory-Integrated. + +Verify the Dynamic updates has "Secure only" selected. 
+ +If the zone is Active Directory-Integrated and the Dynamic updates are not configured for "Secure only", this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. + +Use the “Get-DnsServerDiagnostics” cmdlet to view the status of individual diagnostic events. + +Verify following diagnostic events are set to "True": +Queries, Answers, Notifications, Update, QuestionTransactions, UnmatcheResponse, SendPackets, ReceivePackets, TcpPackets, UdpPackets, FullPackets, UseSystemEventLog +Also set to “True” should be: +EnableLoggingForLocalLookupEvent +EnableLoggingForPluginDLLEvent +EnableLoggingForRecursiveLookupEvent +EnableLoggingForRemoteServerEvent +EnableLoggingForRemoteServerEvent +EnableLoggingForServerStartStopEvent +EnableLoggingForTombstoneEvent +EnableLoggingForZoneDataWriteEvent +EnableLoggingForZoneLoadingEvent + +If all required diagnostic events are not set to "True", this is a finding. + + + + False + False + + Note: This requirement applies to any Windows DNS Server which host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too. If the Windows DNS Server only hosts AD-integrated zones and does not host any file-based zones, this is not applicable. +Validate this check from the Windows 2012 DNS server being configured/reviewed. + +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) 
+ +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Consult with the System Administrator to determine the backup policy in place for Windows 2008 DNS Server. + +Review the backup methods used and determine if the backup's methods have been successful at backing up the audit records at least every seven days. + +If the organization does not have a backup policy in place for backing up the Windows 2008 DNS Server's audit records and/or the backup methods have not been successful at backing up the audit records at least every seven days, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +View the validity period for the DS Resource Record. 
+ +If the validity period for the DS Resource Record for the child domain is less than two days (48 hours) or more than one week (168 hours), this is a finding. + + + False + False + + Windows 2008 DNS Servers that are Active Directory integrated must be located where required to meet the Active Directory services. + +If all of the Windows 2008 DNS Servers are AD integrated, this check is Not Applicable. + +If any or all of the Windows 2008 DNS Servers are standalone and non-AD-integrated, verify with the System Administrator their geographic location. + +If any or all of the authoritative name servers are located in the same building as the master authoritative name server, and the master authoritative name server is not "hidden", this is a finding. + + + False + False + + Verify the Windows 2008 DNS Server will only accept TCP and UDP port 53 traffic from specific IP addresses/ranges. + +This can be configured via a local or network firewall. + +If the caching name server is not restricted to answering queries from only specific networks, this is a finding. + + + False + False + + Note: Blackhole name servers host records which are manually added and for which the name server is not authoritative. It is configured and intended to block resolvers from getting to a destination by directing the query to a blackhole. If the blackhole name server is not authoritative for any zones and otherwise only serves as a caching/forwarding name server, this check is Not Applicable. + +The non-AD-integrated, standalone, caching Windows 2012 DNS Server must be configured to be DNSSEC-aware. When performing caching and lookups, the caching name server must be able to obtain a zone signing key DNSKEY record and corresponding RRSIG record for the queried record. It will use this information to compute the hash for the hostname being resolved. The caching name server decrypts the RRSIG record for the hostname being resolved with the zone's ZSK to get the RRSIG record hash. 
The caching name server compares the hashes and ensures they match. + +If the non-AD-integrated, standalone, caching Windows 2012 DNS Server is not configured to be DNSSEC-aware, this is a finding. + + + + False + False + + Note: This requirement applies to any Windows DNS Server which host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too. If the Windows DNS Server only hosts AD-integrated zones and does not host any file-based zones, this is not applicable. +Validate this check from the Windows 2012 DNS server being configured/reviewed. + +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +Note: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. 
+ + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the account designated as Administrator or DNS Administrator. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Right-click the zone and select DNSSEC, Properties. + +Select the KSK Tab. + +Verify the "DNSKEY signature validity period (hours):” is set to at least 48 hours and no more than 168 hours. + +Select the ZSK Tab. +Verify the "DNSKEY signature validity period (hours):" is set to at least 48 hours and no more than 168 hours. + +If either the KSK or ZSK Tab "DNSKEY signature validity period (hours):" values are set to less than 48 hours or more than 168 hours, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. + +Type the following command: + +PS C:\> Get-DnsServerResourceRecord -ZoneName example.com <enter> + +Where example.com is replaced with the zone hosted on the DNS Server. + +All of the zone's resource records will be returned, among which should be the NSEC3 RRs, as depicted below. + +If NSEC3 RRs are not returned for the zone, this is a finding. + +2vf77rkf63hrgismnuvnb8... NSEC3 0 01:00:00 [RsaSha1][False][50][F2738D980008F73C] +7ceje475rse25gppr3vphs... 
NSEC3 0 01:00:00 [RsaSha1][False][50][F2738D980008F73C] + + + False + False + + NOTE: This check is Not Applicable if Windows DNS server is only serving as a caching server and does not host any zones authoritatively. +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press “Windows Key + R”, execute “dnsmgmt.msc”. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the NS records for the zone. + +Verify each of the name servers, represented by the NS records, is active. + +At a command prompt on any system, type: + +nslookup <enter>; + +At the nslookup prompt, type: + +server=###.###.###.### <enter>; +(where the ###.###.###.### is replaced by the IP of each NS record) + +Enter a FQDN for a known host record in the zone. + +If the NS server does not respond at all or responds with a non-authoritative answer, this is a finding. + + + + False + False + + Windows 2008 DNS Servers that are Active Directory-integrated must be located where required to meet the Active Directory services. + +If all of the Windows 2008 DNS Servers are AD-integrated, this check is not applicable. + +If any or all of the Windows 2008 DNS Servers are stand-alone and non-AD-integrated, verify with the System Administrator their geographic dispersal. + +If all of the authoritative name servers are located on the same network segment, and the master authoritative name server is not "hidden", this is a finding. + + + False + False + + Note: Due to the manner in which Active Directory replication increments SOA records for zones when transferring zone information via AD replication, this check is not applicable for AD-integrated zones. + +Log on to the DNS server hosting a non-AD-integrated zone using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. 
+ +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the SOA information for the zone and obtain the Serial Number. + +Access each secondary name server for the same zone and review the SOA information. + +Verify the Serial Number is the same on all authoritative name servers. + +If the Serial Number is not the same on one or more authoritative name servers, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select each zone. + +Review the RRs for each zone and verify all of the DNSEC record types are included for the zone. + +NOTE: The DS (Delegation Signer)record should also exist but the requirement for it is validated under WDNS-SC-000011. + +RRSIG (Resource Read Signature) +DNSKEY (Public Key) +NSEC3 (Next Secure 3) + +If the zone does not show all of the DNSSEC record types, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the zone's RRs in the right window pane. 
+ +Review the DNSKEY encryption in the Data column. example: [DNSKEY][RsaSha1][31021] + +Confirm the encryption algorithm specified in the DNSKEY's Data is at RsaSha1, at a minimum. + +If the specified encryption algorithm is not RsaSha1 or stronger, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +For each zone, review the records. + +If any RRs (Resource Records) on an internal DNS server resolve to IP addresses located outside the internal DNS server's network, this is a finding. + +If any RRs (Resource Records) on an external DNS server resolve to IP addresses located inside the network, this is a finding. + + + False + False + + Consult with the System Administrator to review the external Windows 2008 DNS Server's HBSS firewall policy. + +The inbound TCP and UDP ports 53 rule should be configured to only restrict IP addresses from the internal network. + +If the HBSS firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall. + +If neither the DNS server's HBSS firewall policy nor the network firewall is configured to block internal hosts from querying the external DNS server, this is a finding. + + + False + False + + Consult with the System Administrator to review the internal Windows 2008 DNS Server's HBSS firewall policy. + +The inbound TCP and UDP ports 53 rule should be configured to only allow hosts from the internal network to query the internal DNS server. + +If the HBSS firewall policy is not configured with the restriction, consult with the network firewall administrator to confirm the restriction on the network firewall. 
+ +If neither the DNS server's HBSS firewall policy nor the network firewall is configured to block external hosts from querying the internal DNS server, this is a finding. + + + False + False + + Verify whether the authoritative primary name server is AD-integrated. + +Verify whether all secondary name servers for every zone for which the primary name server is authoritative are all AD-integrated in the same Active Directory. + +If the authoritative primary name server is AD-integrated and all secondary name servers also part of the same AD, this check is not a finding since AD handles the replication of DNS data. + +If one or more of the secondary name servers are non-AD integrated, verify the primary name server is configured to only send zone transfers to a specific list of secondary name servers. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Right-click the zone and select “Properties”. + +Select the “Zone Transfers” tab. + +If the "Allow zone transfers:" check box is not selected, this is not a finding. + +If the "Allow zone transfers:" check box is selected, verify either "Only to servers listed on the Name Server tab" or "Only to the following servers" is selected. + +If the "To any server" option is selected, this is a finding. + + + False + False + + In an Active Directory-integrated DNS implementation, this is not a finding by virtue of being compliant with the Windows 2008 AD STIG since DNS data within an AD-integrated zone is kept within the Active Directory. + +For a file-back Windows DNS implementation, log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. 
+ +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select each zone. + +Right-click each zone and select “Properties”. + +Select the “Security” tab. + +Review the permissions applied to the zone. No group or user should have greater than READ privileges other than the DNS Admins and the System service account under which the DNS Server Service is running. + +If any other account/group has greater than READ privileges, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, review each zone. + +Consult with the DNS Admin to determine if any of the zones also have hostnames needing to be resolved from the external network. + +If the zone is split between internal and external networks, verify separate DNS servers have been implemented for each network. + +If internal and external DNS servers have not been implemented for zones which require resolution from both the internal and external networks, this is a finding. + + + False + False + + Consult with the network IAVM scanner to confirm all Microsoft Operating System IAVMs applicable to Windows 2008/2008 R2 have been applied to the DNS server. + +If the Windows Operating System has not been patched to handle all IAVMs, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Expand the Forward Lookup Zones folder. 
+ +Expand each zone folder and examine the host record entries. The third column titled “Data” will display the IP. + +Verify this column does not contain any IP addresses that begin with the prefixes "FE8", "FE9", "FEA", or "FEB". + +If any non-routable IPv6 link-local scope addresses are in any zone, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, select each zone and examine the host record entries. The third column titled “Data” will display the IP. + +Verify if any contain both IPv4 and IPv6 addresses. + +If any hostnames contain both IPv4 and IPv6 addresses, confirm with the SA that the actual hosts are IPv6-aware. + +If any zone contains hosts with both IPv4 and IPv6 addresses but are determined to be non-IPv6-aware, this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Locate the “Network Internet Access” icon, right-click on it and select "Open Network & Sharing Center". + +Click on "Change adapter settings". + +Right-click on the Ethernet and click “Properties”. + +If the display shows Microsoft TCP/IP version 6 with a check, but the DNS server is not hosting any AAAA records, this is a finding. + + + False + False + + By default, the Windows 2012 DNS Server listens on TCP and UDP ports 53. Also by default, Windows 2012 DNS Server sends from random, high-numbered source ports 49152 and above. + +To confirm the listening ports, log onto Windows 2012 DNS Server as an Administrator. + +Open a command window with the Run-as Administrator option. 
+ +In the command window, type the following command: + +netstat -a -b |more <enter> + +The result is a list of all services running on the server, with the respective TCP and UDP ports upon which the services are listening. + +Find Windows 2012 DNS Server service and verify the State is "LISTENING" and the port(s) are TCP 53 and UDP 53. + +If the server is listening on UDP and TCP port 53, this is not a finding. + + + False + False + + Authentication of dynamic updates is accomplished in Windows Server 2012 DNS by configuring the zones to only accept secure dynamic updates. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Once selected, right-click the name of the zone, and from the displayed context menu, go to Properties. + +On the opened domain's properties box, click the General tab. + +Verify the Type: is Active Directory-Integrated. + +Verify the Dynamic updates has "Secure only" selected. + +If the zone is Active Directory-Integrated and the Dynamic updates are not configured for "Secure only", this is a finding. + + + False + False + + Note: This requirement applies to any Windows 2008 DNS Server which host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too. + +If the Windows 2008 DNS Servers only host AD-integrated zones, this requirement is not applicable. + +Log on to the DNS server which hosts non-AD-integrated zones using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute gpme.msc to open the Group Policy Management feature. + +In the “Browse for Group Policy Object” dialog box, double-click “Domain Controllers.domain.com”. + +Click “Default Domain Controllers Policy” and click “OK”. 
+ +In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. + +Click “Connection Security Rules”. + +Confirm at least one rule is configured for TCP 53. + +Double-click on each Rule to verify the following: + +On the “Authentication” tab, "Authentication mode:" is set to "Request authentication for inbound and outbound connections". + +Confirm the "Signing Algorithm" is set to "RSA (default)". + +On the “Remote Computers” tab, Endpoint1 and Endpoint2 are configured with the IP addresses of all DNS servers. + +On the “Protocols and Ports” tab, "Protocol type:" is set to either TCP (depending upon which rule is being reviewed) and the "Endpoint 1 port:" is set to "Specific ports" and "53". + +If there are not rules(s) configured with the specified requirements, this is a finding. + + + False + False + + Authenticity of zone transfers within Windows AD integrated zones is accomplished by AD replication. + +For zones which are completely AD-integrated, this check is not a finding. + +For authenticity of zone transfers between non-AD-integrated zones, DNSSEC must be implemented. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, indicating the zone has been signed with DNSSEC, this is a finding. + + + + False + False + + If the DNS server only hosts AD-integrated zones and there are not any non-AD-integrated DNS servers acting as secondary DNS servers for the zones, this check is not applicable. + +For a non-AD-integrated DNS server: + +Log on to the DNS server using an Administrator account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select, and then right-click the zone name. + +From the displayed context menu, click the “Properties” option. + +On the opened zone's properties box, go to the “Zone Transfers” tab. + +On the displayed interface, verify if the "Allow zone transfers" check box is selected. + +If the "Allow zone transfers" check box is not selected, this is not a finding. + +If the "Allow zone transfers" check box is selected, verify that either the "Only to servers listed on the Name Servers tab" radio button is selected or the "Only to the following servers" radio button is selected. + +If the "To any server" radio button is selected, this is a finding. 
+ + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Access Services on the Windows DNS Server and locate the DNS Server Service. + +Determine the account under which the DNS Server Service is running. + +Access Windows Explorer. + +Navigate to the following location: + +%ALLUSERSPROFILE%\Microsoft\Crypto + +Right-click on each sub-folder, choose “Properties”, click on the “Security” tab, and click on the “Advanced” button. 
+ +Verify the Owner on the folder, sub-folders, and files are the account under which the DNS Server Service is running. + +If any other user or group is listed as OWNER of the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders, and files, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +For Active Directory-integrated zones, private zone signing keys replicate automatically to all primary DNS servers through Active Directory replication. Each authoritative server signs its own copy of the zone when it receives the key. For optimal performance, and to prevent increasing the size of the Active Directory database file, the signed copy of the zone remains in memory for Active Directory-integrated zones. A DNSSEC-signed zone is only committed to disk for file-backed zones. Secondary DNS servers pull a full copy of the zone, including signatures, from the primary DNS server. + +If all DNS servers are AD integrated, this check is not applicable. + +If a DNS server is not AD integrated and has file-backed zones, does not accept dynamic updates and has a copy of the private key corresponding to the ZSK, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +In Windows 2012, the NSEC3 salt values are automatically changed when the zone is resigned. + +To validate: +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS Server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the zone's RRs in the right window pane. 
+ +Determine the RRSIG NSEC3PARAM's Inception (in the Data column). Compare the Inception to the RRSIG DNSKEY Inception. The date and time should be the same. + +If the NSEC3PARAM's Inception date and time is different than the DNSKEY Inception Date and Time, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Authenticity of query responses is provided with DNSSEC signing of zones. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by Windows 2012 DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. 
+ + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Locate the “Network Internet Access” icon, right-click on it and select "Open Network & Sharing Center". + +Click on "Change adapter settings". + +Right-click on the Ethernet and click “Properties”. + +Select Internet Protocol Version 4 (TCP/IPv4) and click “Properties”. + +Verify the “Use the following IP address” is selected, with an IP address, subnet mask, and default gateway assigned. + +If the “Use the following IP address” is not selected with a configured IP address, subnet mask, and default gateway, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +By default, when DNS servers are configured with DNSSEC signed zones, they will automatically respond to query requests, providing validating data in the response, whenever the query requests that validation. Since this takes place inherently when the zone is signed with DNSSEC, the requirement is satisfied by ensuring zones are signed. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, right-click each zone, and then click “Properties”. + +In the “Properties” dialog box for the zone, click the “WINS” tab. + +Verify the "Use WINS forward lookup" check box is not selected. + +If the "Use WINS forward lookup" check box is selected, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) 
+ +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the records for the zone and ensure the complete RRSet of records are present: RRSIG, NSEC3, DNSKEY, indicating DNSSEC compliance. + +If the RRSet of records are not in the zone, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +The Name Resolution Policy Table (NRPT) is configured in, and deployed to clients from, Group Policy and will be pushed to all clients in the domain. The Active Directory zones will be signed and the clients, with NRPT, will require a validation of signed data when querying. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. 
+ +At the Windows PowerShell prompt, type the following command: + +get-dnsclientnrptpolicy <enter> + +In the results, verify the "DnsSecValidationRequired" is True. + +If there are no results to the get-dnsclientnrptpolicy cmdlet or the "DnsSecValidationRequired" is not True, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: + +PS C:\> Get-DnsServerResourceRecord -ZoneName adatum.com -RRType DS + +Replace adatum.com with the parent zone on the DNS server being evaluated. + +HostName RecordType Timestamp TimeToLive RecordData +-------- ---------- --------- ---------- ---------- +corp DS 0 01:00:00 [58555][Sha1][RsaSha1NSec3] +corp DS 0 01:00:00 [58555][Sha256][RsaSha1NSec3] +corp DS 0 01:00:00 [63513][Sha1][RsaSha1NSec3] +corp DS 0 01:00:00 [63513][Sha256][RsaSha1NSec3] + +If the results do not show the DS records for child domain(s), this is a finding. + +In the previous example, DS records for the child zone, corp.adatum.com, were imported into the parent zone, adatum.com, by using the DSSET file that is located in the c:\windows\system32\dns directory. The DSSET file was located in this directory because the local DNS server is the Key Master for the child zone. + +If the Key Master DNS server for a child zone is not the same computer as the primary authoritative DNS server for the parent zone where the DS record is being added, the DSSET file must be obtained for the child zone and made available to the primary authoritative server for the parent zone. 
Alternatively, the DS records can be added manually. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log onto each of the validating Windows 2012 DNS Servers. + +In the DNS Manager console tree, navigate to each hosted zone under the Trust Points folder. + +Two DNSKEY trust points should be displayed, one for the active key and one for the standby key. + +If each validating Windows 2012 DNS Servers does not reflect the DNSKEY trust points for each of the hosted zone(s), this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +If not automatically started, initialize the Server Manager window by clicking its icon from the bottom left corner of the screen. + +Once the Server Manager window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the SERVERS section, right-click the DNS server. + +From the context menu that appears, click DNS Manager. + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones. + +From the expanded list, click to select and then right-click the zone name. + +From the displayed context menu, click DNSSEC>>Properties. + +Click the KSK tab. + +For each KSK that is listed under Key signing keys (KSKs), click the KSK, click Edit, and in the Key Rollover section verify the "Enable automatic rollover" check box is selected. + +If the "Enable automatic rollover" check box is not selected for every KSK listed, this is a finding. 
+ + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from either a Windows 8 client or a Windows 2008 or higher server, authenticated as a Domain Administrator. + +Determine a valid host in the zone. + +Open the Windows PowerShell prompt on the Windows 8/Windows 2008 or higher client. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. 
+Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) 
+ +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + NOTE: This requirement applies to any Windows 2012 DNS Servers which host non-AD-integrated zones (file based) even if the DNS servers host AD-integrated zones, too. + +If the Windows 2012 DNS Servers only host AD-integrated zones, this requirement is not applicable. + +To protect authenticity of zone transfers between Windows 2012 DNS Servers with file based zones, IPsec must be configured on each pair of name servers in a zone transfer transaction for those zones. + +Log on to the DNS server which hosts non-AD-integrated, file based zones, using the Administrator, Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute gpme.msc to open the Group Policy Management feature. + +In the Browse for Group Policy Object dialog box, double-click Domain Controllers.domain.com. + +Click Default Domain Controllers Policy and click OK. + +In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. + +Click Connection Security Rules. + +Consult with the SA to determine which Rules meet the intent of the server-to-server authentication. + +If Rules exist, double-click on each Rule to verify the following: + +For the "Authentication:" tab, click on the "Customize..." button. 
+ +On the Authentication tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections". + +Confirm the "Signing Algorithm" is set to "RSA (default)". + +Under "Method", ensure the "Advanced:" radio button is selected. + +Click on the "Customize" button. + +For "First authentication methods:", double-click on the entry. + +Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected. + +Review the certificate specified and verify the certificate used was generated by the internally-managed server performing the Active Directory Certificate Services (AD CS) role. + +If rules do not exist for server-to-server authentication, this is a finding. + +If rules exist for this server to authenticate to other name servers hosting the same file based zones when transacting zone transfers, but the rules are not configured with the above settings, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Once resource records are received by a DNS server via a secure dynamic update, the resource records will automatically become signed by DNSSEC as long as the zone was originally signed by DNSSEC. Authenticity of query responses for resource records dynamically updated can be validated by querying for whether the zone/record is signed by DNSSEC. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. 
Replace 131.77.60.235 with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. + +In addition, the results should show QueryType: RRSIG with an Expirations, date signed, signer and signature, similar to the following: + +Name : www.zonename.mil +QueryType : RRSIG +TTL : 189 +Section : Answer +TypeCovered : CNAME +Algorithm : 8 +LabelCount : 3 +OriginalTtl : 300 +Expiration : 11/21/2014 10:22:28 PM +Signed : 10/22/2014 10:22:28 PM +Signer : zonename.mil +Signature : {87, 232, 34, 134...} + +Name : origin-www.zonename.mil +QueryType : A +TTL : 201 +Section : Answer +IP4Address : 156.112.108.76 + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Authenticity of query responses is provided with DNSSEC signing of zones. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + +Fix Text: Sign, or re-sign, the hosted zone(s) on the DNS server being validated. + +In the DNS Manager console tree on the DNS server being validated, navigate to Forward Lookup Zones. + +Right-click the zone (repeat for each hosted zone), point to DNSSEC, and then click Sign the Zone, either using saved parameters or custom parameters. + + + + False + False + + NOTE: This requirement applies to any Windows 2012 DNS Servers which host non-AD-integrated zones even if the DNS servers host AD-integrated zones, too. + +If the Windows 2012 DNS Servers only host AD-integrated zones, this requirement is not applicable. + +Log on to the DNS server which hosts non-AD-integrated zones using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute gpme.msc to open the Group Policy Management feature. + +In the Browse for Group Policy Object dialog box, double-click Domain Controllers.domain.com. + +Click Default Domain Controllers Policy and click OK. + +In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP. + +Click Connection Security Rules. + +Consult with the SA to determine which Rules meet the intent of DNSSEC server-to-server authentication. 
+ +Double-click on each Rule to verify the following: +For the "Authentication:" tab, click on the "Customize..." button. + +On the Authentication tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections". + +Confirm the "Signing Algorithm" is set to "RSA (default)". + +Under "Method", ensure the "Advanced:" radio button is selected. Click on the "Customize" button. + +For "First authentication methods:", double-click on the entry. + +Verify the "Select the credential to use for first authentication:" has "Computer certificate from this certification authority (CA):" radio button selected. + +Review the certificate specified and verify the certificate used was generated by the internally-managed server performing the Active Directory Certificate Services (AD CS) role. + +If the certificate used does not meet the requirements, this is a finding. + + + False + False + + To ensure the cryptographic keys are protected after being backed up to another medium (tape, disk, SAN, etc.), consult with the System Administrator to determine the backup policy in place for the DNS Server. + +Determine how and where backed up data is being stored. + +Verify the protection of the backup medium is secured to the same level, or higher, as the server itself. + +If a backup policy does not exist or the backup policy does not specify the protection required for backup medium to be at or above the same level as the server, this is a finding. + + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +In the list of hosts, review the Name Server (NS) records. Determine if any of the hosts listed as NS records are non-AD-integrated servers. 
+ +If the DNS server only hosts AD-integrated zones and there are not any non-AD-integrated DNS servers acting as secondary DNS servers for the zones, this check is not applicable. + +For a non-AD-integrated DNS server, right click on the Forward Lookup zone and select “Properties”. +On the opened zone's properties box, go to the “Zone Transfers” tab. + +On the displayed interface, verify if the "Allow zone transfers" check box is selected. + +If the "Allow zone transfers" check box is selected, click on the “Notify” button and verify “Automatically notify with Servers” is listed on the “Name Servers” tab is selected. + +If the “Notify” button is not enabled for non-AD-integrated DNS servers, this is a finding. + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Note: This check is Not applicable for Windows 2012 DNS Servers that only host Active Directory integrated zones or for Windows 2012 DNS servers on a Classified network. + +Validate this check from the Windows 2012 DNS server being configured/reviewed. +Log on to the Windows 2012 DNS server using the account designated as Administrator or DNS Administrator. +Determine a valid host in the zone. +Open the Windows PowerShell prompt on the Windows 2012 DNS server being configured/reviewed. + +Issue the following command: +(Replace www.zonename.mil with a FQDN of a valid host in the zone being validated. Replace ###.###.###.### with the FQDN or IP address of the Windows 2012 DNS Server hosting the signed zone.) + +resolve-dnsname www.zonename.mil -server ###.###.###.### -dnssecok <enter> + +NOTE: It is important to use the -server switch followed by the DNS Server name/IP address. + +The result should show the "A" record results. 
+ +In addition, the results should show QueryType: RRSIG with an expiration, date signed, signer and signature, similar to the following: + +Name: www.zonename.mil +QueryType: RRSIG +TTL: 189 +Section: Answer +TypeCovered: CNAME +Algorithm: 8 +LabelCount: 3 +OriginalTtl: 300 +Expiration: 11/21/2014 10:22:28 PM +Signed: 10/22/2014 10:22:28 PM +Signer: zonename.mil +Signature: {87, 232, 34, 134...} + +Name: origin-www.zonename.mil +QueryType: A +TTL: 201 +Section: Answer +IP4Address: ###.###.###.### + +If the results do not show the RRSIG and signature information, this is a finding. + + + + False + False + + Consult with the System Administrator to determine the IP ranges for the environment. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +If not automatically started, initialize the “Server Manager” window by clicking its icon from the bottom left corner of the screen. + +Once the “Server Manager” window is initialized, from the left pane, click to select the DNS category. + +From the right pane, under the “SERVERS” section, right-click the DNS server. + +From the context menu that appears, click DNS Manager. + +On the opened DNS Manager snap-in from the left pane, expand the server name and then expand Forward Lookup Zones. + +From the expanded list, click to select and then right-click the zone name. + +Review the zone information and compare to the IP ranges for the environment. + +If any zone information is for a different IP range or domain, this is a finding. + + + False + False + + This functionality should be performed by the Host Based Security System (HBSS), mandatory on all DoD systems. + +Check to ensure McAfee HBSS is installed and fully operational on the Windows 2008 DNS Server. + +If all required HBSS products are not installed and/or the installed products are not enabled, this is a finding. 
+ + + False + False + + The "EnableVersionQuery" property controls what version information the DNS server will respond with when a DNS query with class set to “CHAOS” and type set to “TXT” is received. + +Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Open a command window and execute the command: + +nslookup <enter> +Note: Confirm the Default Server is the DNS Server on which the command is being run. + +At the nslookup prompt, type: + +set type=TXT <enter> +set class=CHAOS <enter> +version.bind <enter> + +If the response returns something similar to text = "Microsoft DNS 6.1.7601 (1DB14556)", this is a finding. + + + False + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. + +Press Windows Key + R, execute dnsmgmt.msc. + +On the opened DNS Manager snap-in from the left pane, expand the server name for the DNS server, and then expand Forward Lookup Zones. + +From the expanded list, click to select the zone. + +Review the zone's Resource Records (RR) and verify HINFO, RP, and LOC RRs are not used. If TXT RRs are used, they must not reveal any information about the organization which could be used for malicious purposes. + +If there are any HINFO, RP, LOC, or revealing TXT RRs in any zone hosted by the DNS Server, this is a finding. + + + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\DNS Server.evtx + Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: + +Administrators Auditors (if the site has an Auditors group that further limits this privilege.) + +Verify the permissions on the DNS logs. + +Standard user accounts or groups must not have greater than READ access. + +The default locations are: + +DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx + +Using the file explorer tool navigate to the DNS Server log file. + +Right click on the log file, select the “Security” tab. + +The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + + + + + SYSTEM + False + This folder subfolders and files + FullControl + + + + + Administrators + False + This folder subfolders and files + FullControl + + + True + False + False + + %ALLUSERSPROFILE%\Microsoft\Crypto\Keys + Access Windows Explorer. + +Navigate to the following location: + +%ALLUSERSPROFILE%\Microsoft\Crypto + +Verify the permissions on the keys folder, sub-folders, and files are limited to SYSTEM and Administrators FULL CONTROL. + +If any other user or group has greater than READ privileges to the %ALLUSERSPROFILE%\Microsoft\Crypto folder, sub-folders and files, this is a finding. + + + + + SeSecurityPrivilege + Manage auditing and security log + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: + +Administrators Auditors (if the site has an Auditors group that further limits this privilege.) + +Verify the permissions on the DNS logs. + +Standard user accounts or groups must not have greater than READ access. + +The default locations are: + +DNS Server %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx + +Using the file explorer tool navigate to the DNS Server log file. + +Right click on the log file, select the “Security” tab. + +The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + SeRemoteInteractiveLogonRight + Allow log on through Remote Desktop Services + True + Administrators + False + False + + If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: +Administrators + + + + SeDenyNetworkLogonRight + Deny access to this computer from the network + False + Guests + False + False + + If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: +Guests Group + + + + SeDenyInteractiveLogonRight + Deny log on locally + False + Guests + False + False + + If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: +Guests Group + + + + + + True + False + Microsoft-Windows-DnsServer/Analytical + False + + Log on to the DNS server using the Domain Admin or Enterprise Admin account. +Open an elevated Windows PowerShell prompt on a DNS server using the Domain Admin or Enterprise Admin account. + +Use the “Get-DnsServerDiagnostics” cmdlet to view the status of individual diagnostic events. 
+ +Verify following diagnostic events are set to "True": +UseSystemEventLog + +Press “Windows Key + R”, execute “dnsmgmt.msc”. + +Right-click on the DNS server, select “Properties”. + +Click the “Event Logging” tab. By default, all events are logged. + +Verify "Errors and warnings" or "All events" is selected. + +If any option other than "Errors and warnings" or "All events" is selected, this is a finding. + +For Windows 2012 R2 DNS Server, the Enhanced DNS logging and diagnostics in Windows Server 2012 R2 must also be enabled. + +Run “eventvwr.msc” at an elevated command prompt. + +In the Event viewer, navigate to the applications and Services Logs\Microsoft\Windows\DNS Server. + +Right-click on the DNS Server, point to View, and then click "Show Analytic and Debug Logs". + +Right-click on Analytical and then click “Properties”. + +Confirm the "Enable logging" check box is selected. + +If the checkbox to enable analytic and debug logs is not enabled on a Windows 2012 R2 DNS server, this is a finding. + + + + \ No newline at end of file diff --git a/src/StigData/Windows-2012R2-IISSite-1.2.org.default.xml b/src/StigData/Windows-2012R2-IISSite-1.2.org.default.xml new file mode 100644 index 000000000..a81a9499b --- /dev/null +++ b/src/StigData/Windows-2012R2-IISSite-1.2.org.default.xml @@ -0,0 +1,25 @@ + + + + + + + + + + + + + + + + + + + diff --git a/src/StigData/Windows-2012R2-IISSite-1.2.xml b/src/StigData/Windows-2012R2-IISSite-1.2.xml new file mode 100644 index 000000000..eaca3c197 --- /dev/null +++ b/src/StigData/Windows-2012R2-IISSite-1.2.xml 
@@ -0,0 +1,1376 @@ + + + + False + False + + Note: If the server being reviewed is a private IIS 8.5 web server, this is Not Applicable. + +Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name. + +Double-click the "SSL Settings" icon. + +Verify "Require SSL" check box is selected. + +If the "Require SSL" check box is not selected, this is a finding. + + + False + False + + For "Handler Mappings", the ISSO must document and approve all allowable scripts the website allows (white list) and denies (black list) by the website. The white list and black list will be compared to the "Handler Mappings" in IIS 8.5. "Handler Mappings" at the site level take precedence over "Handler Mappings" at the server level. + +Open the IIS 8.5 Manager. + +Click the site name under review. + +Double-click "Handler Mappings". + +If any script file extensions from the black list are enabled, this is a finding. + + + False + False + + For "Handler Mappings", the ISSO must document and approve all allowable file extensions the website allows (white list) and denies (black list) by the website. The white list and black list will be compared to the "Handler Mappings" in IIS 8.5. "Handler Mappings" at the site level take precedence over "Handler Mappings" at the server level. + +Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Double-click "Request Filtering". + +If any file name extensions from the black list have "Allowed" set to "True", this is a finding. + + + False + False + + Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. + +Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Double-click the "SSL Settings" icon. + +Verify the "Clients Certificate Required" check box is selected. 
+ +If the "Clients Certificate Required" check box is not selected, this is a finding. + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name. + +Under the "ASP.NET" section, select "Session State". + +Under "Session State" Mode Settings, verify the "In Process" mode is selected. + +If the "In Process" mode is selected, this is not a finding. + +Alternative method: + +Click the site name. + +Select "Configuration Editor" under the "Management" section. + +From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". + +Verify the "mode" reflects "InProc". + +If the "mode" is not set to "InProc", this is a finding. + + + False + False + + Note: This requirement is only for each site's root directory. + +Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Click the site name under review. + +Double-click "Default Document". + +In the "Actions" pane, verify the "Default Document" feature is enabled. + +If an "Enable" option is listed under the "Actions" pane, the "Default Document" feature is not enabled and this is a finding. + +If "Default Document" is "Enabled, review the document types. + +Click the "Content View" tab, click on each listed "Default Document" and click on "Explore" under the "Actions" pane. Verify there is a document of that type in the directory. + +If "Default Document" is "Enabled" but no listed document types are present in the "Content View", this is a finding. + + + False + False + + Interview the System Administrator and Web Manager. + +Ask for documentation for the IIS 8.5 web server administration. + +Verify there are documented procedures for shutting down an IIS 8.5 website in the event of an attack. The procedure should, at a minimum, provide the following steps: + +Determine the respective website for the application at risk of an attack. 
+ +Access the IIS 8.5 web server IIS 8.5 Manager. + +Select the respective website. + +In the "Actions" pane, under "Manage Website", click on "Stop". + +If necessary, stop all websites. + +If necessary, stop the IIS 8.5 web server by selecting the web server in the IIS 8.5 Manager. + +In the "Actions" pane, under "Manage Server", click on "Stop". + +If there are not documented procedures with, at a minimum, the mentioned steps for stopping a website, this is a finding. + + + False + False + + Review the website to determine if HTTP and HTTPs (e.g., 80 and 443) are used in accordance with those ports and services registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. + +Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name under review. + +In the “Action” Pane, click “Bindings”. + +Review the ports and protocols. If unknown ports or protocols are used, then this is a finding. + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Double-click the "SSL Settings" icon under the "IIS" section. + +Verify "Require SSL" is checked. + +Verify "Client Certificates Required" is selected. + +Click the site under review. + +Select "Configuration Editor" under the "Management" section. + +From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/access”. + +The value for "sslFlags" set must include "ssl128". + +If the "Require SSL" is not selected, this is a finding. + +If the "Client Certificates Required" is not selected, this is a finding. + +If the "sslFlags" is not set to "ssl128", this is a finding. + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Double-click the "SSL Settings" icon under the "IIS" section. 
+ +Verify "Require SSL" is checked. + +Verify "Client Certificates Required" is selected. + +Click the site under review. + +Under "Configuration Editor" under the "Management" section. + +From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/access”. + +The value for "sslFlags" should be ssl128. + +If the "Require SSL" is not selected, this is a finding. + +If the "Client Certificates Required" is not selected, this is a finding. + +If the "sslFlags" is not set to "ssl128", this is a finding. + + + False + False + + From the "Section:" drop-down list, select "system.web/httpCookies". +Verify the "require SSL" is set to "True". + + + False + False + + From the "Section:" drop-down list, select "system.web/sessionState". +Verify the "compressionEnabled" is set to "False". + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Double-click the "SSL Settings" icon under the "IIS" section. + +Verify "Require SSL" is checked. + +Verify "Client Certificates Required" is selected. + +Click the site under review. + +Select "Configuration Editor" under the "Management" section. + +From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/access”. + +The value for "sslFlags" should be ssl128. + +If the "Require SSL" is not selected, this is a finding. + +If the "Client Certificates Required" is not selected, this is a finding. + +If the "sslFlags" is not set to "ssl128", this is a finding. + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Double-click the "SSL Settings" icon under the "IIS" section. + +Verify "Require SSL" is checked. + +Verify "Client Certificates Required" is selected. + +Click the site under review. + +Select "Configuration Editor" under the "Management" section. 
+ +From the "Section:" drop-down list at the top of the configuration editor, locate “system.webServer/security/access”. + +The values for "sslFlags" must include ssl128. + +If the "Require SSL" is not selected, this is a finding. + +If the "Client Certificates Required" is not selected, this is a finding. + +If the "sslFlags" is not set to "ssl128", this is a finding. + + + False + False + + Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO, this check can be downgraded to a Cat III. + +Open the IIS 8.5 Manager. + +Perform for each Application Pool. + +Click the “Application Pools”. + +Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane. + +Scroll down to the "Recycling section" and verify the value for "Request Limit" is set to a value other than "0". + +If the "Request Limit" is set to a value of "0", this is a finding. + + + False + False + + Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, mitigation steps can be set, to include setting the “Fixed number or requests”, “Specific time”, and “Private memory usage” in the recycling conditions lieu of the “Virtual memory” setting. If mitigation is used in lieu of this requirement, with supporting documentation from the ISSO, this check can be downgraded to a Cat III. + +Open the IIS 8.5 Manager. + +Perform for each Application Pool. + +Click on “Application Pools”. + +Highlight an Application Pool and click "Advanced Settings" in the Action Pane. + +In the "Advanced Settings" dialog box scroll down to the "Recycling" section and verify the value for "Virtual Memory Limit" is not set to 0. + +If the value for "Virtual Memory Limit" is set to 0, this is a finding. 
+ + + + False + False + + Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. + +Open the IIS 8.5 Manager. + +Perform for each Application Pool. + +Click the “Application Pools”. + +Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane. + +Scroll down to the "Recycling" section and verify the value for "Private Memory Limit" is set to a value other than "0". + +If the "Private Memory Limit" is set to a value of "0", this is a finding. + + + False + False + + Note: Recycling Application Pools can create an unstable environment in a 64-bit SharePoint environment. If operational issues arise, with supporting documentation from the ISSO this check can be downgraded to a Cat III. + +Open the IIS 8.5 Manager. + +Perform for each Application Pool. + +Click the “Application Pools”. + +Highlight an Application Pool and click "Advanced Settings" in the “Action” Pane. + +Scroll down to the "Recycling" section and expand the "Generate Recycle Event Log Entry" section. + +Verify both the "Regular time interval" and "Specific time" options are set to "True". + +If both the "Regular time interval" and "Specific time" options are not set to "True", this is a finding. + + + + + False + + Date,Time,ClientIP,UserName,Method,UriQuery,ProtocolVersion,Referer + + + + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name. + +Click the "Logging" icon. + +Under Format select "W3C". + +Click “Select Fields”, verify at a minimum the following fields are checked: Date, Time, Client IP Address, User Name, Method, URI Query, Protocol Status, and Referrer. + +If the "W3C" is not selected as the logging format OR any of the required fields are not selected, this is a finding. 
+ + + False + + + + + File,ETW + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name. + +Click the "Logging" icon. + +Under Log Event Destination, verify the "Both log file and ETW event" radio button is selected. + +If the "Both log file and ETW event" radio button is not selected, this is a finding. + + + False + + + RequestHeader + Connection + + + RequestHeader + Warning + + + ServerVariable + HTTP_CONNECTION + + + + W3C + + + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Select the website being reviewed. + +Under "IIS", double-click the "Logging" icon. + +Verify the "Format:" under "Log File" is configured to "W3C". + +Select the "Fields" button. + +Under "Custom Fields", verify the following fields are selected: + +Request Header >> Connection + +Request Header >> Warning + +Server Variable >> HTTP_CONNECTION + +If any of the above fields are not selected, this is a finding. + + + False + + + ServerVariable + HTTP_USER_AGENT + + + RequestHeader + User-Agent + + + RequestHeader + Authorization + + + ResponseHeader + Content-Type + + + UserAgent,UserName,Referer + W3C + + + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Access the IIS 8.5 web server IIS 8.5 Manager. + +Under "IIS", double-click the "Logging" icon. + +Verify the "Format:" under "Log File" is configured to "W3C". + +Select the "Fields" button. + +Under "Standard Fields", verify "User Agent", "User Name" and "Referrer" are selected. + +Under "Custom Fields", verify the following fields have been configured: + +Server Variable >> HTTP_USER_AGENT + +Request Header >> User-Agent + +Request Header >> Authorization + +Response Header >> Content-Type + +If any of the above fields are not selected, this is a finding. 
+ + + False + + + + daily + + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Access the IIS 8.5 web server IIS 8.5 Manager. + +Under "IIS" double-click on the "Logging" icon. + +In the "Logging" configuration box, determine the "Directory:" to which the "W3C" logging is being written. + +Confirm with the System Administrator that the designated log path is of sufficient size to maintain the logging. + +Under "Log File Rollover", verify the "Do not create new log files" is not selected. + +Verify a schedule is configured to rollover log files on a regular basis. + +Consult with the System Administrator to determine if there is a documented process for moving the log files off of the IIS 8.5 web server to another logging device. + +If the designated logging path device is not of sufficient space to maintain all log files and there is not a schedule to rollover files on a regular basis, this is a finding. + + + + + False + False + + Access the IIS 8.5 IIS Manager. + +Click the IIS 8.5 server. + +Select "Configuration Editor" under the "Management" section. + +From the "Section:" drop-down list at the top of the configuration editor, locate "system.applicationHost/sites". + +Expand "siteDefaults". +Expand "limits". + +Review the results and verify the value is greater than zero for the "maxconnections" parameter. + +If the maxconnections parameter is set to zero, this is a finding. + + + False + False + + Interview the System Administrator to review the configuration of the IIS 8.5 architecture and determine if inbound web traffic is passed through a proxy. + +If the IIS 8.5 is receiving inbound web traffic through a proxy, the audit logs must be reviewed to determine if correct source information is being passed through by the proxy server. + +Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name. + +Click the "Logging" icon. 
+ +Click on "View log file" button. + +When log file is displaced, review source IP information in log entries and verify entries do not reflect the IP address of the proxy server. + +If the log entries in the log file(s) reflect the IP address of the proxy server as the source, this is a finding. + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name. + +Click the "Logging" icon. + +Click "Browse" and navigate to the directory where the log files are stored. + +Right-click the log file name to review and click “Properties”. + +Click the “Security” tab; verify only authorized groups are listed, if others are listed, this is a finding. + +Note: The log file should be restricted as follows: + +SYSTEM, Auditors group: Full +SAs, web managers: Read + + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name. + +Click the "Logging" icon. + +Click "Browse" and navigate to the directory where the log files are stored. + +Right-click the log file name to review and click “Properties”. + +Click the “Security” tab; verify only authorized groups are listed, if others are listed, this is a finding. + +Note: The log file should be restricted as follows: + +SYSTEM, Auditors group: Full + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Select the IIS 8.5 website. + +Review the features listed under the "IIS" section. + +If the "WebDAV Authoring Rules" icon exists, this is a finding. + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Right-click on the site name under review. + +Select “Edit Bindings”. + +Verify there are hostname entries and unique IP addresses assigned to port 80 for HTTP and port 443 for HTTPS. 
+ +If both hostname entries and unique IP addresses are not configure to port 80 for HTTP and port 443 for HTTPS, this is a finding. + + + False + False + + Check the account used for anonymous access to the website. + +Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Double-click "Authentication" in the IIS section of the website’s Home Pane. + +If Anonymous access is disabled, this is Not a Finding. + +If enabled, click “Anonymous Authentication” and then click “Edit” in the "Actions" pane. + +If the “Specific user” radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. + +Check privileged groups that may allow the anonymous account inappropriate membership. + +Click “Start” and then double-click “Server Manager”. + +Expand Configuration; expand Local Users and Groups; and then click “Groups”. + +Review group members. + +Privileged Groups: +Administrators +Backup Operators +Certificate Services (of any designation) +Distributed COM Users +Event Log Readers +Network Configuration Operators +Performance Log Users +Performance Monitor Users +Power Users +Print Operators +Remote Desktop Users +Replicator +Users + +Double-click each group and review its members. + +If the IUSR account or any account used for anonymous access is a member of any group with privileged access, this is a finding. + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name under review. + +Click the "Advanced Settings" from the "Actions" pane. + +Review the Physical Path. + +If the Path is on the same partition as the OS, this is a finding. + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name under review. + +Click “Bindings” in the “Action” Pane. 
+ +Click the “HTTPS type” from the box. + +Click “Edit”. + +Click “View” and then review and verify the certificate path. + +If the list of CAs in the trust hierarchy does not lead to the DoD PKI Root CA, DoD-approved external certificate authority (ECA), or DoD-approved external partner, this is a finding. + +If HTTPS is not an available type under site bindings, this is a finding. + + + False + False + + Open the IIS 8.5 Manager. + +Click "Application Pools". + +In the list of Application Pools, review the "Applications" column and verify none show more than "1" application. + +If any Application Pools show being applied to more than 1 application, this is a finding. + + + False + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Double-click “Configuration Editor”. + +From the drop-down box select “system.webserver serverRuntime”. + +If “alternateHostName” has no assigned value, this is a finding. + + + False + False + + Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. If the website does not utilize CGI or ASP, this finding is Not Applicable. + +All interactive programs must be placed in unique designated folders based on CGI or ASP script type. + +Open the IIS 8.5 Manager. + +Right-click the IIS 8.5 web site name and select Explore. + +Search for the listed script extensions. Each script type must be in its unique designated folder. + +If scripts are not segregated from web content and in their own unique folders, then this is a finding. + + + False + False + + Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. + +If the website does not utilize CGI, this finding is Not Applicable. 
+ +All interactive programs must have restrictive permissions. + +Open the IIS 8.5 Manager. + +Right-click the IIS 8.5 web site name and select “Explore”. + +Search for the listed script extensions. + +Review the permissions to the CGI scripts and verify only the permissions listed, or more restrictive permissions are assigned. + +Administrators: FULL +TrustedInstaller: FULL +ALL APPLICATION PACKAGES: Read +SYSTEM: FULL +ApplicationPoolId: READ +Custom Service Account: READ +Users: READ + +If the permissions are less restrictive than listed above, this is a finding. + + + False + False + + Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, .asp, and .aspx. + +If the website does not utilize CGI, this finding is Not Applicable. + +Open the IIS 8.5 Manager. + +Right-click the IIS 8.5 web site name and select “Explore”. + +Search for the listed script extensions + +Search for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or “copy of...”. + +If files with these extensions are found, this is a finding. + + + False + False + + Note: This requirement is only applicable for private DoD websites. + +If a banner is required, the following banner page must be in place: + +“You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +- At any time, the USG may inspect and seize data stored on this IS. 
+ +- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +- This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy. + +- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” + +OR + +If your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner: + +"I've read & consent to terms in IS user agreem't." + +NOTE: While DoDI 8500.01 does not contain a copy of the banner to be used, it does point to the RMF Knowledge Service for a copy of the required text. It is also noted that the banner is to be displayed only once when the individual enters the site and not for each page. + +If the access-controlled website does not display this banner page before entry, this is a finding. + + + + + Absent + .exe + False + application/octet-stream + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: +Open the IIS 8.5 Manager. +Click on the IIS 8.5 site. +Under IIS, double-click the “MIME Types” icon. +From the "Group by:" drop-down list, select "Content Type". +From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: +If any OS shell MIME types are configured, this is a finding. 
+.exe + + + Absent + .dll + False + application/x-msdownload + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: +Open the IIS 8.5 Manager. +Click on the IIS 8.5 site. +Under IIS, double-click the “MIME Types” icon. +From the "Group by:" drop-down list, select "Content Type". +From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: +If any OS shell MIME types are configured, this is a finding. +.dll + + + Absent + .com + False + application/octet-stream + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: +Open the IIS 8.5 Manager. +Click on the IIS 8.5 site. +Under IIS, double-click the “MIME Types” icon. +From the "Group by:" drop-down list, select "Content Type". +From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: +If any OS shell MIME types are configured, this is a finding. +.com + + + Absent + .bat + False + application/x-bat + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: +Open the IIS 8.5 Manager. +Click on the IIS 8.5 site. +Under IIS, double-click the “MIME Types” icon. +From the "Group by:" drop-down list, select "Content Type". +From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: +If any OS shell MIME types are configured, this is a finding. +.bat + + + Absent + .csh + False + application/x-csh + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: +Open the IIS 8.5 Manager. +Click on the IIS 8.5 site. +Under IIS, double-click the “MIME Types” icon. +From the "Group by:" drop-down list, select "Content Type". 
+From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions: +If any OS shell MIME types are configured, this is a finding. +.csh + + + + + False + idleTimeout + True + [TimeSpan]{0} -le [TimeSpan]'00:20:00' + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the Application Pools. + +Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. + +Scroll down to the "Process Model" section and verify the value for "Idle Time-out" is set to "20". + +If the "Idle Time-out" is not set to "20" or less, this is a finding. + + + + + False + queueLength + True + {0} -le 1000 + Open the IIS 8.5 Manager. + +Perform for each Application Pool. + +Click the “Application Pools”. + +Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. + +Scroll down to the "General" section and verify the value for "Queue Length" is set to 1000. + +If the "Queue Length" is set to "1000" or less, this is not a finding. + + + + + False + pingingEnabled + False + + Open the Internet Information Services (IIS) Manager. + +Click the “Application Pools”. + +Perform for each Application Pool. + +Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. + +Scroll down to the "Process Model" section and verify the value for "Ping Enabled" is set to "True". + +If the value for "Ping Enabled" is not set to "True", this is a finding. + $true + + + False + rapidFailProtection + False + + Open the IIS 8.5 Manager. + +Click the “Application Pools”. + +Perform for each Application Pool. + +Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. + +Scroll down to the "Rapid Fail Protection" section and verify the value for "Enabled" is set to "True". 
+ +If the "Rapid Fail Protection:Enabled" is not set to "True", this is a finding. + $true + + + False + rapidFailProtectionInterval + True + [TimeSpan]{0} -le [TimeSpan]'00:05:00' + Open the IIS 8.5 Manager. + +Click the “Application Pools”. + +Perform for each Application Pool. + +Highlight an Application Pool to review and click "Advanced Settings" in the "Actions" pane. + +Scroll down to the "Rapid Fail Protection" section and verify the value for "Failure Interval" is set to "5". + +If the "Failure Interval" is not set to "5" or less, this is a finding. + + + + + + + /system.web/sessionState + False + mode + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name. + +Under the "ASP.NET" section, select "Session State". + +Under "Session State Mode Settings", verify the "In Process" mode is selected. + +If the "Session State Mode Settings" is set to "In Process", this is not a finding. + +Alternative method: + +Click the site name. + +Select "Configuration Editor" under the "Management" section. + +From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". + +Verify the "mode" reflects "InProc". + +If the "mode" is not set to "InProc", this is a finding. + InProc + + + /system.web/sessionState + False + cookieless + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name. + +Under the "ASP.NET" section, select "Session State". + +Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list. + +If the "Use Cookies" mode is selected, this is not a finding. + +Alternative method: + +Click the site name. + +Select "Configuration Editor" under the "Management" section. + +From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". 
+ +Verify the "cookieless" is set to "UseCookies". + +If the "cookieless" is not set to "UseCookies", this is a finding. + + UseCookies + + + /system.webServer/security/access + False + sslflags + False + + Note: If the server being reviewed is a public IIS 8.5 web server, this is Not Applicable. + +Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name. + +Double-click the "SSL Settings" icon. + +Verify "Require SSL" check box is selected. + +If the "Require SSL" check box is not selected, this is a finding. + Ssl,SslNegotiateCert,SslRequireCert,Ssl128 + + + /system.web/trust + False + level + True + '{0}' -cmatch '^(Full|High)$' + Note: If the server being reviewed is a non-production website, this is Not Applicable. + +Note: Setting a web application Trust Level to MEDIUM may deny some application permissions. If compatibility issues with applications require trust level to be less than "Medium", this check can be downgraded to a Cat III with supporting documentation from the ISSO, + +Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name under review. + +Double-click the ".NET Trust Level" icon. + +If the ".NET Trust Level" is not set to Medium or less, this is a finding. + + + + + /system.webServer/security/requestFiltering/requestlimits + False + maxUrl + True + {0} -le 4096 + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click on the site name. + +Double-click the "Request Filtering" icon. + +Click “Edit Feature Settings” in the "Actions" pane. + +If the "maxUrl" value is not set to "4096" or less, this is a finding. + + + + + /system.webServer/security/requestFiltering/requestlimits + False + maxAllowedContentLength + True + {0} -le 30000000 + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. 
+ +Click on the site name. + +Double-click the "Request Filtering" icon. + +Click “Edit Feature Settings” in the "Actions" pane. + +If the "maxAllowedContentLength" value is not set to "30000000" or less, this is a finding. + + + + + /system.webServer/security/requestFiltering/requestlimits + False + maxQueryString + True + {0} -le 2048 + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click on the site name. + +Double-click the "Request Filtering" icon. + +Click “Edit Feature Settings” in the "Actions" pane. + +If the "Maximum Query String" value is not set to "2048" or less, this is a finding. + + + + + /system.webServer/security/requestFiltering + False + allowHighBitCharacters + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click on the site name. + +Double-click the "Request Filtering" icon. + +Click “Edit Feature Settings” in the "Actions" pane. + +If the "Allow high-bit characters" check box is checked, this is a finding. + false + + + /system.webServer/security/requestFiltering + False + allowDoubleEscaping + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click on the site name. + +Double-click the "Request Filtering" icon. + +Click “Edit Feature Settings” in the "Actions" pane. + +If the "Allow double escaping" check box is checked, this is a finding. + false + + + /system.webServer/security/requestFiltering/fileExtensions + False + allowUnlisted + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click on the site name. + +Double-click the "Request Filtering" icon. + +Click “Edit Feature Settings” in the "Actions" pane. + +If "Allow unlisted file extensions" check box is checked, this is a finding. 
+ false + + + /system.webServer/directoryBrowse + False + enabled + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Click the Site. + +Double-click the "Directory Browsing" icon. + +If the "Directory Browsing" is not installed, this is Not Applicable. + +Under the "Actions" pane verify "Directory Browsing" is "Disabled". + +If "Directory Browsing" is not "Disabled", this is a finding. + false + + + /system.webServer/httpErrors + False + errormode + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name under review. + +Double-click the "Error Pages" icon. + +Click each error message and click "Edit Feature" setting from the "Actions" pane. + +If any error message is not set to “Detailed errors for local requests and custom error pages for remote requests”, this is a finding. + DetailedLocalOnly + + + /system.web/compilation + False + debug + False + + Note: If the ".NET feature" is not installed, this check is Not Applicable. + +Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Open the IIS 8.5 Manager. + +Click the site name under review. + +Double-click ".NET Compilation". + +Scroll down to the "Behavior" section and verify the value for "Debug" is set to "False". + +If the "Debug" value is not set to "False", this is a finding. + false + + + /system.web/sessionState + False + timeout + True + [TimeSpan]{0} -le [TimeSpan]'00:20:00' + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + + Open the IIS 8.5 Manager. + + Click the site name. + + Select "Configuration Editor" under the "Management" section. + + From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". + 76837 + Verify the "timeout" is set to "00:20:00 or less”, using the lowest value possible depending upon the application. 
+ Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. + + If "timeout" is not set to "00:20:00 or less”, this is a finding. + + + + + + + /system.webServer/asp/session + False + keepSessionIdSecure + False + + Follow the procedures below for each site hosted on the IIS 8.5 web server: + +Access the IIS 8.5 Manager. + +Select the website being reviewed. + +Under "Management" section, double-click the "Configuration Editor" icon. + +From the "Section:" drop-down list, select “system.webServer/asp". + +Expand the "session" section. + +Verify the "keepSessionIdSecure" is set to "True". + +If the "keepSessionIdSecure" is not set to "True", this is a finding. + True + + + /system.web/httpCookies + False + requireSSL + False + + From the "Section:" drop-down list, select "system.web/httpCookies". +Verify the "require SSL" is set to "True". + True + + + /system.web/sessionState + False + compressionEnabled + False + + From the "Section:" drop-down list, select "system.web/sessionState". +Verify the "compressionEnabled" is set to "False". + False + + + diff --git a/src/StigData/Windows-2012R2-MS-2.12.org.default.xml b/src/StigData/Windows-2012R2-MS-2.12.org.default.xml new file mode 100644 index 000000000..2385d315b --- /dev/null +++ b/src/StigData/Windows-2012R2-MS-2.12.org.default.xml @@ -0,0 +1,69 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/StigData/Windows-2012R2-MS-2.12.xml b/src/StigData/Windows-2012R2-MS-2.12.xml new file mode 100644 index 000000000..caa9d7b51 --- /dev/null +++ b/src/StigData/Windows-2012R2-MS-2.12.xml 
@@ -0,0 +1,7221 @@ + + + + False + True + '{0}' -le '3' -and '{0}' -ne '0' + Account lockout threshold + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy. + +If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding. + + + False + True + '{0}' -ge '15' + Reset account lockout counter after + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding. + + + False + True + '{0}' -ge '15' -or '{0}' -eq '0' + Account lockout duration + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. + +Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding. + + + False + True + '{0}' -le '60' -and '{0}' -ne '0' + Maximum password age + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding. + + + False + True + '{0}' -ne '0' + Minimum password age + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately."), this is a finding. + + + False + True + '{0}' -ge '24' + Enforce password history + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding. + + + False + False + + Password must meet complexity requirements + Enabled + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. + +Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes. + + + False + False + + Store passwords using reversible encryption + Disabled + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding. + + + False + True + '{0}' -ge '14' + Minimum password length + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Minimum password length," is less than "14" characters, this is a finding. + + + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Logon -> Credential Validation - Success + Credential Validation + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Logon -> Credential Validation - Failure + Credential Validation + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Other Account Management Events - Success + Other Account Management Events + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Security Group Management - Success + Security Group Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> User Account Management - Success + User Account Management + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> User Account Management - Failure + User Account Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Detailed Tracking -> Process Creation - Success + Process Creation + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logoff - Success + Logoff + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logon - Success + Logon + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logon - Failure + Logon + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Special Logon - Success + Special Logon + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Policy Change -> Audit Policy Change - Success + Audit Policy Change + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Audit Policy Change - Failure + Audit Policy Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Authentication Policy Change - Success + Authentication Policy Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Privilege Use -> Sensitive Privilege Use - Success + Sensitive Privilege Use + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Privilege Use -> Sensitive Privilege Use - Failure + Sensitive Privilege Use + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> IPsec Driver - Success + IPsec Driver + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> IPsec Driver - Failure + IPsec Driver + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security State Change - Success + Security State Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security System Extension - Success + Security System Extension + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> System Integrity - Success + System Integrity + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> System Integrity - Failure + System Integrity + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Failure + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. + Removable Storage + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Success + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. + Removable Storage + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access -> Central Policy Staging - Failure + Central Policy Staging + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Object Access -> Central Policy Staging - Success + Central Policy Staging + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Authorization Policy Change - Success + Authorization Policy Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Logon/Logoff >> Account Lockout - Success + Account Lockout + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Logon/Logoff >> Account Lockout - Failure + Account Lockout + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> Other System Events - Success + Other System Events + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> Other System Events - Failure + Other System Events + + + + + False + False + + Determine whether any shared accounts exist. If no shared accounts exist, this is NA. + +Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. + +If unapproved shared accounts exist, this is a finding. + + + False + False + + Run "PowerShell". + +Member servers and standalone systems: +Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. 
Do not include the quotes at the beginning and end of the query.) + +"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { + $user = ([ADSI]$_.Path) + $lastLogin = $user.Properties.LastLogin.Value + $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 + if ($lastLogin -eq $null) { + $lastLogin = 'Never' + } + Write-Host $user.Name $lastLogin $enabled +}" + +This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). +For example: User1 10/31/2015 5:49:56 AM True + +Domain Controllers: +Enter the following command in PowerShell. +"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" + +This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. + +Review the list of accounts returned by the above queries to determine the finding validity for each account reported. + +Exclude the following accounts: +Built-in administrator account (Renamed, SID ending in 500) +Built-in guest account (Renamed, Disabled, SID ending in 501) +Application accounts + +If any enabled accounts have not been logged on to within the past 35 days, this is a finding. + +Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO. + + + False + False + + If FTP is not installed on the system, this is NA. + +Determine the IP address and port number assigned to FTP sites from documentation or configuration. + +If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. + +For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. + +Open a "Command Prompt". 
+ +Attempt to log on as the user "anonymous" with the following commands: + +Note: Returned results may vary depending on the FTP server software. + +C:\> "ftp" +ftp> "Open IP Address Port" +(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) +(Connected to IP Address +220 Microsoft FTP Service) + +User (IP Address): "anonymous" +(331 Anonymous access allowed, send identity (e-mail name) as password.) + +Password: "password" +(230 User logged in.) +ftp> + +If the response indicates that an anonymous FTP login was permitted, this is a finding. + +If accounts with administrator privileges are used to access FTP, this is a CAT I finding. + + + False + False + + If FTP is not installed on the system, this is NA. + +Determine the IP address and port number assigned to FTP sites from documentation or configuration. + +If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. + +For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. + +Open a "Command Prompt". + +Access the FTP site and review accessible directories with the following commands: + +Note: Returned results may vary depending on the FTP server software. + +C:\> "ftp" +ftp> "Open IP Address Port" +(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) +(Connected to IP Address +220 Microsoft FTP Service) + +User (IP Address): "FTP User" +(Substituting [FTP User] with an account identified that is allowed access. If it was determined that anonymous access was allowed to the site [see V-1120], also review access using "anonymous".) + (331 Password required) + +Password: "Password" +(Substituting [Password] with password for the account attempting access.) 
+(230 User ftpuser logged in.) + +ftp> "Dir" + +If the FTP session indicates access to areas of the system other than the specific folder for FTP data, such as the root of the drive, Program Files or Windows directories, this is a finding. + + + False + False + + If no accounts are members of the Backup Operators group, this is NA. + +Any accounts that are members of the Backup Operators group, including application accounts, must be documented with the ISSO. If documentation of accounts that are members of the Backup Operators group is not maintained this is a finding. + + + False + False + + Determine whether there is a host-based Intrusion Detection System on each server. + +If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. + +A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO. + +If a host-based Intrusion Detection System is not installed on the system, this is a finding. + + + False + False + + Required services will vary between organizations, and on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the ISSO. The site's list will be provided for any security review. Services common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. + +Individual services specifically required to be disabled per the STIG are identified in separate requirements. + +If the site has not documented the services required for their system(s), this is a finding. + +The following can be used to view the services on a system: +Run "Services.msc". + +Services for Windows Server 2012 roles are managed automatically, adding those necessary for a particular role. 
The following lists the default services for a baseline installation as a reference. This can be used as a basis for documenting the services necessary. + +Default Installation +Name - Startup Type +Application Experience - Manual (Trigger Start) +Application Identity - Manual (Trigger Start) +Application Information - Manual +Application Layer Gateway Service - Manual +Application Management - Manual +Background Intelligent Transfer Service - Automatic (Delayed Start) +Background Tasks Infrastructure Service - Automatic +Base Filtering Engine - Automatic +Certificate Propagation - Manual +CNG Key Isolation - Manual (Trigger Start) +COM+ Event System - Automatic +COM+ System Application - Manual +Computer Browser - Disabled +Credential Manager - Manual +Cryptographic Services - Automatic +DCOM Server Process Launcher - Automatic +Device Association Service - Manual (Trigger Start) +Device Install Service - Manual (Trigger Start) +Device Setup Manager - Manual (Trigger Start) +DHCP Client - Automatic +Diagnostic Policy Service - Automatic (Delayed Start) +Diagnostic Service Host - Manual +Diagnostic System Host - Manual +Distributed Link Tracking Client - Automatic +Distributed Transaction Coordinator - Automatic (Delayed Start) +DNS Client - Automatic (Trigger Start) +Encrypting File System (EFS) - Manual (Trigger Start) +Extensible Authentication Protocol - Manual +Function Discovery Provider Host - Manual +Function Discovery Resource Publication - Manual +Group Policy Client - Automatic (Trigger Start) +Health Key and Certificate Management - Manual +Human Interface Device Access - Manual (Trigger Start) +Hyper-V Data Exchange Service - Manual (Trigger Start) +Hyper-V Guest Shutdown Service - Manual (Trigger Start) +Hyper-V Heartbeat Service - Manual (Trigger Start) +Hyper-V Remote Desktop Virtualization Service - Manual (Trigger Start) +Hyper-V Time Synchronization Service - Manual (Trigger Start) +Hyper-V Volume Shadow Copy Requestor - Manual (Trigger Start) 
+IKE and AuthIP IPsec Keying Modules - Manual (Trigger Start) +Interactive Services Detection - Manual +Internet Connection Sharing (ICS) - Disabled +IP Helper - Automatic +IPsec Policy Agent - Manual (Trigger Start) +KDC Proxy Server service (KPS) - Manual +KtmRm for Distributed Transaction Coordinator - Manual (Trigger Start) +Link-Layer Topology Discovery Mapper - Manual +Local Session Manager - Automatic +Microsoft iSCSI Initiator Service - Manual +Microsoft Software Shadow Copy Provider - Manual +Multimedia Class Scheduler - Manual +Net.Tcp Port Sharing Service - Disabled +Netlogon - Manual +Network Access Protection Agent - Manual +Network Connections - Manual +Network Connectivity Assistant - Manual (Trigger Start) +Network List Service - Manual +Network Location Awareness - Automatic +Network Store Interface Service - Automatic +Optimize drives - Manual +Performance Counter DLL Host - Manual +Performance Logs & Alerts - Manual +Plug and Play - Manual +Portable Device Enumerator Service - Manual (Trigger Start) +Power - Automatic +Print Spooler - Automatic +Printer Extensions and Notifications - Manual +Problem Reports and Solutions Control Panel Support - Manual +Remote Access Auto Connection Manager - Manual +Remote Access Connection Manager - Manual +Remote Desktop Configuration - Manual +Remote Desktop Services - Manual +Remote Desktop Services UserMode Port Redirector - Manual +Remote Procedure Call (RPC) - Automatic +Remote Procedure Call (RPC) Locator - Manual +Remote Registry - Automatic (Trigger Start) +Resultant Set of Policy Provider - Manual +Routing and Remote Access - Disabled +RPC Endpoint Mapper - Automatic +Secondary Logon - Manual +Secure Socket Tunneling Protocol Service - Manual +Security Accounts Manager - Automatic +Server - Automatic +Shell Hardware Detection - Automatic +Smart Card - Disabled +Smart Card Removal Policy - Manual +SNMP Trap - Manual +Software Protection - Automatic (Delayed Start, Trigger Start) +Special Administration 
Console Helper - Manual +Spot Verifier - Manual (Trigger Start) +SSDP Discovery - Disabled +Superfetch - Manual +System Event Notification Service - Automatic +Task Scheduler - Automatic +TCP/IP NetBIOS Helper - Automatic (Trigger Start) +Telephony - Manual +Themes - Automatic +Thread Ordering Server - Manual +UPnP Device Host - Disabled +User Access Logging Service - Automatic (Delayed Start) +User Profile Service - Automatic +Virtual Disk - Manual +Volume Shadow Copy - Manual +Windows All-User Install Agent - Manual (Trigger Start) +Windows Audio - Manual +Windows Audio Endpoint Builder - Manual +Windows Color System - Manual +Windows Driver Foundation - User-mode Driver Framework - Manual (Trigger Start) +Windows Error Reporting Service - Manual (Trigger Start) +Windows Event Collector - Manual +Windows Event Log - Automatic +Windows Firewall - Automatic +Windows Font Cache Service - Automatic +Windows Installer - Manual +Windows Licensing Monitoring Service - Automatic +Windows Management Instrumentation - Automatic +Windows Modules Installer - Manual +Windows Remote Management (WS-Management) - Automatic +Windows Store Service (WSService) - Manual (Trigger Start) +Windows Time - Manual (Trigger Start) +Windows Update - Manual +WinHTTP Web Proxy Auto-Discovery Service - Manual +Wired AutoConfig - Manual +WMI Performance Adapter - Manual +Workstation - Automatic + + + False + False + + Search all drives for *.p12 and *.pfx files. + +If any files with these extensions exist, this is a finding. + +This does not apply to server-based applications that have a requirement for certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO. + + + False + False + + Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. 
+ +The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. + +Run "PowerShell" as an administrator. +Execute the following command: +Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB + +Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". +If there are no entries for "DoD Root CA 2", "DoD Root CA 3", and "DoD Root CA 4", this is a finding. + +For each of the DoD Root CA certificates noted above: +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the value for the "Thumbprint" field is not as noted below, this is a finding. +DoD Root CA 2 - 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 +DoD Root CA 3 - D73CA91102A2204A36459ED32213B467D7CE97FB +DoD Root CA 4 - B8269F25DBD937ECAFD4C35A9838571723F2D026 + + + False + False + + Review the necessary documentation that identifies the members of the Administrators group. If a list of all users belonging to the Administrators group is not maintained with the ISSO, this is a finding. 
+ + + False + False + + Determine whether system-related documentation is backed up in accordance with local recovery time and recovery point objectives. If system-related documentation is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + False + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ +Type: REG_DWORD +Value Name: Start +Value: 0x00000004 (4) + + + False + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ +Type: REG_MULTI_SZ +Value Name: DependOnService +Value: Default values after removing MRxSmb10 include the following, which are not a finding: + + + + + False + False + + Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding. + + + False + False + + Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. + +If there is no anti-virus solution installed on the system, this is a finding. + + + False + False + + Determine whether system-level information is backed up in accordance with local recovery time and recovery point objectives. If system-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + False + False + + Verify the local system boots directly into Windows. + +Open Control Panel. +Select "System". +Select the "Advanced System Settings" link. +Select the "Advanced" tab. +Click the "Startup and Recovery" Settings button. + +If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding. + + + False + False + + Review the local Administrators group. 
Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. + +For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. + +Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from this. AD admin platforms may use the Domain Admins group or a domain administrative group created specifically for AD admin platforms (see V-43711 in the Active Directory Domain STIG). + +Standard user accounts must not be members of the local Administrator group. + +If prohibited accounts are members of the local Administrators group, this is a finding. + +The built-in Administrator account or other required administrative accounts would not be a finding. + + + False + False + + Verify security configuration tools or equivalent processes are being used to configure Windows systems to meet security requirements. If security configuration tools or equivalent processes are not used, this is a finding. + +Security configuration tools that are integrated into Windows, such as Group Policies and Security Templates, may be used to configure platforms for security compliance. + +If an alternate method is used to configure a system (e.g., manually using the DISA Windows Security STIGs, etc.) and the same configured result is achieved, this is acceptable. + + + False + False + + Open "Devices and Printers" in Control Panel or through Search. +If there are no printers configured, this is NA. + +For each configured printer: +Right click on the printer. +Select "Printer Properties". +Select the "Sharing" tab. +View whether "Share this printer" is checked. + +For any printers with "Share this printer" selected: +Select the Security tab. + +If any standard user accounts or groups have permissions other than "Print", this is a finding. 
+Standard users will typically be given "Print" permission through the Everyone group. +"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement. + + + False + False + + Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding. + +A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement. + + + False + False + + If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. +(System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) + +Run "Computer Management". +Navigate to System Tools >> Shared Folders >> Shares. + +Right click any non-system-created shares. +Select "Properties". +Select the "Share Permissions" tab. + +If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. + +Select the "Security" tab. + +If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. + + + False + False + + Review the password never expires status for enabled user accounts. + +Open "Windows PowerShell" with elevated privileges (run as administrator). + +Domain Controllers: + +Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | Where PasswordNeverExpires -eq True | FT Name, PasswordNeverExpires, Enabled". + +Exclude application accounts and disabled accounts (e.g., Guest). +Domain accounts requiring smart card (CAC/PIV) may also be excluded. 
+ +If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. + +Member servers and standalone systems: + +Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. + +Exclude application accounts and disabled accounts (e.g., Guest). + +If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding. + + + False + False + + Review the password required status for enabled user accounts. + +Open "Windows PowerShell". + +Domain Controllers: + +Enter "Get-ADUser -Filter * -Properties PasswordNotRequired | Where PasswordNotRequired -eq True | FT Name, PasswordNotRequired, Enabled". + +Exclude disabled accounts (e.g., Guest). + +If "PasswordNotRequired" is "True" for any enabled user account, this is a finding. + +Member servers and standalone systems: + +Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. + +Exclude disabled accounts (e.g., Guest). + +If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding. + + + False + False + + Review the password last set date for the built-in Administrator account. + +Domain controllers: + +Open "Windows PowerShell". + +Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | FL Name, SID, PasswordLastSet". + +If the "PasswordLastSet" date is greater than one year old, this is a finding. + +Member servers and standalone systems: + +Open "Windows PowerShell" or "Command Prompt". + +Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account. + +(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.) 
+ +If the "PasswordLastSet" date is greater than one year old, this is a finding. + + + False + False + + Verify whether the registry key below exists. If it does not exist or the value is "0", this is not a finding. +If the registry key exists and contains a value other than "0", continue below. + +The values are determined by the selection of encryption suites in the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network Security: Configure encryption types allowed for Kerberos". + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ +Value Name: SupportedEncryptionTypes +Type: REG_DWORD + +Due to the number of possible combinations that may include the DES encryption types, it is not possible to include all acceptable values as viewed directly in the registry. + +If the registry key does exist, the value must be converted to binary to determine configuration of specific bits. This will determine whether this is a finding. + +Note the value for the registry key. +For example, when all suites, including the DES suites are selected, the value will be "0x7fffffff (2147483647)". + +Open the Windows calculator (Run/Search for "calc"). +Select "View", then "Programmer". +Select "Dword" and either "Hex" or "Dec". +Enter the appropriate form of the value found for the registry key (e.g., Hex - enter 0x7fffffff, Dec - enter 2147483647) +Select "Bin". +The returned value may vary in length, up to 32 characters. +If the either of 2 right most characters are "1", this is a finding. +If the both of 2 right most characters are "0", this is not a finding. + + + False + False + + Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. + +Run "PowerShell" as an administrator. 
+Execute the following command: +Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. 
+ +Issued To - Issued By - Thumbprint +DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F +DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 +DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 + + + False + False + + Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. + +The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. + +Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. + +If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding. + + + False + False + + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + +If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. + + + False + False + + Verify the site has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. If such a policy does not exist or has not been implemented, this is a finding. 
+ + + False + False + + Determine if manually managed application/service accounts exist. If none exist, this is NA. + +If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. + +Identify manually managed application/service accounts. + +To determine the date a password was last changed: + +Domain controllers: + +Open "Windows PowerShell". + +Enter "Get-ADUser -Identity [application account name] -Properties PasswordLastSet | FL Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. + +If the "PasswordLastSet" date is more than one year old, this is a finding. + +Member servers and standalone systems: + +Open "Windows PowerShell" or "Command Prompt". + +Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. + +If the "Password Last Set" date is more than one year old, this is a finding. + + + False + False + + Determine whether the site has a policy that requires SAs be trained for all operating systems running on systems under their control. If the site does not have a policy requiring SAs be trained for all operating systems under their control, this is a finding. + + + False + False + + Determine whether audit logs are reviewed on a predetermined schedule. If audit logs are not reviewed on a regular basis, this is a finding. + + + False + False + + Determine whether audit data is retained for at least one year. If the audit data is not retained for at least a year, this is a finding. + + + False + False + + Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding. 
+ + + False + False + + Determine whether user-level information is backed up in accordance with local recovery time and recovery point objectives. If user-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + False + False + + Verify the operating system employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If it does not, this is a finding. + + + False + False + + Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding. + + + False + False + + Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding. + + + False + False + + Determine if system-level information backups are protected from destruction and stored in a physically secure location. If they are not, this is a finding. + + + False + False + + If no accounts are members of the Backup Operators group, this is NA. + +Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding. + + + False + False + + Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. + +Run "PowerShell" as an administrator. 
+Execute the following command: +Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Issued To - Issued By - Thumbprint +DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 + + + False + False + + Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. + +The configuration requirements will be determined by the applicable firewall STIG. + + + False + False + + This is applicable to unclassified systems, for other systems this is NA. + +Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + +If an application whitelisting program is not in use on the system, this is a finding. + +Configuration of whitelisting applications will vary by the program. 
+ +AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. + +If AppLocker is used, perform the following to view the configuration of AppLocker: +Open PowerShell. + +If the AppLocker PowerShell module has not been previously imported, execute the following first: +Import-Module AppLocker + +Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: +Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml + +This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. + +Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" under the Microsoft Windows section of the following link: + +https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml + + + False + False + + If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPSEC have been implemented. If protection methods have not been implemented, this is a finding. + + + False + False + + Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If it does not, this is a finding. + + + False + False + + Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. + +Review temporary user accounts for expiration dates. + +Open "PowerShell". 
+ +Domain Controllers: + +Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" +This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) + +If any accounts identified as temporary are not listed, this is a finding. + +For any temporary accounts returned by the previous query: +Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. + +If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. + +Member servers and standalone systems: + +Enter "Net User [username]", where [username] is the name of the temporary user account. + +If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding. + +If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.) + + + False + False + + Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. + +If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. + +If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. + +Domain Controllers: + +Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" +This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) 
+ +If any accounts identified as emergency administrator accounts are not listed, this is a finding. + +For any emergency administrator accounts returned by the previous query: +Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. + +If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. + +Member servers and standalone systems: + +Enter "Net User [username]", where [username] is the name of the emergency administrator accounts. + +If "Account expires" has not been defined within 72 hours for any emergency administrator accounts, this is a finding. + +If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.) + + + False + False + + Verify the operating system, at a minimum, off-loads audit records of interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. + + + False + False + + Review the effective User Rights setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) + +If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. + + + + + + + + + Administrators + False + This Key and Subkeys + FullControl + + + + + Backup Operators + False + This Key Only + ReadKey + + + + + LOCAL SERVICE + False + This Key and Subkeys + ReadKey + + + True + False + False + + HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ + Run "Regedit". 
+Navigate to the following registry key: +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ + +If the key does not exist, this is a finding. + +Right-click on "winreg" and select "Permissions…". +Select "Advanced". + +If the permissions are not as restrictive as the defaults listed below, this is a finding. + +The following are the same for each permission listed: +Type - Allow +Inherited from - None + +Columns: Principal - Access - Applies to +Administrators - Full Control - This key and subkeys +Backup Operators - Read - This key only +LOCAL SERVICE - Read - This key and subkeys + + + + + + + TrustedInstaller + False + This Key and Subkeys + FullControl + + + + + SYSTEM + False + This Key and Subkeys + FullControl + + + + + Administrators + False + This Key and Subkeys + FullControl + + + + + Users + False + This Key and Subkeys + ReadKey + + + + + ALL APPLICATION PACKAGES + False + This Key and Subkeys + ReadKey + + + True + False + False + + HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Winlogon\ + Run "Regedit". +Navigate to the following registry key: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Right-click on "WinLogon" and select "Permissions…". +Select "Advanced". + +If the permissions are not as restrictive as the defaults listed below, this is a finding. 
+ +The following are the same for each permission listed: +Type - Allow +Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion +Applies to - This key and subkeys + +Columns: Principal - Access +TrustedInstaller - Full Control +SYSTEM - Full Control +Administrators - Full Control +Users - Read +ALL APPLICATION PACKAGES - Read + + + + + + + Users + False + + + ReadKey + + + + + Administrators + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + CREATOR OWNER + False + Subkeys Only + FullControl + + + + + ALL APPLICATION PACKAGES + False + + + ReadKey + + + True + False + False + + HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ + Run "Regedit". +Navigate to the following registry keys and review the permissions: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ +HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems) + +If the default permissions listed below have been changed, this is a finding. + +Users - Read +Administrators - Full Control +SYSTEM - Full Control +CREATOR OWNER - Full Control (Subkeys only) +ALL APPLICATION PACKAGES - Read + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\Application.evtx + Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. 
+ + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\Security.evtx + Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\System.evtx + Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. 
+ + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %ProgramFiles(x86)% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +For each folder, view the Properties. +Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). 
+Enter icacls followed by the directory: + +icacls "c:\program files" +icacls "c:\program files (x86)" + +The following results should be displayed as each is entered: + +c:\program files +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %ProgramFiles% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +For each folder, view the Properties. 
+Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Program Files +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls "c:\program files" +icacls "c:\program files (x86)" + +The following results should be displayed as each is entered: + +c:\program files +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + + SYSTEM + False + This folder subfolders and files + FullControl + + + + + Administrators + False + This folder subfolders and files + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + Users + False + This folder and subfolders + CreateDirectories,AppendData + + + + + Users + False + Subfolders only + CreateFiles,WriteData + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + True + False + False + + %SystemDrive%\ + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to 
anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +View the Properties of system drive root directory. +Select the "Security" tab, and the "Advanced" button. + +C:\ +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +SYSTEM - Full control - This folder, subfolders and files +Administrators - Full control - This folder, subfolders and files +Users - Read & execute - This folder, subfolders and files +Users - Create folders / append data - This folder and subfolders +Users - Create files / write data - Subfolders only +CREATOR OWNER - Full Control - Subfolders and files only + +Alternately, use Icacls: + +Open a Command prompt (admin). 
+Enter icacls followed by the directory: + +icacls c:\ + +The following results should be displayed: + +c:\ +NT AUTHORITY\SYSTEM:(OI)(CI)(F) +BUILTIN\Administrators:(OI)(CI)(F) +BUILTIN\Users:(OI)(CI)(RX) +BUILTIN\Users:(CI)(AD) +BUILTIN\Users:(CI)(IO)(WD) +CREATOR OWNER:(OI)(CI)(IO)(F) +Successfully processed 1 files; Failed processing 0 files + + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %windir% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the Windows installation directory (usually C:\Windows). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +View the Properties of the folder. +Select the "Security" tab, and the "Advanced" button. 
+ +Default Permissions: +\Windows +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls c:\windows + +The following results should be displayed: + +c:\windows +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + TrustedInstaller + False + + + FullControl + + + + + Administrators + False + + + ReadAndExecute + + + + + SYSTEM + False + + + ReadAndExecute + + + + + Users + False + + + ReadAndExecute + + + + + ALL APPLICATION PACKAGES + False + + + ReadAndExecute + + + True + False + False + + %windir%\SYSTEM32\eventvwr.exe + Verify the permissions on Event Viewer only allow TrustedInstaller permissions to change or modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding. + +Navigate to "%SystemRoot%\SYSTEM32". +View the permissions on "Eventvwr.exe". + +The default permissions below satisfy this requirement. 
+TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & Execute + + + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ShutdownWithoutLogon + +Value Type: REG_DWORD +Value: 0 + 0 + ShutdownWithoutLogon + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeText + +Value Type: REG_SZ +Value: See message text below + +You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + LegalNoticeText + String + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -le '4' + If the system is not a member of a domain, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: CachedLogonsCount + +Value Type: REG_SZ +Value: 4 (or less) + + CachedLogonsCount + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymous + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictAnonymous + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableForcedLogoff + +Value Type: REG_DWORD +Value: 1 + 1 + EnableForcedLogoff + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnablePlainTextPassword + +Value Type: REG_DWORD +Value: 0 + 0 + EnablePlainTextPassword + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: AutoAdminLogon + +Type: REG_SZ +Value: 0 + 0 + AutoAdminLogon + String + + + 
Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanManPrintServices\Servers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\ + +Value Name: AddPrinterDrivers + +Value Type: REG_DWORD +Value: 1 + 1 + AddPrinterDrivers + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: LmCompatibilityLevel + +Value Type: REG_DWORD +Value: 5 + 5 + LmCompatibilityLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableCAD + +Value Type: REG_DWORD +Value: 0 + 0 + DisableCAD + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -match '1|2' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: SCRemoveOption + +Value Type: REG_SZ +Value: 1 (Lock Workstation) or 2 (Force Logoff) + +If configuring this on servers causes issues such as terminating users' remote sessions and the site has a policy in place that any other sessions on the servers such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. 
This must be documented with the ISSO. + + SCRemoveOption + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SealSecureChannel + +Value Type: REG_DWORD +Value: 1 + +If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831). + 1 + SealSecureChannel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SignSecureChannel + +Value Type: REG_DWORD +Value: 1 + +If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831). 
+ 1 + SignSecureChannel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: DisablePasswordChange + +Value Type: REG_DWORD +Value: 0 + 0 + DisablePasswordChange + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: AllocateDASD + +Value Type: REG_SZ +Value: 0 + 0 + AllocateDASD + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -ge '14' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: PasswordExpiryWarning + +Value Type: REG_DWORD +Value: 14 (or greater) + + PasswordExpiryWarning + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: 
HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\ + +Value Name: ProtectionMode + +Value Type: REG_DWORD +Value: 1 + 1 + ProtectionMode + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters + True + {0} -le '15' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: autodisconnect + +Value Type: REG_DWORD +Value: 0x0000000f (15) (or less) + + autodisconnect + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ + +Value Name: NoDriveTypeAutoRun + +Type: REG_DWORD +Value: 0x000000ff (255) + 255 + NoDriveTypeAutoRun + Dword + + + Present + True + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: NullSessionPipes + +Value Type: REG_MULTI_SZ +Value: (blank) + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. 
+ + + NullSessionPipes + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\ + +Value Name: Machine + +Value Type: REG_MULTI_SZ +Value: see below + +System\CurrentControlSet\Control\ProductOptions +System\CurrentControlSet\Control\Server Applications +Software\Microsoft\Windows NT\CurrentVersion + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. + System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion + Machine + MultiString + + + Present + True + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist, this is not a finding: + +If the following registry value does exist and is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: NullSessionShares + +Value Type: REG_MULTI_SZ +Value: (Blank) + + + NullSessionShares + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fAllowToGetHelp + +Type: REG_DWORD +Value: 0 + 0 + fAllowToGetHelp + Dword + + + 
Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: LimitBlankPasswordUse + +Value Type: REG_DWORD +Value: 1 + 1 + LimitBlankPasswordUse + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + True + {0} -le '30' -and {0} -gt '0' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: MaximumPasswordAge + +Value Type: REG_DWORD +Value: 30 (or less, but not 0) + + MaximumPasswordAge + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireStrongKey + +Value Type: REG_DWORD +Value: 1 + +This setting may prevent a system from being joined to a domain if not configured consistently between systems. 
+ 1 + RequireStrongKey + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: DisableDomainCreds + +Value Type: REG_DWORD +Value: 1 + 1 + DisableDomainCreds + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: EveryoneIncludesAnonymous + +Value Type: REG_DWORD +Value: 0 + 0 + EveryoneIncludesAnonymous + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: ForceGuest + +Value Type: REG_DWORD +Value: 0 + 0 + ForceGuest + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: NoLMHash + +Value Type: REG_DWORD +Value: 1 + 1 + NoLMHash + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LDAP\ + +Value Name: LDAPClientIntegrity + +Value Type: REG_DWORD +Value: 1 + 1 + LDAPClientIntegrity + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinClientSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200) + 537395200 + NTLMMinClientSec + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ + +Value Name: Enabled + +Value Type: REG_DWORD +Value: 1 + +Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site. 
+ 1 + Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\ + +Value Name: ObCaseInsensitive + +Value Type: REG_DWORD +Value: 1 + 1 + ObCaseInsensitive + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fSingleSessionPerUser + +Type: REG_DWORD +Value: 1 + 1 + fSingleSessionPerUser + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fPromptForPassword + +Type: REG_DWORD +Value: 1 + 1 + fPromptForPassword + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: MinEncryptionLevel + +Type: REG_DWORD +Value: 3 + 3 + MinEncryptionLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: PerSessionTempDir + +Type: REG_DWORD +Value: 1 + 1 + PerSessionTempDir + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DeleteTempDirsOnExit + +Type: REG_DWORD +Value: 1 + 1 + DeleteTempDirsOnExit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system + False + + Review the registry. +If the following registry value does not exist, this is not a finding (this is the expected result from configuring the policy as outlined in the Fix section.): +If the following registry value exists but is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\system\ + +Value Name: DisableBkGndGroupPolicy + +Type: REG_DWORD +Value: 0 + 0 + DisableBkGndGroupPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fAllowUnsolicited + +Type: REG_DWORD +Value: 0 + 0 + fAllowUnsolicited + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters + True + '{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\W32time\Parameters\ +Type: REG_SZ +Value Name: Type +Value: Possible values are NoSync, NTP, NT5DS, AllSync + + Type + String + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters + True + '{0}' -notmatch 'time.windows.com' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\W32time\Parameters\ +Type: REG_SZ +Value Name: NTPServer +Value: "address of the time server" + + NTPServer + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\ + +Value Name: SafeDllSearchMode + +Value Type: REG_DWORD +Value: 1 + 1 + SafeDllSearchMode + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer + False + + Windows Media Player is not installed by default. If it is not installed, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: DisableAutoupdate + +Type: REG_DWORD +Value: 1 + 1 + DisableAutoupdate + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: PreventCodecDownload + +Type: REG_DWORD +Value: 1 + 1 + PreventCodecDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinServerSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200) + 
537395200 + NTLMMinServerSec + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security + True + {0} -le '90' + If the system is configured to write to an audit server, or is configured to automatically archive full logs, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\ + +Value Name: WarningLevel + +Value Type: REG_DWORD +Value: 90 (or less) + + WarningLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: DisableIPSourceRouting + +Value Type: REG_DWORD +Value: 2 + 2 + DisableIPSourceRouting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableICMPRedirect + +Value Type: REG_DWORD +Value: 0 + 0 + EnableICMPRedirect + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: PerformRouterDiscovery + +Value Type: REG_DWORD +Value: 0 + 0 + PerformRouterDiscovery + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + True + {0} -le '300000' + If the following registry 
value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: KeepAliveTime + +Value Type: REG_DWORD +Value: 300000 (or less) + + KeepAliveTime + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ + +Value Name: NoNameReleaseOnDemand + +Value Type: REG_DWORD +Value: 1 + 1 + NoNameReleaseOnDemand + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + True + {0} -le '3' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: TcpMaxDataRetransmissions + +Value Type: REG_DWORD +Value: 3 (or less) + + TcpMaxDataRetransmissions + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -le '5' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: ScreenSaverGracePeriod + +Value Type: REG_SZ +Value: 5 (or less) + + ScreenSaverGracePeriod + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\ + +Value Name: Machine + +Value Type: 
REG_MULTI_SZ +Value: see below + +Software\Microsoft\OLAP Server +Software\Microsoft\Windows NT\CurrentVersion\Perflib +Software\Microsoft\Windows NT\CurrentVersion\Print +Software\Microsoft\Windows NT\CurrentVersion\Windows +System\CurrentControlSet\Control\ContentIndex +System\CurrentControlSet\Control\Print\Printers +System\CurrentControlSet\Control\Terminal Server +System\CurrentControlSet\Control\Terminal Server\UserConfig +System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration +System\CurrentControlSet\Services\Eventlog +System\CurrentControlSet\Services\Sysmonlog + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. + Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Perflib;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;System\CurrentControlSet\Services\Eventlog;System\CurrentControlSet\Services\Sysmonlog + Machine + MultiString + + + Present + True + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Subsystems + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\ + +Value Name: Optional + +Value Type: REG_MULTI_SZ +Value: (Blank) + + + Optional + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the 
following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEncryptRPCTraffic + +Type: REG_DWORD +Value: 1 + 1 + fEncryptRPCTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GroupPolicy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ + +Value Name: NoGPOListChanges + +Type: REG_DWORD +Value: 0 + 0 + NoGPOListChanges + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireSignOrSeal + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSignOrSeal + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: RequireSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: 
RequireSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: RestrictNullSessAccess + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictNullSessAccess + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DontDisplayLastUserName + +Value Type: REG_DWORD +Value: 1 + 1 + DontDisplayLastUserName + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: AuditBaseObjects + +Value Type: REG_DWORD +Value: 0 + 0 + AuditBaseObjects + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: FullPrivilegeAuditing + +Value Type: REG_BINARY +Value: 0 + 0 + FullPrivilegeAuditing + Binary + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\System\CurrentControlSet\Control\Lsa\ + +Value Name: SCENoApplyLegacyAuditPolicy + +Value Type: REG_DWORD +Value: 1 + 1 + SCENoApplyLegacyAuditPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\IPSEC\ + +Value Name: NoDefaultExempt + +Value Type: REG_DWORD +Value: 3 + 3 + NoDefaultExempt + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: FilterAdministratorToken + +Value Type: REG_DWORD +Value: 1 + 1 + FilterAdministratorToken + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + '{0}' -le '4' + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorAdmin + +Value Type: REG_DWORD +Value: 4 (Prompt for consent) +3 (Prompt for credentials) +2 (Prompt for consent on the secure desktop) +1 (Prompt for credentials on the secure desktop) + + ConsentPromptBehaviorAdmin + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorUser + +Value Type: REG_DWORD +Value: 0 + 0 + ConsentPromptBehaviorUser + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableInstallerDetection + +Value Type: REG_DWORD +Value: 1 + 1 + EnableInstallerDetection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableSecureUIAPaths + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecureUIAPaths + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableLUA + +Value Type: REG_DWORD +Value: 1 + 1 + EnableLUA + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: PromptOnSecureDesktop + +Value Type: REG_DWORD +Value: 1 + 1 + PromptOnSecureDesktop + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableVirtualization + +Value Type: REG_DWORD +Value: 1 + 1 + EnableVirtualization + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ + +Value Name: EnumerateAdministrators + +Type: REG_DWORD +Value: 0x00000000 (0) + 0 + EnumerateAdministrators + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DisablePasswordSaving + +Type: REG_DWORD +Value: 1 + 1 + DisablePasswordSaving + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows 
NT\Terminal Services\ + +Value Name: fDisableCdm + +Type: REG_DWORD +Value: 1 + 1 + fDisableCdm + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ + +Value Name: RestrictRemoteClients + +Type: REG_DWORD +Value: 1 + 1 + RestrictRemoteClients + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableHTTPPrinting + +Type: REG_DWORD +Value: 1 + 1 + DisableHTTPPrinting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableWebPnPDownload + +Type: REG_DWORD +Value: 1 + 1 + DisableWebPnPDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DontSearchWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DontSearchWindowsUpdate + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER 
+Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: SaveZoneInformation + +Type: REG_DWORD +Value: 2 + 2 + SaveZoneInformation + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: HideZoneInfoOnProperties + +Type: REG_DWORD +Value: 1 + 1 + HideZoneInfoOnProperties + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: ScanWithAntiVirus + +Type: REG_DWORD +Value: 3 + 3 + ScanWithAntiVirus + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Peernet\ + +Value Name: Disabled + +Type: REG_DWORD +Value: 1 + 1 + Disabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ + +Value Name: NC_AllowNetBridge_NLA + +Type: REG_DWORD +Value: 0 + 0 + NC_AllowNetBridge_NLA + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer + False + + If the following registry value does not exist or is not configured 
as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\EventViewer\ + +Value Name: MicrosoftEventVwrDisableLinks + +Type: REG_DWORD +Value: 1 + 1 + MicrosoftEventVwrDisableLinks + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoInternetOpenWith + +Type: REG_DWORD +Value: 1 + 1 + NoInternetOpenWith + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the system is a member of a domain, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LogonType + +Type: REG_DWORD +Value: 0 + 0 + LogonType + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: DisableEnclosureDownload + +Type: REG_DWORD +Value: 1 + 1 + DisableEnclosureDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: PreXPSP2ShellProtocolBehavior + +Type: REG_DWORD +Value: 0 + 0 + PreXPSP2ShellProtocolBehavior + 
Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: SafeForScripting + +Type: REG_DWORD +Value: 0 + 0 + SafeForScripting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: EnableUserControl + +Type: REG_DWORD +Value: 0 + 0 + EnableUserControl + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: DisableLUAPatching + +Type: REG_DWORD +Value: 1 + 1 + DisableLUAPatching + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer + False + + Windows Media Player is not installed by default. If it is not installed, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: GroupPrivacyAcceptance + +Type: REG_DWORD +Value: 1 + 1 + GroupPrivacyAcceptance + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowLLTDIOOndomain +Value: 0 + 0 + AllowLLTDIOOndomain + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowLLTDIOOnPublicNet +Value: 0 + 0 + AllowLLTDIOOnPublicNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: EnableLLTDIO +Value: 0 + 0 + EnableLLTDIO + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: ProhibitLLTDIOOnPrivateNet +Value: 0 + 0 + ProhibitLLTDIOOnPrivateNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowRspndrOndomain +Value: 0 + 0 + AllowRspndrOndomain + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowRspndrOnPublicNet +Value: 0 + 0 + 
AllowRspndrOnPublicNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: EnableRspndr +Value: 0 + 0 + EnableRspndr + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: ProhibitRspndrOnPrivateNet +Value: 0 + 0 + ProhibitRspndrOnPrivateNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableFlashConfigRegistrar +Value: 0 + 0 + DisableFlashConfigRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableInBand802DOT11Registrar +Value: 0 + 0 + DisableInBand802DOT11Registrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableUPnPRegistrar +Value: 0 + 0 + DisableUPnPRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableWPDRegistrar +Value: 0 + 0 + DisableWPDRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry 
Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: EnableRegistrars +Value: 0 + 0 + EnableRegistrars + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\UI\ + +Value Name: DisableWcnUi + +Type: REG_DWORD +Value: 1 + 1 + DisableWcnUi + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: AllowRemoteRPC + +Type: REG_DWORD +Value: 0 + 0 + AllowRemoteRPC + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSystemRestore + +Type: REG_DWORD +Value: 0 + 0 + DisableSystemRestore + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSendGenericDriverNotFoundToWER + +Type: REG_DWORD +Value: 1 + 1 + DisableSendGenericDriverNotFoundToWER + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is 
not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DontPromptForWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DontPromptForWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\HandwritingErrorReports\ + +Value Name: PreventHandwritingErrorReports + +Type: REG_DWORD +Value: 1 + 1 + PreventHandwritingErrorReports + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: DCSettingIndex + +Type: REG_DWORD +Value: 1 + 1 + DCSettingIndex + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: ACSettingIndex + +Type: REG_DWORD +Value: 1 + 1 + ACSettingIndex + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: 
LoggingEnabled + +Type: REG_DWORD +Value: 1 + 1 + LoggingEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet + True + {0} -notmatch '1|2' + If the following registry value exists and is set to "1" (Basic) or "2" (Advanced), this is a finding: + +If the registry value does not exist, this is not a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\ + +Value Name: SpyNetReporting + +Type: REG_DWORD +Value: 1 or 2 = a Finding + + SpyNetReporting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoHeapTerminationOnCorruption + +Type: REG_DWORD +Value: 0 + 0 + NoHeapTerminationOnCorruption + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WMDRM\ + +Value Name: DisableOnline + +Type: REG_DWORD +Value: 1 + 1 + DisableOnline + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoInPlaceSharing + +Type: REG_DWORD +Value: 1 + 1 + NoInPlaceSharing + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableUIADesktopToggle + +Value Type: REG_DWORD +Value: 0 + 0 + EnableUIADesktopToggle + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableCcm + +Type: REG_DWORD +Value: 1 + 1 + fDisableCcm + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableLPT + +Type: REG_DWORD +Value: 1 + 1 + fDisableLPT + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisablePNPRedir + +Type: REG_DWORD +Value: 1 + 1 + fDisablePNPRedir + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEnableSmartCard + +Type: REG_DWORD +Value: 1 + 1 + fEnableSmartCard + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ValidateAdminCodeSignatures + +Value Type: REG_DWORD +Value: 0 + 0 + ValidateAdminCodeSignatures + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\SQMClient\Windows\ + +Value Name: CEIPEnable + +Type: REG_DWORD +Value: 0 + 0 + CEIPEnable + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ + +Value Name: NoImplicitFeedback + +Type: REG_DWORD +Value: 1 + 1 + NoImplicitFeedback + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ + +Value Name: NoExplicitFeedback + +Type: REG_DWORD +Value: 1 + 1 + NoExplicitFeedback + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanServer\Parameters\ 
+ +Value Name: SmbServerNameHardeningLevel + +Type: REG_DWORD +Value: 0 + 0 + SmbServerNameHardeningLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\ + +Value Name: UseMachineId + +Type: REG_DWORD +Value: 1 + 1 + UseMachineId + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\MSV1_0\ + +Value Name: allownullsessionfallback + +Type: REG_DWORD +Value: 0 + 0 + allownullsessionfallback + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\pku2u + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\pku2u\ + +Value Name: AllowOnlineID + +Type: REG_DWORD +Value: 0 + 0 + AllowOnlineID + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: DisableIPSourceRouting + +Type: REG_DWORD +Value: 2 + 2 + DisableIPSourceRouting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + True + {0} -le '3' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: TcpMaxDataRetransmissions + +Value Type: REG_DWORD +Value: 3 (or less) + + TcpMaxDataRetransmissions + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ + +Value Name: NC_StdDomainUserSetLocation + +Type: REG_DWORD +Value: 1 + 1 + NC_StdDomainUserSetLocation + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: Force_Tunneling + +Type: REG_SZ +Value: Enabled + Enabled + Force_Tunneling + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DoNotInstallCompatibleDriverFromWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DoNotInstallCompatibleDriverFromWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Device Metadata\ + +Value Name: PreventDeviceMetadataFromNetwork + +Value Type: REG_DWORD +Value: 1 + 1 + PreventDeviceMetadataFromNetwork + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: SearchOrderConfig + +Type: REG_DWORD +Value: 0 + 0 + SearchOrderConfig + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ + +Value Name: DisableQueryRemoteServer + +Type: REG_DWORD +Value: 0 + 0 + DisableQueryRemoteServer + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ + +Value Name: EnableQueryRemoteServer + +Type: REG_DWORD +Value: 0 + 0 + EnableQueryRemoteServer + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ + +Value Name: ScenarioExecutionEnabled + +Type: REG_DWORD +Value: 0 + 0 + ScenarioExecutionEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry 
Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisableInventory + +Type: REG_DWORD +Value: 1 + 1 + DisableInventory + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoAutoplayfornonVolume + +Type: REG_DWORD +Value: 1 + 1 + NoAutoplayfornonVolume + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoDataExecutionPrevention + +Type: REG_DWORD +Value: 0 + 0 + NoDataExecutionPrevention + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoAutorun + +Type: REG_DWORD +Value: 1 + 1 + NoAutorun + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymousSAM + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictAnonymousSAM + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + '{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$' 
+ If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeCaption + +Value Type: REG_SZ +Value: See message title options below + +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. + +If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089. + +Automated tools may only search for the titles defined above. If a site-defined title is used, a manual review will be required. + + LegalNoticeCaption + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: 6to4_State + +Type: REG_SZ +Value: Disabled + Disabled + 6to4_State + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\ + +Value Name: IPHTTPS_ClientState + +Type: REG_DWORD +Value: 3 + 3 + IPHTTPS_ClientState + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: ISATAP_State + +Type: REG_SZ +Value: Disabled + Disabled + 
ISATAP_State + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: Teredo_State + +Type: REG_SZ +Value: Disabled + Disabled + Teredo_State + String + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security + True + {0} -ge '196608' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00030000 (196608) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSendRequestAdditionalSoftwareToWER + +Type: REG_DWORD +Value: 1 + 1 + DisableSendRequestAdditionalSoftwareToWER + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: AlwaysInstallElevated + +Type: REG_DWORD +Value: 0 + 0 + AlwaysInstallElevated + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the system is not a member of a domain, this is NA. 
+If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LocalAccountTokenFilterPolicy + +Type: REG_DWORD +Value: 0x00000000 (0) + +This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to 1 may be required. + 0 + LocalAccountTokenFilterPolicy + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\ControlPanel\Desktop + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: ScreenSaveActive + +Type: REG_SZ +Value: 1 + +Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO: + +-The logon session does not have administrator rights. +-The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area. 
+ 1 + ScreenSaveActive + String + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\ControlPanel\Desktop + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: ScreenSaverIsSecure + +Type: REG_SZ +Value: 1 + 1 + ScreenSaverIsSecure + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableIPAutoConfigurationLimits + +Type: REG_DWORD +Value: 1 + 1 + EnableIPAutoConfigurationLimits + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\ + +Value Name: UseWindowsUpdate + +Type: REG_DWORD +Value: 2 + 2 + UseWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DriverServerSelection + +Type: REG_DWORD +Value: 1 + 1 + DriverServerSelection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\System\CurrentControlSet\Policies\EarlyLaunch\ + +Value Name: DriverLoadPolicy + +Type: REG_DWORD +Value: 1 + 1 + DriverLoadPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer + False + + The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoUseStoreOpenWith + +Type: REG_DWORD +Value: 1 + 1 + NoUseStoreOpenWith + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\ControlPanel\International + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Control Panel\International\ + +Value Name: BlockUserInputMethodsForSignIn + +Type: REG_DWORD +Value: 1 + 1 + BlockUserInputMethodsForSignIn + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: EnumerateLocalUsers + +Type: REG_DWORD +Value: 0 + 0 + EnumerateLocalUsers + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: DisableLockScreenAppNotifications + +Type: REG_DWORD +Value: 1 + 1 + DisableLockScreenAppNotifications + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat 
+ False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisablePcaUI + +Type: REG_DWORD +Value: 0 + 0 + DisablePcaUI + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Appx\ + +Value Name: AllowAllTrustedApps + +Type: REG_DWORD +Value: 1 + 1 + AllowAllTrustedApps + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\ + +Value Name: Enabled + +Type: REG_DWORD +Value: 0 + 0 + Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\CredUI\ + +Value Name: DisablePasswordReveal + +Type: REG_DWORD +Value: 1 + 1 + DisablePasswordReveal + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: EnableSmartScreen + +Type: REG_DWORD +Value: 0x00000002 (2) + 2 + EnableSmartScreen + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors + False + + If the following registry value 
does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\ + +Value Name: DisableLocation + +Type: REG_DWORD +Value: 1 (Enabled) + +If location services are approved for the system by the organization, this may be set to "Disabled" (0). This must be documented with the ISSO. + 1 + DisableLocation + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: AllowBasicAuthInClear + +Type: REG_DWORD +Value: 0 + 0 + AllowBasicAuthInClear + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ +Type: REG_DWORD +Value Name: AutoDownload +Value: 0x00000002 (2) + 2 + AutoDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate\ +Type: REG_DWORD +Value Name: AutoDownload +Value: 0x00000002 (2) + 2 + AutoDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore + False + + The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. 
+If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ + +Value Name: RemoveWindowsStore + +Type: REG_DWORD +Value: 1 + 1 + RemoveWindowsStore + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0 + 0 + AllowBasic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0 + 0 + AllowUnencryptedTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowDigest + +Type: REG_DWORD +Value: 0 + 0 + AllowDigest + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0 + 0 + AllowBasic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the 
following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0 + 0 + AllowUnencryptedTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: DisableRunAs + +Type: REG_DWORD +Value: 1 + 1 + DisableRunAs + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + {0} -le '900' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: InactivityTimeoutSecs + +Value Type: REG_DWORD +Value: 0x00000384 (900) (or less) + + InactivityTimeoutSecs + Dword + + + Present + False + HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ + +Value Name: NoCloudApplicationNotification + +Type: REG_DWORD +Value: 1 + 1 + NoCloudApplicationNotification + Dword + + + Present + False + HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ + +Value Name: 
NoToastApplicationNotificationOnLockScreen + +Type: REG_DWORD +Value: 1 + 1 + NoToastApplicationNotificationOnLockScreen + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: RedirectOnlyDefaultClientPrinter + +Type: REG_DWORD +Value: 1 + 1 + RedirectOnlyDefaultClientPrinter + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ + +Value Name: NoLockScreenSlideshow + +Value Type: REG_DWORD +Value: 1 + 1 + NoLockScreenSlideshow + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ + +Value Name: ProcessCreationIncludeCmdLine_Enabled + +Value Type: REG_DWORD +Value: 0x00000001 (1) + 1 + ProcessCreationIncludeCmdLine_Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. 
If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: DontDisplayNetworkSelectionUI + +Value Type: REG_DWORD +Value: 1 + 1 + DontDisplayNetworkSelectionUI + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + +Value Name: MSAOptional + +Value Type: REG_DWORD +Value: 1 + 1 + MSAOptional + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableAutomaticRestartSignOn + +Value Type: REG_DWORD +Value: 1 + 1 + DisableAutomaticRestartSignOn + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ + +Value Name: ForceKeyProtection + +Type: REG_DWORD +Value: 2 + 2 + ForceKeyProtection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest + False + + If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ + +Value Name: UseLogonCredential + +Type: REG_DWORD +Value: 0x00000000 (0) + +Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2. + 0 + UseLogonCredential + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + False + + This requirement specifically applies to Windows 2012 but can also be used for Windows 2012 R2. + +Different methods are available to disable SMBv1 on Windows 2012 R2, if V-73805 is configured on Windows 2012 R2, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ + +Value Name: SMB1 + +Type: REG_DWORD +Value: 0x00000000 (0) + 0 + SMB1 + Dword + + + + + False + Accounts: Guest account status + Disabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. + + + False + Accounts: Rename guest account + + True + '{0}' -ne 'Guest' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. + + + False + Accounts: Rename administrator account + + True + '{0}' -ne 'Administrator' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding. + + + False + Network access: Allow anonymous SID/Name translation + Disabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. + + + False + Network security: Force logoff when logon hours expire + Enabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding. + + + + + Present + False + False + + Run "Services.msc". + +Verify the McAfee Agent service is running, depending on the version installed. + +Version - Service Name +McAfee Agent v5.x - McAfee Agent Service +McAfee Agent v4.x - McAfee Framework Service + +If the service is not listed or does not have a Status of "Started", this is a finding. + McAfee + Running + Automatic + + + Present + False + False + + Verify the Fax (fax) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Fax (fax) + fax + Stopped + Disabled + + + Present + False + False + + If the server has the role of an FTP server, this is NA. + +Run "Services.msc". + +If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disabled, this is a finding. 
+ FTPSVC + Stopped + Disabled + + + Present + False + False + + Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Peer Networking Identity Manager (p2pimsvc) + p2pimsvc + Stopped + Disabled + + + Present + False + False + + Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Simple TCP/IP Services (simptcp) + simptcp + Stopped + Disabled + + + Present + False + False + + Verify the Telnet (tlntsvr) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Telnet (tlntsvr) + tlntsvr + Stopped + Disabled + + + Present + False + False + + Verify the Smart Card Removal Policy service is configured to "Automatic". + +Run "Services.msc". + +If the Startup Type for Smart Card Removal Policy is not set to Automatic, this is a finding. + SCPolicySvc + Running + Automatic + + + + + SeTcbPrivilege + Act as part of the operating system + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. + + + SeDenyNetworkLogonRight + Deny access to this computer from the network + False + Enterprise Admins,Domain Admins,"Local account and member of Administrators group" or "Local account",Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: + +Domain Systems Only: +Enterprise Admins group +Domain Admins group +"Local account and member of Administrators group" or "Local account" (see Note below) + +All Systems: +Guests group + +Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. + +Note: Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group". "Local account" is more restrictive but may cause issues on servers such as systems that provide Failover Clustering. +Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012. + + + SeDebugPrivilege + Debug programs + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: + +Administrators + + + SeTrustedCredManAccessPrivilege + Access Credential Manager as a trusted caller + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding. 
+ + + SeNetworkLogonRight + Access this computer from the network + True + Administrators,Authenticated Users + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Access this computer from the network" user right, this is a finding: + +Administrators +Authenticated Users + +Systems dedicated to managing Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG), must only allow Administrators, removing the Authenticated Users group. + + + SeInteractiveLogonRight + Allow log on locally + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: + +Administrators + + + SeRemoteInteractiveLogonRight + Allow log on through Remote Desktop Services + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: + +Administrators + +If the system serves the Remote Desktop Services role, the Remote Desktop Users group or another more restrictive group may be included. + +Organizations may grant this to other groups, such as more restrictive groups with administrative or management functions, if required. 
Remote Desktop Services access must be restricted to the accounts that require it. This must be documented with the ISSO. + + + SeBackupPrivilege + Back up files and directories + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: + +Administrators + + + SeSystemtimePrivilege + Change the system time + True + Administrators,Local Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Change the system time" user right, this is a finding: + +Administrators +Local Service + + + SeCreatePagefilePrivilege + Create a pagefile + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: + +Administrators + + + SeCreateTokenPrivilege + Create a token object + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Create a token object" user right, this is a finding. 
+ + + SeCreateGlobalPrivilege + Create global objects + True + Administrators,Service,Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: + +Administrators +Service +Local Service +Network Service + + + SeCreatePermanentPrivilege + Create permanent shared objects + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding. + + + SeCreateSymbolicLinkPrivilege + Create symbolic links + True + Administrators,{Hyper-V} + False + True + '{0}' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: + +Administrators + +Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines"). This is not a finding. + + + SeDenyBatchLogonRight + Deny log on as a batch job + False + Enterprise Admins,Domain Admins,Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding: + +Domain Systems Only: +Enterprise Admins Group +Domain Admins Group + +All Systems: +Guests Group + + + SeDenyServiceLogonRight + Deny log on as a service + True + Enterprise Admins,Domain Admins + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on as a service" user right on domain-joined systems, this is a finding: + +Enterprise Admins Group +Domain Admins Group + +If any accounts or groups are defined for the "Deny log on as a service" user right on non-domain-joined systems, this is a finding. + + + SeDenyInteractiveLogonRight + Deny log on locally + False + Enterprise Admins,Domain Admins,Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: + +Domain Systems Only: +Enterprise Admins Group +Domain Admins Group + +Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from this. + +All Systems: +Guests Group + + + SeDenyRemoteInteractiveLogonRight + Deny log on through Remote Desktop Services + False + Enterprise Admins,Domain Admins,Local account,Guests + False + False + + Verify the effective setting in Local Group Policy Editor. 
+Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: + +Domain Systems Only: +Enterprise Admins group +Domain Admins group +Local account (see Note below) + +All Systems: +Guests group + +Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. + +Note: Windows Server 2012 R2 added new built-in security groups, including "Local account", for assigning permissions and rights to all local accounts. +Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012. + + + SeEnableDelegationPrivilege + Enable computer and user accounts to be trusted for delegation + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. + + + SeRemoteShutdownPrivilege + Force shutdown from a remote system + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: + +Administrators + + + SeAuditPrivilege + Generate security audits + True + Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: + +Local Service +Network Service + + + SeImpersonatePrivilege + Impersonate a client after authentication + True + Administrators,Service,Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: + +Administrators +Service +Local Service +Network Service + + + SeIncreaseBasePriorityPrivilege + Increase scheduling priority + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding: + +Administrators + + + SeLoadDriverPrivilege + Load and unload device drivers + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding: + +Administrators + + + SeLockMemoryPrivilege + Lock pages in memory + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. + + + SeSecurityPrivilege + Manage auditing and security log + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: + +Administrators + +If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. + +If an application requires this user right, this would not be a finding. +Vendor documentation must support the requirement for having the user right. +The requirement must be documented with the ISSO. +The application account must meet requirements for application account passwords, such as length (V-36661) and required changes frequency (V-36662). + + + SeRelabelPrivilege + Modify an object label + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups are granted the "Modify an object label" user right, this is a finding. + + + SeSystemEnvironmentPrivilege + Modify firmware environment values + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding: + +Administrators + + + SeManageVolumePrivilege + Perform volume maintenance tasks + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: + +Administrators + + + SeProfileSingleProcessPrivilege + Profile single process + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding: + +Administrators + + + SeSystemProfilePrivilege + Profile system performance + True + Administrators,NT Service\WdiServiceHost + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Profile system performance" user right, this is a finding: + +Administrators +NT Service\WdiServiceHost + + + SeAssignPrimaryTokenPrivilege + Replace a process level token + True + Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Replace a process level token" user right, this is a finding: + +Local Service +Network Service + + + SeRestorePrivilege + Restore files and directories + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding: + +Administrators + + + SeTakeOwnershipPrivilege + Take ownership of files or other objects + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: + +Administrators + + + + + SMB1Protocol + Absent + False + False + + This requirement applies to Windows 2012 R2, it is NA for Windows 2012 (see V-73519 and V-73523 for 2012 requirements). + +Different methods are available to disable SMBv1 on Windows 2012 R2. 
This is the preferred method, however if V-73519 and V-73523 are configured, this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). +Enter the following: +Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol + +If "State : Enabled" is returned, this is a finding. + +Alternately: +Search for "Features". +Select "Turn Windows features on or off". + +If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding. + + + + + Win32_OperatingSystem + False + -ge + False + + Version + Run "winver.exe". + +If the "About Windows" dialog box does not display +"Microsoft Windows Server +Version 6.2 (Build 9200)" +or greater, this is a finding. + +No preview versions will be used in a production environment. + +Unsupported Service Packs/Releases: +Windows 2012 - any release candidates or versions prior to the initial release. + 6.2.9200 + + + Win32_LogicalDisk + False + -match + False + + FileSystem + Open "Computer Management". + +Select "Disk Management" under "Storage". + +For each local volume, if the file system does not indicate "NTFS", this is a finding. + +"ReFS" (Resilient File System) is also acceptable and would not be a finding. + +This does not apply to system partitions such as the Recovery and EFI System Partition. + NTFS|ReFS + + + \ No newline at end of file diff --git a/src/StigData/Windows-2012R2-MS-2.9.org.default.xml b/src/StigData/Windows-2012R2-MS-2.9.org.default.xml new file mode 100644 index 000000000..e2ebf6f3d --- /dev/null +++ b/src/StigData/Windows-2012R2-MS-2.9.org.default.xml @@ -0,0 +1,69 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/StigData/Windows-2012R2-MS-2.9.xml b/src/StigData/Windows-2012R2-MS-2.9.xml new file mode 100644 index 000000000..6516b9370 --- /dev/null +++ b/src/StigData/Windows-2012R2-MS-2.9.xml 
@@ -0,0 +1,7330 @@ + + + + False + True + '{0}' -le '3' -and '{0}' -ne '0' + Account lockout threshold + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy. + +If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding. + + + False + True + '{0}' -ge '15' + Reset account lockout counter after + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding. + + + False + True + '{0}' -ge '15' -or '{0}' -eq '0' + Account lockout duration + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. + +Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding. + + + False + True + '{0}' -le '60' -and '{0}' -ne '0' + Maximum password age + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding. + + + False + True + '{0}' -ne '0' + Minimum password age + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately."), this is a finding. + + + False + True + '{0}' -ge '24' + Enforce password history + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding. + + + False + False + + Password must meet complexity requirements + Enabled + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. + +Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes. + + + False + False + + Store passwords using reversible encryption + Disabled + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding. + + + False + True + '{0}' -ge '14' + Minimum password length + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Minimum password length," is less than "14" characters, this is a finding. + + + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Logon -> Credential Validation - Success + Credential Validation + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Logon -> Credential Validation - Failure + Credential Validation + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Computer Account Management - Success + Computer Account Management + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Computer Account Management - Failure + Computer Account Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Other Account Management Events - Success + Other Account Management Events + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). 
+-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Other Account Management Events - Failure + Other Account Management Events + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Security Group Management - Success + Security Group Management + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Security Group Management - Failure + Security Group Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). 
+-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> User Account Management - Success + User Account Management + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> User Account Management - Failure + User Account Management + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Detailed Tracking -> Process Creation - Success + Process Creation + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logoff - Success + Logoff + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logon - Success + Logon + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logon - Failure + Logon + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Logon/Logoff -> Special Logon - Success + Special Logon + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Audit Policy Change - Success + Audit Policy Change + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Audit Policy Change - Failure + Audit Policy Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Policy Change -> Authentication Policy Change - Success + Authentication Policy Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Privilege Use -> Sensitive Privilege Use - Success + Sensitive Privilege Use + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Privilege Use -> Sensitive Privilege Use - Failure + Sensitive Privilege Use + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> IPsec Driver - Success + IPsec Driver + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> IPsec Driver - Failure + IPsec Driver + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security State Change - Success + Security State Change + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> Security State Change - Failure + Security State Change + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security System Extension - Success + Security System Extension + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security System Extension - Failure + Security System Extension + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> System Integrity - Success + System Integrity + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> System Integrity - Failure + System Integrity + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Failure + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. + Removable Storage + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Success + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. + Removable Storage + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access -> Central Policy Staging - Failure + Central Policy Staging + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Object Access -> Central Policy Staging - Success + Central Policy Staging + + + Success + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Authorization Policy Change - Success + Authorization Policy Change + + + Failure + Present + False + False + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Authorization Policy Change - Failure + Authorization Policy Change + + + + + False + False + + Run "PowerShell". + +Member servers and standalone systems: +Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) 
+ +"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { + $user = ([ADSI]$_.Path) + $lastLogin = $user.Properties.LastLogin.Value + $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 + if ($lastLogin -eq $null) { + $lastLogin = 'Never' + } + Write-Host $user.Name $lastLogin $enabled +}" + +This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). +For example: User1 10/31/2015 5:49:56 AM True + +Domain Controllers: +Enter the following command in PowerShell. +"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" + +This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. + +Review the list of accounts returned by the above queries to determine the finding validity for each account reported. + +Exclude the following accounts: +Built-in administrator account (Renamed, SID ending in 500) +Built-in guest account (Renamed, Disabled, SID ending in 501) +Application accounts + +If any enabled accounts have not been logged on to within the past 35 days, this is a finding. + +Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO. + + + False + False + + If FTP is not installed on the system, this is NA. + +Determine the IP address and port number assigned to FTP sites from documentation or configuration. + +If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. + +For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. + +Open a "Command Prompt". + +Attempt to log on as the user "anonymous" with the following commands: + +Note: Returned results may vary depending on the FTP server software. 
+ +C:\> "ftp" +ftp> "Open IP Address Port" +(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) +(Connected to IP Address +220 Microsoft FTP Service) + +User (IP Address): "anonymous" +(331 Anonymous access allowed, send identity (e-mail name) as password.) + +Password: "password" +(230 User logged in.) +ftp> + +If the response indicates that an anonymous FTP login was permitted, this is a finding. + +If accounts with administrator privileges are used to access FTP, this is a CAT I finding. + + + False + False + + If FTP is not installed on the system, this is NA. + +Determine the IP address and port number assigned to FTP sites from documentation or configuration. + +If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. + +For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. + +Open a "Command Prompt". + +Access the FTP site and review accessible directories with the following commands: + +Note: Returned results may vary depending on the FTP server software. + +C:\> "ftp" +ftp> "Open IP Address Port" +(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) +(Connected to IP Address +220 Microsoft FTP Service) + +User (IP Address): "FTP User" +(Substituting [FTP User] with an account identified that is allowed access. If it was determined that anonymous access was allowed to the site [see V-1120], also review access using "anonymous".) + (331 Password required) + +Password: "Password" +(Substituting [Password] with password for the account attempting access.) +(230 User ftpuser logged in.) 
+ +ftp> "Dir" + +If the FTP session indicates access to areas of the system other than the specific folder for FTP data, such as the root of the drive, Program Files or Windows directories, this is a finding. + + + False + False + + If no accounts are members of the Backup Operators group, this is NA. + +Any accounts that are members of the Backup Operators group, including application accounts, must be documented with the ISSO. If documentation of accounts that are members of the Backup Operators group is not maintained this is a finding. + + + False + False + + Determine whether there is a host-based Intrusion Detection System on each server. + +If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. + +A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO. + +If a host-based Intrusion Detection System is not installed on the system, this is a finding. + + + False + False + + Required services will vary between organizations, and on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the ISSO. The site's list will be provided for any security review. Services common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. + +Individual services specifically required to be disabled per the STIG are identified in separate requirements. + +If the site has not documented the services required for their system(s), this is a finding. + +The following can be used to view the services on a system: +Run "Services.msc". + +Services for Windows Server 2012 roles are managed automatically, adding those necessary for a particular role. 
The following lists the default services for a baseline installation as a reference. This can be used as a basis for documenting the services necessary. + +Default Installation +Name - Startup Type +Application Experience - Manual (Trigger Start) +Application Identity - Manual (Trigger Start) +Application Information - Manual +Application Layer Gateway Service - Manual +Application Management - Manual +Background Intelligent Transfer Service - Automatic (Delayed Start) +Background Tasks Infrastructure Service - Automatic +Base Filtering Engine - Automatic +Certificate Propagation - Manual +CNG Key Isolation - Manual (Trigger Start) +COM+ Event System - Automatic +COM+ System Application - Manual +Computer Browser - Disabled +Credential Manager - Manual +Cryptographic Services - Automatic +DCOM Server Process Launcher - Automatic +Device Association Service - Manual (Trigger Start) +Device Install Service - Manual (Trigger Start) +Device Setup Manager - Manual (Trigger Start) +DHCP Client - Automatic +Diagnostic Policy Service - Automatic (Delayed Start) +Diagnostic Service Host - Manual +Diagnostic System Host - Manual +Distributed Link Tracking Client - Automatic +Distributed Transaction Coordinator - Automatic (Delayed Start) +DNS Client - Automatic (Trigger Start) +Encrypting File System (EFS) - Manual (Trigger Start) +Extensible Authentication Protocol - Manual +Function Discovery Provider Host - Manual +Function Discovery Resource Publication - Manual +Group Policy Client - Automatic (Trigger Start) +Health Key and Certificate Management - Manual +Human Interface Device Access - Manual (Trigger Start) +Hyper-V Data Exchange Service - Manual (Trigger Start) +Hyper-V Guest Shutdown Service - Manual (Trigger Start) +Hyper-V Heartbeat Service - Manual (Trigger Start) +Hyper-V Remote Desktop Virtualization Service - Manual (Trigger Start) +Hyper-V Time Synchronization Service - Manual (Trigger Start) +Hyper-V Volume Shadow Copy Requestor - Manual (Trigger Start) 
+IKE and AuthIP IPsec Keying Modules - Manual (Trigger Start) +Interactive Services Detection - Manual +Internet Connection Sharing (ICS) - Disabled +IP Helper - Automatic +IPsec Policy Agent - Manual (Trigger Start) +KDC Proxy Server service (KPS) - Manual +KtmRm for Distributed Transaction Coordinator - Manual (Trigger Start) +Link-Layer Topology Discovery Mapper - Manual +Local Session Manager - Automatic +Microsoft iSCSI Initiator Service - Manual +Microsoft Software Shadow Copy Provider - Manual +Multimedia Class Scheduler - Manual +Net.Tcp Port Sharing Service - Disabled +Netlogon - Manual +Network Access Protection Agent - Manual +Network Connections - Manual +Network Connectivity Assistant - Manual (Trigger Start) +Network List Service - Manual +Network Location Awareness - Automatic +Network Store Interface Service - Automatic +Optimize drives - Manual +Performance Counter DLL Host - Manual +Performance Logs & Alerts - Manual +Plug and Play - Manual +Portable Device Enumerator Service - Manual (Trigger Start) +Power - Automatic +Print Spooler - Automatic +Printer Extensions and Notifications - Manual +Problem Reports and Solutions Control Panel Support - Manual +Remote Access Auto Connection Manager - Manual +Remote Access Connection Manager - Manual +Remote Desktop Configuration - Manual +Remote Desktop Services - Manual +Remote Desktop Services UserMode Port Redirector - Manual +Remote Procedure Call (RPC) - Automatic +Remote Procedure Call (RPC) Locator - Manual +Remote Registry - Automatic (Trigger Start) +Resultant Set of Policy Provider - Manual +Routing and Remote Access - Disabled +RPC Endpoint Mapper - Automatic +Secondary Logon - Manual +Secure Socket Tunneling Protocol Service - Manual +Security Accounts Manager - Automatic +Server - Automatic +Shell Hardware Detection - Automatic +Smart Card - Disabled +Smart Card Removal Policy - Manual +SNMP Trap - Manual +Software Protection - Automatic (Delayed Start, Trigger Start) +Special Administration 
Console Helper - Manual +Spot Verifier - Manual (Trigger Start) +SSDP Discovery - Disabled +Superfetch - Manual +System Event Notification Service - Automatic +Task Scheduler - Automatic +TCP/IP NetBIOS Helper - Automatic (Trigger Start) +Telephony - Manual +Themes - Automatic +Thread Ordering Server - Manual +UPnP Device Host - Disabled +User Access Logging Service - Automatic (Delayed Start) +User Profile Service - Automatic +Virtual Disk - Manual +Volume Shadow Copy - Manual +Windows All-User Install Agent - Manual (Trigger Start) +Windows Audio - Manual +Windows Audio Endpoint Builder - Manual +Windows Color System - Manual +Windows Driver Foundation - User-mode Driver Framework - Manual (Trigger Start) +Windows Error Reporting Service - Manual (Trigger Start) +Windows Event Collector - Manual +Windows Event Log - Automatic +Windows Firewall - Automatic +Windows Font Cache Service - Automatic +Windows Installer - Manual +Windows Licensing Monitoring Service - Automatic +Windows Management Instrumentation - Automatic +Windows Modules Installer - Manual +Windows Remote Management (WS-Management) - Automatic +Windows Store Service (WSService) - Manual (Trigger Start) +Windows Time - Manual (Trigger Start) +Windows Update - Manual +WinHTTP Web Proxy Auto-Discovery Service - Manual +Wired AutoConfig - Manual +WMI Performance Adapter - Manual +Workstation - Automatic + + + False + False + + Search all drives for *.p12 and *.pfx files. + +If any files with these extensions exist, this is a finding. + +This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager). Some applications create files with extensions of .p12 that are NOT certificate installation files. Removal of noncertificate installation files from systems is not required. These must be documented with the ISSO. + + + False + False + + Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. 
+ +Run "PowerShell" as an administrator. +Execute the following command: +Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB + +Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". +If there are no entries for "DoD Root CA 2", "DoD Root CA 3", and "DoD Root CA 4", this is a finding. + +For each of the DoD Root CA certificates noted above: +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the value for the "Thumbprint" field is not as noted below, this is a finding. +DoD Root CA 2 - 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 +DoD Root CA 3 - D73CA91102A2204A36459ED32213B467D7CE97FB +DoD Root CA 4 - B8269F25DBD937ECAFD4C35A9838571723F2D026 + +The thumbprints referenced apply to unclassified systems; see PKE documentation for other networks. + + + False + False + + Review the necessary documentation that identifies the members of the Administrators group. If a list of all users belonging to the Administrators group is not maintained with the ISSO, this is a finding. 
+ + + False + False + + Determine whether system-related documentation is backed up in accordance with local recovery time and recovery point objectives. If system-related documentation is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + + + False + False + + Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding. + + + False + False + + Determine whether any shared accounts exist. If no shared accounts exist, this is NA. +If shared accounts exist, this is a finding. + + + False + False + + Verify a supported DoD antivirus product has been installed on the system. + +If McAfee VirusScan Enterprise 8.8 Patch 3 or later is not installed on the system, this is a finding. + +If another recognized antivirus product is installed, this would still be a finding; however, the severity may be reduced to a CAT III. + + + False + False + + Determine whether system-level information is backed up in accordance with local recovery time and recovery point objectives. If system-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + False + False + + Verify the local system boots directly into Windows. + +Open Control Panel. +Select "System". +Select the "Advanced System Settings" link. +Select the "Advanced" tab. +Click the "Startup and Recovery" Settings button. + +If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding. + + + False + False + + Review the local Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. + +For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. 
+ +Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from this. AD admin platforms may use the Domain Admins group or a domain administrative group created specifically for AD admin platforms (see V-43711 in the Active Directory Domain STIG). + +Standard user accounts must not be members of the local Administrator group. + +If prohibited accounts are members of the local Administrators group, this is a finding. + +The built-in Administrator account or other required administrative accounts would not be a finding. + + + False + False + + Verify security configuration tools or equivalent processes are being used to configure Windows systems to meet security requirements. If security configuration tools or equivalent processes are not used, this is a finding. + +Security configuration tools that are integrated into Windows, such as Group Policies and Security Templates, may be used to configure platforms for security compliance. + +If an alternate method is used to configure a system (e.g., manually using the DISA Windows Security STIGs, etc.) and the same configured result is achieved, this is acceptable. + + + False + False + + Open "Devices and Printers" in Control Panel or through Search. +If there are no printers configured, this is NA. + +For each configured printer: +Right click on the printer. +Select "Printer Properties". +Select the "Sharing" tab. +View whether "Share this printer" is checked. + +For any printers with "Share this printer" selected: +Select the Security tab. + +If any standard user accounts or groups have permissions other than "Print", this is a finding. +Standard users will typically be given "Print" permission through the Everyone group. +"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement. 
+ + + False + False + + Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding. + +A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement. + + + False + False + + If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. +(System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) + +Run "Computer Management". +Navigate to System Tools >> Shared Folders >> Shares. + +Right click any non-system-created shares. +Select "Properties". +Select the "Share Permissions" tab. + +If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. + +Select the "Security" tab. + +If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. + + + False + False + + Run the DUMPSEC utility. +Select "Dump Users as Table" from the "Report" menu. +Select the following fields, and click "Add" for each entry: + +UserName +SID +PswdExpires +AcctDisabled +Groups + +If any accounts have "No" in the "PswdExpires" column, this is a finding. + +The following are exempt from this requirement: +Application Accounts +Domain accounts requiring smart card (CAC/PIV) + +The following PowerShell command may be used on domain controllers to list accounts with the Password Never Expires flag: +Search-ADAccount -PasswordNeverExpires -UsersOnly + + + False + False + + Verify all accounts require passwords. + +Run the DUMPSEC utility. +Select "Dump Users as Table" from the "Report" menu. 
+Select the following fields, and click "Add" for each entry: + +UserName +SID +PswdRequired +AcctDisabled +Groups + +If any accounts have "No" in the "PswdRequired" column, this is a finding. + +Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) may not have this flag set, even though there are passwords present. It can be set by entering the following on a command line: "Net user <account_name> /passwordreq:yes". + + + False + False + + Determine if any system administrators have left the organization within the last year. + +Run the DUMPSEC utility. +Select "Dump Users as Table" from the "Report" menu. +Select the following fields, and click "Add" for each entry: + +UserName +SID +PwsdLastSetTime + +If the built-in Administrator account has a date older than one year in the "PwsdLastSetTime" column, this is a finding. +If any system administrators has left the organization within the last year and the "PwsdLastSetTime" field reflects the built-in Administrator account password was not changed at that time, this is a finding. + + + False + False + + Verify whether the registry key below exists. If it does not exist or the value is "0", this is not a finding. +If the registry key exists and contains a value other than "0", continue below. + +The values are determined by the selection of encryption suites in the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network Security: Configure encryption types allowed for Kerberos". + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ +Value Name: SupportedEncryptionTypes +Type: REG_DWORD + +Due to the number of possible combinations that may include the DES encryption types, it is not possible to include all acceptable values as viewed directly in the registry. 
+ +If the registry key does exist, the value must be converted to binary to determine configuration of specific bits. This will determine whether this is a finding. + +Note the value for the registry key. +For example, when all suites, including the DES suites are selected, the value will be "0x7fffffff (2147483647)". + +Open the Windows calculator (Run/Search for "calc"). +Select "View", then "Programmer". +Select "Dword" and either "Hex" or "Dec". +Enter the appropriate form of the value found for the registry key (e.g., Hex - enter 0x7fffffff, Dec - enter 2147483647) +Select "Bin". +The returned value may vary in length, up to 32 characters. +If the either of 2 right most characters are "1", this is a finding. +If the both of 2 right most characters are "0", this is not a finding. + + + False + False + + Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. + +Run "PowerShell" as an administrator. +Execute the following command: +Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". 
+Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Issued To - Issued By - Thumbprint +DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F +DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 +DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 + + + False + False + + Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. + +The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. + +Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. + +If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding. 
+ + + False + False + + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + +If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. + + + False + False + + Verify the site has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. If such a policy does not exist or has not been implemented, this is a finding. + + + False + False + + Determine if any system administrators with knowledge of application account passwords have left the organization within the last year. + +Run the DUMPSEC utility. +Select "Dump Users as Table" from the "Report" menu. +Select the following fields, and click "Add" for each entry: + +UserName +SID +PwsdLastSetTime + +If any application accounts listed that are manually managed and have a date older than one year in the "PwsdLastSetTime" column, this is a finding. +If any system administrators with knowledge of application account passwords have left the organization within the last year and the "PwsdLastSetTime" field reflects that application account passwords were not changed at that time, this is a finding. + + + False + False + + Determine whether the site has a policy that requires SAs be trained for all operating systems running on systems under their control. If the site does not have a policy requiring SAs be trained for all operating systems under their control, this is a finding. + + + False + False + + Determine whether audit logs are reviewed on a predetermined schedule. If audit logs are not reviewed on a regular basis, this is a finding. + + + False + False + + Determine whether audit data is retained for at least one year. If the audit data is not retained for at least a year, this is a finding. 
+ + + False + False + + Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding. + + + False + False + + Determine whether user-level information is backed up in accordance with local recovery time and recovery point objectives. If user-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding. + + + False + False + + Verify the operating system employs automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). If it does not, this is a finding. + + + False + False + + Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding. + + + False + False + + Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding. + + + False + False + + Determine if system-level information backups are protected from destruction and stored in a physically secure location. If they are not, this is a finding. + + + False + False + + This requirement is NA if McAfee VirusScan Enterprise (VSE) is used. It will be addressed with the corresponding McAfee VSE STIG. + +Configurations will vary depending on the product. + +Review the antivirus program signature update configuration. + +If the antivirus program is not configured to update the signature files on a daily basis, this is a finding. + +It may not be possible for systems to receive updates on a daily basis due to various factors. If the signature file is more than a week old, this is a finding. 
+ + + False + False + + If no accounts are members of the Backup Operators group, this is NA. + +Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding. + + + False + False + + Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. + +Run "PowerShell" as an administrator. +Execute the following command: +Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint +If the following information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 + +Alternately use the Certificates MMC snap-in: +Run "MMC". +Select "File", "Add/Remove Snap-in". +Select "Certificates", click "Add". +Select "Computer account", click "Next". +Select "Local computer: (the computer this console is running on)", click "Finish". +Click "OK". +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": +Right click on the certificate and select "Open". +Select the "Details" Tab. +Scroll to the bottom and select "Thumbprint". + +If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Issued To - Issued By - Thumbprint +DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 + + + False + False + + Determine if a host-based firewall is installed and enabled on the system. 
If a host-based firewall is not installed and enabled on the system, this is a finding. + +The configuration requirements will be determined by the applicable firewall STIG. + + + False + False + + This is applicable to unclassified systems, for other systems this is NA. + +Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + +If an application whitelisting program is not in use on the system, this is a finding. + +Configuration of whitelisting applications will vary by the program. + +AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. + +If AppLocker is used, perform the following to view the configuration of AppLocker: +Open PowerShell. + +If the AppLocker PowerShell module has not been previously imported, execute the following first: +Import-Module AppLocker + +Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: +Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml + +This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. + +Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" under the Microsoft Windows section of the following link: + +https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml + + + False + False + + If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPSEC have been implemented. If protection methods have not been implemented, this is a finding. 
+ + + False + False + + Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If it does not, this is a finding. + + + False + False + + Verify the operating system automatically disables temporary user accounts after 72 hours. If it does not, this is a finding. + +Determine if temporary user accounts are used and identify any that may be in existence. +For Domain Accounts: +Open PowerShell. +Run the command "Search-ADAccount -AccountExpiring" to determine if account expiration dates have been configured on any temporary accounts. +For any accounts returned, run the command "Get-ADUser -Identity <Name> -Property WhenCreated" to determine when the account was created. + +Local accounts: +Run "Net user <username>". This will list the account properties, including "Account Expires". + + + False + False + + Verify the operating system is configured such that emergency administrator accounts are automatically removed or disabled after the crisis is resolved or within 72 hours. If it is not, this is a finding. + +Determine if emergency accounts are used and identify any that may be in existence. +For Domain Accounts: +Open PowerShell. +Run the command "Search-ADAccount -AccountExpiring" to determine if account expiration dates have been configured on any emergency accounts. + +Local accounts: +Run "Net user <username>". This will list the account properties, including "Account Expires". + + + False + False + + Verify the operating system, at a minimum, off-loads audit records of interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding. 
+ + + + + + + + + Administrators + False + This Key and Subkeys + FullControl + + + + + Backup Operators + False + This Key Only + ReadKey + + + + + LOCAL SERVICE + False + This Key and Subkeys + ReadKey + + + True + False + False + + HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ + Run "Regedit". +Navigate to the following registry key: +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ + +If the key does not exist, this is a finding. + +Right-click on "winreg" and select "Permissions…". +Select "Advanced". + +If the permissions are not as restrictive as the defaults listed below, this is a finding. + +The following are the same for each permission listed: +Type - Allow +Inherited from - None + +Columns: Principal - Access - Applies to +Administrators - Full Control - This key and subkeys +Backup Operators - Read - This key only +LOCAL SERVICE - Read - This key and subkeys + + + + + + + TrustedInstaller + False + This Key and Subkeys + FullControl + + + + + SYSTEM + False + This Key and Subkeys + FullControl + + + + + Administrators + False + This Key and Subkeys + FullControl + + + + + Users + False + This Key and Subkeys + ReadKey + + + + + ALL APPLICATION PACKAGES + False + This Key and Subkeys + ReadKey + + + True + False + False + + HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Winlogon\ + Run "Regedit". +Navigate to the following registry key: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Right-click on "WinLogon" and select "Permissions…". +Select "Advanced". + +If the permissions are not as restrictive as the defaults listed below, this is a finding. 
+ +The following are the same for each permission listed: +Type - Allow +Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion +Applies to - This key and subkeys + +Columns: Principal - Access +TrustedInstaller - Full Control +SYSTEM - Full Control +Administrators - Full Control +Users - Read +ALL APPLICATION PACKAGES - Read + + + + True + False + False + + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: + +Domain Systems Only: +Enterprise Admins group +Domain Admins group +Local account (see Note below) + +All Systems: +Guests group + +Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. + +Note: Windows Server 2012 R2 added new built-in security groups, including "Local account", for assigning permissions and rights to all local accounts. +Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012. + + + + + + + Users + False + + + ReadKey + + + + + Administrators + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + CREATOR OWNER + False + Subkeys Only + FullControl + + + + + ALL APPLICATION PACKAGES + False + + + ReadKey + + + True + False + False + + HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ + Run "Regedit". 
+Navigate to the following registry keys and review the permissions: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ +HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems) + +If the default permissions listed below have been changed, this is a finding. + +Users - Read +Administrators - Full Control +SYSTEM - Full Control +CREATOR OWNER - Full Control (Subkeys only) +ALL APPLICATION PACKAGES - Read + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\Application.evtx + Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\Security.evtx + Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. 
+ + + + + + + Eventlog + False + + + FullControl + + + + + SYSTEM + False + + + FullControl + + + + + Administrators + False + + + FullControl + + + True + False + False + + %windir%\SYSTEM32\WINEVT\LOGS\System.evtx + Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. + + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %ProgramFiles(x86)% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) 
+ +Viewing in File Explorer: +For each folder, view the Properties. +Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Program Files and \Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls "c:\program files" +icacls "c:\program files (x86)" + +The following results should be displayed as each is entered: + +c:\program files +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + 
This folder subfolders and files + ReadAndExecute + + + True + False + False + + %ProgramFiles% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +For each folder, view the Properties. +Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Program Files and \Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). 
+Enter icacls followed by the directory: + +icacls "c:\program files" +icacls "c:\program files (x86)" + +The following results should be displayed as each is entered: + +c:\program files +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + SYSTEM + False + This folder subfolders and files + FullControl + + + + + Administrators + False + This folder subfolders and files + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + Users + False + This folder and subfolders + CreateDirectories,AppendData + + + + + Users + False + Subfolders only + CreateFiles,WriteData + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + True + False + False + + %SystemDrive%\ + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +View the Properties of system drive root directory. +Select the "Security" tab, and the "Advanced" button. 
+ +C:\ +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +SYSTEM - Full control - This folder, subfolders and files +Administrators - Full control - This folder, subfolders and files +Users - Read & execute - This folder, subfolders and files +Users - Create folders / append data - This folder and subfolders +Users - Create files / write data - Subfolders only +CREATOR OWNER - Full Control - Subfolders and files only + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls c:\ + +The following results should be displayed: + +c:\ +NT AUTHORITY\SYSTEM:(OI)(CI)(F) +BUILTIN\Administrators:(OI)(CI)(F) +BUILTIN\Users:(OI)(CI)(RX) +BUILTIN\Users:(CI)(AD) +BUILTIN\Users:(CI)(IO)(WD) +CREATOR OWNER:(OI)(CI)(IO)(F) +Successfully processed 1 files; Failed processing 0 files + + + + + + + TrustedInstaller + False + This folder and subfolders + FullControl + + + + + SYSTEM + False + This folder only + Modify + + + + + SYSTEM + False + Subfolders and files only + FullControl + + + + + Administrators + False + This folder only + Modify + + + + + Administrators + False + Subfolders and files only + FullControl + + + + + Users + False + This folder subfolders and files + ReadAndExecute + + + + + CREATOR OWNER + False + Subfolders and files only + FullControl + + + + + ALL APPLICATION PACKAGES + False + This folder subfolders and files + ReadAndExecute + + + True + False + False + + %windir% + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the Windows installation directory (usually C:\Windows). 
Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +View the Properties of the folder. +Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Windows +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls c:\windows + +The following results should be displayed: + +c:\windows +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + + + TrustedInstaller + False + + + FullControl + + + + + Administrators + False + + + ReadAndExecute + + + + + SYSTEM + False + + + ReadAndExecute + + + + + Users + False + + + ReadAndExecute + + + + + ALL APPLICATION PACKAGES + False + + + ReadAndExecute + + + True + False + False + + %windir%\SYSTEM32\eventvwr.exe + Verify the permissions on Event Viewer only allow TrustedInstaller permissions to change or 
modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding. + +Navigate to "%SystemRoot%\SYSTEM32". +View the permissions on "Eventvwr.exe". + +The default permissions below satisfy this requirement. +TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & Execute + + + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ShutdownWithoutLogon + +Value Type: REG_DWORD +Value: 0 + 0 + ShutdownWithoutLogon + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeText + +Value Type: REG_SZ +Value: See message text below + +You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
+ +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + +Any OS versions that do not support the full text version must state the following: +"I've read & consent to terms in IS user agreem't." + +Deviations are not permitted except as authorized by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + LegalNoticeText + String + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -le '4' + If the system is not a member of a domain, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: CachedLogonsCount + +Value Type: REG_SZ +Value: 4 (or less) + + CachedLogonsCount + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymous + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictAnonymous + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableForcedLogoff + +Value Type: REG_DWORD +Value: 1 + 1 + EnableForcedLogoff + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry 
Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnablePlainTextPassword + +Value Type: REG_DWORD +Value: 0 + 0 + EnablePlainTextPassword + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: AutoAdminLogon + +Type: REG_SZ +Value: 0 + 0 + AutoAdminLogon + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\ + +Value Name: AddPrinterDrivers + +Value Type: REG_DWORD +Value: 1 + 1 + AddPrinterDrivers + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: LmCompatibilityLevel + +Value Type: REG_DWORD +Value: 5 + 5 + LmCompatibilityLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableCAD + +Value Type: REG_DWORD +Value: 0 + 0 + DisableCAD + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -match '1|2' + If the 
following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: SCRemoveOption + +Value Type: REG_SZ +Value: 1 (Lock Workstation) or 2 (Force Logoff) + +If configuring this on servers causes issues such as terminating users' remote sessions and the site has a policy in place that any other sessions on the servers such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO. + + SCRemoveOption + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SealSecureChannel + +Value Type: REG_DWORD +Value: 1 + +If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831). 
+ 1 + SealSecureChannel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SignSecureChannel + +Value Type: REG_DWORD +Value: 1 + +If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831). + 1 + SignSecureChannel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: DisablePasswordChange + +Value Type: REG_DWORD +Value: 0 + 0 + DisablePasswordChange + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: AllocateDASD + +Value Type: REG_SZ +Value: 0 + 0 + AllocateDASD + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -ge '14' + If 
the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: PasswordExpiryWarning + +Value Type: REG_DWORD +Value: 14 (or greater) + + PasswordExpiryWarning + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\ + +Value Name: ProtectionMode + +Value Type: REG_DWORD +Value: 1 + 1 + ProtectionMode + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters + True + {0} -le '15' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: autodisconnect + +Value Type: REG_DWORD +Value: 0x0000000f (15) (or less) + + autodisconnect + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ + +Value Name: NoDriveTypeAutoRun + +Type: REG_DWORD +Value: 0x000000ff (255) + 255 + NoDriveTypeAutoRun + Dword + + + Present + True + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: NullSessionPipes + +Value 
Type: REG_MULTI_SZ +Value: (blank) + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. + + NullSessionPipes + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\ + +Value Name: Machine + +Value Type: REG_MULTI_SZ +Value: see below + +System\CurrentControlSet\Control\ProductOptions +System\CurrentControlSet\Control\Server Applications +Software\Microsoft\Windows NT\CurrentVersion + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. 
+ System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion + Machine + MultiString + + + Present + True + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist, this is not a finding: + +If the following registry value does exist and is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: NullSessionShares + +Value Type: REG_MULTI_SZ +Value: (Blank) + + NullSessionShares + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fAllowToGetHelp + +Type: REG_DWORD +Value: 0 + 0 + fAllowToGetHelp + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: LimitBlankPasswordUse + +Value Type: REG_DWORD +Value: 1 + 1 + LimitBlankPasswordUse + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + True + {0} -le '30' -and {0} -gt '0' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: MaximumPasswordAge + +Value Type: REG_DWORD +Value: 30 (or less, but not 0) + + MaximumPasswordAge + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireStrongKey + +Value Type: REG_DWORD +Value: 1 + +This setting may prevent a system from being joined to a domain if not configured consistently between systems. + 1 + RequireStrongKey + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: DisableDomainCreds + +Value Type: REG_DWORD +Value: 1 + 1 + DisableDomainCreds + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: EveryoneIncludesAnonymous + +Value Type: REG_DWORD +Value: 0 + 0 + EveryoneIncludesAnonymous + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: ForceGuest + +Value Type: REG_DWORD +Value: 0 + 0 + ForceGuest + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: NoLMHash + +Value Type: 
REG_DWORD +Value: 1 + 1 + NoLMHash + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LDAP\ + +Value Name: LDAPClientIntegrity + +Value Type: REG_DWORD +Value: 1 + 1 + LDAPClientIntegrity + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinClientSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200) + 537395200 + NTLMMinClientSec + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ + +Value Name: Enabled + +Value Type: REG_DWORD +Value: 1 + +Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site. 
+ 1 + Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\ + +Value Name: ObCaseInsensitive + +Value Type: REG_DWORD +Value: 1 + 1 + ObCaseInsensitive + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fSingleSessionPerUser + +Type: REG_DWORD +Value: 1 + 1 + fSingleSessionPerUser + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fPromptForPassword + +Type: REG_DWORD +Value: 1 + 1 + fPromptForPassword + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: MinEncryptionLevel + +Type: REG_DWORD +Value: 3 + 3 + MinEncryptionLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: PerSessionTempDir + +Type: REG_DWORD +Value: 1 + 1 + PerSessionTempDir + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DeleteTempDirsOnExit + +Type: REG_DWORD +Value: 1 + 1 + DeleteTempDirsOnExit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system + False + + Review the registry. +If the following registry value does not exist, this is not a finding (this is the expected result from configuring the policy as outlined in the Fix section.): +If the following registry value exists but is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\system\ + +Value Name: DisableBkGndGroupPolicy + +Type: REG_DWORD +Value: 0 + 0 + DisableBkGndGroupPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fAllowUnsolicited + +Type: REG_DWORD +Value: 0 + 0 + fAllowUnsolicited + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters + True + '{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\W32time\Parameters\ +Type: REG_SZ +Value Name: Type +Value: Possible values are NoSync, NTP, NT5DS, AllSync + + Type + String + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\W32time\Parameters + True + '{0}' -notmatch 'time.windows.com' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\W32time\Parameters\ +Type: REG_SZ +Value Name: NTPServer +Value: "address of the time server" + + NTPServer + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\ + +Value Name: SafeDllSearchMode + +Value Type: REG_DWORD +Value: 1 + 1 + SafeDllSearchMode + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer + False + + Windows Media Player is not installed by default. If it is not installed, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: DisableAutoupdate + +Type: REG_DWORD +Value: 1 + 1 + DisableAutoupdate + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: PreventCodecDownload + +Type: REG_DWORD +Value: 1 + 1 + PreventCodecDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinServerSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200) + 
537395200 + NTLMMinServerSec + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security + True + {0} -le '90' + If the system is configured to write to an audit server, or is configured to automatically archive full logs, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\ + +Value Name: WarningLevel + +Value Type: REG_DWORD +Value: 90 (or less) + + WarningLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: DisableIPSourceRouting + +Value Type: REG_DWORD +Value: 2 + 2 + DisableIPSourceRouting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableICMPRedirect + +Value Type: REG_DWORD +Value: 0 + 0 + EnableICMPRedirect + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: PerformRouterDiscovery + +Value Type: REG_DWORD +Value: 0 + 0 + PerformRouterDiscovery + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + True + {0} -le '300000' + If the following registry 
value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: KeepAliveTime + +Value Type: REG_DWORD +Value: 300000 (or less) + + KeepAliveTime + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ + +Value Name: NoNameReleaseOnDemand + +Value Type: REG_DWORD +Value: 1 + 1 + NoNameReleaseOnDemand + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + True + {0} -le '3' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: TcpMaxDataRetransmissions + +Value Type: REG_DWORD +Value: 3 (or less) + + TcpMaxDataRetransmissions + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon + True + {0} -le '5' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: ScreenSaverGracePeriod + +Value Type: REG_SZ +Value: 5 (or less) + + ScreenSaverGracePeriod + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\ + +Value Name: Machine + +Value Type: 
REG_MULTI_SZ +Value: see below + +Software\Microsoft\OLAP Server +Software\Microsoft\Windows NT\CurrentVersion\Perflib +Software\Microsoft\Windows NT\CurrentVersion\Print +Software\Microsoft\Windows NT\CurrentVersion\Windows +System\CurrentControlSet\Control\ContentIndex +System\CurrentControlSet\Control\Print\Printers +System\CurrentControlSet\Control\Terminal Server +System\CurrentControlSet\Control\Terminal Server\UserConfig +System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration +System\CurrentControlSet\Services\Eventlog +System\CurrentControlSet\Services\Sysmonlog + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions. + Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Perflib;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;System\CurrentControlSet\Services\Eventlog;System\CurrentControlSet\Services\Sysmonlog + Machine + MultiString + + + Present + True + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Subsystems + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\ + +Value Name: Optional + +Value Type: REG_MULTI_SZ +Value: (Blank) + + Optional + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the 
following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEncryptRPCTraffic + +Type: REG_DWORD +Value: 1 + 1 + fEncryptRPCTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ + +Value Name: NoGPOListChanges + +Type: REG_DWORD +Value: 0 + 0 + NoGPOListChanges + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireSignOrSeal + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSignOrSeal + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: RequireSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: 
RequireSecuritySignature + +Value Type: REG_DWORD +Value: 1 + 1 + RequireSecuritySignature + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: RestrictNullSessAccess + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictNullSessAccess + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DontDisplayLastUserName + +Value Type: REG_DWORD +Value: 1 + 1 + DontDisplayLastUserName + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: AuditBaseObjects + +Value Type: REG_DWORD +Value: 0 + 0 + AuditBaseObjects + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: FullPrivilegeAuditing + +Value Type: REG_BINARY +Value: 0 + 0 + FullPrivilegeAuditing + Binary + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\System\CurrentControlSet\Control\Lsa\ + +Value Name: SCENoApplyLegacyAuditPolicy + +Value Type: REG_DWORD +Value: 1 + 1 + SCENoApplyLegacyAuditPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\IPSEC\ + +Value Name: NoDefaultExempt + +Value Type: REG_DWORD +Value: 3 + 3 + NoDefaultExempt + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: FilterAdministratorToken + +Value Type: REG_DWORD +Value: 1 + 1 + FilterAdministratorToken + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + '{0}' -le '4' + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorAdmin + +Value Type: REG_DWORD +Value: 4 (Prompt for consent) +3 (Prompt for credentials) +2 (Prompt for consent on the secure desktop) +1 (Prompt for credentials on the secure desktop) + + ConsentPromptBehaviorAdmin + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorUser + +Value Type: REG_DWORD +Value: 0 + 0 + ConsentPromptBehaviorUser + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableInstallerDetection + +Value Type: REG_DWORD +Value: 1 + 1 + EnableInstallerDetection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableSecureUIAPaths + +Value Type: REG_DWORD +Value: 1 + 1 + EnableSecureUIAPaths + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableLUA + +Value Type: REG_DWORD +Value: 1 + 1 + EnableLUA + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: PromptOnSecureDesktop + +Value Type: REG_DWORD +Value: 1 + 1 + PromptOnSecureDesktop + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableVirtualization + +Value Type: REG_DWORD +Value: 1 + 1 + EnableVirtualization + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ + +Value Name: EnumerateAdministrators + +Type: REG_DWORD +Value: 0x00000000 (0) + 0 + EnumerateAdministrators + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DisablePasswordSaving + +Type: REG_DWORD +Value: 1 + 1 + DisablePasswordSaving + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows 
NT\Terminal Services\ + +Value Name: fDisableCdm + +Type: REG_DWORD +Value: 1 + 1 + fDisableCdm + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ + +Value Name: RestrictRemoteClients + +Type: REG_DWORD +Value: 1 + 1 + RestrictRemoteClients + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableHTTPPrinting + +Type: REG_DWORD +Value: 1 + 1 + DisableHTTPPrinting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableWebPnPDownload + +Type: REG_DWORD +Value: 1 + 1 + DisableWebPnPDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DontSearchWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DontSearchWindowsUpdate + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER 
+Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: SaveZoneInformation + +Type: REG_DWORD +Value: 2 + 2 + SaveZoneInformation + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: HideZoneInfoOnProperties + +Type: REG_DWORD +Value: 1 + 1 + HideZoneInfoOnProperties + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: ScanWithAntiVirus + +Type: REG_DWORD +Value: 3 + 3 + ScanWithAntiVirus + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Peernet\ + +Value Name: Disabled + +Type: REG_DWORD +Value: 1 + 1 + Disabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ + +Value Name: NC_AllowNetBridge_NLA + +Type: REG_DWORD +Value: 0 + 0 + NC_AllowNetBridge_NLA + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer + False + + If the following registry value does not exist or is not configured 
as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\EventViewer\ + +Value Name: MicrosoftEventVwrDisableLinks + +Type: REG_DWORD +Value: 1 + 1 + MicrosoftEventVwrDisableLinks + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoInternetOpenWith + +Type: REG_DWORD +Value: 1 + 1 + NoInternetOpenWith + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the system is a member of a domain, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LogonType + +Type: REG_DWORD +Value: 0 + 0 + LogonType + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: DisableEnclosureDownload + +Type: REG_DWORD +Value: 1 + 1 + DisableEnclosureDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: PreXPSP2ShellProtocolBehavior + +Type: REG_DWORD +Value: 0 + 0 + PreXPSP2ShellProtocolBehavior + 
Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: SafeForScripting + +Type: REG_DWORD +Value: 0 + 0 + SafeForScripting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: EnableUserControl + +Type: REG_DWORD +Value: 0 + 0 + EnableUserControl + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: DisableLUAPatching + +Type: REG_DWORD +Value: 1 + 1 + DisableLUAPatching + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer + False + + Windows Media Player is not installed by default. If it is not installed, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: GroupPrivacyAcceptance + +Type: REG_DWORD +Value: 1 + 1 + GroupPrivacyAcceptance + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowLLTDIOOndomain +Value: 0 + 0 + AllowLLTDIOOndomain + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowLLTDIOOnPublicNet +Value: 0 + 0 + AllowLLTDIOOnPublicNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: EnableLLTDIO +Value: 0 + 0 + EnableLLTDIO + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: ProhibitLLTDIOOnPrivateNet +Value: 0 + 0 + ProhibitLLTDIOOnPrivateNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowRspndrOndomain +Value: 0 + 0 + AllowRspndrOndomain + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: AllowRspndrOnPublicNet +Value: 0 + 0 + 
AllowRspndrOnPublicNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: EnableRspndr +Value: 0 + 0 + EnableRspndr + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ +Type: REG_DWORD +Value Name: ProhibitRspndrOnPrivateNet +Value: 0 + 0 + ProhibitRspndrOnPrivateNet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableFlashConfigRegistrar +Value: 0 + 0 + DisableFlashConfigRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableInBand802DOT11Registrar +Value: 0 + 0 + DisableInBand802DOT11Registrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableUPnPRegistrar +Value: 0 + 0 + DisableUPnPRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: DisableWPDRegistrar +Value: 0 + 0 + DisableWPDRegistrar + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry 
Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ +Type: REG_DWORD +Value Name: EnableRegistrars +Value: 0 + 0 + EnableRegistrars + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\UI\ + +Value Name: DisableWcnUi + +Type: REG_DWORD +Value: 1 + 1 + DisableWcnUi + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: AllowRemoteRPC + +Type: REG_DWORD +Value: 0 + 0 + AllowRemoteRPC + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSystemRestore + +Type: REG_DWORD +Value: 0 + 0 + DisableSystemRestore + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSendGenericDriverNotFoundToWER + +Type: REG_DWORD +Value: 1 + 1 + DisableSendGenericDriverNotFoundToWER + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is 
not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DontPromptForWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DontPromptForWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\HandwritingErrorReports\ + +Value Name: PreventHandwritingErrorReports + +Type: REG_DWORD +Value: 1 + 1 + PreventHandwritingErrorReports + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: DCSettingIndex + +Type: REG_DWORD +Value: 1 + 1 + DCSettingIndex + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: ACSettingIndex + +Type: REG_DWORD +Value: 1 + 1 + ACSettingIndex + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: 
LoggingEnabled + +Type: REG_DWORD +Value: 1 + 1 + LoggingEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet + True + {0} -notmatch '1|2' + If the following registry value exists and is set to "1" (Basic) or "2" (Advanced), this is a finding: + +If the registry value does not exist, this is not a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\ + +Value Name: SpyNetReporting + +Type: REG_DWORD +Value: 1 or 2 = a Finding + + SpyNetReporting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoHeapTerminationOnCorruption + +Type: REG_DWORD +Value: 0 + 0 + NoHeapTerminationOnCorruption + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WMDRM\ + +Value Name: DisableOnline + +Type: REG_DWORD +Value: 1 + 1 + DisableOnline + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoInPlaceSharing + +Type: REG_DWORD +Value: 1 + 1 + NoInPlaceSharing + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableUIADesktopToggle + +Value Type: REG_DWORD +Value: 0 + 0 + EnableUIADesktopToggle + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableCcm + +Type: REG_DWORD +Value: 1 + 1 + fDisableCcm + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableLPT + +Type: REG_DWORD +Value: 1 + 1 + fDisableLPT + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisablePNPRedir + +Type: REG_DWORD +Value: 1 + 1 + fDisablePNPRedir + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEnableSmartCard + +Type: REG_DWORD +Value: 1 + 1 + fEnableSmartCard + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ValidateAdminCodeSignatures + +Value Type: REG_DWORD +Value: 0 + 0 + ValidateAdminCodeSignatures + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\SQMClient\Windows\ + +Value Name: CEIPEnable + +Type: REG_DWORD +Value: 0 + 0 + CEIPEnable + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ + +Value Name: NoImplicitFeedback + +Type: REG_DWORD +Value: 1 + 1 + NoImplicitFeedback + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ + +Value Name: NoExplicitFeedback + +Type: REG_DWORD +Value: 1 + 1 + NoExplicitFeedback + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanServer\Parameters\ 
+ +Value Name: SmbServerNameHardeningLevel + +Type: REG_DWORD +Value: 0 + 0 + SmbServerNameHardeningLevel + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\ + +Value Name: UseMachineId + +Type: REG_DWORD +Value: 1 + 1 + UseMachineId + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0 + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\MSV1_0\ + +Value Name: allownullsessionfallback + +Type: REG_DWORD +Value: 0 + 0 + allownullsessionfallback + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\pku2u + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\pku2u\ + +Value Name: AllowOnlineID + +Type: REG_DWORD +Value: 0 + 0 + AllowOnlineID + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: DisableIPSourceRouting + +Type: REG_DWORD +Value: 2 + 2 + DisableIPSourceRouting + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + True + {0} -le '3' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: TcpMaxDataRetransmissions + +Value Type: REG_DWORD +Value: 3 (or less) + + TcpMaxDataRetransmissions + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ + +Value Name: NC_StdDomainUserSetLocation + +Type: REG_DWORD +Value: 1 + 1 + NC_StdDomainUserSetLocation + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: Force_Tunneling + +Type: REG_SZ +Value: Enabled + Enabled + Force_Tunneling + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DoNotInstallCompatibleDriverFromWindowsUpdate + +Type: REG_DWORD +Value: 1 + 1 + DoNotInstallCompatibleDriverFromWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Device Metadata\ + +Value Name: PreventDeviceMetadataFromNetwork + +Value Type: REG_DWORD +Value: 1 + 1 + PreventDeviceMetadataFromNetwork + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: SearchOrderConfig + +Type: REG_DWORD +Value: 0 + 0 + SearchOrderConfig + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ + +Value Name: DisableQueryRemoteServer + +Type: REG_DWORD +Value: 0 + 0 + DisableQueryRemoteServer + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ + +Value Name: EnableQueryRemoteServer + +Type: REG_DWORD +Value: 0 + 0 + EnableQueryRemoteServer + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ + +Value Name: ScenarioExecutionEnabled + +Type: REG_DWORD +Value: 0 + 0 + ScenarioExecutionEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry 
Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisableInventory + +Type: REG_DWORD +Value: 1 + 1 + DisableInventory + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoAutoplayfornonVolume + +Type: REG_DWORD +Value: 1 + 1 + NoAutoplayfornonVolume + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoDataExecutionPrevention + +Type: REG_DWORD +Value: 0 + 0 + NoDataExecutionPrevention + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoAutorun + +Type: REG_DWORD +Value: 1 + 1 + NoAutorun + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymousSAM + +Value Type: REG_DWORD +Value: 1 + 1 + RestrictAnonymousSAM + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + '{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$' 
+ If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeCaption + +Value Type: REG_SZ +Value: See message title options below + +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. + +If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089. + +Automated tools may only search for the titles defined above. If a site-defined title is used, a manual review will be required. + + LegalNoticeCaption + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: 6to4_State + +Type: REG_SZ +Value: Disabled + Disabled + 6to4_State + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\ + +Value Name: IPHTTPS_ClientState + +Type: REG_DWORD +Value: 3 + 3 + IPHTTPS_ClientState + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: ISATAP_State + +Type: REG_SZ +Value: Disabled + Disabled + 
ISATAP_State + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: Teredo_State + +Type: REG_SZ +Value: Disabled + Disabled + Teredo_State + String + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security + True + {0} -ge '196608' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00030000 (196608) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System + True + {0} -ge '32768' + If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) + + MaxSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSendRequestAdditionalSoftwareToWER + +Type: REG_DWORD +Value: 1 + 1 + DisableSendRequestAdditionalSoftwareToWER + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: AlwaysInstallElevated + +Type: REG_DWORD +Value: 0 + 0 + AlwaysInstallElevated + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the system is not a member of a domain, this is NA. 
+If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LocalAccountTokenFilterPolicy + +Type: REG_DWORD +Value: 0x00000000 (0) + +This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to 1 may be required. + 0 + LocalAccountTokenFilterPolicy + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: ScreenSaveActive + +Type: REG_SZ +Value: 1 + +Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO: + +-The logon session does not have administrator rights. +-The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area. 
+ 1 + ScreenSaveActive + String + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: ScreenSaverIsSecure + +Type: REG_SZ +Value: 1 + 1 + ScreenSaverIsSecure + String + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableIPAutoConfigurationLimits + +Type: REG_DWORD +Value: 1 + 1 + EnableIPAutoConfigurationLimits + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\ + +Value Name: UseWindowsUpdate + +Type: REG_DWORD +Value: 2 + 2 + UseWindowsUpdate + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DriverServerSelection + +Type: REG_DWORD +Value: 1 + 1 + DriverServerSelection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\System\CurrentControlSet\Policies\EarlyLaunch\ + +Value Name: DriverLoadPolicy + +Type: REG_DWORD +Value: 1 + 1 + DriverLoadPolicy + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer + False + + The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoUseStoreOpenWith + +Type: REG_DWORD +Value: 1 + 1 + NoUseStoreOpenWith + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Control Panel\International\ + +Value Name: BlockUserInputMethodsForSignIn + +Type: REG_DWORD +Value: 1 + 1 + BlockUserInputMethodsForSignIn + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: EnumerateLocalUsers + +Type: REG_DWORD +Value: 0 + 0 + EnumerateLocalUsers + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: DisableLockScreenAppNotifications + +Type: REG_DWORD +Value: 1 + 1 + DisableLockScreenAppNotifications + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat 
+ False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisablePcaUI + +Type: REG_DWORD +Value: 0 + 0 + DisablePcaUI + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Appx\ + +Value Name: AllowAllTrustedApps + +Type: REG_DWORD +Value: 1 + 1 + AllowAllTrustedApps + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\ + +Value Name: Enabled + +Type: REG_DWORD +Value: 0 + 0 + Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\CredUI\ + +Value Name: DisablePasswordReveal + +Type: REG_DWORD +Value: 1 + 1 + DisablePasswordReveal + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: EnableSmartScreen + +Type: REG_DWORD +Value: 0 + 0 + EnableSmartScreen + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors + False + + If the following registry value does not exist 
or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\ + +Value Name: DisableLocation + +Type: REG_DWORD +Value: 1 (Enabled) + +If location services are approved for the system by the organization, this may be set to "Disabled" (0). This must be documented with the ISSO. + 1 + DisableLocation + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: AllowBasicAuthInClear + +Type: REG_DWORD +Value: 0 + 0 + AllowBasicAuthInClear + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ +Type: REG_DWORD +Value Name: AutoDownload +Value: 0x00000002 (2) + 2 + AutoDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate\ +Type: REG_DWORD +Value Name: AutoDownload +Value: 0x00000002 (2) + 2 + AutoDownload + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore + False + + The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. 
+If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ + +Value Name: RemoveWindowsStore + +Type: REG_DWORD +Value: 1 + 1 + RemoveWindowsStore + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0 + 0 + AllowBasic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0 + 0 + AllowUnencryptedTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowDigest + +Type: REG_DWORD +Value: 0 + 0 + AllowDigest + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0 + 0 + AllowBasic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the 
following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0 + 0 + AllowUnencryptedTraffic + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: DisableRunAs + +Type: REG_DWORD +Value: 1 + 1 + DisableRunAs + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System + True + {0} -le '900' + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: InactivityTimeoutSecs + +Value Type: REG_DWORD +Value: 0x00000384 (900) (or less) + + InactivityTimeoutSecs + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: SCRNSAVE.EXE + +Type: REG_SZ +Value: scrnsave.scr + scrnsave.scr + SCRNSAVE.EXE + String + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: NoDispScrSavPage + +Type: REG_DWORD +Value: 1 + 1 + 
NoDispScrSavPage + Dword + + + Present + False + HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ + +Value Name: NoCloudApplicationNotification + +Type: REG_DWORD +Value: 1 + 1 + NoCloudApplicationNotification + Dword + + + Present + False + HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ + +Value Name: NoToastApplicationNotificationOnLockScreen + +Type: REG_DWORD +Value: 1 + 1 + NoToastApplicationNotificationOnLockScreen + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: RedirectOnlyDefaultClientPrinter + +Type: REG_DWORD +Value: 1 + 1 + RedirectOnlyDefaultClientPrinter + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ + +Value Name: NoLockScreenSlideshow + +Value Type: REG_DWORD +Value: 1 + 1 + NoLockScreenSlideshow + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ + +Value Name: ProcessCreationIncludeCmdLine_Enabled + +Value Type: REG_DWORD +Value: 0 + 0 + ProcessCreationIncludeCmdLine_Enabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: DontDisplayNetworkSelectionUI + +Value Type: REG_DWORD +Value: 1 + 1 + DontDisplayNetworkSelectionUI + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + +Value Name: MSAOptional + +Value Type: REG_DWORD +Value: 1 + 1 + MSAOptional + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + False + + This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableAutomaticRestartSignOn + +Value Type: REG_DWORD +Value: 1 + 1 + DisableAutomaticRestartSignOn + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography + False + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ + +Value Name: ForceKeyProtection + +Type: REG_DWORD +Value: 2 + 2 + ForceKeyProtection + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest + False + + If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ + +Value Name: UseLogonCredential + +Type: REG_DWORD +Value: 0x00000000 (0) + +Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2. + 0 + UseLogonCredential + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + False + + This applies to Windows 2012. Windows 2012 R2 uses a different method to disable SMBv1, see WN12-00-000160. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ + +Value Name: SMB1 + +Type: REG_DWORD +Value: 0x00000000 (0) + 0 + SMB1 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ +Type: REG_MULTI_SZ +Value Name: DependOnService +Value: Bowser MRxSmb20 NSI + Bowser;MRxSmb20;NSI + DependOnService + MultiString + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ +Type: REG_DWORD +Value Name: Start +Value: 0x00000004 (4) + 4 + Start + Dword + + + + + False + Accounts: Guest account status + Disabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. + + + False + Accounts: Rename guest account + + True + '{0}' -ne 'Guest' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. + + + False + Accounts: Rename administrator account + + True + '{0}' -ne 'Administrator' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding. + + + False + Network access: Allow anonymous SID/Name translation + Disabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. + + + False + Network security: Force logoff when logon hours expire + Enabled + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding. + + + + + Present + False + False + + Run "Services.msc". + +Verify the McAfee Agent service is running, depending on the version installed. + +Version - Service Name +McAfee Agent v5.x - McAfee Agent Service +McAfee Agent v4.x - McAfee Framework Service + +If the service is not listed or does not have a Status of "Started", this is a finding. + McAfee + Running + Automatic + + + Present + False + False + + Verify the Fax (fax) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Fax (fax) + fax + Stopped + Disabled + + + Present + False + False + + If the server has the role of an FTP server, this is NA. + +Run "Services.msc". + +If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disabled, this is a finding. 
+ FTPSVC + Stopped + Disabled + + + Present + False + False + + Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Peer Networking Identity Manager (p2pimsvc) + p2pimsvc + Stopped + Disabled + + + Present + False + False + + Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Simple TCP/IP Services (simptcp) + simptcp + Stopped + Disabled + + + Present + False + False + + Verify the Telnet (tlntsvr) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Telnet (tlntsvr) + tlntsvr + Stopped + Disabled + + + Present + False + False + + Verify the Smart Card Removal Policy service is configured to "Automatic". + +Run "Services.msc". + +If the Startup Type for Smart Card Removal Policy is not set to Automatic, this is a finding. + SCPolicySvc + Running + Automatic + + + + + SeTcbPrivilege + Act as part of the operating system + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. + + + SeDenyNetworkLogonRight + Deny access to this computer from the network + False + Enterprise Admins,Domain Admins,"Local account and member of Administrators group" or "Local account" (see Note below),Guests,Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. 
+ False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: + +Domain Systems Only: +Enterprise Admins group +Domain Admins group +"Local account and member of Administrators group" or "Local account" (see Note below) + +All Systems: +Guests group + +Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. + +Note: Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group". "Local account" is more restrictive but may cause issues on servers such as systems that provide Failover Clustering. +Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012. + + + SeDebugPrivilege + Debug programs + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: + +Administrators + + + SeTrustedCredManAccessPrivilege + Access Credential Manager as a trusted caller + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding. + + + SeNetworkLogonRight + Access this computer from the network + True + Administrators,Authenticated Users,Systems dedicated to managing Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG), must only allow Administrators, removing the Authenticated Users group. + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Access this computer from the network" user right, this is a finding: + +Administrators +Authenticated Users + +Systems dedicated to managing Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG), must only allow Administrators, removing the Authenticated Users group. + + + SeInteractiveLogonRight + Allow log on locally + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: + +Administrators + + + SeRemoteInteractiveLogonRight + Allow log on through Remote Desktop Services + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: + +Administrators + +If the system serves the Remote Desktop Services role, the Remote Desktop Users group or another more restrictive group may be included. + +Organizations may grant this to other groups, such as more restrictive groups with administrative or management functions, if required. Remote Desktop Services access must be restricted to the accounts that require it. This must be documented with the ISSO. + + + SeBackupPrivilege + Back up files and directories + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: + +Administrators + + + SeChangeNotifyPrivilege + Bypass traverse checking + True + Administrators,Authenticated Users,Local Service,Network Service,Window Manager\Window Manager Group + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Bypass traverse checking" user right, this is a finding: + +Administrators +Authenticated Users +Local Service +Network Service +Window Manager\Window Manager Group + + + SeSystemtimePrivilege + Change the system time + True + Administrators,Local Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Change the system time" user right, this is a finding: + +Administrators +Local Service + + + SeTimeZonePrivilege + Change the time zone + True + Administrators,Local Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Change the time zone" user right, this is a finding: + +Administrators +Local Service + + + SeCreatePagefilePrivilege + Create a pagefile + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: + +Administrators + + + SeCreateTokenPrivilege + Create a token object + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Create a token object" user right, this is a finding. + + + SeCreateGlobalPrivilege + Create global objects + True + Administrators,Service,Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: + +Administrators +Service +Local Service +Network Service + + + SeCreatePermanentPrivilege + Create permanent shared objects + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding. + + + SeCreateSymbolicLinkPrivilege + Create symbolic links + True + Administrators,{Hyper-V} + False + True + '{0}' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$' + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: + +Administrators + +Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines"). This is not a finding. + + + SeDenyBatchLogonRight + Deny log on as a batch job + False + Enterprise Admins,Domain Admins,Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding: + +Domain Systems Only: +Enterprise Admins Group +Domain Admins Group + +All Systems: +Guests Group + + + SeDenyServiceLogonRight + Deny log on as a service + True + Enterprise Admins,Domain Admins + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on as a service" user right on domain-joined systems, this is a finding: + +Enterprise Admins Group +Domain Admins Group + +If any accounts or groups are defined for the "Deny log on as a service" user right on non-domain-joined systems, this is a finding. + + + SeDenyInteractiveLogonRight + Deny log on locally + False + Enterprise Admins,Domain Admins,Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from this.,Guests + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: + +Domain Systems Only: +Enterprise Admins Group +Domain Admins Group + +Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from this. 
+ +All Systems: +Guests Group + + + SeDenyRemoteInteractiveLogonRight + Deny log on through Remote Desktop Services + False + Enterprise Admins,Domain Admins,Local account (see Note below),Guests,Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: + +Domain Systems Only: +Enterprise Admins group +Domain Admins group +Local account (see Note below) + +All Systems: +Guests group + +Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. + +Note: Windows Server 2012 R2 added new built-in security groups, including "Local account", for assigning permissions and rights to all local accounts. +Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012. + + + SeEnableDelegationPrivilege + Enable computer and user accounts to be trusted for delegation + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. 
+ + + SeRemoteShutdownPrivilege + Force shutdown from a remote system + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: + +Administrators + + + SeAuditPrivilege + Generate security audits + True + Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: + +Local Service +Network Service + + + SeImpersonatePrivilege + Impersonate a client after authentication + True + Administrators,Service,Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: + +Administrators +Service +Local Service +Network Service + + + SeIncreaseBasePriorityPrivilege + Increase scheduling priority + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding: + +Administrators + + + SeLoadDriverPrivilege + Load and unload device drivers + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding: + +Administrators + + + SeLockMemoryPrivilege + Lock pages in memory + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. + + + SeSecurityPrivilege + Manage auditing and security log + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: + +Administrators + +If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. + +If an application requires this user right, this would not be a finding. +Vendor documentation must support the requirement for having the user right. +The requirement must be documented with the ISSO. 
+The application account must meet requirements for application account passwords, such as length (V-36661) and required changes frequency (V-36662). + + + SeRelabelPrivilege + Modify an object label + True + NULL + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups are granted the "Modify an object label" user right, this is a finding. + + + SeSystemEnvironmentPrivilege + Modify firmware environment values + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding: + +Administrators + + + SeManageVolumePrivilege + Perform volume maintenance tasks + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: + +Administrators + + + SeProfileSingleProcessPrivilege + Profile single process + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding: + +Administrators + + + SeSystemProfilePrivilege + Profile system performance + True + Administrators,NT Service\WdiServiceHost + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Profile system performance" user right, this is a finding: + +Administrators +NT Service\WdiServiceHost + + + SeAssignPrimaryTokenPrivilege + Replace a process level token + True + Local Service,Network Service + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Replace a process level token" user right, this is a finding: + +Local Service +Network Service + + + SeRestorePrivilege + Restore files and directories + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding: + +Administrators + + + SeShutdownPrivilege + Shut down the system + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Shut down the system" user right, this is a finding: + +Administrators + + + SeTakeOwnershipPrivilege + Take ownership of files or other objects + True + Administrators + False + False + + Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: + +Administrators + + + + + FS-SMB1 + Absent + False + False + + This applies to Windows 2012 R2. Windows 2012 uses a different method to disable SMBv1, see WN12-00-000170 and WN12-00-000180. + +Run "Windows PowerShell" with elevated privileges (run as administrator). +Enter the following: +Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol + +If "State : Enabled" is returned, this is a finding. + +Alternately: +Search for "Features". +Select "Turn Windows features on or off". + +If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding. + + + + + Win32_OperatingSystem + False + -ge + False + + Version + Run "winver.exe". + +If the "About Windows" dialog box does not display +"Microsoft Windows Server +Version 6.2 (Build 9200)" +or greater, this is a finding. + +No preview versions will be used in a production environment. + +Unsupported Service Packs/Releases: +Windows 2012 - any release candidates or versions prior to the initial release. + 6.2.9200 + + + Win32_LogicalDisk + False + -match + False + + FileSystem + Open "Computer Management". + +Select "Disk Management" under "Storage". + +For each local volume, if the file system does not indicate "NTFS", this is a finding. + +"ReFS" (Resilient File System) is also acceptable and would not be a finding. 
+
+This does not apply to system partitions such as the Recovery and EFI System Partition.
+ NTFS|ReFS
+
+
+
diff --git a/src/StigData/Windows-All-ADDomain-2.8.org.default.xml b/src/StigData/Windows-All-ADDomain-2.8.org.default.xml
new file mode 100644
index 000000000..a3a78dc3a
--- /dev/null
+++ b/src/StigData/Windows-All-ADDomain-2.8.org.default.xml
@@ -0,0 +1,8 @@
+
+
\ No newline at end of file
diff --git a/src/StigData/Windows-All-ADDomain-2.8.xml b/src/StigData/Windows-All-ADDomain-2.8.xml
new file mode 100644
index 000000000..1ae895b7b
--- /dev/null
+++ b/src/StigData/Windows-All-ADDomain-2.8.xml
@@ -0,0 +1,547 @@ + + + + False + False + + 1. Interview the IAM or site representative and obtain the list of accounts that have been delegated AD object ownership or update permissions and that are not members of Windows built-in administrative groups. +(This includes accounts for help desk or support personnel who are not Administrators, but have authority in AD to maintain user accounts or printers.) + +2. If accounts with delegated authority are defined and there is no list, then this is a finding. + +3. Count the number of accounts on the list. + +4. If the number of accounts with delegated authority is greater than 10, review the site documentation that justifies this number. Validate that the IAM explicitly acknowledges the need to have a high number of privileged users. + +5. If the number of accounts with delegated authority is greater than 10 and there is no statement in the documentation that justifies the number, then this is a finding. + + + False + False + + 1. Review the site's network diagram(s) to determine if domain controllers for the domain are located in multiple enclaves. The object is to determine if network traffic is traversing enclave network boundaries. + +2. Request information about RODC or ADAM instances are installed. In particular, request details of Active Diretory functionality installed or extended into the DMZ or configured/allowed to cross the sites outbound firewall boundary. Ensure communications and replication traffic is encrypted. + +3. If domain controllers are not located in multiple enclaves, then this check is not applicable. + +4. If domain controllers are located in multiple enclaves, verify that a VPN is used to transport the network traffic (replication, user logon, queries, etc.). + +5. If a VPN solution is not used to transport directory network traffic across enclave boundaries, then this is a finding. + +6. 
If the ADAM mode is in use and a migration plan for converting to RODC is not in place, then this is a finding. + + + False + False + + 1. Interview the site representative. Ask about the location of the domain controllers. + +2. If domain controllers are not located in multiple enclaves, then this check is not applicable. + +3. If domain controllers are located in multiple enclaves and a VPN is not used, then this check is not applicable. + +4. If domain controllers are located in multiple enclaves and a VPN is used, review the site network diagram(s) with the SA, NSO, or network reviewer as required to determine if the AD network traffic is visible to a network or host IDS. + +5. If the AD network traffic is not visible to a network or host IDS, then this is a finding. + + + False + False + + Determine the Availability categorization information for the domain. +If the Availability categorization of the domain is low, this is NA. +If the Availability categorization of the domain is moderate or high, verify the domain is supported by more than one domain controller. +Start "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"). +Expand the left pane item that matches the domain being reviewed. +Select the Domain Controllers Organizational Unit (OU) in the left pane. + +If there is only one domain controller in the OU, this is a finding. + + + False + False + + Determine the Availability categorization information for the domain. +If the Availability categorization of the domain is low, this is NA. +If the Availability categorization of the domain is moderate or high, verify the organization's disaster recovery plans includes documentation on the AD hierarchy (forest, tree and domain structure). + (A chart showing forest hierarchy and domain names is the minimum suggested.) + +If the disaster recovery plans do not include directory hierarchy information, this is a finding. + + + False + False + + 1. 
Refer to the list of actual manual AD trusts (cross-directory configurations) collected from the site representative. + +2. If there are no manual AD trusts (cross-directory configurations) defined, this check is not applicable. +For AD, this includes external, forest, or realm trust relationship types. + +3. Obtain a copy of the site’s supplemental INFOCON procedures as required by Strategic Command Directive (SD) 527-1. + +4. Verify that it has been determined by the IAM whether INFOCON response actions need to include procedures to disable manual AD trusts (cross-directory configurations). The objective is to determine if the need has been explicitly evaluated. + +5. If it has been determined that actions to disable manual AD trusts (cross-directory configurations) are not necessary, then this check is not applicable. + +6. If it has been determined that actions to disable manual AD trusts (cross-directory configurations) *are* necessary, verify that the policy to implement these actions has been documented. + +7. If actions to disable manual AD trusts (cross-directory configurations) *are* needed and no policy has been documented, then this is a finding. + + + False + False + + Start "Active Directory Domains and Trusts" (Available from various menus or run "domain.msc"). +Select the left pane item that matches the name of the domain being reviewed. +Right-click the domain name and select "Properties". +Select the "Trusts" tab. + +For each outbound and inbound external, forest, and realm trust, record the name of the other party (domain name), the trust type, transitivity, and the trust direction. (Keep this trust information for use in subsequent checks.) + +Compare the list of trusts identified with documentation maintained by the ISSO. 
+ +For each trust, the documentation must contain the following: +Type (external, forest, or realm) +Name of the other party +Confidentiality, Availability, and Integrity categorization +Classification level of the other party +Trust direction (inbound and/or outbound) +Transitivity +Status of the Selective Authentication option +Status of the SID filtering option + +If an identified trust is not listed in the documentation or if any of the required items are not documented, this is a finding. + + + False + False + + 1. Before performing this check, perform V-8530 which validates the trusts within the documentation are current within AD. + +2. Obtain documentation of the site's approved trusts from the site representative. + +3. For each of the identified trusts, verify that the documentation includes a justification or explanation of the need-to-know basis of the trust. + +4. If the need for the trust is not documented, then this is a finding. + + + False + False + + 1. Refer to the list of identified trusts and the trust documentation provided by the site representative. (Obtained in V-8530) + +2. For each of the identified trusts between DoD organizations, compare the classification level (unclassified, confidential, secret, and top secret) of the domain being reviewed with the classification level of the other trust party as noted in the documentation. + +3. If the classification level of the domain being reviewed is different than the classification level of any of the entities for which a trust relationship is defined, then this is a finding. + + + + False + False + + 1. Refer to the list of identified trusts obtained in a previous check (V8530). + +2. For each of the identified trusts, determine if the other trust party is a non-DoD entity. For example, if the fully qualified domain name of the other party does not end in “.mil”, the other party is probably not a DoD entity. + +3. 
Review the local documentation approving the external network connection and documentation indicating explicit approval of the trust by the DAA. + +4. The external network connection documentation is maintained by the IAO\NSO for compliance with the Network Infrastructure STIG. + +5. If any trust is defined with a non-DoD system and there is no documentation indicating approval of the external network connection and explicit DAA approval of the trust, then this is a finding. + + + False + False + + Open "Active Directory Domains and Trusts". (Available from various menus or run "domain.msc".) +Right click the domain in the left pane and select Properties. +Select the Trusts tab. +Note any existing trusts and the type. +If no trusts exist, this is NA. + +If the trust type is External, run the following command on the trusting domain: +"netdom trust <trusting domain> /d:<trusted domain> /quarantine" +If the result does not specify "SID filtering is enabled for this trust. Only SIDs from the trusted domain will be accepted for authorization data returned during authentication. SIDs from other domains will be removed.", this is a finding. + +If the trust type is Forest, run the following command on the trusting domain: +"netdom trust <trusting domain> /d:<trusted domain> /enablesidhistory" +If the result does not specify "SID history is disabled for this trust", this is a finding. + + + False + False + + Open "Active Directory Domains and Trusts". (Available from various menus or run "domain.msc".) +Right click the domain name in the left pane and select "Properties". +Select the "Trusts" tab. +For each outgoing forest trust, right-click the trust item and select "Properties". +Select the "Authentication" tab. + +If the "Selective Authentication" option is not selected on every outgoing forest trust, this is a finding. + + + False + False + + Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). 
+Expand the domain being reviewed in the left pane and select the "Builtin" container. +Double-click on the "Pre-Windows 2000 Compatible Access" group in the right pane. +Select the "Members" tab. + +If the "Anonymous Logon" or "Everyone" groups are members, this is a finding. +(By default, these groups are not included in current Windows versions.) + + + False + False + + Start "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"). + +Review the membership of the "Incoming Forest Trust Builders" group. + +Navigate to the "Built-in" container. + +Right-click on the "Incoming Forest Trust Builders", select "Properties" and then the "Members" tab. + +If any accounts are not documented as necessary with the ISSO, this is a finding. + +Review the membership of the "Group Policy Creator Owner" group. + +Navigate to the "Users" container. + +Right-click on the "Group Policy Creator Owner", select "Properties" and then the "Members" tab. + +If any accounts are not documented as necessary with the ISSO, this is a finding. + +It is possible to move some system-defined groups from their default locations. If a group is not in the location noted, review other containers to locate. + + + False + False + + 1. Start the Active Directory Users and Computers console (Start, Run, “dsa.msc”). + +2. Select and expand the left pane item that matches the name of the domain being reviewed. + +3. Select the Built-in container. +a. If the Incoming Forest Trust Builders group is defined, double-click on the group, and select the Members tab +b. Examine the defined accounts to see if they are from a domain that is not in the forest being reviewed. + +4. Select the Users container +a. For each group (Domain Admins, Enterprise Admins, Schema Admins, and Group Policy Creator Owners), double-click on the group, and select the Members tab. +b. Examine the defined accounts to see if they are from a domain that is not in the forest being reviewed. + +5. 
If any account in a privileged group is from a domain outside the forest being reviewed and that outside forest is not maintained by the same organization (e.g., enclave) or subject to the same security policies, then this is a finding. + +Supplementary Notes: +Note: An account that is from an outside domain appears in the format “outside-domain-NetBIOSname\account” or “account@outside-domain-fully-qualified-name”. Examples are “AOFN21\jsmith” or “jsmith@AOFN21.OST.COM”. It may be necessary to use the AD Domains and Trusts (domain.msc) console to determine if the domain is from another AD forest. + +Note: It is possible to move the highly privileged AD security groups out of the AD Users container. If the Domain Admins, Enterprise Admins, Schema Admins, or Group Policy Creator Owners groups are not in the AD Users container, ask the SA for the new location and use that location for this check. + + + False + False + + Open "Active Directory Domains and Trusts" (run "domain.msc") or "Active Directory Users and Computers" (run "dsa.msc"). +Right click in the left pane on the name of the Domain being reviewed. +Select "Raise domain functional level…" +The current domain functional level will be displayed (as well as the option to raise the domain functional level). +Select "Cancel" to exit. + +Alternately, using PowerShell (Windows 2008 R2 or later). +Select "Active Directory Module for Windows PowerShell", available in Administrative Tools or the Start Screen. +Run "Get-ADDomain". +View the value for "DomainMode:" + +If the domain functional level is not Windows Server 2008 or later, this is a finding. + +Using the highest domain functional level supported by the domain controllers is recommended. + + + False + False + + Open "Active Directory Sites and Services". (Available from various menus or run "dssite.msc".) +Expand "Sites" in the left pane. +If only a single site exists, this is NA. 
By default the first site in a domain is named "Default-First-Site-Name" but may have been changed. +If more than one site exists, expand "Inter-Site Transports" and select "IP". +For each site link that is defined in the right pane perform the following: +Right click the site link item and select "Properties". + +If the interval on the "General" tab for the "Replicate every" field is greater than "1440", this is a finding. + +Click the "Change Schedule" button. + +If the time frames selected for "Replication Available" do not allow for replication to occur at least daily, this is a finding. + +Click the Cancel buttons to exit. + + + False + False + + Review the organization's procedures for the backing up active directory data. +Verify the frequency at which active directory data is backed up. +If the Availability categorization of the domain is low, this must be at least weekly. +If the Availability categorization of the domain is moderate or high, this must be at least daily. +Verify the type of backup is appropriate to capturing the directory data. For AD domain controllers, this must include a System State data backup. + +If any of these conditions are not met, this is a finding. + + + False + False + + Verify the organization has a process that addresses DSRM password change frequency. + +If DSRM passwords are not changed at least annually, this is a finding. + + + False + False + + 1. Verify that the domain and forest in which the domain controller resides have been reviewed using the requirements in the appropriate document in the Active Directory STIG. + +2. The security assessment must be conducted at the same time or no more than 1 year prior to the review of the domain controller. + +3. VMS asset information, dated reports, or other documentation can be used to provide verification. + +4. If it is not possible to verify that the domain and forest have been reviewed, then this is a finding. + + + False + False + + 1. 
Verify that the site has applied the Network Infrastucture STIG to configure the VPN and IPSec. + +2. Verify that IPSec and other communications and security configurations for the management and replication of the RODC will be managed by use of the minimum required Group Policy Objects (GPOs). + +3. Include an inspection of the RODC server in the DMZ when inspection for least privilege. + +4. Verify that required patches and compatibility packs are installed if RODC is used with Windows 2003 (or earlier) clients. + +5. If RODC server and configuration does not comply with requirements, then this is a finding. + + + False + False + + Review the Enterprise Admins group in Active Directory Users and Computers. Any accounts that are members of the Enterprise Admins group must be documented with the IAO. Each Enterprise Administrator must have a separate unique account specifically for managing the Active Directory forest. + +If any account listed in the Enterprise Admins group is a member of other administrator groups including the Domain Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding. + + + False + False + + Review the Domain Admins group in Active Directory Users and Computers. Any accounts that are members of the Domain Admins group must be documented with the IAO. Each Domain Administrator must have a separate unique account specifically for managing the Active Directory domain and domain controllers. + +If any account listed in the Domain Admins group is a member of other administrator groups including the Enterprise Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding. + + + False + False + + Review the membership groups in Active Directory Users and Computers. Membership groups must be designated at the domain level specifically for domain member server administrators. 
Domain member server administrator groups and any accounts that are members of the groups must be documented with the IAO. Each member server administrator must have a separate unique account specifically for managing member servers. + +If any account listed in a domain member server administrator group is a member of other administrator groups including the Enterprise Admins group, the Domain Admins group, or domain workstation administrator groups, this is a finding. + + + False + False + + Review the membership groups in Active Directory Users and Computers. Membership groups must be designated at the domain level specifically for domain workstation administrators. Domain workstation administrator groups and any accounts that are members of the groups must be documented with the IAO. Each domain workstation administrator must have a separate unique account specifically for managing domain workstations. + +If any account listed in a domain workstation administrator group is a member of other administrator groups including the Enterprise Admins group, the Domain Admins group, or domain member server administrator groups, this is a finding. + + + False + False + + Review the properties of all privileged accounts in Active Directory Users and Computers. Under the Account tab, verify "Account is sensitive and cannot be delegated" is selected in the Account Options section. If delegation is not prohibited for any privileged account, this is a finding. + + + False + False + + If Active Directory is only managed with local logons to domain controllers, not remotely, this can be marked NA. + +Verify that any domain systems used to manage Active Directory remotely are used exclusively for managing Active Directory. If domain systems used for managing Active Directory are used for additional functions, this is a finding. 
+ +In situations where an additional physical machine dedicated to AD admin tasks is not practicable, virtual machines (VM) may be securely employed in either of the following configurations: +-Windows 8, Windows Server 2012 or later for the AD admin management role. +-Use local guest VMs running within Hyper-V for all other tasks to include admin roles on other servers as well as any user tasks such as web browsing or email. + +-Use a Type-1 Hypervisor with separate guest VMs for AD admin management roles and any other roles. + +In either case, the higher integrity AD admin platform and the lower integrity platforms must be separate. The AD admin platform must be configured not to forward the AD admin credentials to other guest VMs or to make the AD admin credentials available to other guest VMs. Additionally, guest VMs for user and less critical admin activities must apply the security requirements from the applicable STIG, especially so that AD admin accounts are denied all logon types. + + + False + False + + Verify access to the internet is prevented for systems dedicated to managing Active Directory. Various methods may be employed to accomplish this, such as restrictions at boundary firewalls, through proxy services, or with the Windows Firewall. + +Review the Internet access restrictions with the administrator. If Internet access is not prevented, this is a finding. + + + False + False + + Verify local administrator accounts on domain systems are using unique passwords. If local administrator accounts on domain systems are sharing a password, this is a finding. + +Microsoft's Local Administrator Password Solution (LAPS) provides an automated solution for maintaining and regularly changing the local administrator password for domain-joined systems. + +Other automated solutions that provide this capability may also be used. 
+ +If LAPS has been installed and enabled in the domain, the following PowerShell query will return a list of systems that do not have a local administrator password managed by LAPS. (The LAPS PowerShell module requires PowerShell 2.0 or higher and .NET Framework 4.0.) + +Start PowerShell. +If the LAPS PowerShell module has not been previously imported, execute the following first: "Import-Module AdmPwd.ps". +Execute "Get-PwdAdmPassword -ComputerName * | Where-object {$_.password -eq $null}" + +If any systems are listed, this is a finding. + +Ignore computers with "OU=Domain Controllers" in the DistinguishedName field. + + + False + False + + Verify separate smart cards are used for EA and DA accounts from smart cards used for other accounts. EA and DA accounts may be on the same smart card but must be separate from any other accounts. If separate smart cards for EA and DA accounts from other accounts are not used, this is a finding. + + + False + False + + If the domain does not have any public facing servers, this is NA. + +Review the local Administrators group on public facing servers. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. + +For public facing servers, the Domain Admins group must be replaced by a domain member server administrator group whose members are different from any used to manage internal servers. + +If any domain accounts or groups used to manage internal servers are members of the local administrators group, this is a finding. + + + False + False + + Verify the operating system version on AD admin platforms is at least Windows 7, Windows Server 2008 R2, or later. If the operating system is an earlier version, this is a finding. + + + False + False + + Review the local Administrators group of AD admin platforms. Verify separate domain administrative accounts are used to manage AD admin platforms from non-AD admin platforms. 
These should be dedicated domain accounts where practicable. Otherwise EA/DA accounts may be used. If accounts used to manage AD admin platforms are used for any non-AD admin platforms, this is a finding. + + + False + False + + Verify account usage events for administrative accounts are being monitored. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain and Enterprise Admins and other organization defined administrative groups. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. + +Monitor for the events listed below, at minimum. If these events are not monitored, this is a finding. + +Account Lockouts (Subcategory: User Account Management) +4740 - A user account is locked out. +User Added to Privileged Group (Subcategory: Security Group Management) +4728 - A member was added to a security-enabled global group. +4732 - A member was added to a security-enabled local group. +4756 - A member was added to a security-enabled universal group. +Successful User Account Login (Subcategory: Logon) +4624 - An account was successfully logged on. +Failed User Account Login (Subcategory: Logon) +4625 - An account failed to log on. +Account Login with Explicit Credentials (Subcategory: Logon) +4648 - A logon was attempted using explicit credentials. + + + False + False + + Verify attempts to use local accounts to log on remotely from other systems are being monitored. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. + +Monitor for the events listed below. If these events are not monitored, this is a finding. + +More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs. 
+Search for the event IDs listed with the following additional attributes: +Logon Type = 3 (Network) +Authentication Package Name = NTLM +Not a domain logon and not the ANONYMOUS LOGON account + +Successful User Account Login (Subcategory: Logon) +4624 - An account was successfully logged on. +Failed User Account Login (Subcategory: Logon) +4625 - An account failed to log on. + + + False + False + + Verify Remote Desktop logins are being monitored. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. + +Monitor for the events listed below. If these events are not monitored, this is a finding. + +More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs. +Search for the event IDs listed with the following additional attributes: +Logon Type = 10 (RemoteInteractive) +Authentication Package Name = Negotiate + +Successful User Account Login (Subcategory: Logon) +4624 - An account was successfully logged on. + + + False + False + + Verify firewall rules prevent outbound communications from AD admin platforms, except for domain controllers being managed. If outbound communications are allowed between AD admin platforms and any other systems other than domain controllers, this is a finding. + + + False + False + + If no Windows service \ application accounts with manually managed passwords have administrative privileges, this is NA. + +Verify Windows service \ application accounts with administrative privileges and manually managed passwords, have passwords changed at least every 60 days. + + + False + False + + Verify domain controllers are blocked from Internet access. Various methods may be employed to accomplish this, such as restrictions at boundary firewalls, through proxy services, host based firewalls or IPsec. + +Review the Internet access restrictions with the administrator. If Internet access is not prevented, this is a finding. 
+ +If a critical function requires Internet access, this must be documented and approved by the organization. + + + False + False + + Windows Server 2016 with a domain functional level of Windows Server 2016: + +Open "Active Directory Administrative Center". + +Right-click on the domain name and select "Properties". + +If the "Domain functional level:" is not "Windows Server 2016", another method must be used to reset the NT hashes. See below for other options. + +If the "Domain functional level:" is "Windows Server 2016" and "Enable rolling of expiring NTLM secrets during sign on, for users who are required to use Microsoft Passport or smart card for interactive sign on" is not checked, this is a finding. + +Active Directory domains with a domain functional level below Windows Server 2016: + +Verify the organization rotates the NT hash for smart card-enforced accounts every 60 days. + +This can be accomplished with the use of scripts. + +DoD PKI-PKE has provided a script under PKI and PKE Tools at http://iase.disa.mil/pki-pke/Pages/tools.aspx. See the User Guide for additional information. + +NSA has also provided a PowerShell script with Pass-the-Hash guidance at https://github.com/iadgov/Pass-the-Hash-Guidance. Running the "Invoke-SmartcardHashRefresh" cmdlet in the "PtHTools" module will trigger a change of the underlying NT hash. See the site for additional information. + +Manually rolling the NT hash requires disabling and re-enabling the "Smart Card required for interactive logon" option for each smart card-enforced account, which is not practical for large groups of users. + +If NT hashes for smart card-enforced accounts are not rotated every 60 days, this is a finding. + + + \ No newline at end of file diff --git a/src/StigData/Windows-All-ADDomain-2.9.org.default.xml b/src/StigData/Windows-All-ADDomain-2.9.org.default.xml new file mode 100644 index 000000000..5602a6c4a --- /dev/null +++ b/src/StigData/Windows-All-ADDomain-2.9.org.default.xml 
@@ -0,0 +1,8 @@ + + \ No newline at end of file diff --git a/src/StigData/Windows-All-ADDomain-2.9.xml b/src/StigData/Windows-All-ADDomain-2.9.xml new file mode 100644 index 000000000..df1a7db21 --- /dev/null +++ b/src/StigData/Windows-All-ADDomain-2.9.xml 
@@ -0,0 +1,573 @@ + + + + False + False + + 1. Interview the IAM or site representative and obtain the list of accounts that have been delegated AD object ownership or update permissions and that are not members of Windows built-in administrative groups. +(This includes accounts for help desk or support personnel who are not Administrators, but have authority in AD to maintain user accounts or printers.) + +2. If accounts with delegated authority are defined and there is no list, then this is a finding. + +3. Count the number of accounts on the list. + +4. If the number of accounts with delegated authority is greater than 10, review the site documentation that justifies this number. Validate that the IAM explicitly acknowledges the need to have a high number of privileged users. + +5. If the number of accounts with delegated authority is greater than 10 and there is no statement in the documentation that justifies the number, then this is a finding. + + + False + False + + Determine the Availability categorization information for the domain. +If the Availability categorization of the domain is low, this is NA. +If the Availability categorization of the domain is moderate or high, verify the organization's disaster recovery plans includes documentation on the AD hierarchy (forest, tree and domain structure). + (A chart showing forest hierarchy and domain names is the minimum suggested.) + +If the disaster recovery plans do not include directory hierarchy information, this is a finding. + + + False + False + + 1. Refer to the list of actual manual AD trusts (cross-directory configurations) collected from the site representative. + +2. If there are no manual AD trusts (cross-directory configurations) defined, this check is not applicable. +For AD, this includes external, forest, or realm trust relationship types. + +3. Obtain a copy of the site’s supplemental INFOCON procedures as required by Strategic Command Directive (SD) 527-1. + +4. 
Verify that it has been determined by the IAM whether INFOCON response actions need to include procedures to disable manual AD trusts (cross-directory configurations). The objective is to determine if the need has been explicitly evaluated. + +5. If it has been determined that actions to disable manual AD trusts (cross-directory configurations) are not necessary, then this check is not applicable. + +6. If it has been determined that actions to disable manual AD trusts (cross-directory configurations) *are* necessary, verify that the policy to implement these actions has been documented. + +7. If actions to disable manual AD trusts (cross-directory configurations) *are* needed and no policy has been documented, then this is a finding. + + + False + False + + Start "Active Directory Domains and Trusts" (Available from various menus or run "domain.msc"). +Select the left pane item that matches the name of the domain being reviewed. +Right-click the domain name and select "Properties". +Select the "Trusts" tab. + +For each outbound and inbound external, forest, and realm trust, record the name of the other party (domain name), the trust type, transitivity, and the trust direction. (Keep this trust information for use in subsequent checks.) + +Compare the list of trusts identified with documentation maintained by the ISSO. + +For each trust, the documentation must contain the following: +Type (external, forest, or realm) +Name of the other party +Confidentiality, Availability, and Integrity categorization +Classification level of the other party +Trust direction (inbound and/or outbound) +Transitivity +Status of the Selective Authentication option +Status of the SID filtering option + +If an identified trust is not listed in the documentation or if any of the required items are not documented, this is a finding. + + + False + False + + 1. Before performing this check, perform V-8530 which validates the trusts within the documentation are current within AD. + +2. 
Obtain documentation of the site's approved trusts from the site representative. + +3. For each of the identified trusts, verify that the documentation includes a justification or explanation of the need-to-know basis of the trust. + +4. If the need for the trust is not documented, then this is a finding. + + + False + False + + 1. Refer to the list of identified trusts and the trust documentation provided by the site representative. (Obtained in V-8530) + +2. For each of the identified trusts between DoD organizations, compare the classification level (unclassified, confidential, secret, and top secret) of the domain being reviewed with the classification level of the other trust party as noted in the documentation. + +3. If the classification level of the domain being reviewed is different than the classification level of any of the entities for which a trust relationship is defined, then this is a finding. + + + + False + False + + 1. Refer to the list of identified trusts obtained in a previous check (V8530). + +2. For each of the identified trusts, determine if the other trust party is a non-DoD entity. For example, if the fully qualified domain name of the other party does not end in “.mil”, the other party is probably not a DoD entity. + +3. Review the local documentation approving the external network connection and documentation indicating explicit approval of the trust by the DAA. + +4. The external network connection documentation is maintained by the IAO\NSO for compliance with the Network Infrastructure STIG. + +5. If any trust is defined with a non-DoD system and there is no documentation indicating approval of the external network connection and explicit DAA approval of the trust, then this is a finding. + + + False + False + + Start "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"). + +Review the membership of the "Incoming Forest Trust Builders" group. + +Navigate to the "Built-in" container. 
+ +Right-click on the "Incoming Forest Trust Builders", select "Properties" and then the "Members" tab. + +If any accounts are not documented as necessary with the ISSO, this is a finding. + +Review the membership of the "Group Policy Creator Owner" group. + +Navigate to the "Users" container. + +Right-click on the "Group Policy Creator Owner", select "Properties" and then the "Members" tab. + +If any accounts are not documented as necessary with the ISSO, this is a finding. + +It is possible to move some system-defined groups from their default locations. If a group is not in the location noted, review other containers to locate. + + + False + False + + 1. Verify that the domain and forest in which the domain controller resides have been reviewed using the requirements in the appropriate document in the Active Directory STIG. + +2. The security assessment must be conducted at the same time or no more than 1 year prior to the review of the domain controller. + +3. VMS asset information, dated reports, or other documentation can be used to provide verification. + +4. If it is not possible to verify that the domain and forest have been reviewed, then this is a finding. + + + False + False + + Review the Enterprise Admins group in Active Directory Users and Computers. Any accounts that are members of the Enterprise Admins group must be documented with the IAO. Each Enterprise Administrator must have a separate unique account specifically for managing the Active Directory forest. + +If any account listed in the Enterprise Admins group is a member of other administrator groups including the Domain Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding. + + + False + False + + Review the Domain Admins group in Active Directory Users and Computers. Any accounts that are members of the Domain Admins group must be documented with the IAO. 
Each Domain Administrator must have a separate unique account specifically for managing the Active Directory domain and domain controllers. + +If any account listed in the Domain Admins group is a member of other administrator groups including the Enterprise Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding. + + + False + False + + Review the membership groups in Active Directory Users and Computers. Membership groups must be designated at the domain level specifically for domain member server administrators. Domain member server administrator groups and any accounts that are members of the groups must be documented with the IAO. Each member server administrator must have a separate unique account specifically for managing member servers. + +If any account listed in a domain member server administrator group is a member of other administrator groups including the Enterprise Admins group, the Domain Admins group, or domain workstation administrator groups, this is a finding. + + + False + False + + Review the membership groups in Active Directory Users and Computers. Membership groups must be designated at the domain level specifically for domain workstation administrators. Domain workstation administrator groups and any accounts that are members of the groups must be documented with the IAO. Each domain workstation administrator must have a separate unique account specifically for managing domain workstations. + +If any account listed in a domain workstation administrator group is a member of other administrator groups including the Enterprise Admins group, the Domain Admins group, or domain member server administrator groups, this is a finding. + + + False + False + + Verify domain controllers are blocked from Internet access. Various methods may be employed to accomplish this, such as restrictions at boundary firewalls, through proxy services, host based firewalls or IPsec. 
+ +Review the Internet access restrictions with the administrator. If Internet access is not prevented, this is a finding. + +If a critical function requires Internet access, this must be documented and approved by the organization. + + + + + False + False + + 1. Review the site's network diagram(s) to determine if domain controllers for the domain are located in multiple enclaves. The object is to determine if network traffic is traversing enclave network boundaries. + +2. Request information about RODC or ADAM instances are installed. In particular, request details of Active Diretory functionality installed or extended into the DMZ or configured/allowed to cross the sites outbound firewall boundary. Ensure communications and replication traffic is encrypted. + +3. If domain controllers are not located in multiple enclaves, then this check is not applicable. + +4. If domain controllers are located in multiple enclaves, verify that a VPN is used to transport the network traffic (replication, user logon, queries, etc.). + +5. If a VPN solution is not used to transport directory network traffic across enclave boundaries, then this is a finding. + +6. If the ADAM mode is in use and a migration plan for converting to RODC is not in place, then this is a finding. + + + False + False + + 1. Interview the site representative. Ask about the location of the domain controllers. + +2. If domain controllers are not located in multiple enclaves, then this check is not applicable. + +3. If domain controllers are located in multiple enclaves and a VPN is not used, then this check is not applicable. + +4. If domain controllers are located in multiple enclaves and a VPN is used, review the site network diagram(s) with the SA, NSO, or network reviewer as required to determine if the AD network traffic is visible to a network or host IDS. + +5. If the AD network traffic is not visible to a network or host IDS, then this is a finding. 
+ + + False + False + + Determine the Availability categorization information for the domain. +If the Availability categorization of the domain is low, this is NA. +If the Availability categorization of the domain is moderate or high, verify the domain is supported by more than one domain controller. +Start "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"). +Expand the left pane item that matches the domain being reviewed. +Select the Domain Controllers Organizational Unit (OU) in the left pane. + +If there is only one domain controller in the OU, this is a finding. + + + False + False + + Open "Active Directory Domains and Trusts". (Available from various menus or run "domain.msc".) +Right click the domain in the left pane and select Properties. +Select the Trusts tab. +Note any existing trusts and the type. +If no trusts exist, this is NA. + +If the trust type is External, run the following command on the trusting domain: +"netdom trust <trusting domain> /d:<trusted domain> /quarantine" +If the result does not specify "SID filtering is enabled for this trust. Only SIDs from the trusted domain will be accepted for authorization data returned during authentication. SIDs from other domains will be removed.", this is a finding. + +If the trust type is Forest, run the following command on the trusting domain: +"netdom trust <trusting domain> /d:<trusted domain> /enablesidhistory" +If the result does not specify "SID history is disabled for this trust", this is a finding. + + + False + False + + Open "Active Directory Domains and Trusts". (Available from various menus or run "domain.msc".) +Right click the domain name in the left pane and select "Properties". +Select the "Trusts" tab. +For each outgoing forest trust, right-click the trust item and select "Properties". +Select the "Authentication" tab. + +If the "Selective Authentication" option is not selected on every outgoing forest trust, this is a finding. 
+ + + False + False + + Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). +Expand the domain being reviewed in the left pane and select the "Builtin" container. +Double-click on the "Pre-Windows 2000 Compatible Access" group in the right pane. +Select the "Members" tab. + +If the "Anonymous Logon" or "Everyone" groups are members, this is a finding. +(By default, these groups are not included in current Windows versions.) + + + False + False + + 1. Start the Active Directory Users and Computers console (Start, Run, “dsa.msc”). + +2. Select and expand the left pane item that matches the name of the domain being reviewed. + +3. Select the Built-in container. +a. If the Incoming Forest Trust Builders group is defined, double-click on the group, and select the Members tab +b. Examine the defined accounts to see if they are from a domain that is not in the forest being reviewed. + +4. Select the Users container +a. For each group (Domain Admins, Enterprise Admins, Schema Admins, and Group Policy Creator Owners), double-click on the group, and select the Members tab. +b. Examine the defined accounts to see if they are from a domain that is not in the forest being reviewed. + +5. If any account in a privileged group is from a domain outside the forest being reviewed and that outside forest is not maintained by the same organization (e.g., enclave) or subject to the same security policies, then this is a finding. + +Supplementary Notes: +Note: An account that is from an outside domain appears in the format “outside-domain-NetBIOSname\account” or “account@outside-domain-fully-qualified-name”. Examples are “AOFN21\jsmith” or “jsmith@AOFN21.OST.COM”. It may be necessary to use the AD Domains and Trusts (domain.msc) console to determine if the domain is from another AD forest. + +Note: It is possible to move the highly privileged AD security groups out of the AD Users container. 
If the Domain Admins, Enterprise Admins, Schema Admins, or Group Policy Creator Owners groups are not in the AD Users container, ask the SA for the new location and use that location for this check. + + + False + False + + Open "Active Directory Domains and Trusts" (run "domain.msc") or "Active Directory Users and Computers" (run "dsa.msc"). +Right click in the left pane on the name of the Domain being reviewed. +Select "Raise domain functional level…" +The current domain functional level will be displayed (as well as the option to raise the domain functional level). +Select "Cancel" to exit. + +Alternately, using PowerShell (Windows 2008 R2 or later). +Select "Active Directory Module for Windows PowerShell", available in Administrative Tools or the Start Screen. +Run "Get-ADDomain". +View the value for "DomainMode:" + +If the domain functional level is not Windows Server 2008 or later, this is a finding. + +Using the highest domain functional level supported by the domain controllers is recommended. + + + False + False + + Open "Active Directory Sites and Services". (Available from various menus or run "dssite.msc".) +Expand "Sites" in the left pane. +If only a single site exists, this is NA. By default the first site in a domain is named "Default-First-Site-Name" but may have been changed. +If more than one site exists, expand "Inter-Site Transports" and select "IP". +For each site link that is defined in the right pane perform the following: +Right click the site link item and select "Properties". + +If the interval on the "General" tab for the "Replicate every" field is greater than "1440", this is a finding. + +Click the "Change Schedule" button. + +If the time frames selected for "Replication Available" do not allow for replication to occur at least daily, this is a finding. + +Click the Cancel buttons to exit. + + + False + False + + Review the organization's procedures for the backing up active directory data. 
+Verify the frequency at which active directory data is backed up. +If the Availability categorization of the domain is low, this must be at least weekly. +If the Availability categorization of the domain is moderate or high, this must be at least daily. +Verify the type of backup is appropriate to capturing the directory data. For AD domain controllers, this must include a System State data backup. + +If any of these conditions are not met, this is a finding. + + + False + False + + Verify the organization has a process that addresses DSRM password change frequency. + +If DSRM passwords are not changed at least annually, this is a finding. + + + False + False + + 1. Verify that the site has applied the Network Infrastucture STIG to configure the VPN and IPSec. + +2. Verify that IPSec and other communications and security configurations for the management and replication of the RODC will be managed by use of the minimum required Group Policy Objects (GPOs). + +3. Include an inspection of the RODC server in the DMZ when inspection for least privilege. + +4. Verify that required patches and compatibility packs are installed if RODC is used with Windows 2003 (or earlier) clients. + +5. If RODC server and configuration does not comply with requirements, then this is a finding. + + + False + False + + Review the properties of all privileged accounts in Active Directory Users and Computers. Under the Account tab, verify "Account is sensitive and cannot be delegated" is selected in the Account Options section. If delegation is not prohibited for any privileged account, this is a finding. + + + False + False + + If Active Directory is only managed with local logons to domain controllers, not remotely, this can be marked NA. + +Verify that any domain systems used to manage Active Directory remotely are used exclusively for managing Active Directory. If domain systems used for managing Active Directory are used for additional functions, this is a finding. 
+ +In situations where an additional physical machine dedicated to AD admin tasks is not practicable, virtual machines (VM) may be securely employed in either of the following configurations: +-Windows 8, Windows Server 2012 or later for the AD admin management role. +-Use local guest VMs running within Hyper-V for all other tasks to include admin roles on other servers as well as any user tasks such as web browsing or email. + +-Use a Type-1 Hypervisor with separate guest VMs for AD admin management roles and any other roles. + +In either case, the higher integrity AD admin platform and the lower integrity platforms must be separate. The AD admin platform must be configured not to forward the AD admin credentials to other guest VMs or to make the AD admin credentials available to other guest VMs. Additionally, guest VMs for user and less critical admin activities must apply the security requirements from the applicable STIG, especially so that AD admin accounts are denied all logon types. + + + False + False + + Verify access to the internet is prevented for systems dedicated to managing Active Directory. Various methods may be employed to accomplish this, such as restrictions at boundary firewalls, through proxy services, or with the Windows Firewall. + +Review the Internet access restrictions with the administrator. If Internet access is not prevented, this is a finding. + + + False + False + + Verify local administrator accounts on domain systems are using unique passwords. If local administrator accounts on domain systems are sharing a password, this is a finding. + +Microsoft's Local Administrator Password Solution (LAPS) provides an automated solution for maintaining and regularly changing a local administrator password for domain-joined systems. LAPS can manage a single local administrator account. The default is the built-in administrator account however it can be configured to manage an administrator account of a different name. 
If additional local administrator accounts exist across systems, the organization must have a process to require unique passwords on each system for the additional accounts. + +Other automated solutions that provide this capability may also be used. + +If LAPS has been installed and enabled in the domain, the following PowerShell query will return a list of systems that do not have a local administrator password managed by LAPS. (The LAPS PowerShell module requires PowerShell 2.0 or higher and .NET Framework 4.0.) + +Open "Windows PowerShell". +If the LAPS PowerShell module has not been previously imported, execute the following first: "Import-Module AdmPwd.ps". +Execute "Get-AdmPwdPassword -ComputerName * | Where-object {$_.password -eq $null}" + +If any systems are listed, this is a finding. + +Ignore computers with "OU=Domain Controllers" in the DistinguishedName field. + + + False + False + + Verify separate smart cards are used for EA and DA accounts from smart cards used for other accounts. EA and DA accounts may be on the same smart card but must be separate from any other accounts. If separate smart cards for EA and DA accounts from other accounts are not used, this is a finding. + + + False + False + + If the domain does not have any public facing servers, this is NA. + +Review the local Administrators group on public facing servers. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. + +For public facing servers, the Domain Admins group must be replaced by a domain member server administrator group whose members are different from any used to manage internal servers. + +If any domain accounts or groups used to manage internal servers are members of the local administrators group, this is a finding. + + + False + False + + Verify the operating system version on AD admin platforms is at least Windows 7, Windows Server 2008 R2, or later. 
If the operating system is an earlier version, this is a finding. + + + False + False + + Review the local Administrators group of AD admin platforms. Verify separate domain administrative accounts are used to manage AD admin platforms from non-AD admin platforms. These should be dedicated domain accounts where practicable. Otherwise EA/DA accounts may be used. If accounts used to manage AD admin platforms are used for any non-AD admin platforms, this is a finding. + + + False + False + + Verify account usage events for administrative accounts are being monitored. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain and Enterprise Admins and other organization defined administrative groups. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. + +Monitor for the events listed below, at minimum. If these events are not monitored, this is a finding. + +Account Lockouts (Subcategory: User Account Management) +4740 - A user account is locked out. +User Added to Privileged Group (Subcategory: Security Group Management) +4728 - A member was added to a security-enabled global group. +4732 - A member was added to a security-enabled local group. +4756 - A member was added to a security-enabled universal group. +Successful User Account Login (Subcategory: Logon) +4624 - An account was successfully logged on. +Failed User Account Login (Subcategory: Logon) +4625 - An account failed to log on. +Account Login with Explicit Credentials (Subcategory: Logon) +4648 - A logon was attempted using explicit credentials. + + + False + False + + Verify attempts to use local accounts to log on remotely from other systems are being monitored. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. + +Monitor for the events listed below. 
If these events are not monitored, this is a finding. + +More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs. +Search for the event IDs listed with the following additional attributes: +Logon Type = 3 (Network) +Authentication Package Name = NTLM +Not a domain logon and not the ANONYMOUS LOGON account + +Successful User Account Login (Subcategory: Logon) +4624 - An account was successfully logged on. +Failed User Account Login (Subcategory: Logon) +4625 - An account failed to log on. + + + False + False + + Verify Remote Desktop logins are being monitored. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. + +Monitor for the events listed below. If these events are not monitored, this is a finding. + +More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs. +Search for the event IDs listed with the following additional attributes: +Logon Type = 10 (RemoteInteractive) +Authentication Package Name = Negotiate + +Successful User Account Login (Subcategory: Logon) +4624 - An account was successfully logged on. + + + False + False + + Verify firewall rules prevent outbound communications from AD admin platforms, except for domain controllers being managed. If outbound communications are allowed between AD admin platforms and any other systems other than domain controllers, this is a finding. + + + False + False + + If no Windows service \ application accounts with manually managed passwords have administrative privileges, this is NA. + +Verify Windows service \ application accounts with administrative privileges and manually managed passwords, have passwords changed at least every 60 days. + + + False + False + + Windows Server 2016 with a domain functional level of Windows Server 2016: + +Open "Active Directory Administrative Center". + +Right-click on the domain name and select "Properties". 
+ +If the "Domain functional level:" is not "Windows Server 2016", another method must be used to reset the NT hashes. See below for other options. + +If the "Domain functional level:" is "Windows Server 2016" and "Enable rolling of expiring NTLM secrets during sign on, for users who are required to use Microsoft Passport or smart card for interactive sign on" is not checked, this is a finding. + +Active Directory domains with a domain functional level below Windows Server 2016: + +Verify the organization rotates the NT hash for smart card-enforced accounts every 60 days. + +This can be accomplished with the use of scripts. + +DoD PKI-PKE has provided a script under PKI and PKE Tools at http://iase.disa.mil/pki-pke/Pages/tools.aspx. See the User Guide for additional information. + +NSA has also provided a PowerShell script with Pass-the-Hash guidance at https://github.com/iadgov/Pass-the-Hash-Guidance. Running the "Invoke-SmartcardHashRefresh" cmdlet in the "PtHTools" module will trigger a change of the underlying NT hash. See the site for additional information. + +Manually rolling the NT hash requires disabling and re-enabling the "Smart Card required for interactive logon" option for each smart card-enforced account, which is not practical for large groups of users. + +If NT hashes for smart card-enforced accounts are not rotated every 60 days, this is a finding. + + + False + False + + If the domain functional level is not at least Windows 2012 R2, this is NA. + +Open "Windows PowerShell". + +Enter "Get-ADDomain | FL DomainMode" to determine the domain functional level. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Compare membership of the Protected Users group to membership of the following groups. By default, the groups are under the node referenced; however, it is possible to move those under "Users" to another location. 
+Enterprise Admins (Users node) +Domain Admins (Users node) +Schema Admins (Users node) +Administrators (Builtin node) +Account Operators (Builtin node) +Backup Operators (Builtin node) + +It is recommended that one account be excluded to ensure availability if there are issues with Kerberos. + +Excluding the account left out for availability, if all members of the domain level groups above are not also members of the Protected Users group, this is a finding. + + + \ No newline at end of file diff --git a/src/StigData/Windows-All-ADForest-2.7.org.default.xml b/src/StigData/Windows-All-ADForest-2.7.org.default.xml new file mode 100644 index 000000000..efe2df9d0 --- /dev/null +++ b/src/StigData/Windows-All-ADForest-2.7.org.default.xml @@ -0,0 +1,8 @@ + + \ No newline at end of file diff --git a/src/StigData/Windows-All-ADForest-2.7.xml b/src/StigData/Windows-All-ADForest-2.7.xml new file mode 100644 index 000000000..0cf71fa5b --- /dev/null +++ b/src/StigData/Windows-All-ADForest-2.7.xml 
@@ -0,0 +1,154 @@ + + + + False + False + + 1. Interview the IAO. + +2. Obtain a copy of the site’s configuration management procedures documentation. + +3. Verify that there is a local policy that requires changes to the directory schema to be processed through a configuration management process. This applies to directory schema changes whether implemented in a database or other types of files. For AD, this refers to changes to the AD schema. + +4. If there is no policy that requires changes to the directory schema to be processed through a configuration management process, then this is a finding. + + + + False + False + + 1. At the command line prompt enter (on a single line): +dsquery * "cn=Directory Service, +cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -scope base -attr * + +(Where dc=[forest-name] is the fully qualified LDAP name of the root of the domain being reviewed.) + +Example: +The following is an example of the dsquery command for the vcfn.ost.com forest. + +dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, dc=vcfn,dc=ost,dc=com -scope base -attr * + +2. If the dsHeuristics attribute is listed, note the assigned value. + +3. If the dsHeuristics attribute is defined and has a “2” as the 7th character, then this is a finding. + +Examples of values that would be a finding as follows: + “0000002”, “0010002”, “0000002000001”. +(The 7th character controls anonymous access.) + +Supplementary Notes: +Domain controllers have this option disabled by default. However, this check verifies that the option has not been enabled. + +The dsHeuristics option can be configured with the Windows Support Tools Active Directory Service Interfaces Editor (ADSI Edit) console (adsiedit.msc). + + + False + False + + Start a Schema management console. (See supplemental notes.) +Select, then right-click on the Active Directory Schema entry in the left pane. +Select Permissions. 
+ +If any of the permissions for the Schema object are not at least as restrictive as those below, this is a finding. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired entry, and the Edit button. + +Authenticated Users: +Read +Special Permissions +The Special permissions for Authenticated Users are List and Read type. If detailed permissions include any additional Permissions or Properties this is a finding. + +System: +Full Control + +Enterprise Read-only Domain Controllers: +Replicating Directory Changes +Replicating Directory Changes All +Replicating Directory Changes In Filtered Set + +Schema Admins: +Read +Write +Create all child objects +Change schema master +Manage replication topology +Monitor active directory replication +Read only replication secret synchronization +Reanimate tombstones +Replicating Directory Changes +Replicating Directory Changes All +Replicating Directory Changes In Filtered Set +Replication synchronization +Update schema cache +Special permissions +(Special permissions = all except Full, Delete, and Delete subtree when detailed permissions viewed.) + +Administrators: +Manage replication topology +Replicating Directory Changes +Replicating Directory Changes All +Replicating Directory Changes In Filtered Set +Replication Synchronization + +Enterprise Domain Controllers: +Manage replication topology +Replicating Directory Changes +Replicating Directory Changes All +Replicating Directory Changes In Filtered Set +Replication Synchronization + +Supplemental Notes: +If the Schema management console has not already been configured on the computer, create a console by using the following: + +The steps for adding the snap-in may vary depending on the Windows version. +Register the required DLL module by typing the following at a command line "regsvr32 schmmgmt.dll". +Run "mmc.exe" to start a Microsoft Management Console. 
+Select Add/Remove Snap-in from the File menu. +From the Available Standalone Snap-ins list, select Active Directory Schema +Select the Add button. +Select the OK button. + +When done using the console, select Exit from the File (or Console) menu. +Select the No button to the Save console settings… prompt (unless the SA wishes to retain this console). If the console is retained, the recommended name is schmmgmt.msc and the recommended location is the [systemroot]\system32 directory. + + + False + False + + Open "Active Directory Users and Computers" on a domain controller in the forest root domain. + +Navigate to the "Users" container. + +Right-click on "Schema Admins" and select "Properties", and then select the "Members" tab. + +If any accounts other than the built-in Administrators group are members, verify their necessity with the ISSO. + +If any accounts are members of the group when schema changes are not being made, this is a finding. + + + + + Present + False + 3. Use Registry Editor to navigate to the following: HKLM\System\CurrentControlSet\Services\W32Time\Parameters + False + + 1. Use Registry Editor to navigate to the following: HLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient + +2. If the value for “Enabled” is not “1”, then this is a finding. + +3. Use Registry Editor to navigate to the following: HKLM\System\CurrentControlSet\Services\W32Time\Parameters + +4. If the value for “Type” is not “NTP”, then this is a finding. + +Note: If these checks indicate a finding because the NtpClient is not enabled, ask the SA to demonstrate that +a) an alternate time synchronization tool is installed and enabled and that +b) a DoD-authorized external time source is being used. + +5. If the Windows Time service is not enabled or no alternate tool is installed and enabled in its place, then this is a finding. + + + + + + \ No newline at end of file 
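Review bot: The last rule in this hunk (the W32Time registry check at the end of the file) carries the check-text sentence `3. Use Registry Editor to navigate to the following: HKLM\System\CurrentControlSet\Services\W32Time\Parameters` in the position where every other registry rule in this commit carries a bare key path, and no value name, value data or type follow its check text the way `1` / `EnableFirewall` / `Dword` follow the rules in Windows-All-FW-1.6.xml. This looks like the converter captured the prose of step 3 instead of the key, so the rule probably cannot be evaluated or enforced as written; the element markup is stripped in this view, so confirm against the actual XML. The key should be just `HKLM\System\CurrentControlSet\Services\W32Time\Parameters` with `Type` as the value name and the string `NTP` as the expected data, and step 1's separate check (NtpClient `Enabled` = `1`) from the same text is not represented at all. Step 1 of the check text also reads `HLM\System\...` where the hive is spelled `HKLM` everywhere else; if that is verbatim upstream STIG wording it may be intentional to keep, but an auditor following it literally will not find the path.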
diff --git a/src/StigData/Windows-All-FW-1.6.org.default.xml b/src/StigData/Windows-All-FW-1.6.org.default.xml new file mode 100644 index 000000000..0a3883152 --- /dev/null +++ b/src/StigData/Windows-All-FW-1.6.org.default.xml @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + + + diff --git a/src/StigData/Windows-All-FW-1.6.xml b/src/StigData/Windows-All-FW-1.6.xml new file mode 100644 index 000000000..f4a1aea49 --- /dev/null +++ b/src/StigData/Windows-All-FW-1.6.xml 
@@ -0,0 +1,610 @@ + + + + False + False + + This requirement is NA for servers and non domain workstations. + +Verify firewall exceptions for inbound connections on domain workstations only allow authorized management systems and remote management hosts. + +Review inbound firewall exception rules in Windows Firewall with Advanced Security. Firewall rules can be complex and should be reviewed with the firewall administrator. + +One method for restricting inbound connections is to only allow exceptions for a specific scope of remote IP addresses. + +If allowed inbound exceptions are not limited to authorized management systems and remote management hosts, this is a finding. + + + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ +Type: REG_DWORD +Value Name: EnableFirewall +Value: 0x00000001 (1) + 1 + EnableFirewall + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ +Type: REG_DWORD +Value Name: EnableFirewall +Value: 0x00000001 (1) + 1 + EnableFirewall + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\ +Type: REG_DWORD +Value Name: EnableFirewall +Value: 0x00000001 (1) + 1 + EnableFirewall + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ +Type: 
REG_DWORD +Value Name: EnableFirewall +Value: 0x00000001 (1) + 1 + EnableFirewall + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\ +Type: REG_DWORD +Value Name: EnableFirewall +Value: 0x00000001 (1) + 1 + EnableFirewall + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\ +Type: REG_DWORD +Value Name: EnableFirewall +Value: 0x00000001 (1) + 1 + EnableFirewall + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ +Type: REG_DWORD +Value Name: DefaultInboundAction +Value: 0x00000001 (1) + 1 + DefaultInboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ +Type: REG_DWORD +Value Name: DefaultInboundAction +Value: 0x00000001 (1) + 1 + DefaultInboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ +Type: REG_DWORD +Value Name: DefaultOutboundAction +Value: 0x00000000 (0) + 0 + DefaultOutboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile + False + + Registry 
Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ +Type: REG_DWORD +Value Name: DefaultOutboundAction +Value: 0x00000000 (0) + 0 + DefaultOutboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + True + {0} -ge '16384' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\ +Type: REG_DWORD +Value Name: LogFileSize +Value: 0x00004000 (16384) (or greater) + + LogFileSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging + True + {0} -ge '16384' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\ +Type: REG_DWORD +Value Name: LogFileSize +Value: 0x00004000 (16384) (or greater) + + LogFileSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\ +Type: REG_DWORD +Value Name: LogDroppedPackets +Value: 0x00000001 (1) + 1 + LogDroppedPackets + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\ +Type: REG_DWORD +Value Name: LogDroppedPackets +Value: 0x00000001 (1) + 1 + LogDroppedPackets + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\ 
+Type: REG_DWORD +Value Name: LogSuccessfulConnections +Value: 0x00000001 (1) + 1 + LogSuccessfulConnections + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\ +Type: REG_DWORD +Value Name: LogSuccessfulConnections +Value: 0x00000001 (1) + 1 + LogSuccessfulConnections + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\ +Type: REG_DWORD +Value Name: DefaultInboundAction +Value: 0x00000001 (1) + 1 + DefaultInboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ +Type: REG_DWORD +Value Name: DefaultInboundAction +Value: 0x00000001 (1) + 1 + DefaultInboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\ +Type: REG_DWORD +Value Name: DefaultOutboundAction +Value: 0x00000000 (0) + 0 + DefaultOutboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ +Type: REG_DWORD +Value Name: DefaultOutboundAction +Value: 0x00000000 (0) + 0 + DefaultOutboundAction + Dword + + + 
Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + True + {0} -ge '16384' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\ +Type: REG_DWORD +Value Name: LogFileSize +Value: 0x00004000 (16384) (or greater) + + LogFileSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging + True + {0} -ge '16384' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\ +Type: REG_DWORD +Value Name: LogFileSize +Value: 0x00004000 (16384) (or greater) + + LogFileSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\ +Type: REG_DWORD +Value Name: LogDroppedPackets +Value: 0x00000001 (1) + 1 + LogDroppedPackets + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\ +Type: REG_DWORD +Value Name: LogDroppedPackets +Value: 0x00000001 (1) + 1 + LogDroppedPackets + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\ +Type: REG_DWORD +Value Name: LogSuccessfulConnections +Value: 0x00000001 (1) + 1 + LogSuccessfulConnections + Dword + + + Present + False + 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\ +Type: REG_DWORD +Value Name: LogSuccessfulConnections +Value: 0x00000001 (1) + 1 + LogSuccessfulConnections + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\ +Type: REG_DWORD +Value Name: DefaultInboundAction +Value: 0x00000001 (1) + 1 + DefaultInboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\ +Type: REG_DWORD +Value Name: DefaultInboundAction +Value: 0x00000001 (1) + 1 + DefaultInboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\ +Type: REG_DWORD +Value Name: DefaultOutboundAction +Value: 0x00000000 (0) + 0 + DefaultOutboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\ +Type: REG_DWORD +Value Name: DefaultOutboundAction +Value: 0x00000000 (0) + 0 + DefaultOutboundAction + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + False + + If the system is not a member of a domain, 
this is NA. + +If the firewall's Public Profile is not enabled (see V-17417), this requirement is also a finding. + +Verify the registry value below. + +If this registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\ + +Value Name: AllowLocalPolicyMerge + +Type: REG_DWORD +Value: 0x00000000 (0) + 0 + AllowLocalPolicyMerge + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + False + + If the system is not a member of a domain, this is NA. + +If the firewall's Public Profile is not enabled (see V-17417), this requirement is also a finding. + +Verify the registry value below. + +If this registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\ + +Value Name: AllowLocalIPsecPolicyMerge + +Type: REG_DWORD +Value: 0x00000000 (0) + 0 + AllowLocalIPsecPolicyMerge + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + True + {0} -ge '16384' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\ +Type: REG_DWORD +Value Name: LogFileSize +Value: 0x00004000 (16384) (or greater) + + LogFileSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging + True + {0} -ge '16384' + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\ +Type: REG_DWORD +Value Name: LogFileSize +Value: 0x00004000 (16384) (or greater) + + LogFileSize + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging 
+ False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\ +Type: REG_DWORD +Value Name: LogDroppedPackets +Value: 0x00000001 (1) + 1 + LogDroppedPackets + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\ +Type: REG_DWORD +Value Name: LogDroppedPackets +Value: 0x00000001 (1) + 1 + LogDroppedPackets + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\ +Type: REG_DWORD +Value Name: LogSuccessfulConnections +Value: 0x00000001 (1) + 1 + LogSuccessfulConnections + Dword + + + Present + False + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging + False + + Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\ +Type: REG_DWORD +Value Name: LogSuccessfulConnections +Value: 0x00000001 (1) + 1 + LogSuccessfulConnections + Dword + + + diff --git a/src/StigData/Windows-All-IE11-1.13.org.default.xml b/src/StigData/Windows-All-IE11-1.13.org.default.xml new file mode 100644 index 000000000..f3a3d4017 --- /dev/null +++ b/src/StigData/Windows-All-IE11-1.13.org.default.xml @@ -0,0 +1,8 @@ + + \ No newline at end of file diff --git a/src/StigData/Windows-All-IE11-1.13.xml b/src/StigData/Windows-All-IE11-1.13.xml new file mode 100644 index 000000000..dbd5dc225 --- /dev/null +++ b/src/StigData/Windows-All-IE11-1.13.xml 
@@ -0,0 +1,1663 @@ + + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Advanced Page >> "Turn off Encryption Support" must be "Enabled". Verify the only options selected are "Use TLS 1.1" and "Use TLS 1.2" from the drop-down box. + +Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + +If the value for "SecureProtocols" is not REG_DWORD = "2560", this is a finding. + 2560 + SecureProtocols + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page 'Turn on certificate address mismatch warning' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "WarnOnBadCertRecving" is REG_DWORD = 1, this is not a finding. + 1 + WarnOnBadCertRecving + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Criteria + False + + If the system is on the SIPRNet, this requirement is NA. + +Open Internet Explorer. +From the menu bar, select "Tools". +From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab, from the "Advanced" tab window, scroll down to the "Security" category, and verify the "Check for publisher's certificate revocation" box is selected. 
+ +Procedure: Use the Windows Registry Editor to navigate to the following key: + HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Criteria + +If the value "State" is "REG_DWORD = 23C00", this is not a finding. + 23C00" + State + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Download signed ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1001" is REG_DWORD = 3, this is not a finding. + 3 + 1001 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Download unsigned ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1004" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1004 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Initialize and script ActiveX controls not marked as safe' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding. + 3 + 1201 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow font downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1604" is REG_DWORD = 3, this is not a finding. + 3 + 1604 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. 
+ 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Access data sources across domains' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1406" is REG_DWORD = 3, this is not a finding. + 3 + 1406 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow drag and drop or copy and paste files' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value for "1802" is REG_DWORD = 3, this is not a finding. + 3 + 1802 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Launching applications and files in an IFRAME' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1804" is REG_DWORD = 3, this is not a finding. + 3 + 1804 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Navigate windows and frames across different domains' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 Criteria: If the value "1607" is REG_DWORD = 3, this is not a finding. + 3 + 1607 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Userdata persistence' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1606" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1606 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow cut, copy or paste operations from the clipboard via script' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1407" is REG_DWORD = 3, this is not a finding. + 3 + 1407 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Logon options' must be 'Enabled', and 'Prompt for user name and password' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1A00" is REG_DWORD = 65536 (decimal), this is not a finding. + 65536 + 1A00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Intranet Zone -> 'Java permissions' must be 'Enabled', and 'High Safety' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value "1C00" is REG_DWORD = 65536, (Decimal), this is not a finding. + 65536 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Sites Zone -> 'Java permissions' must be 'Enabled', and 'High Safety' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value "1C00" is REG_DWORD = 65536, (Decimal), this is not a finding. + 65536 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Internet Zone 'Enable dragging of content from different domains within a window' must be 'Enabled', and 'Disabled' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2708" is REG_DWORD = 3, this is not a finding. 
+ 3 + 2708 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Restricted Sites Zone 'Enable dragging of content from different domains across windows' must be 'Enabled', and 'Disabled' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2709" is REG_DWORD = 3, this is not a finding. + 3 + 2709 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict ActiveX Install -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict ActiveX Install -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. 
+ 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Restricted Sites Zone 'Enable dragging of content from different domains within a window' must be 'Enabled', and 'Disabled' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2708" is REG_DWORD = 3, this is not a finding. + 3 + 2708 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Download signed ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1001" is REG_DWORD = 3, this is not a finding. + 3 + 1001 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Download unsigned ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1004" is REG_DWORD = 3, this is not a finding. + 3 + 1004 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Initialize and script ActiveX controls not marked as safe' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding. + 3 + 1201 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Run ActiveX controls and plugins' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1200" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1200 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Script ActiveX controls marked safe for scripting' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1405" is REG_DWORD = 3, this is not a finding. + 3 + 1405 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow file downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1803" is REG_DWORD = 3, this is not a finding. + 3 + 1803 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow font downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1604" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1604 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. + 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Access data sources across domains' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1406" is REG_DWORD = 3, this is not a finding. + 3 + 1406 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow META REFRESH' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1608" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1608 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow drag and drop or copy and paste files' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1802" is REG_DWORD=3, this is not a finding. + 3 + 1802 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Launching applications and files in an IFRAME' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1804" is REG_DWORD = 3, this is not a finding. + 3 + 1804 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Navigate windows and frames across different domains' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1607" is REG_DWORD = 3, this is not a finding. + 3 + 1607 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Userdata persistence' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1606" is REG_DWORD = 3, this is not a finding. + 3 + 1606 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow active scripting' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1400" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1400 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow cut, copy or paste operations from the clipboard via script' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1407" is REG_DWORD = 3, this is not a finding. + 3 + 1407 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Logon options' must be 'Enabled', and 'Anonymous logon' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1A00" is REG_DWORD = 196608 (decimal), this is not a finding. + 196608 + 1A00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Delete Browsing History -> 'Disable Configuring History' must be 'Enabled', and '40' entered in 'Days to keep pages in History'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel Criteria: If the value "History" is REG_DWORD = 1, this is not a finding. 
+ 1 + History + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History + False + + Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History Criteria: If the value "DaysToKeep" is REG_DWORD = 40 (decimal), this is not a finding. + 40 + DaysToKeep + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer 'Security Zones: Do not allow users to add/delete sites' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "Security_zones_map_edit" is REG_DWORD = 1, this is not a finding. + 1 + Security_zones_map_edit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer 'Security Zones: Do not allow users to change policies' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "Security_options_edit" is REG_DWORD = 1, this is not a finding. + 1 + Security_options_edit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer 'Security Zones: Use only machine settings' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "Security_HKLM_only" is REG_DWORD = 1, this is not a finding. + 1 + Security_HKLM_only + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn off the Security Settings Check feature' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Security Criteria: If the value "DisableSecuritySettingsCheck" is REG_DWORD = 0, this is not a finding. + 0 + DisableSecuritySettingsCheck + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download + False + + Note: Some legitimate software and controls may have an invalid signature. You should carefully test such software in isolation before it is allowed to be used on an organization's network. + +The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> 'Allow software to run or install even if the signature is invalid' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Download Criteria: If the value "RunInvalidSignatures" is REG_DWORD = 0, this is not a finding. + 0 + RunInvalidSignatures + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> 'Check for server certificate revocation' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "CertificateRevocation" is REG_DWORD = 1, this is not a finding. + 1 + CertificateRevocation + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> 'Check for signatures on downloaded programs' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Download Criteria: If the value "CheckExeSignatures" is REG_SZ = yes, this is not a finding. + yes + CheckExeSignatures + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> 'Intranet Sites: Include all network paths (UNCs)' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Criteria: If the value "UNCAsIntranet" is REG_DWORD = 0, this is not a finding. + 0 + UNCAsIntranet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow script-initiated windows without size or position constraints' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2102" is REG_DWORD = 3, this is not a finding. + 3 + 2102 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow script-initiated windows without size or position constraints' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2102" is REG_DWORD = 3, this is not a finding. + 3 + 2102 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow Scriptlets' must be 'Enabled', and 'Disable' from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1209" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1209 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Automatic prompting for file downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2200" is REG_DWORD = 3, this is not a finding. + 3 + 2200 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Local Machine Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. + 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Local Machine Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. + 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Intranet Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 Criteria: If the value" 1C00" is REG_DWORD = 0, this is not a finding. + 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Trusted Sites Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. 
+ 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Restricted Sites Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. + 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow loading of XAML files' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2402" is REG_DWORD = 3, this is not a finding. + 3 + 2402 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow loading of XAML files' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2402" is REG_DWORD = 3, this is not a finding. + 3 + 2402 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Turn on Protected Mode' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2500" is REG_DWORD = 0, this is not a finding. + 0 + 2500 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Turn on Protected Mode' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2500" is REG_DWORD = 0, this is not a finding. + 0 + 2500 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Use Pop-up Blocker' must be 'Enabled', and 'Enable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1809" is REG_DWORD = 0, this is not a finding. + 0 + 1809 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Use Pop-up Blocker' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1809" is REG_DWORD = 0, this is not a finding. + 0 + 1809 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Web sites in less privileged Web content zones can navigate into this zone' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2101" is REG_DWORD = 3, this is not a finding. 
+ 3 + 2101 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Web sites in less privileged Web content zones can navigate into this zone' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2101" is REG_DWORD = 3, this is not a finding. + 3 + 2101 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow binary and script behaviors' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2000" is REG_DWORD = 3, this is not a finding. + 3 + 2000 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Automatic prompting for file downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2200" is REG_DWORD = 3, this is not a finding. + 3 + 2200 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Consistent Mime Handling -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Consistent Mime Handling -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Consistent Mime Handling -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Mime Sniffing Safety Feature -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Mime Sniffing Safety Feature -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Mime Sniffing Safety Feature -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> MK Protocol Security Restriction -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> MK Protocol Security Restriction -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> MK Protocol Security Restriction -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Protection From Zone Elevation -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Protection From Zone Elevation -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Protection From Zone Elevation -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict File Download -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict File Download -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict File Download -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Scripted Window Security Restrictions -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Scripted Window Security Restrictions -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS Criteria: If the value "explorer.exe is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Scripted Window Security Restrictions -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Run .NET Framework-reliant components not signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2004" is REG_DWORD = 3, this is not a finding. + 3 + 2004 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Run .NET Framework-reliant components signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2001" is REG_DWORD = 3, this is not a finding. 
+ 3 + 2001 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Scripting of Java applets' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1402" is REG_DWORD = 3, this is not a finding. + 3 + 1402 + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main + False + + The policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Disable AutoComplete for forms' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "Use FormSuggest" is REG_SZ = no, this is not a finding. + no + Use FormSuggest + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn off Crash Detection' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key:HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria: If the value "NoCrashDetection" is REG_DWORD = 1, this is not a finding. 
+ 1 + NoCrashDetection + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main + False + + The policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn on the auto-complete feature for user names and passwords on forms' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "FormSuggest Passwords" is REG_SZ = 'no', this is not a finding. + no + FormSuggest Passwords + String + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main + False + + Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "FormSuggest PW Ask" is REG_SZ = 'no', this is not a finding. + no + FormSuggest PW Ask + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter + False + + If the system is on the SIPRNet, this requirement is NA. + +The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> "Prevent Managing SmartScreen Filter" must be "Enabled", and "On" selected from the drop-down box. + +Procedure: Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter + +Criteria: If the value "EnabledV9" is "REG_DWORD = 1", this is not a finding. + 1 + EnabledV9 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Delete Browsing History -> 'Allow deleting browsing history on exit' must be 'Disabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy Criteria: If the value "ClearBrowsingHistoryOnExit" is REG_DWORD = 0, this is not a finding. + 0 + ClearBrowsingHistoryOnExit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Delete Browsing History -> 'Prevent Deleting Web sites that the User has Visited' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy Criteria: If the value "CleanHistory" is REG_DWORD = 0, this is not a finding. + 0 + CleanHistory + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Privacy -> 'Turn off InPrivate Browsing' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy Criteria: If the value "EnableInPrivateBrowsing" is REG_DWORD = 0, this is not a finding. + 0 + EnableInPrivateBrowsing + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow scripting of Internet Explorer WebBrowser controls' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1206" is REG_DWORD = 3, this is not a finding. + 3 + 1206 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Include local path when user is uploading files to a server' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "160A" is REG_DWORD = 3, this is not a finding. + 3 + 160A + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features-> Notification Bar-> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Show security warning for potentially unsafe files' must be 'Enabled', and 'Prompt' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1806" is REG_DWORD = 1, this is not a finding. + 1 + 1806 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features-> Notification Bar-> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> ' Allow only approved domains to use ActiveX controls without prompt' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "120b" is REG_DWORD = 3, this is not a finding. + 3 + 120b + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features-> Notification Bar-> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Turn on Cross-Site Scripting Filter' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1409" is REG_DWORD = 0, this is not a finding. + 0 + 1409 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow scripting of Internet Explorer WebBrowser controls' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1206" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1206 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Include local path when user is uploading files to a server' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "160A" is REG_DWORD = 3, this is not a finding. + 3 + 160A + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Show security warning for potentially unsafe files' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1806" is REG_DWORD = 3, this is not a finding. + 3 + 1806 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow only approved domains to use ActiveX controls without prompt' must be 'Enabled', and 'Enable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "120b" is REG_DWORD = 3, this is not a finding. + 3 + 120b + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Turn on Cross-Site Scripting Filter' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1409" is REG_DWORD = 0, this is not a finding. + 0 + 1409 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict ActiveX Install -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone 'Allow updates to status bar via script' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2103" is REG_DWORD = 3, this is not a finding. + 3 + 2103 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone 'Run .NET Framework-reliant components not signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2004" is REG_DWORD = 3, this is not a finding. + 3 + 2004 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone 'Run .NET Framework-reliant components signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2001" is REG_DWORD = 3, this is not a finding. 
+ 3 + 2001 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone 'Allow Scriptlets' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1209" is REG_DWORD = 3, this is not a finding. + 3 + 1209 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone 'Allow updates to status bar via script' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2103" is REG_DWORD = 3, this is not a finding. + 3 + 2103 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Advanced Page 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "DisableEPMCompat" is REG_DWORD = 1, this is not a finding. 
+ 1 + DisableEPMCompat + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Internet Zone 'Enable dragging of content from different domains across windows' must be 'Enabled', and 'Disabled' selected from the drop-down box. Procedure: Use the windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2709" is REG_DWORD = 3, this is not a finding. + 3 + 2709 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Advanced Page 'Turn on Enhanced Protected Mode' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "Isolation" is REG_SZ = 'PMEM', this is not a finding. + PMEM + Isolation + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Advanced Page 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "Isolation64Bit" is REG_DWORD = 1, this is not a finding. 
+ 1 + Isolation64Bit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Internet Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding. + 0 + 270C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Intranet Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding. + 0 + 270C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page ->Local Machine Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding. + 0 + 270C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Restricted Sites Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding. + 0 + 270C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Trusted Sites Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding. + 0 + 270C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter. + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> ”Prevent bypassing SmartScreen Filter warnings” must be ”Enabled”. 
+ +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter. + +Criteria: If the value "PreventOverride" is REG_DWORD = 1, this is not a finding. + + 1 + PreventOverride + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter. + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> ”Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the internet” must be ”Enabled”. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter. + +Criteria: If the value "PreventOverrideAppRepUnknown" is REG_DWORD = 1, this is not a finding. + + 1 + PreventOverrideAppRepUnknown + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX. + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> ”Prevent per-user installation of ActiveX controls” must be ”Enabled”. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX. + +Criteria: If the value "BlockNonAdminActiveXInstall" is REG_DWORD = 1, this is not a finding. + + 1 + BlockNonAdminActiveXInstall + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> ”Prevent ignoring certificate errors” must be ”Enabled”. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. 
+ +Criteria: If the value "PreventIgnoreCertErrors" is REG_DWORD = 1, this is not a finding. + + 1 + PreventIgnoreCertErrors + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3. + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Internet Zone >> ”Turn on SmartScreen Filter scan” must be ”Enabled” and ”Enable” selected from the drop-down box. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3. + +Criteria: If the value "2301" is REG_DWORD = 0, this is not a finding. + + 0 + 2301 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4. + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Restricted Sites Zone >> ”Turn on SmartScreen Filter scan” must be ”Enabled” and ”Enable” selected from the drop-down box. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4. + +Criteria: If the value "2301" is REG_DWORD = 0, this is not a finding. + + 0 + 2301 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1. + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Intranet Zone >> ”Initialize and script ActiveX controls not marked as safe” must be ”Enabled” and ”Disable” selected from the drop-down box. 
+ +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1. + +Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding. + + 3 + 1201 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2. + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Trusted Sites Zone >> ”Initialize and script ActiveX controls not marked as safe” must be ”Enabled” and ”Disable” selected from the drop-down box. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2. + +Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding. + + 3 + 1201 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" must be "Enabled", and "No Sites" selected from the drop-down box. If "Allow fallback to SSL 3.0 (Internet Explorer)" is not "Enabled" or any other drop-down option is selected, this is a finding. + +Procedure: Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. + +Criteria: If the value "EnableSSL3Fallback" is REG_DWORD=0, this is not a finding. 
+ 0 + EnableSSL3Fallback + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext + False + + In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> Add-on Management, verify "Remove the Run this time button for outdated ActiveX controls in IE" is set to “Enabled”. + +Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext + +If the value "RunThisTimeEnabled" is REG_DWORD = 0, this is not a finding. + 0 + RunThisTimeEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext + False + + In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> Add-on Management, verify "Turn off blocking of outdated ActiveX controls for Internet Explorer" is set to “Disabled”. + +Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext + +If the value "VersionCheckEnabled" is REG_DWORD = 1, this is not a finding. + 1 + VersionCheckEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + Note: Only applies to Windows 10 version 1607 and higher and Windows Server 2016 systems. For other Windows versions, this check is Not Applicable. + +In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Internet Zone, verify "Allow only approved domains to use the TDC ActiveX control" is “Enabled”. + +In the Options window, verify the “Only allow approved domains to use the TDC ActiveX control" drop-down box is set to “Enable”. 
+ +Procedure: Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + +Criteria: + +If the value "120c" is REG_DWORD = “3”, this is not a finding. + 3 + 120c + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + Note: Only applies to Windows 10 version 1607 and higher and Windows Server 2016 systems. For other Windows versions, this check is Not Applicable. + +In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Restricted Sites Zone, verify "Allow only approved domains to use the TDC ActiveX control" is “Enabled”. + +In the Options window, verify the “Only allow approved domains to use the TDC ActiveX control" drop-down box is set to “Enable”. + +Procedure: Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + +Criteria: + +If the value "120c" is REG_DWORD = “3”, this is not a finding. + 3 + 120c + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Internet Zone >> "Allow VBScript to run in Internet Explorer" must be "Enabled", and "Disable" must be selected from the drop-down box. + +Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + +If the value for "140C" is not REG_DWORD = 3, this is a finding. + +Note: This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable. 
+
+ 3
+ 140C
+ Dword
+
+
+
diff --git a/src/StigData/Windows-All-IE11-1.15.org.default.xml b/src/StigData/Windows-All-IE11-1.15.org.default.xml
new file mode 100644
index 000000000..abc11b09c
--- /dev/null
+++ b/src/StigData/Windows-All-IE11-1.15.org.default.xml
@@ -0,0 +1,8 @@
+
+
\ No newline at end of file
diff --git a/src/StigData/Windows-All-IE11-1.15.xml b/src/StigData/Windows-All-IE11-1.15.xml
new file mode 100644
index 000000000..107820155
--- /dev/null
+++ b/src/StigData/Windows-All-IE11-1.15.xml
@@ -0,0 +1,1663 @@ + + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Advanced Page >> "Turn off Encryption Support" must be "Enabled". Verify the only options selected are "Use TLS 1.1" and "Use TLS 1.2" from the drop-down box. + +Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + +If the value for "SecureProtocols" is not REG_DWORD = "2560", this is a finding. + 2560 + SecureProtocols + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page 'Turn on certificate address mismatch warning' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "WarnOnBadCertRecving" is REG_DWORD = 1, this is not a finding. + 1 + WarnOnBadCertRecving + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Criteria + False + + If the system is on the SIPRNet, this requirement is NA. + +Open Internet Explorer. +From the menu bar, select "Tools". +From the "Tools" drop-down menu, select "Internet Options". From the "Internet Options" window, select the "Advanced" tab, from the "Advanced" tab window, scroll down to the "Security" category, and verify the "Check for publisher's certificate revocation" box is selected. 
+ +Procedure: Use the Windows Registry Editor to navigate to the following key: + HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Criteria + +If the value "State" is "REG_DWORD = 23C00", this is not a finding. + 23C00 + State + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Download signed ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1001" is REG_DWORD = 3, this is not a finding. + 3 + 1001 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Download unsigned ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1004" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1004 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Initialize and script ActiveX controls not marked as safe' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding. + 3 + 1201 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow font downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1604" is REG_DWORD = 3, this is not a finding. + 3 + 1604 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. 
+ 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Access data sources across domains' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1406" is REG_DWORD = 3, this is not a finding. + 3 + 1406 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow drag and drop or copy and paste files' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value for "1802" is REG_DWORD = 3, this is not a finding. + 3 + 1802 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Launching applications and files in an IFRAME' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1804" is REG_DWORD = 3, this is not a finding. + 3 + 1804 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Navigate windows and frames across different domains' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 Criteria: If the value "1607" is REG_DWORD = 3, this is not a finding. + 3 + 1607 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Userdata persistence' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1606" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1606 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow cut, copy or paste operations from the clipboard via script' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1407" is REG_DWORD = 3, this is not a finding. + 3 + 1407 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Logon options' must be 'Enabled', and 'Prompt for user name and password' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1A00" is REG_DWORD = 65536 (decimal), this is not a finding. + 65536 + 1A00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Intranet Zone -> 'Java permissions' must be 'Enabled', and 'High Safety' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value "1C00" is REG_DWORD = 65536, (Decimal), this is not a finding. + 65536 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Sites Zone -> 'Java permissions' must be 'Enabled', and 'High Safety' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value "1C00" is REG_DWORD = 65536, (Decimal), this is not a finding. + 65536 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Internet Zone 'Enable dragging of content from different domains within a window' must be 'Enabled', and 'Disabled' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2708" is REG_DWORD = 3, this is not a finding. 
+ 3 + 2708 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Restricted Sites Zone 'Enable dragging of content from different domains across windows' must be 'Enabled', and 'Disabled' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2709" is REG_DWORD = 3, this is not a finding. + 3 + 2709 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict ActiveX Install -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict ActiveX Install -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. 
+ 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Restricted Sites Zone 'Enable dragging of content from different domains within a window' must be 'Enabled', and 'Disabled' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2708" is REG_DWORD = 3, this is not a finding. + 3 + 2708 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Download signed ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1001" is REG_DWORD = 3, this is not a finding. + 3 + 1001 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Download unsigned ActiveX controls' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1004" is REG_DWORD = 3, this is not a finding. + 3 + 1004 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Initialize and script ActiveX controls not marked as safe' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding. + 3 + 1201 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Run ActiveX controls and plugins' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1200" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1200 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Script ActiveX controls marked safe for scripting' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1405" is REG_DWORD = 3, this is not a finding. + 3 + 1405 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow file downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1803" is REG_DWORD = 3, this is not a finding. + 3 + 1803 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow font downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1604" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1604 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. + 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Access data sources across domains' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1406" is REG_DWORD = 3, this is not a finding. + 3 + 1406 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow META REFRESH' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1608" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1608 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow drag and drop or copy and paste files' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1802" is REG_DWORD=3, this is not a finding. + 3 + 1802 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Launching applications and files in an IFRAME' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1804" is REG_DWORD = 3, this is not a finding. + 3 + 1804 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Navigate windows and frames across different domains' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1607" is REG_DWORD = 3, this is not a finding. + 3 + 1607 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Userdata persistence' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1606" is REG_DWORD = 3, this is not a finding. + 3 + 1606 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow active scripting' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1400" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1400 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow cut, copy or paste operations from the clipboard via script' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1407" is REG_DWORD = 3, this is not a finding. + 3 + 1407 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Logon options' must be 'Enabled', and 'Anonymous logon' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1A00" is REG_DWORD = 196608 (decimal), this is not a finding. + 196608 + 1A00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Delete Browsing History -> 'Disable Configuring History' must be 'Enabled', and '40' entered in 'Days to keep pages in History'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel Criteria: If the value "History" is REG_DWORD = 1, this is not a finding. 
+ 1 + History + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History + False + + Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History Criteria: If the value "DaysToKeep" is REG_DWORD = 40 (decimal), this is not a finding. + 40 + DaysToKeep + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer 'Security Zones: Do not allow users to add/delete sites' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "Security_zones_map_edit" is REG_DWORD = 1, this is not a finding. + 1 + Security_zones_map_edit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer 'Security Zones: Do not allow users to change policies' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "Security_options_edit" is REG_DWORD = 1, this is not a finding. + 1 + Security_options_edit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer 'Security Zones: Use only machine settings' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "Security_HKLM_only" is REG_DWORD = 1, this is not a finding. + 1 + Security_HKLM_only + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn off the Security Settings Check feature' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Security Criteria: If the value "DisableSecuritySettingsCheck" is REG_DWORD = 0, this is not a finding. + 0 + DisableSecuritySettingsCheck + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download + False + + Note: Some legitimate software and controls may have an invalid signature. You should carefully test such software in isolation before it is allowed to be used on an organization's network. + +The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> 'Allow software to run or install even if the signature is invalid' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Download Criteria: If the value "RunInvalidSignatures" is REG_DWORD = 0, this is not a finding. + 0 + RunInvalidSignatures + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> 'Check for server certificate revocation' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Criteria: If the value "CertificateRevocation" is REG_DWORD = 1, this is not a finding. + 1 + CertificateRevocation + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> 'Check for signatures on downloaded programs' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Download Criteria: If the value "CheckExeSignatures" is REG_SZ = yes, this is not a finding. + yes + CheckExeSignatures + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> 'Intranet Sites: Include all network paths (UNCs)' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Criteria: If the value "UNCAsIntranet" is REG_DWORD = 0, this is not a finding. + 0 + UNCAsIntranet + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow script-initiated windows without size or position constraints' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2102" is REG_DWORD = 3, this is not a finding. + 3 + 2102 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow script-initiated windows without size or position constraints' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2102" is REG_DWORD = 3, this is not a finding. + 3 + 2102 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow Scriptlets' must be 'Enabled', and 'Disable' from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1209" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1209 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Automatic prompting for file downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2200" is REG_DWORD = 3, this is not a finding. + 3 + 2200 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Local Machine Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. + 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Local Machine Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. + 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Intranet Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 Criteria: If the value" 1C00" is REG_DWORD = 0, this is not a finding. + 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Trusted Sites Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. 
+ 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Locked-Down Restricted Sites Zone -> 'Java permissions' must be 'Enabled', and 'Disable Java' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following keys: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 Criteria: If the value "1C00" is REG_DWORD = 0, this is not a finding. + 0 + 1C00 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow loading of XAML files' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2402" is REG_DWORD = 3, this is not a finding. + 3 + 2402 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow loading of XAML files' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2402" is REG_DWORD = 3, this is not a finding. + 3 + 2402 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Turn on Protected Mode' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2500" is REG_DWORD = 0, this is not a finding. + 0 + 2500 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Turn on Protected Mode' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2500" is REG_DWORD = 0, this is not a finding. + 0 + 2500 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Use Pop-up Blocker' must be 'Enabled', and 'Enable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1809" is REG_DWORD = 0, this is not a finding. + 0 + 1809 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Use Pop-up Blocker' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1809" is REG_DWORD = 0, this is not a finding. + 0 + 1809 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Web sites in less privileged Web content zones can navigate into this zone' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2101" is REG_DWORD = 3, this is not a finding. 
+ 3 + 2101 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Web sites in less privileged Web content zones can navigate into this zone' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2101" is REG_DWORD = 3, this is not a finding. + 3 + 2101 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow binary and script behaviors' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2000" is REG_DWORD = 3, this is not a finding. + 3 + 2000 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Automatic prompting for file downloads' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2200" is REG_DWORD = 3, this is not a finding. + 3 + 2200 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Consistent Mime Handling -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Consistent Mime Handling -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Consistent Mime Handling -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Mime Sniffing Safety Feature -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Mime Sniffing Safety Feature -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Mime Sniffing Safety Feature -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> MK Protocol Security Restriction -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> MK Protocol Security Restriction -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> MK Protocol Security Restriction -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Protection From Zone Elevation -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Protection From Zone Elevation -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Protection From Zone Elevation -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict File Download -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict File Download -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict File Download -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Scripted Window Security Restrictions -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Scripted Window Security Restrictions -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS Criteria: If the value "explorer.exe is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Scripted Window Security Restrictions -> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Run .NET Framework-reliant components not signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2004" is REG_DWORD = 3, this is not a finding. + 3 + 2004 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Run .NET Framework-reliant components signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2001" is REG_DWORD = 3, this is not a finding. 
+ 3 + 2001 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Scripting of Java applets' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1402" is REG_DWORD = 3, this is not a finding. + 3 + 1402 + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main + False + + The policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Disable AutoComplete for forms' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "Use FormSuggest" is REG_SZ = no, this is not a finding. + no + Use FormSuggest + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn off Crash Detection' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key:HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria: If the value "NoCrashDetection" is REG_DWORD = 1, this is not a finding. 
+ 1 + NoCrashDetection + Dword + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main + False + + The policy value for User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> 'Turn on the auto-complete feature for user names and passwords on forms' must be 'Disabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "FormSuggest Passwords" is REG_SZ = 'no', this is not a finding. + no + FormSuggest Passwords + String + + + Present + False + HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main + False + + Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "FormSuggest PW Ask" is REG_SZ = 'no', this is not a finding. + no + FormSuggest PW Ask + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter + False + + If the system is on the SIPRNet, this requirement is NA. + +The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> "Prevent Managing SmartScreen Filter" must be "Enabled", and "On" selected from the drop-down box. + +Procedure: Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter + +Criteria: If the value "EnabledV9" is "REG_DWORD = 1", this is not a finding. + 1 + EnabledV9 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Delete Browsing History -> 'Allow deleting browsing history on exit' must be 'Disabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy Criteria: If the value "ClearBrowsingHistoryOnExit" is REG_DWORD = 0, this is not a finding. + 0 + ClearBrowsingHistoryOnExit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Delete Browsing History -> 'Prevent Deleting Web sites that the User has Visited' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy Criteria: If the value "CleanHistory" is REG_DWORD = 0, this is not a finding. + 0 + CleanHistory + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Privacy -> 'Turn off InPrivate Browsing' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy Criteria: If the value "EnableInPrivateBrowsing" is REG_DWORD = 0, this is not a finding. + 0 + EnableInPrivateBrowsing + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Allow scripting of Internet Explorer WebBrowser controls' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1206" is REG_DWORD = 3, this is not a finding. + 3 + 1206 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Include local path when user is uploading files to a server' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "160A" is REG_DWORD = 3, this is not a finding. + 3 + 160A + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features-> Notification Bar-> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Show security warning for potentially unsafe files' must be 'Enabled', and 'Prompt' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1806" is REG_DWORD = 1, this is not a finding. + 1 + 1806 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features-> Notification Bar-> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Criteria: If the value "explorer.exe" is REG_SZ = 1, this is not a finding. + 1 + explorer.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> ' Allow only approved domains to use ActiveX controls without prompt' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "120b" is REG_DWORD = 3, this is not a finding. + 3 + 120b + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features-> Notification Bar-> 'Internet Explorer Processes' must be 'Enabled'. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Criteria: If the value "iexplore.exe" is REG_SZ = 1, this is not a finding. + 1 + iexplore.exe + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone -> 'Turn on Cross-Site Scripting Filter' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "1409" is REG_DWORD = 0, this is not a finding. + 0 + 1409 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow scripting of Internet Explorer WebBrowser controls' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1206" is REG_DWORD = 3, this is not a finding. 
+ 3 + 1206 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Include local path when user is uploading files to a server' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "160A" is REG_DWORD = 3, this is not a finding. + 3 + 160A + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Show security warning for potentially unsafe files' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1806" is REG_DWORD = 3, this is not a finding. + 3 + 1806 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Allow only approved domains to use ActiveX controls without prompt' must be 'Enabled', and 'Enable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "120b" is REG_DWORD = 3, this is not a finding. + 3 + 120b + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone -> 'Turn on Cross-Site Scripting Filter' must be 'Enabled', and 'Enable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1409" is REG_DWORD = 0, this is not a finding. + 0 + 1409 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Security Features -> Restrict ActiveX Install -> 'Internet Explorer Processes' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL Criteria: If the value "(Reserved)" is REG_SZ = 1, this is not a finding. + 1 + (Reserved) + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone 'Allow updates to status bar via script' must be 'Enabled', and 'Disable' selected from the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2103" is REG_DWORD = 3, this is not a finding. + 3 + 2103 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone 'Run .NET Framework-reliant components not signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2004" is REG_DWORD = 3, this is not a finding. + 3 + 2004 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone 'Run .NET Framework-reliant components signed with Authenticode' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2001" is REG_DWORD = 3, this is not a finding. 
+ 3 + 2001 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone 'Allow Scriptlets' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "1209" is REG_DWORD = 3, this is not a finding. + 3 + 1209 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Restricted Sites Zone 'Allow updates to status bar via script' must be 'Enabled', and 'Disable' selected from the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "2103" is REG_DWORD = 3, this is not a finding. + 3 + 2103 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Advanced Page 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "DisableEPMCompat" is REG_DWORD = 1, this is not a finding. 
+ 1 + DisableEPMCompat + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Security Page-> Internet Zone 'Enable dragging of content from different domains across windows' must be 'Enabled', and 'Disabled' selected from the drop-down box. Procedure: Use the windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "2709" is REG_DWORD = 3, this is not a finding. + 3 + 2709 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel-> Advanced Page 'Turn on Enhanced Protected Mode' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "Isolation" is REG_SZ = 'PMEM', this is not a finding. + PMEM + Isolation + String + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Advanced Page 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' must be 'Enabled'. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main Criteria: If the value "Isolation64Bit" is REG_DWORD = 1, this is not a finding. 
+ 1 + Isolation64Bit + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Internet Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding. + 0 + 270C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Intranet Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding. + 0 + 270C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page ->Local Machine Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. 
Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding. + 0 + 270C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Restricted Sites Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding. + 0 + 270C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 + False + + The policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer-> Internet Control Panel -> Security Page -> Trusted Sites Zone 'Don't run antimalware programs against ActiveX controls' must be 'Enabled' and 'Disable' selected in the drop-down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Criteria: If the value "270C" is REG_DWORD = 0, this is not a finding. + 0 + 270C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> ”Prevent bypassing SmartScreen Filter warnings” must be ”Enabled”. 
+ +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter. + +Criteria: If the value "PreventOverride" is REG_DWORD = 1, this is not a finding. + + 1 + PreventOverride + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> ”Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the internet” must be ”Enabled”. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter. + +Criteria: If the value "PreventOverrideAppRepUnknown" is REG_DWORD = 1, this is not a finding. + + 1 + PreventOverrideAppRepUnknown + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> ”Prevent per-user installation of ActiveX controls” must be ”Enabled”. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX. + +Criteria: If the value "BlockNonAdminActiveXInstall" is REG_DWORD = 1, this is not a finding. + + 1 + BlockNonAdminActiveXInstall + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> ”Prevent ignoring certificate errors” must be ”Enabled”. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. 
+ +Criteria: If the value "PreventIgnoreCertErrors" is REG_DWORD = 1, this is not a finding. + + 1 + PreventIgnoreCertErrors + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Internet Zone >> ”Turn on SmartScreen Filter scan” must be ”Enabled” and ”Enable” selected from the drop-down box. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3. + +Criteria: If the value "2301" is REG_DWORD = 0, this is not a finding. + + 0 + 2301 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Restricted Sites Zone >> ”Turn on SmartScreen Filter scan” must be ”Enabled” and ”Enable” selected from the drop-down box. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4. + +Criteria: If the value "2301" is REG_DWORD = 0, this is not a finding. + + 0 + 2301 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Intranet Zone >> ”Initialize and script ActiveX controls not marked as safe” must be ”Enabled” and ”Disable” selected from the drop-down box. 
+ +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1. + +Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding. + + 3 + 1201 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Trusted Sites Zone >> ”Initialize and script ActiveX controls not marked as safe” must be ”Enabled” and ”Disable” selected from the drop-down box. + +Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2. + +Criteria: If the value "1201" is REG_DWORD = 3, this is not a finding. + + 3 + 1201 + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> "Allow fallback to SSL 3.0 (Internet Explorer)" must be "Enabled", and "No Sites" selected from the drop-down box. If "Allow fallback to SSL 3.0 (Internet Explorer)" is not "Enabled" or any other drop-down option is selected, this is a finding. + +Procedure: Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. + +Criteria: If the value "EnableSSL3Fallback" is REG_DWORD=0, this is not a finding. 
+ 0 + EnableSSL3Fallback + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext + False + + In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> Add-on Management, verify "Remove the Run this time button for outdated ActiveX controls in IE" is set to “Enabled”. + +Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext + +If the value "RunThisTimeEnabled" is REG_DWORD = 0, this is not a finding. + 0 + RunThisTimeEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext + False + + In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Security Features >> Add-on Management, verify "Turn off blocking of outdated ActiveX controls for Internet Explorer" is set to “Disabled”. + +Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext + +If the value "VersionCheckEnabled" is REG_DWORD = 1, this is not a finding. + 1 + VersionCheckEnabled + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + Note: Only applies to Windows 10 version 1607 and higher and Windows Server 2016 systems. For other Windows versions, this check is Not Applicable. + +In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Internet Zone, verify "Allow only approved domains to use the TDC ActiveX control" is “Enabled”. + +In the Options window, verify the “Only allow approved domains to use the TDC ActiveX control" drop-down box is set to “Enable”. 
+ +Procedure: Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + +Criteria: + +If the value "120c" is REG_DWORD = “3”, this is not a finding. + 3 + 120c + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + Note: Only applies to Windows 10 version 1607 and higher and Windows Server 2016 systems. For other Windows versions, this check is Not Applicable. + +In the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Restricted Sites Zone, verify "Allow only approved domains to use the TDC ActiveX control" is “Enabled”. + +In the Options window, verify the “Only allow approved domains to use the TDC ActiveX control" drop-down box is set to “Enable”. + +Procedure: Use the Windows Registry Editor to navigate to the following key: + +HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + +Criteria: + +If the value "120c" is REG_DWORD = “3”, this is not a finding. + 3 + 120c + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Internet Zone >> "Allow VBScript to run in Internet Explorer" must be "Enabled", and "Disable" must be selected from the drop-down box. + +Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + +If the value for "140C" is not REG_DWORD = 3, this is a finding. + +Note: This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable. 
+ + 3 + 140C + Dword + + + Present + False + HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + False + + The policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Internet Explorer >> Internet Control Panel >> Security Page >> Restricted Sites Zone >> "Allow VBScript to run in Internet Explorer" must be "Enabled", and "Disable" must be selected from the drop-down box. + +Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + +If the value for "140C" is not REG_DWORD = 3, this is a finding. + +Note: This policy setting will only exist on Windows 10 Redstone 2 or later, and is otherwise not applicable. + + 3 + 140C + Dword + + + \ No newline at end of file diff --git a/tests/helper.psm1 b/tests/helper.psm1 new file mode 100644 index 000000000..aca666adb --- /dev/null +++ b/tests/helper.psm1 
@@ -0,0 +1,292 @@
+#################################### Common test Helpers ####################################
+<#
+ .SYNOPSIS
+ Retrieves the parse errors for the given file.
+
+ .PARAMETER FilePath
+ The path to the file to get parse errors for.
+#>
+function Get-FileParseErrors
+{
+ [OutputType([System.Management.Automation.Language.ParseError[]])]
+ [CmdletBinding()]
+ param
+ (
+ [Parameter(ValueFromPipeline = $true, Mandatory = $true)]
+ [String]
+ $FilePath
+ )
+
+ $parseErrors = $null
+
+ $null = [System.Management.Automation.Language.Parser]::ParseFile(
+ $FilePath,
+ [ref] $null,
+ [ref] $parseErrors
+ )
+ return $parseErrors
+}
+
+<#
+ .SYNOPSIS
+ Retrieves all text files under the given root file path.
+
+ .PARAMETER Root
+ The root file path under which to retrieve all text files.
+
+ .NOTES
+ Retrieves all files with the '.gitignore', '.gitattributes', '.ps1', '.psm1', '.psd1',
+ '.json', '.xml', '.cmd', or '.mof' file extensions.
+#>
+function Get-TextFilesList
+{
+ [OutputType([System.IO.FileInfo[]])]
+ [CmdletBinding()]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [String]
+ $FilePath
+ )
+
+ $textFileExtensions = @('.gitignore', '.gitattributes', '.ps1', '.psm1', '.psd1', '.json',
+ '.xml', '.cmd', '.mof')
+
+ return Get-ChildItem -Path $FilePath -File -Recurse | Where-Object { $textFileExtensions `
+ -contains $_.Extension }
+}
+function Test-FileInUnicode
+{
+ [OutputType([Boolean])]
+ [CmdletBinding()]
+ param
+ (
+ [Parameter(ValueFromPipeline = $true, Mandatory = $true)]
+ [System.IO.FileInfo]
+ $FileInfo
+ )
+
+ $filePath = $FileInfo.FullName
+
+ $fileBytes = [System.IO.File]::ReadAllBytes($filePath)
+
+ $zeroBytes = @( $fileBytes -eq 0 )
+
+ return ($zeroBytes.Length -ne 0)
+}
+
+#################################### Common test Helpers #####################################
+<#
+ .SYNOPSIS
+ Used to validate an xml file against a specified schema
+
+ .PARAMETER XmlFile
+ Path and file name of the XML file to be validated
+
+ .PARAMETER Xml
+ An already loaded System.Xml.XmlDocument
+
+ .PARAMETER SchemaFile
+ Path of XML schema used to validate the XML document
+
+ .PARAMETER ValidationEventHandler
+ Script block that is run when an error occurs while validating XML
+
+ .EXAMPLE
+ Test-XML -XmlFile C:\source\test.xml -SchemaFile C:\Source\test.xsd
+
+ .EXAMPLE
+ $xmlobject = Get-StigData -OsVersion 2012R2 -OsRole MemberServer
+ Test-XML -Xml $xmlobject -SchemaFile C:\Source\test.xsd
+#>
+Function Test-Xml
+{
+ param
+ (
+ [Parameter(ValueFromPipeline = $true, Mandatory = $true, ParameterSetName = 'File')]
+ [string]
+ $XmlFile,
+
+ [Parameter(ValueFromPipeline = $true, Mandatory = $true, ParameterSetName = 'Object')]
+ [xml]
+ $Xml,
+
+ [Parameter(Mandatory = $true)]
+ [string]
+ $SchemaFile,
+
+ [scriptblock]
+ $ValidationEventHandler = { Throw $_.Exception }
+ )
+
+ If (-not (Test-Path -Path $SchemaFile))
+ {
+ Throw "Schema file not found"
+ }
+
+ $schemaReader = New-Object System.Xml.XmlTextReader $SchemaFile
+ $schema = [System.Xml.Schema.XmlSchema]::Read($schemaReader, $ValidationEventHandler)
+
+ If ($PsCmdlet.ParameterSetName -eq "File")
+ {
+ $xml = New-Object System.Xml.XmlDocument
+ $xml.Load($XmlFile)
+ }
+
+ $xml.Schemas.Add($schema) | Out-Null
+ $xml.Validate($ValidationEventHandler)
+}
+
+function Get-StigDataRootPath
+{
+ [cmdletbinding()]
+ param()
+
+ return "$((Get-Module -Name PowerStig -ListAvailable).ModuleBase)\StigData"
+}
+
+<#
+ .SYNOPSIS
+ Returns a list of stigs for a given resource. This is used in integration testign by looping
+ through every valide STIG found in the StigData directory.
+
+ .PARAMETER CompositeResourceName
+ The resource to filter the results
+
+ .PARAMETER Filter
+ Parameter description
+#>
+function Get-StigVersionTable
+{
+ [outputtype([psobject])]
+ [cmdletbinding()]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [string]
+ $CompositeResourceName,
+
+ [Parameter()]
+ [string]
+ $Filter
+ )
+
+ $path = "$((((Get-Module -Name PowerStig -ListAvailable) |
+ Sort-Object Version)[-1]).ModuleBase)\StigData\$CompositeResourceName"
+
+ $versions = Get-ChildItem -Path $path -Exclude "*.org.*", "*.xsd"
+
+ $versionTable = @{}
+ foreach ($version in $versions)
+ {
+ if ($version.Basename -match $Filter)
+ {
+ $versionTable.Add($version.Basename, $version.FullName)
+ }
+ }
+
+ $versionTable
+}
+
+<#
+ .SYNOPSIS
+ Using an AST, it returns the name of a configuration in the composite resource schema file.
+
+ .PARAMETER FilePath
+ The full path to the resource schema module file
+#>
+function Get-ConfigurationName
+{
+ [cmdletbinding()]
+ [outputtype([string[]])]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [String]
+ $FilePath
+ )
+
+ $AST = [System.Management.Automation.Language.Parser]::ParseFile(
+ $FilePath, [ref] $null, [ref] $Null
+ )
+
+ # Get the Export-ModuleMember details from the module file
+ $ModuleMember = $AST.Find( {
+ $args[0] -is [System.Management.Automation.Language.ConfigurationDefinitionAst]}, $true)
+
+ return $ModuleMember.InstanceName.Value
+}
+
+<#
+ .SYNOPSIS
+ Returns the list of StigVersion nunmbers that are defined in the ValidateSet parameter attribute
+
+ .PARAMETER FilePath
+ THe full path to the resource to read from
+#>
+function Get-StigVersionParameterValidateSet
+{
+ [outputtype([string[]])]
+ [cmdletbinding()]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [string]
+ $FilePath
+ )
+
+ $compositeResource = Get-Content -Path $FilePath -Raw
+
+ $AbstractSyntaxTree = [System.Management.Automation.Language.Parser]::ParseInput(
+ $compositeResource, [ref]$null, [ref]$null)
+
+ $params = $AbstractSyntaxTree.FindAll(
+ {$args[0] -is [System.Management.Automation.Language.ParameterAst]}, $true)
+
+ # Filter the specifc ParameterAst
+ $paramToUpdate = $params |
+ Where-Object {$PSItem.Name.VariablePath.UserPath -eq 'StigVersion'}
+
+ # Get the specifc parameter attribute to update
+ $validate = $paramToUpdate.Attributes.Where(
+ {$PSItem.TypeName.Name -eq 'ValidateSet'})
+
+ return $validate.PositionalArguments.Value
+}
+
+<#
+ .SYNOPSIS
+ Get a unique list of valid STIG versions from the StigData
+
+ .PARAMETER CompositeResourceName
+ The resource to filter the results
+#>
+function Get-ValidStigVersionNumbers
+{
+ [cmdletbinding()]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [string]
+ $CompositeResourceName
+ )
+
+ $path = "$(Get-StigDataRootPath)\$CompositeResourceName"
+
+ [string[]] $ValidStigVersionNumbers = Get-ChildItem -Path $path -Exclude "*.org.*" |
+ ForEach-Object { ($PSItem.baseName -split "-")[-1] } |
+ Select-Object -Unique
+
+ return $ValidStigVersionNumbers
+}
+
+Export-ModuleMember -Function @(
+ 'Get-FileParseErrors',
+ 'Get-TextFilesList',
+ 'Test-FileInUnicode',
+ 'Test-Xml'
+ 'Get-StigVersionTable',
+ 'Get-ConfigurationName',
+ 'Get-StigVersionParameterValidateSet',
+ 'Get-ValidStigVersionNumbers'
+)
diff --git a/tests/integration/PowerStig.tests.ps1 b/tests/integration/PowerStig.tests.ps1
new file mode 100644
index 000000000..233758b2f
--- /dev/null
+++ b/tests/integration/PowerStig.tests.ps1
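Review bot: In Test-Xml the reader created with `New-Object System.Xml.XmlTextReader $SchemaFile` is never closed, so the .xsd handle stays open until the collector gets to it, which shows up when a later test rewrites or deletes that file; wrap the read as `try { $schema = [System.Xml.Schema.XmlSchema]::Read($schemaReader, $ValidationEventHandler) } finally { $schemaReader.Close() }`. XmlTextReader and XmlDocument.Load are the legacy APIs whose DTD and external-resolver defaults were permissive on older .NET Framework; that is acceptable here because the helper only validates files shipped in this repository, but a one-line comment stating that assumption would stop someone from reusing it on XML from outside the repo. Get-StigDataRootPath interpolates `(Get-Module -Name PowerStig -ListAvailable).ModuleBase` without selecting a single module, so with two versions installed it yields a space-joined path, whereas Get-StigVersionTable sorts by Version and takes `[-1]`; both should share that selection, and Get-StigVersionTable could then call Get-StigDataRootPath like Get-ValidStigVersionNumbers does. Smaller items: the help for Get-TextFilesList documents `.PARAMETER Root` but the parameter is `$FilePath`, the comment in Get-ConfigurationName says "Export-ModuleMember details" while the code searches for a ConfigurationDefinitionAst, Test-FileInUnicode is the only helper without comment-based help (it flags any file containing a NUL byte), and the missing comma after `'Test-Xml'` in Export-ModuleMember only works because `@()` flattens each statement's output.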
@@ -0,0 +1,20 @@ +Describe "$ModuleName module" { + + Context 'Exported Commands' { + + $commands = (Get-Command -Module $ModuleName).Name + $exportedCommands = @('Get-OrgSettingsObject', 'Get-DomainName', 'Get-StigList') + + foreach ($export in $exportedCommands) + { + It "Should export the $export Command" { + $commands.Contains($export) | Should Be $true + } + } + + It "Should not have more commands than are tested" { + $compare = Compare-Object -ReferenceObject $commands -DifferenceObject $exportedCommands + $compare.Count | Should Be 0 + } + } +} diff --git a/tests/integration/common.tests.ps1 b/tests/integration/common.tests.ps1 new file mode 100644 index 000000000..2a92a0e3d --- /dev/null +++ b/tests/integration/common.tests.ps1 
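Review bot: `$ModuleName` is read in the `Describe` title and again in `Get-Command -Module $ModuleName`, but nothing in this file defines or imports it, so the test only works if the harness sets the variable and has already imported the module; with it unset, `Get-Command -Module` returns nothing and the `Contains` checks fail for a reason unrelated to the exports. common.tests.ps1 in the same commit derives the name itself, so the same approach here would remove the hidden dependency: `$projectRoot = (Resolve-Path -Path "$PSScriptRoot\..\..").Path`, `$ModuleName = (Get-Item "$projectRoot\src\*.psd1").BaseName`, followed by an explicit `Import-Module "$projectRoot\release\$ModuleName" -Force`. Whether the test runner already provides `$ModuleName` cannot be seen from this hunk, so confirm before adding the lines.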
@@ -0,0 +1,251 @@ +# Pulled from https://github.com/PowerShell/DscConfiguration.Tests + +<# + PSSA = PS Script Analyzer + Only the first and last tests here will pass/fail correctly at the moment. The other 3 tests + will currently always pass, but print warnings based on the problems they find. + These automatic passes are here to give contributors time to fix the PSSA + problems before we turn on these tests. These 'automatic passes' should be removed + along with the first test (which is replaced by the following 3) around Jan-Feb + 2017. +#> + +$srcDirectory = "$projectRoot\src" + +if(-not $env:SrcFolder) +{ + $env:SrcFolder = $srcDirectory +} + +$projectRoot = (Resolve-Path -Path $PSScriptRoot\..\..).Path +$SrcRootDir = "$projectRoot\src" +$ModuleName = (Get-Item $SrcRootDir/*.psd1).BaseName +$relDirectory = "$projectRoot\release\$moduleName" +Import-Module "$projectRoot\tests\helper.psm1" -Force + +Describe 'Common Tests - File Parsing' { + $ScriptFiles = Get-ChildItem -Path $relDirectory -Filter '*.ps1' -File + + foreach ($ScriptFile in $ScriptFiles) + { + Context $ScriptFile.Name { + It 'Should not contain parse errors' { + $containsParseErrors = $false + + $parseErrors = Get-FileParseErrors -FilePath $ScriptFile.FullName + + if ($null -ne $parseErrors) + { + Write-Warning -Message "There are parse errors in $($ScriptFile.FullName):" + Write-Warning -Message ($parseErrors | Format-List | Out-String) + + $containsParseErrors = $true + } + + $containsParseErrors | Should Be $false + } + } + } +} + +Describe 'Common Tests - File Formatting' { + $textFiles = Get-TextFilesList -FilePath $relDirectory + + Context 'All discovered ext files' { + It "Should not contain any files with Unicode file encoding" { + $containsUnicodeFile = $false + + foreach ($textFile in $textFiles) + { + if (Test-FileInUnicode $textFile) { + if($textFile.Extension -ieq '.mof') + { + Write-Warning -Message "File $($textFile.FullName) should be converted to ASCII. 
Use fixer function 'Get-UnicodeFilesList `$pwd | ConvertTo-ASCII'." + } + else + { + Write-Warning -Message "File $($textFile.FullName) should be converted to UTF-8. Use fixer function 'Get-UnicodeFilesList `$pwd | ConvertTo-UTF8'." + } + + $containsUnicodeFile = $true + } + } + + $containsUnicodeFile | Should Be $false + } + + It 'Should not contain any files with tab characters' { + $containsFileWithTab = $false + + foreach ($textFile in $textFiles) + { + $fileName = $textFile.FullName + $fileContent = Get-Content -Path $fileName -Raw + + $tabCharacterMatches = $fileContent | Select-String "`t" + + if ($null -ne $tabCharacterMatches) + { + Write-Warning -Message "Found tab character(s) in $fileName. Use fixer function 'Get-TextFilesList `$pwd | ConvertTo-SpaceIndentation'." + $containsFileWithTab = $true + } + } + + $containsFileWithTab | Should Be $false + } + + It 'Should not contain empty files' { + $containsEmptyFile = $false + + foreach ($textFile in $textFiles) + { + $fileContent = Get-Content -Path $textFile.FullName -Raw + + if([String]::IsNullOrWhiteSpace($fileContent)) + { + Write-Warning -Message "File $($textFile.FullName) is empty. Please remove this file." + $containsEmptyFile = $true + } + } + + $containsEmptyFile | Should Be $false + } + + It 'Should not contain files without a newline at the end' { + $containsFileWithoutNewLine = $false + + foreach ($textFile in $textFiles) + { + # Skip xml files in this test + if ($textFile.Extension -eq ".xml") + { + continue + } + $fileContent = Get-Content -Path $textFile.FullName -Raw + if ( -not [String]::IsNullOrWhiteSpace($fileContent) -and $fileContent[-1] -ne "`n") + { + if (-not $containsFileWithoutNewLine) + { + Write-Warning -Message 'Each file must end with a new line.' + } + + Write-Warning -Message "$($textFile.FullName) does not end with a new line. 
Use fixer function 'Add-NewLine'" + + $containsFileWithoutNewLine = $true + } + } + + + $containsFileWithoutNewLine | Should Be $false + } + + } +} + +Describe 'Common Tests - Configuration Module Requirements' { + + #$moduleName = Get-Item -Path $relDirectory | ForEach-Object -Process {$_.Name} + + $Files = Get-ChildItem -Path $relDirectory + $Manifest = Import-PowerShellDataFile -Path "$relDirectory\$moduleName.psd1" + + Context "$moduleName module manifest properties" { + It 'Contains a module manifest that aligns to the folder and module names' { + $Files.Name.Contains("$moduleName.psd1") | Should Be True + } + It 'Contains a readme' { + Test-Path "$projectRoot\README.md" | Should Be True + } + It "Manifest $moduleName.psd1 should import as a data file" { + $Manifest | Should BeOfType 'Hashtable' + } + It 'Should have a GUID in the manifest' { + $Manifest.GUID | Should Match '[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}' + } + It 'Should not list RequiredModules in the manifest' { + $Manifest.RequiredModules | Should BeNullOrEmpty + } + It 'Should list a module version in the manifest' { + $Manifest.ModuleVersion | Should BeGreaterThan 0.0.0.0 + } + It 'Should list an author in the manifest' { + $Manifest.Author | Should Not BeNullOrEmpty + } + It 'Should provide a description in the manifest' { + $Manifest.Description | Should Not BeNullOrEmpty + } + It 'Should require PowerShell version 4 or later in the manifest' { + $Manifest.PowerShellVersion | Should BeGreaterThan 4.0 + } + It 'Should require CLR version 4 or later in the manifest' { + $Manifest.CLRVersion | Should BeGreaterThan 4.0 + } + It 'Should export functions in the manifest' { + $Manifest.FunctionsToExport | Should Not BeNullOrEmpty + } + It 'Should include tags in the manifest' { + $Manifest.PrivateData.PSData.Tags | Should Not BeNullOrEmpty + } + It 'Should include a project URI in the manifest' { + $Manifest.PrivateData.PSData.ProjectURI | Should Not BeNullOrEmpty + } + } + + if 
($Manifest.RequiredModules) + { + Context "$moduleName required modules" { + + foreach ($RequiredModule in $Manifest.RequiredModules) + { + if ($RequiredModule.GetType().Name -eq 'Hashtable') + { + It "$($RequiredModule.ModuleName) version $($RequiredModule.ModuleVersion) should be found in the PowerShell public gallery" { + {Find-Module -Name $RequiredModule.ModuleName -RequiredVersion $RequiredModule.ModuleVersion} | Should Not BeNullOrEmpty + } + It "$($RequiredModule.ModuleName) version $($RequiredModule.ModuleVersion) should install locally without error" { + {Install-Module -Name $RequiredModule.ModuleName -RequiredVersion $RequiredModule.ModuleVersion -Scope CurrentUser -Force} | Should Not Throw + } + } + else + { + It "$RequiredModule should be found in the PowerShell public gallery" { + {Find-Module -Name $RequiredModule} | Should Not BeNullOrEmpty + } + It "$RequiredModule should install locally without error" { + {Install-Module -Name $RequiredModule -Scope CurrentUser -Force} | Should Not Throw + } + } + } + } + } +} + +Describe 'Common Tests - STIG Data Requirements' { + Context 'Converted STIGs' { + $stigDataFolder = "$SrcRootDir\StigData" + $convertedStigs = Get-ChildItem -Path $stigDataFolder -File | Where-Object {$_.Name -notmatch "\.org\.default\.xml?"} + $orgSettings = Get-ChildItem -Path $stigDataFolder -File | Where-Object {$_.Name -match "\.org\.default\.xml?"} + $orgSettings = $orgSettings.BaseName.ToLower() + $convertedStigs = $convertedStigs.BaseName.ToLower() + + foreach ($stig in $convertedStigs) + { + It "$stig should have paired org settings file" { + $testResult = $true + + if ($orgSettings.Contains(($stig + ".org.default"))) + { + continue + } + else + { + $testResult = $false + + Write-Warning -Message "$stig does not have an Org Setting xml. Run 'ConvertTo-DscStigXml' for $stig with the 'CreateOrgSettingsFile' Switch " + } + + $testResult | Should Be $true + } + } + } +} 
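Review bot: In the required-modules Context, `{Find-Module ...} | Should Not BeNullOrEmpty` pipes a script block rather than its result, and a script block is never null, so the "should be found in the PowerShell public gallery" assertions pass unconditionally; dropping the braces, `Find-Module -Name $RequiredModule.ModuleName -RequiredVersion $RequiredModule.ModuleVersion | Should Not BeNullOrEmpty` (and the same in the string branch), makes them real. The companion `Install-Module ... -Scope CurrentUser -Force` lines download and install code from the public gallery during a test run, and in the string branch without any version pin, so whatever name appears in RequiredModules is pulled onto the build agent; asserting with Find-Module alone, or at least pinning `-RequiredVersion` in both branches, keeps the test from being a supply-chain hole (the manifest test above currently requires RequiredModules to be empty, so this Context is unreachable today, which is also why the broken assertions went unnoticed). Separately, near the top `$srcDirectory = "$projectRoot\src"` is evaluated before `$projectRoot` is assigned, so when `$env:SrcFolder` is unset it is seeded with the literal `\src`; move the `$projectRoot = (Resolve-Path -Path $PSScriptRoot\..\..).Path` line above it.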
diff --git a/tests/unit/Class/OrganizationalSetting.tests.ps1 b/tests/unit/Class/OrganizationalSetting.tests.ps1 new file mode 100644 index 000000000..8dd5ffde8 --- /dev/null +++ b/tests/unit/Class/OrganizationalSetting.tests.ps1 @@ -0,0 +1,69 @@ +using module .\..\..\..\src\Class\OrganizationalSetting.psm1 + +[xml] $OrgSettingXml = +@" + + + + + + + + + + + + +"@ + +[hashtable] $OrgSettingHashtable = +@{ +"V-1114"="xGuest"; +"V-1115"="xAdministrator"; +"V-3472.a"="NT5DS"; +"V-4108"="90"; +"V-4113"="300000"; +"V-8322.b"="NT5DS"; +"V-26482"="Administrators"; +"V-26579"="32768"; +"V-26580"="196608"; +"V-26581"="32768" +} + +Describe "OrganizationalSetting Class" { + + Context "Constructor" { + + It "Should create an OrganizationalSetting class instance using OrgSettingHashtable data" { + foreach ($hash in $OrgSettingHashtable.GetEnumerator()) + { + $newOrgSetting = [OrganizationalSetting]::new($hash.Key, $hash.Value) + $newOrgSetting.StigRuleId | Should Be $hash.Key + $newOrgSetting.Value | Should Be $hash.Value + } + } + } + + Context "Static Methods" { + It "ConvertFrom: Should be able to convert an Xml document to a OrganizationalSetting array" { + $orgSettingArray = [OrganizationalSetting]::ConvertFrom($OrgSettingXml) + + foreach ($node in $OrgSettingXml.OrganizationalSettings.ChildNodes) { + $orgSetting = $orgSettingArray.Where({$_.StigRuleId -eq $node.id}) + $orgSetting.StigRuleId | Should Be $node.id + $orgSetting.Value | Should Be $node.value + } + } + + It "ConvertFrom: Should be able to convert a Hashtable to a OrganizationalSetting array" { + $orgSettingArray = [OrganizationalSetting]::ConvertFrom($OrgSettingHashtable) + + foreach ($hash in $OrgSettingHashtable.GetEnumerator()) + { + $orgSetting = $orgSettingArray.Where( {$_.StigRuleId -eq $hash.Key}) + $orgSetting.StigRuleId | Should Be $hash.Key + $orgSetting.Value | Should Be $hash.Value + } + } + } +} 
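Review bot: The XML `ConvertFrom` test asserts only that each node in `$OrgSettingXml.OrganizationalSettings.ChildNodes` has a matching element in the result, so it passes vacuously if the here-string yields no child nodes (as rendered here the `@" ... "@` block shows no element content, which may be an extraction artifact) and it never notices extra or duplicate entries. Add a size check before each loop, `$orgSettingArray.Count | Should Be $OrgSettingXml.OrganizationalSettings.ChildNodes.Count` in the XML case and `$orgSettingArray.Count | Should Be $OrgSettingHashtable.Count` in the hashtable case. The constructor Context has no negative case; whether the class rejects an empty id or value cannot be seen from this hunk, so check OrganizationalSetting.psm1 before adding one.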
diff --git a/tests/unit/Class/SkippedRule.tests.ps1 b/tests/unit/Class/SkippedRule.tests.ps1 new file mode 100644 index 000000000..ec54a19a0 --- /dev/null +++ b/tests/unit/Class/SkippedRule.tests.ps1 @@ -0,0 +1,41 @@ +using module .\..\..\..\src\Class\SkippedRule.psm1 + +[string[]] $SkippedRuleArray = +@( +"V-1114", +"V-1115", +"V-3472.a", +"V-4108", +"V-4113", +"V-8322.b", +"V-26482", +"V-26579", +"V-26580", +"V-26581" +) + +Describe "SkippedRule Class" { + + Context "Constructor" { + + It "Should create an SkippedRule class instance using SkippedRule data" { + foreach ($rule in $SkippedRuleArray) + { + $SkippedRule = [SkippedRule]::new($rule) + $SkippedRule.StigRuleId | Should Be $rule + } + } + } + + Context "Static Methods" { + It "ConvertFrom: Should be able to convert an array of StigRuleId strings to a SkippedRule array" { + $SkippedRules = [SkippedRule]::ConvertFrom($SkippedRuleArray) + + foreach ($rule in $SkippedRuleArray) + { + $skippedRule = $SkippedRules.Where( {$_.StigRuleId -eq $rule}) + $skippedRule.StigRuleId | Should Be $rule + } + } + } +} diff --git a/tests/unit/Class/SkippedRuleType.tests.ps1 b/tests/unit/Class/SkippedRuleType.tests.ps1 new file mode 100644 index 000000000..6e74a2c87 --- /dev/null +++ b/tests/unit/Class/SkippedRuleType.tests.ps1 
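Review bot: Both assertions in this file only check that each id from `$SkippedRuleArray` can be found again with `.Where()`, so an implementation that returned extra or duplicated `SkippedRule` objects would still pass; add `$SkippedRules.Count | Should Be $SkippedRuleArray.Count` after the `ConvertFrom` call. There is also no negative case, unlike Technology.tests.ps1 in this commit which checks that an invalid name throws; whether `[SkippedRule]::new` validates the id at all (for example rejects an empty string) cannot be seen here, so confirm against the class before adding `{ [SkippedRule]::new('') } | Should Throw`.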
@@ -0,0 +1,38 @@ +using module .\..\..\..\src\Class\SkippedRuleType.psm1 +using module .\..\..\..\src\Enum\StigRuleType.psm1 + +[string[]] $SkippedRuleTypeArray = +@( +"AccountPolicyRule", +"AuditPolicyRule", +"RegistryRule", +"SecurityOptionRule", +"ServiceRule", +"UserRightRule" +) + +Describe "SkippedRuleType Class" { + + Context "Constructor" { + + It "Should create an SkippedRuleType class instance using SkippedRuleType1 data" { + foreach ($type in $SkippedRuleTypeArray) + { + $SkippedRuleType = [SkippedRuleType]::new($type) + $SkippedRuleType.StigRuleType | Should Be $type + } + } + } + + Context "Static Methods" { + It "ConvertFrom: Should be able to convert an array of SkippedRuleType strings to a SkippedRuleType array" { + $SkippedRuleTypes = [SkippedRuleType]::ConvertFrom($SkippedRuleTypeArray) + + foreach ($type in $SkippedRuleTypeArray) + { + $skippedRuleType = $SkippedRuleTypes.Where( {$_.StigRuleType.ToString() -eq $type}) + $skippedRuleType.StigRuleType | Should Be $type + } + } + } +} diff --git a/tests/unit/Class/StigData.tests.ps1 b/tests/unit/Class/StigData.tests.ps1 new file mode 100644 index 000000000..ab167483c --- /dev/null +++ b/tests/unit/Class/StigData.tests.ps1 
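Review bot: The constructor Context has no negative case even though this file imports `StigRuleType.psm1`, which suggests the type is constrained to that enum; a test such as `{ [SkippedRuleType]::new('NotARuleType') } | Should Throw` would pin that an unknown rule type is rejected rather than silently stored, assuming the class casts the string to the enum (confirm against SkippedRuleType.psm1). The `It` name `"...using SkippedRuleType1 data"` refers to a fixture that does not exist in this file; the body iterates `$SkippedRuleTypeArray`, so rename it accordingly. As in the sibling tests, a `$SkippedRuleTypes.Count | Should Be $SkippedRuleTypeArray.Count` check would catch extras that the `.Where()` lookups cannot.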
@@ -0,0 +1,296 @@ +using module .\..\..\..\src\Class\StigData.psm1 +using module .\..\..\..\src\Class\StigException.psm1 +using module .\..\..\..\src\Class\StigProperty.psm1 +using module .\..\..\..\src\Class\SkippedRuleType.psm1 +using module .\..\..\..\src\Class\SkippedRule.psm1 +using module .\..\..\..\src\Class\OrganizationalSetting.psm1 +using module .\..\..\..\src\Class\Technology.psm1 +using module .\..\..\..\src\Class\TechnologyRole.psm1 +using module .\..\..\..\src\Class\TechnologyVersion.psm1 + +Import-Module "$PSScriptRoot\..\..\helper.psm1" -Force +$SchemaFile = (Resolve-Path -Path "$SrcRootDir\StigData\Schema\PowerStig.xsd").Path + +#region StigData1 Test Data +[hashtable] $orgSettingHashtable = +@{ +"V-1114"="xGuest"; +"V-1115"="xAdministrator"; +"V-3472.a"="NT5DS"; +"V-4108"="90"; +"V-4113"="300000"; +"V-8322.b"="NT5DS"; +"V-26482"="Administrators"; +"V-26579"="32768"; +"V-26580"="196608"; +"V-26581"="32768" +} + +$orgSettings = [OrganizationalSetting]::ConvertFrom($orgSettingHashtable) + +$technologyName = 'Windows'; +$technologyVersionName = '2012R2'; +$technologyRoleName = 'DC'; + +$technology = [Technology]::new($technologyName) +$technologyVersion = [TechnologyVersion]::new($technologyVersionName, $technology) +$technologyRole = [TechnologyRole]::new($technologyRoleName, $technologyVersion) + +$stigVersion = [StigData]::GetHighestStigVersion($technology, $technologyRole, $technologyVersion) + + +[hashtable] $stigExceptionHashtable = +@{ + "V-26606" = @{'ServiceState' = 'Running'; + 'StartupType'= 'Automatic'}; + "V-15683" = @{'ValueData' = '1'}; + "V-26477" = @{'Identity' = 'Administrators'}; +} + +$stigExceptions = [StigException]::ConvertFrom($stigExceptionHashtable) + +[string[]] $skippedRuleTypeArray = +@( +"AccountPolicyRule" +) + +$skippedRuleTypes = [SkippedRuleType]::ConvertFrom($skippedRuleTypeArray) + +[string[]] $skippedRuleArray = +@( +"V-1114", +"V-1115", +"V-3472.a", +"V-4108", +"V-4113", +"V-8322.b", +"V-26482", +"V-26579", 
+"V-26580", +"V-26581" +) + +$skippedRules = [SkippedRule]::ConvertFrom($skippedRuleArray) +#endregion StigData1 Test Data + +Describe "StigData Class" { + + Context "Constructor" { + + It "Should create an StigData class instance using StigData1 data" { + $stigData = [StigData]::new($stigVersion, $orgSettings, $technology, $technologyRole, $technologyVersion, $stigExceptions, $skippedRuleTypes, $skippedRules) + + $stigData.StigVersion | Should Be $stigVersion + + $organizationalSettings = $stigData.OrganizationalSettings + foreach ($hash in $orgSettingHashtable.GetEnumerator()) + { + $orgSetting = $organizationalSettings.Where( {$_.StigRuleId -eq $hash.Key}) + $orgSetting.StigRuleId | Should Be $hash.Key + $orgSetting.Value | Should Be $hash.Value + } + + $stigData.Technology.Name | Should Be $technology.Name + + $stigData.TechnologyVersion.Name | Should Be $technologyVersion.Name + + $stigData.TechnologyRole.Name | Should Be $technologyRole.Name + + $stigExceptions = $stigData.StigExceptions + foreach ($hash in $stigExceptionHashtable.GetEnumerator()) + { + $stigException = $stigExceptions.Where({$_.StigRuleId -eq $hash.Key}) + $stigException.StigRuleId | Should Be $hash.Key + + foreach ($property in $hash.Value.GetEnumerator()) + { + $stigProperty = $stigException.Properties.Where({$_.Name -eq $property.Key}) + $stigProperty.Name | Should Be $property.Key + $stigProperty.Value | Should Be $property.Value + } + } + + $skippedRuleTypes = $stigData.SkippedRuleTypes + foreach ($type in $skippedRuleTypeArray) + { + $skippedRuleType = $skippedRuleTypes.Where( {$_.StigRuleType.ToString() -eq $type}) + $skippedRuleType.StigRuleType | Should Be $type + } + + $skippedRules = $stigData.SkippedRules + foreach ($rule in $skippedRuleArray) + { + $skippedRule = $skippedRules.Where( {$_.StigRuleId -eq $rule}) + $skippedRule.StigRuleId | Should Be $rule + } + } + + It "Should create an StigData class with the highest available version because no StigVersion was provided" { + 
$stigData = [StigData]::new($null, $orgSettings, $technology, $technologyRole, $technologyVersion, $stigExceptions, $skippedRuleTypes, $skippedRules) + + $stigData.StigVersion | Should Not Be $null + } + + It "Should throw an exception when Technology is Null" { + { [StigData]::new($stigVersion, $orgSettings, $null, $technologyRole, $technologyVersion, $stigExceptions, $skippedRuleTypes, $skippedRules) } ` + | Should Throw + } + + It "Should throw an exception when TechnologyVersion is Null" { + { [StigData]::new($stigVersion, $orgSettings, $technology, $technologyRole, $null, $stigExceptions, $skippedRuleTypes, $skippedRules) } ` + | Should Throw + } + + It "Should throw an exception when TechnologyRole is Null" { + { [StigData]::new($stigVersion, $orgSettings, $technology, $null, $technologyVersion, $stigExceptions, $skippedRuleTypes, $skippedRules) } ` + | Should Throw + } + + It "Should throw an exception because no Stig exists in PowerStig for the Technology, TechnologyVersion, and TechnologyRole that were provided" { + $technology = New-Object -TypeName Technology + $technology.Name = "Cheeseburger" + + { [StigData]::new($stigVersion, $orgSettings, $technology, $technologyRole, $technologyVersion, $stigExceptions, $skippedRuleTypes, $skippedRules) } ` + | Should Throw + } + } + + Context "Instance Methods" { + It "SetStigPath: Should be able to determine the StigPath for the provided valid set of Technology, TechnologyVersion, TechnologyRole, and StigVersion" { + $stigData = New-Object -TypeName StigData + $stigData.StigVersion = $stigVersion + $stigData.Technology = $technology + $stigData.TechnologyVersion = $technologyVersion + $stigData.TechnologyRole = $technologyRole + + $stigData.SetStigPath() + $stigData.StigPath | Should Be "$([StigData]::GetRootPath())\$($technology.Name)-$($technologyVersion.Name)-$($technologyRole.Name)-$($stigVersion).xml" + } + + It "SetStigPath: Should throw an exception if it is unable to find a matching Stig for the provided 
Technology, TechnologyVersion, TechnologyRole, and StigVersion" { + $stigData = New-Object -TypeName StigData + $stigData.StigVersion = $stigVersion + $technology = New-Object -TypeName Technology + $technology.Name = "Cheeseburger" + $stigData.Technology = $technology + $stigData.TechnologyVersion = $technologyVersion + $stigData.TechnologyRole = $technologyRole + + { $stigData.SetStigPath() } | Should Throw + } + + It "ProcessStigData: Should load the Stig Xml document from the filesystem into the StigXml property" { + $stigData = New-Object -TypeName StigData + $stigData.StigVersion = $stigVersion + $stigData.Technology = $technology + $stigData.TechnologyVersion = $technologyVersion + $stigData.TechnologyRole = $technologyRole + + $stigData.SetStigPath() + $stigData.StigXml | Should Be $null + + $stigData.ProcessStigData() + $stigData.StigXml | Should Not Be $null + } + + It "MergeOrganizationalSettings: Should merge the default organizational settings into instance OrganizationalSettings when no OrganizationalSettings is provided for a Stig that requires them" { + $stigData = [StigData]::new($stigVersion, $null, $technology, $technologyRole, $technologyVersion, $stigExceptions, $skippedRuleTypes, $skippedRules) + + $stigData.OrganizationalSettings | Should Not Be $null + $stigData.OrganizationalSettings.Length | Should BeGreaterThan 0 + } + + It "MergeOrganizationalSettings: Should merge provided settings into instance OrganizationalSettings for a Stig that requires them" { + $stigData = [StigData]::new($stigVersion, $orgSettings, $technology, $technologyRole, $technologyVersion, $stigExceptions, $skippedRuleTypes, $skippedRules) + + $organizationalSettings = $stigData.OrganizationalSettings + foreach ($hash in $orgSettingHashtable.GetEnumerator()) + { + $orgSetting = $organizationalSettings.Where( {$_.StigRuleId -eq $hash.Key}) + $orgSetting.StigRuleId | Should Be $hash.Key + $orgSetting.Value | Should Be $hash.Value + } + } + + It 
"MergeOrganizationalSettings: Should merge instance OrganizationalSettings into StigXml" { + $stigData = [StigData]::new($stigVersion, $orgSettings, $technology, $technologyRole, $technologyVersion, $stigExceptions, $skippedRuleTypes, $skippedRules) + + $propertyMap = [OrganizationalSetting]::PropertyMap() + + foreach ($rule in $stigData.OrganizationalSettings) + { + $ruleToCheck = ( $stigData.StigXml.DISASTIG | Select-Xml -XPath "//Rule[@id='$( $rule.StigRuleId )']" -ErrorAction Stop ).Node + + if ($null -ne $ruleToCheck) + { + $ParentNodeName = $ruleToCheck.ParentNode.Name + if ($ParentNodeName -ne "SkipRule") { + $OverridePropertyName = $propertyMap.$ParentNodeName + $ruleToCheck.$OverridePropertyName | Should Be $rule.Value + } + } + } + } + + It "MergeOrganizationalSettings: Should pass schema testing after organizational settings have been merged" { + $stigData = [StigData]::new($stigVersion, $orgSettings, $technology, $technologyRole, $technologyVersion, $null, $null, $null) + + { Test-Xml -Xml $stigData.StigXml -SchemaFile $SchemaFile } | Should Not Throw + } + + It "MergeStigExceptions: Should merge the supplied stig exceptions when StigExceptions is not Null" { + $stigData = [StigData]::new($stigVersion, $null, $technology, $technologyRole, $technologyVersion, $stigExceptions, $null, $null) + + foreach ($exception in $stigData.StigExceptions) + { + $ruleToCheck = ( $stigData.StigXml.DISASTIG | Select-Xml -XPath "//Rule[@id='$( $exception.StigRuleId )']" -ErrorAction Stop ).Node + + if ($null -ne $ruleToCheck) + { + $ParentNodeName = $ruleToCheck.ParentNode.Name + if ($ParentNodeName -ne "SkipRule") { + foreach ($property in $exception.Properties) { + $ruleToCheck.$($property.Name) | Should Be $property.Value + } + } + } + } + } + + It "MergeStigExceptions: Should pass schema testing after stig exceptions have been merged" { + $stigData = [StigData]::new($stigVersion, $null, $technology, $technologyRole, $technologyVersion, $stigExceptions, $null, $null) + 
+ { Test-Xml -Xml $stigData.StigXml -SchemaFile $SchemaFile } | Should Not Throw + } + + It "ProcessSkippedRuleTypes: Should process the supplied skipped rule types when SkippedRuleTypes is not Null" { + $stigData = [StigData]::new($stigVersion, $null, $technology, $technologyRole, $technologyVersion, $null, $skippedRuleTypes, $null) + + $stigData.SkippedRules | Should Not Be $null + $stigData.SkippedRules.Length | Should BeGreaterThan 0 + } + + It "MergeSkippedRules: Should merge the supplied skipped rules when SkippedRules is not Null" { + $stigData = [StigData]::new($stigVersion, $null, $technology, $technologyRole, $technologyVersion, $null, $skippedRuleTypes, $skippedRules) + + foreach ($skippedRule in $stigData.SkippedRules) + { + $ruleToCheck = ( $stigData.StigXml.DISASTIG.SkipRule | Select-Xml -XPath "//Rule[@id='$( $skippedRule.StigRuleId )']" -ErrorAction Stop ).Node + + $ruleToCheck | Should Not Be $null + } + } + + It "MergeSkippedRules: Should pass schema testing after skipped rules have been merged" { + $stigData = [StigData]::new($stigVersion, $null, $technology, $technologyRole, $technologyVersion, $null, $skippedRuleTypes, $skippedRules) + + { Test-Xml -Xml $stigData.StigXml -SchemaFile $SchemaFile } | Should Not Throw + } + + It "Should pass schema testing after with values passed in to all parameters" { + $stigData = [StigData]::new($stigVersion, $orgSettings, $technology, $technologyRole, $technologyVersion, $stigExceptions, $skippedRuleTypes, $skippedRules) + + { Test-Xml -Xml $stigData.StigXml -SchemaFile $SchemaFile } | Should Not Throw + } + } +} diff --git a/tests/unit/Class/StigException.tests.ps1 b/tests/unit/Class/StigException.tests.ps1 new file mode 100644 index 000000000..7ba08ac6f --- /dev/null +++ b/tests/unit/Class/StigException.tests.ps1 
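Review bot: In the `MergeSkippedRules` test the XPath `//Rule[@id='...']` is absolute, so although it is evaluated against `$stigData.StigXml.DISASTIG.SkipRule` it matches the rule anywhere in the document, and the `Should Not Be $null` holds whether or not the rule was actually moved under SkipRule; use a relative path, `-XPath "./Rule[@id='$( $skippedRule.StigRuleId )']"`, so the assertion exercises the merge. The `MergeOrganizationalSettings` and `MergeStigExceptions` loops skip silently when `$ruleToCheck` is `$null`, so a fixture id that is absent from the loaded STIG is never reported; if every id in the fixtures is expected to exist in the 2012R2 DC STIG, asserting `$ruleToCheck | Should Not Be $null` before the `if` would surface a silent mismatch. The rule ids are interpolated straight into XPath strings, which is fine for these fixed fixtures, but a short comment noting that ids containing a quote would need escaping is worth adding before the pattern is copied somewhere with caller-supplied ids.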
@@ -0,0 +1,73 @@ +using module .\..\..\..\src\Class\StigException.psm1 +using module .\..\..\..\src\Class\StigProperty.psm1 + +$StigException1StigRuleId = 'V-26606' +$StigException1StigProperty1 = [StigProperty]::new('ServiceState', 'Running') +$StigException1StigProperty2 = [StigProperty]::new('StartupType', 'Automatic') +$StigException1StigProperty = @($StigException1StigProperty1, $StigException1StigProperty2) + +$StigExceptionAddMethodStigProperty1 = [StigProperty]::new('ServiceState', 'Running') +$StigExceptionAddMethodNameValue1 = @{'Name'='ServiceState';'Value'='Running'} + +[hashtable] $StigExceptionHashtable = +@{ + "V-26606" = @{'ServiceState' = 'Running'; + 'StartupType'= 'Automatic'}; + "V-15683" = @{'ValueData' = '1'}; + "V-26477" = @{'Identity' = 'Administrators'}; +} + +Describe "StigException Class" { + + Context "Constructor" { + + It "Should create an StigException class instance using StigException1 data" { + $StigException = [StigException]::new($StigException1StigRuleId, $StigException1StigProperty) + $StigException.StigRuleId | Should Be $StigException1StigRuleId + $StigException.Properties | Should Be $StigException1StigProperty + } + } + + Context "Instance Methods" { + It "AddProperty: Should be able to add a StigProperty instance." { + $StigException = [StigException]::new() + $StigException.StigRuleId = $StigException1StigRuleId + $StigException.AddProperty($StigExceptionAddMethodStigProperty1) + + $StigProperties = $StigException.Properties + $StigProperty = $StigProperties.Where( {$_.Name -eq $StigExceptionAddMethodStigProperty1.Name}) + $StigProperty.Name | Should Be $StigExceptionAddMethodStigProperty1.Name + $StigProperty.Value | Should Be $StigExceptionAddMethodStigProperty1.Value + } + + It "AddProperty: Should be able to add a StigProperty equivalent Name/Value pair." 
{ + $StigException = [StigException]::new() + $StigException.StigRuleId = $StigException1StigRuleId + $StigException.AddProperty($StigExceptionAddMethodNameValue1.Name, $StigExceptionAddMethodNameValue1.Value) + + $StigProperties = $StigException.Properties + $StigProperty = $StigProperties.Where( {$_.Name -eq $StigExceptionAddMethodNameValue1.Name}) + $StigProperty.Name | Should Be $StigExceptionAddMethodNameValue1.Name + $StigProperty.Value | Should Be $StigExceptionAddMethodNameValue1.Value + } + } + + Context "Static Methods" { + It "ConvertFrom: Should be able to convert an Hashtable to a StigException array" { + $StigExceptions = [StigException]::ConvertFrom($StigExceptionHashtable) + + foreach ($hash in $StigExceptionHashtable.GetEnumerator()) + { + $stigException = $StigExceptions.Where({$_.StigRuleId -eq $hash.Key}) + $stigException.StigRuleId | Should Be $hash.Key + + foreach ($property in $hash.Value.GetEnumerator()) + { + $stigProperty = $stigException.Properties.Where({$_.Name -eq $property.Key}) + $stigProperty.Name | Should Be $property.Key + $stigProperty.Value | Should Be $property.Value + } + } + } + } +} diff --git a/tests/unit/Class/StigProperty.tests.ps1 b/tests/unit/Class/StigProperty.tests.ps1 new file mode 100644 index 000000000..57d1612ea --- /dev/null +++ b/tests/unit/Class/StigProperty.tests.ps1 @@ -0,0 +1,22 @@ +using module .\..\..\..\src\Class\StigProperty.psm1 + +$StigPropertyTest = +@{ + 'ValueData' = '2'; + 'Identity' = 'Administrators,Local Service' +} + +Describe "StigProperty Class" { + + Context "Constructor" { + + It "Should create an StigProperty class instance using StigProperty1 data" { + foreach ($property in $StigPropertyTest.GetEnumerator()) + { + $stigProperty = [StigProperty]::new($property.Key, $property.Value) + $stigProperty.Name | Should Be $property.Key + $stigProperty.Value | Should Be $property.Value + } + } + } +} 
diff --git a/tests/unit/Class/Technology.tests.ps1 b/tests/unit/Class/Technology.tests.ps1 new file mode 100644 index 000000000..378804ce6 --- /dev/null +++ b/tests/unit/Class/Technology.tests.ps1 @@ -0,0 +1,60 @@ +using module .\..\..\..\src\Class\Technology.psm1 + +$testValidateSet = @('Windows','SQL') + +$invalidName = 'Cheeseburger' + + +Describe "Technology Class" { + Context "Constructor" { + foreach ($technology in $TestValidateSet) + { + It "Should create an Technology class instance using $technology data" { + $newTechnology = [Technology]::new($technology) + $newTechnology.Name | Should Be $technology + } + } + + It "Should throw an exception for Technology not being available: " { + { [Technology]::new($InvalidName) } | Should Throw + } + } + + Context "Static Properties" { + It "ValidateSet: Should match TestValidateSet to static ValidateSet property" { + $ValidateSet = [Technology]::ValidateSet + foreach ($Tech in $ValidateSet) + { + $match = $TestValidateSet.Where({$_ -eq $Tech}) + $match | Should Be $Tech + } + } + } + + Context "Instance Methods" { + + foreach ($technology in $TestValidateSet) + { + It "Validate: Should be able to validate $technology TechnologyRole. Valid property config." { + $newTechnology = [Technology]::new() + $newTechnology.Name = $technology + $newTechnology.Validate() | Should Be $true + } + } + + It "Validate: Should be able to validate $technology TechnologyRole. Invalid property config." { + $technology = [Technology]::new() + $technology.Name = $InvalidName + $technology.Validate() | Should Be $false + } + } + + Context "Static Methods" { + It "Available: Should be able to return available technologies" { + $validateSet = [Technology]::ValidateSet + $available = [Technology]::Available() + + $available | Should Be $validateSet + } + } +} diff --git a/tests/unit/Class/TechnologyRole.tests.ps1 b/tests/unit/Class/TechnologyRole.tests.ps1 new file mode 100644 index 000000000..ebcad215b --- /dev/null 
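Review bot: The `It` name for the invalid `Validate` case interpolates `$technology`, which at that point still holds the last element of the preceding `foreach` (`'SQL'`), so the report reads "Should be able to validate SQL TechnologyRole. Invalid property config." while the body validates `'Cheeseburger'`; use the fixture instead, `It "Validate: Should return false for $InvalidName. Invalid property config."`. The same names say "TechnologyRole" although this file tests `Technology`, and the throw test name ends in a dangling `: ` with nothing after it, presumably a missing `$InvalidName`. `$available | Should Be $validateSet` compares two arrays, and how `Should Be` treats arrays depends on the Pester version in use, so pairing it with `$available.Count | Should Be $validateSet.Count` makes the intent explicit.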
+++ b/tests/unit/Class/TechnologyRole.tests.ps1 
@@ -0,0 +1,92 @@
+using module .\..\..\..\src\Class\Technology.psm1
+using module .\..\..\..\src\Class\TechnologyVersion.psm1
+using module .\..\..\..\src\Class\technologyRole.psm1
+
+$technologyRole1 = 'DNS'
+$technologyRole2 = 'ADDomain'
+$technologyRole3 = 'Instance'
+
+$Technology1 = [Technology]::new('Windows')
+$Technology2 = [Technology]::new('SQL')
+
+$technologyVersion1 = [TechnologyVersion]::new('2012R2', $Technology1)
+$technologyVersion2 = [TechnologyVersion]::new('All', $Technology1)
+$technologyVersion3 = [TechnologyVersion]::new('Server2012', $Technology2)
+
+$TestValidateSet = @"
+2012R2 = DNS, DC, MS, IISSite
+All = ADDomain, ADForest, FW, IE11
+Server2012 = Instance, Database
+"@
+
+$TestValidSetData = ConvertFrom-StringData -StringData $TestValidateSet
+
+$InvalidName = 'Cheeseburger'
+
+Describe "technologyRole Class" {
+
+ Context "Constructor" {
+ It "Should create an technologyRole class instance using technologyRole1 and technologyVersion1 data" {
+ $technologyRole = [technologyRole]::new($technologyRole1, $technologyVersion1)
+ $technologyRole.Name | Should Be $technologyRole1
+ $technologyRole.TechnologyVersion | Should Be $technologyVersion1
+ }
+
+ It "Should create an technologyRole class instance using technologyRole2 and technologyVersion2 data" {
+ $technologyRole = [technologyRole]::new($technologyRole2, $technologyVersion2)
+ $technologyRole.Name | Should Be $technologyRole2
+ $technologyRole.TechnologyVersion | Should Be $technologyVersion2
+ }
+
+ It "Should create an technologyRole class instance using technologyRole3 and technologyVersion3 data" {
+ $technologyRole = [technologyRole]::new($technologyRole3, $technologyVersion3)
+ $technologyRole.Name | Should Be $technologyRole3
+ $technologyRole.TechnologyVersion | Should Be $technologyVersion3
+ }
+
+ It "Should throw an exception for technologyRole not being available for TechnologyVersion: 2012R2 -> ADDomain" {
+ { [technologyRole]::new($technologyRole1, $technologyVersion2) } | Should Throw
+ }
+
+ It "Should throw an exception for technologyRole not being available for TechnologyVersion: All -> DNS" {
+ { [technologyRole]::new($technologyRole2, $technologyVersion1) } | Should Throw
+ }
+
+ It "Should throw an exception for technologyRole not being available for TechnologyVersion: 2012R2 -> DNS" {
+ { [technologyRole]::new($technologyRole2, $technologyVersion3) } | Should Throw
+ }
+ }
+
+ Context "Static Properties" {
+ It "ValidateSet: Should match TestValidateSet to static ValidateSet property" {
+ [technologyRole]::ValidateSet | Should Be $TestValidateSet
+ }
+ }
+
+ Context "Instance Methods" {
+ It "Validate: Should be able to validate a technologyRole. Valid property config." {
+ $technologyRole = [technologyRole]::new()
+ $technologyRole.Name = $technologyRole1
+ $technologyRole.TechnologyVersion = $technologyVersion1
+ $technologyRole.Validate() | Should Be $true
+ }
+
+ It "Validate: Should be able to validate a technologyRole. Invalid property config." {
+ $technologyRole = [technologyRole]::new()
+ $technologyRole.Name = $technologyRole1
+ $technologyRole.TechnologyVersion = $technologyVersion2
+ $technologyRole.Validate() | Should Be $false
+ }
+ }
+
+ Context "Static Methods" {
+ It "Available: Should be able to return available roles. Valid TechnologyVersion parameter." {
+ $ValidVersion = $technologyVersion1.Name
+ [technologyRole]::Available($ValidVersion) | Should Be $TestValidSetData.$ValidVersion.Split(',').Trim()
+ }
+
+ It "Available: Should throw an exception that no roles are available for an unsupported version." {
+ { [technologyRole]::Available($InvalidName) } | Should Throw
+ }
+ }
+}
diff --git a/tests/unit/Class/TechnologyVersion.tests.ps1 b/tests/unit/Class/TechnologyVersion.tests.ps1
new file mode 100644
index 000000000..ff6ee79ba
--- /dev/null
+++ b/tests/unit/Class/TechnologyVersion.tests.ps1
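Review bot: The three rejection titles do not match the pairs they test — the first says `2012R2 -> ADDomain` but constructs DNS (`$technologyRole1`) on `All` (`$technologyVersion2`), the second says `All -> DNS` but constructs ADDomain on `2012R2`, and the third says `2012R2 -> DNS` but constructs ADDomain on `Server2012` — so a failure report points at the wrong combination; retitle them `All -> DNS`, `2012R2 -> ADDomain` and `Server2012 -> ADDomain` respectively. Because each `Should Throw` accepts any exception, a constructor that fails for an unrelated reason (a null `TechnologyVersion`, say) also satisfies these cases; pin the expected message text. The third `using module` path is spelled `technologyRole.psm1` while the other two imports and the class name use `TechnologyRole`; that resolves on a case-insensitive file system but would not on a case-sensitive one, so match the on-disk casing.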
@@ -0,0 +1,81 @@
+using module .\..\..\..\src\Class\Technology.psm1
+using module .\..\..\..\src\Class\TechnologyVersion.psm1
+using module .\..\..\..\src\Class\TechnologyRole.psm1
+
+$TechnologyVersion1 = 'All'
+$TechnologyVersion2 = '2012R2'
+$TechnologyVersion3 = 'Server2012'
+
+$Technology1 = [Technology]::new('Windows')
+$Technology2 = [Technology]::new('SQL')
+
+$TestValidateSet = @"
+Windows = All, 2012R2
+SQL = Server2012
+"@
+
+$TestValidSetData = ConvertFrom-StringData -StringData $TestValidateSet
+
+$InvalidName = 'Cheeseburger'
+
+Describe "TechnologyVersion Class" {
+
+ Context "Constructor" {
+
+ It "Should create an TechnologyVersion class instance using Technology1 and TechnologyVersion1 data" {
+ $TechnologyVersion = [TechnologyVersion]::new($TechnologyVersion1, $Technology1)
+ $TechnologyVersion.Name | Should Be $TechnologyVersion1
+ $TechnologyVersion.Technology | Should Be $Technology1
+ }
+
+ It "Should create an TechnologyRole class instance using TechnologyRole2 and TechnologyVersion2 data" {
+ $TechnologyVersion = [TechnologyVersion]::new($TechnologyVersion2, $Technology1)
+ $TechnologyVersion.Name | Should Be $TechnologyVersion2
+ $TechnologyVersion.Technology | Should Be $Technology1
+ }
+
+ It "Should create an TechnologyRole class instance using TechnologyRole3 and TechnologyVersion3 data" {
+ $TechnologyVersion = [TechnologyVersion]::new($TechnologyVersion3, $Technology2)
+ $TechnologyVersion.Name | Should Be $TechnologyVersion3
+ $TechnologyVersion.Technology | Should Be $Technology2
+ }
+
+ It "Should throw an exception for TechnologyRole not being available for TechnologyVersion: Windows -> Cheeseburger" {
+ { [TechnologyVersion]::new($InvalidName, $Technology1) } | Should Throw
+ }
+ }
+
+ Context "Static Properties" {
+ It "ValidateSet: Should match TestValidateSet to static ValidateSet property" {
+ [TechnologyVersion]::ValidateSet | Should Be $TestValidateSet
+ }
+ }
+
+ Context "Instance Methods" {
+ It "Validate: Should be able to validate a TechnologyVersion. Valid property config." {
+ $TechnologyVersion = [TechnologyVersion]::new()
+ $TechnologyVersion.Name = $TechnologyVersion1
+ $TechnologyVersion.Technology = $Technology1
+ $TechnologyVersion.Validate() | Should Be $true
+ }
+
+ It "Validate: Should be able to validate a TechnologyVersion. Invalid property config." {
+ $TechnologyVersion = [TechnologyVersion]::new()
+ $TechnologyVersion.Name = $InvalidName
+ $TechnologyVersion.Technology = $Technology1
+ $TechnologyVersion.Validate() | Should Be $false
+ }
+ }
+
+ Context "Static Methods" {
+ It "Available: Should be able to return available roles. Valid TechnologyVersion parameter." {
+ $ValidVersion = $Technology1.Name
+ [TechnologyVersion]::Available($ValidVersion) | Should Be $TestValidSetData.$ValidVersion.Split(',').Trim()
+ }
+
+ It "Available: Should throw an exception that no roles are available for an unsupported version." {
+ $InvalidTechnology = $InvalidName
+ { [TechnologyVersion]::Available($InvalidTechnology) } | Should Throw
+ }
+ }
+}
diff --git a/tests/unit/Common/Get-DomainName.tests.ps1 b/tests/unit/Common/Get-DomainName.tests.ps1
new file mode 100644
index 000000000..0a1e2bcb5
--- /dev/null
+++ b/tests/unit/Common/Get-DomainName.tests.ps1
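Review bot: Several titles were carried over from the TechnologyRole tests and describe the wrong subject: the second and third constructor cases say `TechnologyRole class instance using TechnologyRole2/3` while they build a `TechnologyVersion` from `$TechnologyVersion2`/`$TechnologyVersion3`, the rejection case says `TechnologyRole not being available for TechnologyVersion: Windows -> Cheeseburger` when it is a version being rejected for a technology, and both `Available` titles speak of 'roles' and a 'TechnologyVersion parameter' although the call takes a technology name and returns versions. Retitle them so a failure names the real contract, e.g. `"Available: Should return the available versions for a valid Technology."` and `"Should throw when the TechnologyVersion is not available for the Technology: Windows -> Cheeseburger"`. As in the sibling class tests, `Should Throw` without an expected message also passes on an unrelated error, so give it the message fragment the validation is meant to produce.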
@@ -0,0 +1,95 @@
+[string] $sut = $MyInvocation.MyCommand.Path -replace '\\tests\\','\src\' `
+-replace '\.tests\.ps1','.ps1' `
+-replace '\\unit\\','\'
+
+Import-Module $sut -Force
+
+Describe 'Get-DomainName' {
+
+ Context 'Domain Name' {
+
+ It 'Should return the FQDN of the host domain name if one is not povided.' {
+ Mock -CommandName Get-DomainFQDN -MockWith {return 'Contoso.com'}
+ Get-DomainName -DomainName $null | Should Be 'Contoso.com'
+ }
+
+ It 'Should return the FQDN by default.' {
+ Get-DomainName -DomainName 'Contoso.com' | Should Be 'Contoso.com'
+ }
+
+ It 'Should return the FQDN name of the FQDN that is provided.' {
+ Get-DomainName -DomainName 'Contoso.com' -Format 'FQDN' | Should Be 'Contoso.com'
+ }
+
+ It 'Should return the netbios name of the FQDN that is provided.' {
+ Get-DomainName -DomainName 'Contoso.com' -Format 'NetbiosName' | Should Be 'Contoso'
+ }
+
+ It 'Should return the distinguished name of the FQDN that is provided.' {
+ Get-DomainName -DomainName 'Contoso.com' -Format 'DistinguishedName' | Should Be 'DC=Contoso,DC=com'
+ }
+ }
+
+ Context 'Forest Name' {
+
+ It 'Should return the FQDN of the host root domain name if one is not povided.' {
+ Mock -CommandName Get-ForestFQDN -MockWith {'forest.root'}
+ Get-DomainName -ForestName $null | Should Be 'forest.root'
+ }
+
+ It 'Should return the FQDN by default.' {
+ Get-DomainName -ForestName 'Contoso.com' | Should Be 'Contoso.com'
+ }
+
+ It 'Should return the FQDN name of the FQDN that is provided.' {
+ Get-DomainName -ForestName 'Contoso.com' -Format 'FQDN' | Should Be 'Contoso.com'
+ }
+
+ It 'Should return the netbios name of the FQDN that is provided.' {
+ Get-DomainName -ForestName 'Contoso.com' -Format 'NetbiosName' | Should Be 'Contoso'
+ }
+
+ It 'Should return the distinguished name of the FQDN that is provided.' {
+ Get-DomainName -ForestName 'Contoso.com' -Format 'DistinguishedName' | Should Be 'DC=Contoso,DC=com'
+ }
+ }
+}
+
+Describe 'Get-NetbiosName' {
+
+ It 'Should return the Netbios Name from a fqdn' {
+ Get-NetbiosName -FQDN 'Contoso.com' | Should Be 'Contoso'
+ }
+
+ It 'Should return the Netbios Name from a short name' {
+ Get-NetbiosName -FQDN 'Contoso' | Should Be 'Contoso'
+ }
+
+ It 'Should return the Netbios Name from a child domain fqdn ' {
+ Get-NetbiosName -FQDN 'Child.Contoso.com' | Should Be 'Child'
+ }
+}
+
+Describe 'Get-DistinguishedName' {
+
+ It 'Should return a Distinguished Name' {
+ Get-DistinguishedName -FQDN 'Contoso.com' | Should Be 'DC=Contoso,DC=com'
+ }
+
+ It 'Should return a Distinguished Name' {
+ Get-DistinguishedName -FQDN 'Contoso' | Should Be 'DC=Contoso'
+ }
+}
+
+Describe 'Format-DistinguishedName' {
+
+ It 'Should join array into an DN' {
+ Format-DistinguishedName -Parts @('child','test','com') | Should Be 'dc=child,dc=test,dc=com'
+ }
+}
+Describe 'Get-DomainParts' {
+
+ It 'Should split the fqdn into an array' {
+ Get-DomainParts -FQDN 'child.test.com' | Should Be @('child','test','com')
+ }
+}
diff --git a/tests/unit/Common/Get-OrgSettingsObject.tests.ps1 b/tests/unit/Common/Get-OrgSettingsObject.tests.ps1
new file mode 100644
index 000000000..2c680889a
--- /dev/null
+++ b/tests/unit/Common/Get-OrgSettingsObject.tests.ps1
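Review bot: The two `Mock -CommandName Get-DomainFQDN` / `Get-ForestFQDN` calls carry no `-ModuleName`, yet `$sut` is loaded with `Import-Module`, so the functions under test resolve those helpers inside the module's own scope; Pester only redirects a call made from inside a module when the mock names that module (or sits in `InModuleScope`), so these two 'if one is not provided' cases appear to run the real lookups and pass only on a host whose domain is Contoso.com / forest.root — add `-ModuleName` with the imported module's name. `Get-DistinguishedName` and `Format-DistinguishedName` turn caller-supplied labels into an LDAP DN, but no case covers a label holding a DN-special character (`,`, `=`, `+`, `"`, `\`, `<`, `>`, `;`, leading `#`); whether the implementation escapes per RFC 4514 is not visible from this file, and a case such as `Get-DistinguishedName -FQDN 'a,b.com'` would pin that down before such a value is used in a directory query. `Should Be` compares case-insensitively, so the `DC=` versus `dc=` disagreement between the `Get-DistinguishedName` and `Format-DistinguishedName` expectations goes unnoticed; `Should BeExactly` would surface which casing the module actually emits. The titles also misspell 'provided' as 'povided'.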
@@ -0,0 +1,126 @@
+[string] $sut = $MyInvocation.MyCommand.Path -replace '\\tests\\','\src\' `
+-replace '\.tests\.ps1','.ps1' `
+-replace '\\unit\\','\'
+
+Import-Module $sut
+
+[xml] $OrgSettingXml =
+@"
+
+
+
+
+
+
+
+
+
+
+
+
+"@
+
+[hashtable] $OrgSettingHashtable =
+@{
+ "V-1114" = "xGuest";
+ "V-1115" = "xAdministrator";
+ "V-3472.a" = "NT5DS";
+ "V-4108" = "90";
+ "V-4113" = "300000";
+ "V-8322.b" = "NT5DS";
+ "V-26482" = "Administrators";
+ "V-26579" = "32768";
+ "V-26580" = "196608";
+ "V-26581" = "32768"
+}
+
+Describe "Function Get-OrgSettingsObject" {
+
+ It "Should be able to convert an Xml document to a OrganizationalSetting array" {
+ $OrgSettingArray = Get-OrgSettingsObject -OrgSettings $OrgSettingXml
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-1114"})
+ $OrgSetting.StigRuleId | Should Be "V-1114"
+ $OrgSetting.Value | Should Be "xGuest"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-1115"})
+ $OrgSetting.StigRuleId | Should Be "V-1115"
+ $OrgSetting.Value | Should Be "xAdministrator"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-3472.a"})
+ $OrgSetting.StigRuleId | Should Be "V-3472.a"
+ $OrgSetting.Value | Should Be "NT5DS"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-4108"})
+ $OrgSetting.StigRuleId | Should Be "V-4108"
+ $OrgSetting.Value | Should Be "90"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-4113"})
+ $OrgSetting.StigRuleId | Should Be "V-4113"
+ $OrgSetting.Value | Should Be "300000"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-8322.b"})
+ $OrgSetting.StigRuleId | Should Be "V-8322.b"
+ $OrgSetting.Value | Should Be "NT5DS"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-26482"})
+ $OrgSetting.StigRuleId | Should Be "V-26482"
+ $OrgSetting.Value | Should Be "Administrators"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-26579"})
+ $OrgSetting.StigRuleId | Should Be "V-26579"
+ $OrgSetting.Value | Should Be "32768"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-26580"})
+ $OrgSetting.StigRuleId | Should Be "V-26580"
+ $OrgSetting.Value | Should Be "196608"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-26581"})
+ $OrgSetting.StigRuleId | Should Be "V-26581"
+ $OrgSetting.Value | Should Be "32768"
+ }
+
+ It "Should be able to convert a Hashtable to a OrganizationalSetting array" {
+ $OrgSettingArray = Get-OrgSettingsObject -OrgSettings $OrgSettingHashtable
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-1114"})
+ $OrgSetting.StigRuleId | Should Be "V-1114"
+ $OrgSetting.Value | Should Be "xGuest"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-1115"})
+ $OrgSetting.StigRuleId | Should Be "V-1115"
+ $OrgSetting.Value | Should Be "xAdministrator"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-3472.a"})
+ $OrgSetting.StigRuleId | Should Be "V-3472.a"
+ $OrgSetting.Value | Should Be "NT5DS"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-4108"})
+ $OrgSetting.StigRuleId | Should Be "V-4108"
+ $OrgSetting.Value | Should Be "90"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-4113"})
+ $OrgSetting.StigRuleId | Should Be "V-4113"
+ $OrgSetting.Value | Should Be "300000"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-8322.b"})
+ $OrgSetting.StigRuleId | Should Be "V-8322.b"
+ $OrgSetting.Value | Should Be "NT5DS"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-26482"})
+ $OrgSetting.StigRuleId | Should Be "V-26482"
+ $OrgSetting.Value | Should Be "Administrators"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-26579"})
+ $OrgSetting.StigRuleId | Should Be "V-26579"
+ $OrgSetting.Value | Should Be "32768"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-26580"})
+ $OrgSetting.StigRuleId | Should Be "V-26580"
+ $OrgSetting.Value | Should Be "196608"
+
+ $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq "V-26581"})
+ $OrgSetting.StigRuleId | Should Be "V-26581"
+ $OrgSetting.Value | Should Be "32768"
+ }
+}
diff --git a/tests/unit/Common/Get-StigList.tests.ps1 b/tests/unit/Common/Get-StigList.tests.ps1
new file mode 100644
index 000000000..f2b5f41fb
--- /dev/null
+++ b/tests/unit/Common/Get-StigList.tests.ps1
@@ -0,0 +1,12 @@
+[string] $sut = $MyInvocation.MyCommand.Path -replace '\\tests\\','\src\' `
+-replace '\.tests\.ps1','.ps1' `
+-replace '\\unit\\','\'
+
+Import-Module $sut
+
+Describe "Function Get-StigList" {
+
+ It "Should be able to output a table of available STIGs and their associated StigVersion, Technology, TechnologyVersion, and TechnologyRole" {
+ Get-StigList | Should Not Be $null
+ }
+}
diff --git a/tests/unit/common.tests.ps1 b/tests/unit/common.tests.ps1
new file mode 100644
index 000000000..4c0cb4a1e
--- /dev/null
+++ b/tests/unit/common.tests.ps1
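Review bot: Both `It` blocks spell out the same three-line lookup twenty times by hand, and the expected pairs are exactly the keys and values of `$OrgSettingHashtable`, so a loop over that table keeps the XML and hashtable expectations in lock-step and makes a new rule a one-line addition; nothing here checks that the returned array carries no extra entries either, so a count assertion is worth adding. This file also loads `$sut` with a bare `Import-Module` while `Get-DomainName.tests.ps1` uses `-Force`, so a copy of the module already in the session is not reloaded and a stale build can be what gets tested. The rewritten body of the XML case is below; the hashtable case takes the same loop.
```powershell
$OrgSettingArray = Get-OrgSettingsObject -OrgSettings $OrgSettingXml
$OrgSettingArray.Count | Should Be $OrgSettingHashtable.Count

foreach ($expected in $OrgSettingHashtable.GetEnumerator())
{
    $OrgSetting = $OrgSettingArray.Where({$_.StigRuleId -eq $expected.Key})
    $OrgSetting.StigRuleId | Should Be $expected.Key
    $OrgSetting.Value | Should Be $expected.Value
}
# … unchanged: the Hashtable It block applies the same loop to Get-OrgSettingsObject -OrgSettings $OrgSettingHashtable …
```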
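Review bot: `Get-StigList | Should Not Be $null` only proves that something was emitted, while the title promises a table carrying StigVersion, Technology, TechnologyVersion and TechnologyRole; assert the shape instead, e.g. `$list = @(Get-StigList); $list.Count | Should BeGreaterThan 0` followed by `foreach ($p in 'StigVersion','Technology','TechnologyVersion','TechnologyRole') { $list[0].PSObject.Properties.Name -contains $p | Should Be $true }`. As in the sibling Common tests, `Import-Module $sut` without `-Force` leaves an already-loaded copy of the module under test rather than the file on disk.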
@@ -0,0 +1,292 @@
+# Pulled from https://github.com/PowerShell/DscConfiguration.Tests
+
+<#
+ PSSA = PS Script Analyzer
+ Only the first and last tests here will pass/fail correctly at the moment. The other 3 tests
+ will currently always pass, but print warnings based on the problems they find.
+ These automatic passes are here to give contributors time to fix the PSSA
+ problems before we turn on these tests. These 'automatic passes' should be removed
+ along with the first test (which is replaced by the following 3) around Jan-Feb
+ 2017.
+#>
+
+$projectRoot = (Resolve-Path -Path $PSScriptRoot\..\..\).Path
+
+$srcDirectory = "$projectRoot\src"
+<#
+ .SYNOPSIS
+ Retrieves the parse errors for the given file.
+
+ .PARAMETER FilePath
+ The path to the file to get parse errors for.
+#>
+function Get-FileParseErrors
+{
+ [OutputType([System.Management.Automation.Language.ParseError[]])]
+ [CmdletBinding()]
+ param
+ (
+ [Parameter(ValueFromPipeline = $true, Mandatory = $true)]
+ [String]
+ $FilePath
+ )
+
+ $parseErrors = $null
+
+ $null = [System.Management.Automation.Language.Parser]::ParseFile(
+ $FilePath,
+ [ref] $null,
+ [ref] $parseErrors
+ )
+ return $parseErrors
+}
+
+<#
+ .SYNOPSIS
+ Retrieves all text files under the given root file path.
+
+ .PARAMETER Root
+ The root file path under which to retrieve all text files.
+
+ .NOTES
+ Retrieves all files with the '.gitignore', '.gitattributes', '.ps1', '.psm1', '.psd1',
+ '.json', '.xml', '.cmd', or '.mof' file extensions.
+#>
+function Get-TextFilesList
+{
+ [OutputType([System.IO.FileInfo[]])]
+ [CmdletBinding()]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [String]
+ $FilePath
+ )
+
+ $textFileExtensions = @('.gitignore', '.gitattributes', '.ps1', '.psm1', '.psd1', '.json',
+ '.xml', '.cmd', '.mof')
+
+ return Get-ChildItem -Path $FilePath -File -Recurse | Where-Object { $textFileExtensions `
+ -contains $_.Extension }
+}
+function Test-FileInUnicode
+{
+ [OutputType([Boolean])]
+ [CmdletBinding()]
+ param
+ (
+ [Parameter(ValueFromPipeline = $true, Mandatory = $true)]
+ [System.IO.FileInfo]
+ $FileInfo
+ )
+
+ $filePath = $FileInfo.FullName
+
+ $fileBytes = [System.IO.File]::ReadAllBytes($filePath)
+
+ $zeroBytes = @( $fileBytes -eq 0 )
+
+ return ($zeroBytes.Length -ne 0)
+}
+
+if(-not $env:SrcFolder)
+{
+ $env:SrcFolder = $srcDirectory
+}
+
+$Name = 'PowerStig'
+
+Describe 'Common Tests - File Parsing' {
+ $ScriptFiles = Get-ChildItem -Path $env:SrcFolder -Filter '*.ps1' -File
+
+ foreach ($ScriptFile in $ScriptFiles)
+ {
+ Context $ScriptFile.Name {
+ It 'Should not contain parse errors' {
+ $containsParseErrors = $false
+
+ $parseErrors = Get-FileParseErrors -FilePath $ScriptFile.FullName
+
+ if ($null -ne $parseErrors)
+ {
+ Write-Warning -Message "There are parse errors in $($ScriptFile.FullName):"
+ Write-Warning -Message ($parseErrors | Format-List | Out-String)
+
+ $containsParseErrors = $true
+ }
+
+ $containsParseErrors | Should Be $false
+ }
+ }
+ }
+}
+
+<#
+#>
+Describe 'Common Tests - File Formatting' {
+ $textFiles = Get-TextFilesList -FilePath $env:SrcFolder
+
+ Context 'All discovered ext files' {
+ It "Should not contain any files with Unicode file encoding" {
+ $containsUnicodeFile = $false
+
+ foreach ($textFile in $textFiles)
+ {
+ if (Test-FileInUnicode $textFile) {
+ if($textFile.Extension -ieq '.mof')
+ {
+ Write-Warning -Message "File $($textFile.FullName) should be converted to ASCII. Use fixer function 'Get-UnicodeFilesList `$pwd | ConvertTo-ASCII'."
+ }
+ else
+ {
+ Write-Warning -Message "File $($textFile.FullName) should be converted to UTF-8. Use fixer function 'Get-UnicodeFilesList `$pwd | ConvertTo-UTF8'."
+ }
+
+ $containsUnicodeFile = $true
+ }
+ }
+
+ $containsUnicodeFile | Should Be $false
+ }
+
+ It 'Should not contain any files with tab characters' {
+ $containsFileWithTab = $false
+
+ foreach ($textFile in $textFiles)
+ {
+ $fileName = $textFile.FullName
+ $fileContent = Get-Content -Path $fileName -Raw
+
+ $tabCharacterMatches = $fileContent | Select-String "`t"
+
+ if ($null -ne $tabCharacterMatches)
+ {
+ Write-Warning -Message "Found tab character(s) in $fileName. Use fixer function 'Get-TextFilesList `$pwd | ConvertTo-SpaceIndentation'."
+ $containsFileWithTab = $true
+ }
+ }
+
+ $containsFileWithTab | Should Be $false
+ }
+
+ It 'Should not contain empty files' {
+ $containsEmptyFile = $false
+
+ foreach ($textFile in $textFiles)
+ {
+ $fileContent = Get-Content -Path $textFile.FullName -Raw
+
+ if([String]::IsNullOrWhiteSpace($fileContent))
+ {
+ Write-Warning -Message "File $($textFile.FullName) is empty. Please remove this file."
+ $containsEmptyFile = $true
+ }
+ }
+
+ $containsEmptyFile | Should Be $false
+ }
+ <#
+ It 'Should not contain files without a newline at the end' {
+ $containsFileWithoutNewLine = $false
+
+ foreach ($textFile in $textFiles)
+ {
+ $fileContent = Get-Content -Path $textFile.FullName -Raw
+
+ if(-not [String]::IsNullOrWhiteSpace($fileContent) -and $fileContent[-1] -ne "`n")
+ {
+ if (-not $containsFileWithoutNewLine)
+ {
+ Write-Warning -Message 'Each file must end with a new line.'
+ }
+
+ Write-Warning -Message "$($textFile.FullName) does not end with a new line. Use fixer function 'Add-NewLine'"
+
+ $containsFileWithoutNewLine = $true
+ }
+ }
+
+
+ $containsFileWithoutNewLine | Should Be $false
+ }
+ #>
+ }
+}
+
+Describe 'Common Tests - Configuration Module Requirements' {
+
+ #$Name = Get-Item -Path $env:SrcFolder | ForEach-Object -Process {$_.Name}
+
+ $Files = Get-ChildItem -Path $env:SrcFolder
+ $Manifest = Import-PowerShellDataFile -Path "$env:SrcFolder\$Name.psd1"
+
+ Context "$Name module manifest properties" {
+ It 'Contains a module manifest that aligns to the folder and module names' {
+ $Files.Name.Contains("$Name.psd1") | Should Be True
+ }
+ It 'Contains a readme' {
+ Test-Path "$projectRoot\README.md" | Should Be True
+ }
+ It "Manifest $Name.psd1 should import as a data file" {
+ $Manifest | Should BeOfType 'Hashtable'
+ }
+ It 'Should have a GUID in the manifest' {
+ $Manifest.GUID | Should Match '[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}'
+ }
+ It 'Should list requirements in the manifest' {
+ $Manifest.RequiredModules | Should Not Be Null
+ }
+ It 'Should list a module version in the manifest' {
+ $Manifest.ModuleVersion | Should BeGreaterThan 0.0.0.0
+ }
+ It 'Should list an author in the manifest' {
+ $Manifest.Author | Should Not Be Null
+ }
+ It 'Should provide a description in the manifest' {
+ $Manifest.Description | Should Not Be Null
+ }
+ It 'Should require PowerShell version 4 or later in the manifest' {
+ $Manifest.PowerShellVersion | Should BeGreaterThan 4.0
+ }
+ It 'Should require CLR version 4 or later in the manifest' {
+ $Manifest.CLRVersion | Should BeGreaterThan 4.0
+ }
+ It 'Should export functions in the manifest' {
+ $Manifest.FunctionsToExport | Should Not Be Null
+ }
+ It 'Should include tags in the manifest' {
+ $Manifest.PrivateData.PSData.Tags | Should Not Be Null
+ }
+ It 'Should include a project URI in the manifest' {
+ $Manifest.PrivateData.PSData.ProjectURI | Should Not Be Null
+ }
+ }
+
+ if ($Manifest.RequiredModules)
+ {
+ Context "$Name required modules" {
+
+ foreach ($RequiredModule in $Manifest.RequiredModules)
+ {
+ if ($RequiredModule.GetType().Name -eq 'Hashtable')
+ {
+ It "$($RequiredModule.ModuleName) version $($RequiredModule.ModuleVersion) should be found in the PowerShell public gallery" {
+ {Find-Module -Name $RequiredModule.ModuleName -RequiredVersion $RequiredModule.ModuleVersion} | Should Not Be Null
+ }
+ It "$($RequiredModule.ModuleName) version $($RequiredModule.ModuleVersion) should install locally without error" {
+ {Install-Module -Name $RequiredModule.ModuleName -RequiredVersion $RequiredModule.ModuleVersion -Scope CurrentUser -Force} | Should Not Throw
+ }
+ }
+ else
+ {
+ It "$RequiredModule should be found in the PowerShell public gallery" {
+ {Find-Module -Name $RequiredModule} | Should Not Be Null
+ }
+ It "$RequiredModule should install locally without error" {
+ {Install-Module -Name $RequiredModule -Scope CurrentUser -Force} | Should Not Throw
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/tests/unit/stigData/common.tests.ps1 b/tests/unit/stigData/common.tests.ps1
new file mode 100644
index 000000000..061925d37
--- /dev/null
+++ b/tests/unit/stigData/common.tests.ps1
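Review bot: `{Find-Module ...} | Should Not Be Null` (both branches of the required-modules context) pipes the scriptblock object rather than its result, and the bareword `Null` is the string 'Null', so the assertion can never fail and `Find-Module` is never even executed; the same bareword makes every `| Should Not Be Null` on the `$Manifest` fields vacuous, so a manifest with no Author, Description or ProjectURI still passes. Use `Find-Module -Name $RequiredModule.ModuleName -RequiredVersion $RequiredModule.ModuleVersion | Should Not BeNullOrEmpty` and `Should Not BeNullOrEmpty` for the manifest properties. The `Install-Module ... -Scope CurrentUser -Force` cases fetch from the public gallery and install whatever it returns onto the test host as a side effect of a unit-test run, with no repository pinning; that belongs in an opt-in integration stage rather than the default suite. `Describe 'Common Tests - File Parsing'` lists `$env:SrcFolder` with `-Filter '*.ps1'` and no `-Recurse`, so the `.psm1` class modules and the `.ps1` files in subfolders are never parse-checked even though `Get-TextFilesList` does recurse; `Get-ChildItem -Path $env:SrcFolder -Include '*.ps1','*.psm1','*.psd1' -File -Recurse` would cover the module.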
@@ -0,0 +1,23 @@
+######################################### Begin Header #########################################
+Import-Module "$PSScriptRoot\..\..\helper.psm1" -Force
+$StigDataPath = Get-ChildItem -Path "$SrcRootDir\StigData"
+$SchemaFile = "$SrcRootDir\StigData\Schema\PowerStig.xsd"
+######################################### End Header #########################################
+
+Describe 'Common Tests - XML Validation' {
+
+ foreach ($StigDataFolder in $StigDataPath)
+ {
+ $StigDataName = $StigDataFolder.name
+
+ Context $StigDataName {
+ $StigDataXml = Get-ChildItem -Path $StigDataFolder.FullName -Exclude *.org.xml, *org.default.xml
+ foreach ($StigDataXmlFile in $StigDataXml)
+ {
+ It "$($StigDataXmlFile.name) should be a valid xml file" {
+ {Test-Xml -XmlFile $StigDataXmlFile.FullName -SchemaFile $SchemaFile} | Should Not Throw
+ }
+ }
+ }
+ }
+}
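Review bot: `$StigDataPath = Get-ChildItem -Path "$SrcRootDir\StigData"` is iterated as a list of STIG folders, but `$SchemaFile` shows that `StigData\Schema` is one of those children, so `Schema\PowerStig.xsd` is picked up by the inner `Get-ChildItem` and validated against itself as though it were STIG data; if the `.xml` files sit directly under `StigData` the loop only works because `Get-ChildItem` on a file path returns that file. Enumerate the data files once instead: `$StigDataXml = Get-ChildItem -Path "$SrcRootDir\StigData\*.xml" -Exclude '*.org.xml','*org.default.xml' -File`. The excluded `*org.default.xml` files are the organisational-setting inputs that override rule values at configuration time, so leaving them unvalidated means a malformed override surfaces only when a configuration is compiled; if `PowerStig.xsd` does not describe them, a dedicated schema or at least a well-formedness check such as `{ [xml](Get-Content -Raw $file) } | Should Not Throw` is worth adding. `$SrcRootDir` and `Test-Xml` come from `helper.psm1`, which is outside this diff, so whether `Test-Xml` throws or merely returns `$false` on a schema violation — the latter would satisfy `Should Not Throw` — should be confirmed.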