The hardening checklists are based on the comprehensive checklists produced by the Center for Internet Security (CIS). The Information Security Office (ISO) has distilled the CIS lists down to the most critical steps for your systems, with a focus on issues unique to the computing environment at The University of Texas at Austin.
Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The ISO uses this checklist during risk assessments as part of the process to verify server security.
MAC Address | |
---|---|
IP Address | |
Machine Name | |
Asset Tag | |
Administrator Name | |
Date |
Step | √ | To Do | CIS | UT Note | Confidential | Other | Min Std |
---|---|---|---|---|---|---|---|
Preparation and Installation | |||||||
1 | If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened. | § | ! | 4.5.1 | |||
Service Packs and Hotfixes | |||||||
2 | Install the latest service packs and hotfixes from Microsoft. | § | ! | ! | 4.5.2 | ||
3 | Enable automatic notification of patch availability. | § | ! | ! | 4.5.3 | ||
User Account Policies | |||||||
4 | Set minimum password length. | 1.1.4 | § | ! | ! | ||
5 | Enable password complexity requirements. | 1.1.5 | § | ! | |||
6 | Do not store passwords using reversible encryption. (Default) | 1.1.6 | § | ! | ! | ||
7 | Configure account lockout policy. | 1.2 | § | ! | ! | ||
User Rights Assignment | |||||||
8 | Restrict the ability to access this computer from the network to Administrators and Authenticated Users. | 2.2.2 | |||||
9 | Do not grant any users the 'act as part of the operating system' right. (Default) | 2.2.3 | ! | ! | |||
10 | Restrict local logon access to Administrators. | 2.2.6 | § | ||||
11 | Deny guest accounts the ability to logon as a service, a batch job, locally, or via RDP. | 2.2.18-21 | ! | ||||
Security Settings | |||||||
12 | Place the University warning banner in the Message Text for users attempting to log on. | 2.3.7.4 | § | ! | ! | 4.5.10 | |
13 | Disallow users from creating and logging in with Microsoft accounts. | 2.3.1.2 | § | ! | ! | ||
14 | Disable the guest account. (Default) | 2.3.1.3 | ! | ! | |||
15 | Require Ctrl+Alt+Del for interactive logins. (Default) | 2.3.7.2 | ! | ! | |||
16 | Configure machine inactivity limit to protect idle interactive sessions. | 2.3.7.3 | ! | ! | |||
17 | Configure Microsoft Network Client to always digitally sign communications. | 2.3.8.1 | ! | ||||
18 | Configure Microsoft Network Client to digitally sign communications if server agrees. (Default) | 2.3.8.2 | ! | ! | |||
19 | Disable the sending of unencrypted passwords to third party SMB servers. | 2.3.8.3 | ! | 4.5.6 | |||
20 | Configure Microsoft Network Server to always digitally sign communications. | 2.3.9.2 | ! | ||||
21 | Configure Microsoft Network Server to digitally sign communications if client agrees. | 2.3.9.3 | ! | ||||
Network Access Controls | |||||||
22 | Disable anonymous SID/Name translation. (Default) | 2.3.10.1 | ! | ! | |||
23 | Do not allow anonymous enumeration of SAM accounts. (Default) | 2.3.10.2 | ! | ! | 4.5.5 | ||
24 | Do not allow anonymous enumeration of SAM accounts and shares. | 2.3.10.3 | ! | 4.5.5 | |||
25 | Do not allow everyone permissions to apply to anonymous users. (Default) | 2.3.10.5 | ! | ! | 4.5.12 | ||
26 | Do not allow any named pipes to be accessed anonymously. | 2.3.10.6 | ! | 4.5.12 | |||
27 | Restrict anonymous access to named pipes and shares. (Default) | 2.3.10.9 | ! | ! | 4.5.12 | ||
28 | Do not allow any shares to be accessed anonymously. | 2.3.10.11 | ! | ||||
29 | Require the "Classic" sharing and security model for local accounts. (Default) | 2.3.10.12 | ! | ! | 4.5.12 | ||
Network Security Settings | |||||||
30 | Allow Local System to use computer identity for NTLM. | 2.3.11.1 | |||||
31 | Disable Local System NULL session fallback. | 2.3.11.2 | |||||
32 | Configure allowable encryption types for Kerberos. | 2.3.11.4 | |||||
33 | Do not store LAN Manager hash values. | 2.3.11.5 | ! | ! | 4.5.13 | ||
34 | Set LAN Manager authentication level to only allow NTLMv2 and refuse LM and NTLM. | 2.3.11.7 | ! | 4.5.13 | |||
35 | Enable the Windows Firewall in all profiles (domain, private, public). (Default) | 9.|LF||LF|1-3|RF||RF|.1 | ! | ! | 4.5.5 | ||
36 | Configure the Windows Firewall in all profiles to block inbound traffic by default. (Default) | 9.|LF||LF|1-3|RF||RF|.2 | ! | ! | |||
37 | Configure Windows Firewall to restrict remote access services (VNC, RDP, etc.) to authorized campus-only networks . | ! | 4.6.4 | ||||
38 | Configure Windows Firewall to restrict remote access services (VNC, RDP, etc.) to the campus VPN. | ! | 4.6.3 | ||||
Active Directory Domain Member Security Settings | |||||||
39 | Digitally encrypt or sign secure channel data (always). (Default) | 2.3.6.1 | ! | 4.5.6 | |||
40 | Digitally encrypt secure channel data (when possible). (Default) | 2.3.6.2 | ! | ! | 4.5.6 | ||
41 | Digitally sign secure channel data (when possible). (Default) | 2.3.6.3 | ! | ! | 4.5.6 | ||
42 | Require strong (Windows 2000 or later) session keys. | 2.3.6.6 | ! | ||||
43 | Configure the number of previous logons to cache. | 2.3.7.6 | § | ||||
Audit Policy Settings | |||||||
44 | Configure Account Logon audit policy. | 17.1 | § | ! | |||
45 | Configure Account Management audit policy. | 17.2 | § | ! | ! | ||
46 | Configure Logon/Logoff audit policy. | 17.5 | § | ! | ! | ||
47 | Configure Policy Change audit policy. | 17.7 | § | ! | ! | ||
48 | Configure Privilege Use audit policy. | 17.8 | § | ! | |||
Event Log Settings | |||||||
49 | Configure Event Log retention method and size. | 18.3.12; 18.9.26 | § | ! | ! | 4.6.1 | |
50 | Configure log shipping (e.g. to Splunk). | § | |||||
Linux Subsystem | |||||||
51 | Configure all Linux elements according to the Linux Hardening Guide, keeping in mind that some elements will require Windows tools (like Windows Firewall vs. iptables) | ||||||
Additional Security Protection | |||||||
52 | Disable or uninstall unused services. | ! | |||||
53 | Disable or delete unused users. | ! | |||||
54 | Configure user rights to be as secure as possible: Follow the Principle of Least Privilege | § | ! | ||||
55 | Ensure all volumes are using the NTFS file system. | § | ! | ||||
56 | Configure file system permissions. | § | ! | ||||
57 | Configure registry permissions. | § | ! | ||||
58 | Disallow remote registry access if not required. | 2.3.10.7-8 | § | ||||
Additional Steps | |||||||
59 | Set the system date/time and configure it to synchronize against campus time servers. | § | ! | ||||
60 | Install and enable anti-virus software. | § | ! | ! | |||
61 | Install and enable anti-spyware software. | § | ! | ||||
62 | Configure anti-virus software to update daily. | § | ! | ! | |||
63 | Configure anti-spyware software to update daily. | § | ! | ||||
64 | Provide secure storage for Confidential (category-I) Data as required. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | § | ! | ||||
65 | Install software to check the integrity of critical operating system files. | § | ! | ||||
66 | If RDP is utilized, set RDP connection encryption level to high. | § | ! | ||||
Physical Security | |||||||
67 | Unless the server is in the UDC or a managed VM cluster, set a BIOS/firmware password to prevent alterations in system start up settings. | 4.4.1 | |||||
68 | Do not allow the system to be shut down without having to log on. (Default) | 2.3.13.1 | ! | ! | |||
69 | Configure the device boot order to prevent unauthorized booting from alternate media. | ! | 4.4.1 | ||||
70 | Configure a screen-saver to lock the console's screen automatically if the host is left unattended. | § | ! | ! |
1 | If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected. |
---|---|
2 | There are several methods available to assist you in applying patches in a timely fashion: Microsoft Update Service
Windows AutoUpdate via WSUS |
3 | Configure Automatic Updates from the Automatic Updates control panel
|
4 | Configuring the minimum password length settings is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires passwords be a minimum of 8 characters in length. It is strongly recommended that passwords be at least 14 characters in length (which is also the recommendation of CIS). |
5 | Configuring the password complexity setting is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires that passwords contain letters, numbers, and special characters. Ensure Domain Administrators (and even Departmental/GPO Admin accounts used by TSCs) have a higher standard for password complexity, are required to change their passwords more frequently (e.g., twice a year) and are strongly warned against reuse of these credentials outside of the Austin AD context. |
6 | If this option is enabled, the system will store passwords using a weak form of encryption that is susceptible to compromise. This configuration is disabled by default. |
7 | Instead of the CIS recommended values, the account lockout policy should be configured as follows:
|
10 | Any account with this role is permitted to log in to the console. By default, this includes users in the Administrators, Users, and Backup Operators groups. It's unlikely that non-administrative users require this level of access and, in cases where the server is not physically secured, granting this right may facilitate a compromise of the device. |
12 | The text of the university's official warning banner can be found on the ISO Web site. You may add localized information to the banner as long as the university banner is included. |
13 | The use of Microsoft accounts can be blocked by configuring the group policy object at: Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Accounts: Block Microsoft accounts This setting can be verified by auditing the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser |
43 | Logon information for domain accounts can be cached locally to allow users who have previously authenticated to do so again even if a domain controller cannot be contacted. By default 10 accounts will be cached locally, but there is a risk that in the event of a compromise an attacker could locate the cached credentials and use a brute force attack to discover the passwords. Therefore, it is recommended that this value be reduced so that fewer credentials will be placed at risk, and credentials will be cached for shorter periods of time in the case of devices that are logged into frequently by multiple users. The group policy object below should be set to 4 or fewer logins: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
|
44 | The Account Logon audit policy logs the results of validation tests of credentials submitted for user account logon requests. The server that is authoritative for the credentials must have this audit policy enabled. For domain member machines, this policy will only log events for local user accounts. Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Account Logon\
|
45 | Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Account Management\
|
46 | Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\
|
47 | Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Policy Change\
|
48 | Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Privilege Use\
|
49 | The university requires the following event log settings instead of those recommended by the CIS Benchmark:
The recommended retention method for all logs is: Retain events for at least 14 days These are minimum requirements. The most important log here is the security log. 1 GB is a suggested minimum, but if you have a high-volume service, make the file as large as necessary to make sure at least 14 days of security logs are available. The further your logs go back, the easier it will be to respond in the event of a breach. In rare cases, a breach may go on for months before detection. You may increase the number of days that you keep, or you may set the log files to not overwrite events. Note that if the event log reaches its maximum size and no events older than the number of days you specified exist to be deleted, or if you have disabled overwriting of events, no new events will be logged. This may happen deliberately as an attempt by an attacker to cover his tracks. For critical services working with Confidential or other sensitive data, use Syslog, Splunk, Intrust, or a similar service to ship logs to another device. Another option is to configure Windows to rotate event log files automatically when an event log reaches its maximum size as described in the article http://support.microsoft.com/kb/312571 using the AutoBackupLogFiles registry entry. |
50 | It is highly recommended that logs are shipped from any Confidential cdevices to a service like Splunk, which provides log aggregation, processing, and real-time monitoring of events among many other things. This helps to ensure that logs are preserved and unaltered in the event of a compromise, in addition to allowing proactive log analysis of multiple devices. Splunk licenses are available through ITS at no charge. ITS also maintains a centrally-managed Splunk service that may be leveraged. |
54 | Configure user rights to be as secure as possible, following the recommendations in section 2.2 of the CIS benchmark. Every attempt should be made to remove Guest, Everyone, and ANONYMOUS LOGON from the user rights lists. Follow current best practice to ensure IIS is not being run as the System User. Ensure scheduled tasks are run with a dedicated Service account and not a Domain Administrator account. For systems the present the highest risk, complete PAWS implementation and ensure system logs are routed to Splunk. |
55 | Volumes formatted as FAT or FAT32 can be converted to NTFS, by using the convert.exe utility provided by Microsoft. Microsoft has provided instructions on how to perform the conversion. Windows servers used with Category I data must use the NTFS file system for all partitions where Category I data is to be stored. |
56 | Be extremely careful, as setting incorrect permissions on system files and folders can render a system unusable. |
57 | Be extremely careful, as setting incorrect permissions on registry entries can render a system unusable. |
58 | Some remote administration tools, such as Microsoft Systems Management Server, require remote registry access to managed devices. Disabling remote registry access may cause such services to fail. If remote registry access is not required, it is recommended that the remote registry service be stopped and disabled. If remote registry access is required, the remotely accessible registry paths should still be configured to be as restrictive as possible. The group policy object below controls which registry paths are available remotely: Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Network access: Remotely accessible registry paths This object should be set to allow access only to:
Further restrictions on the registry paths and subpaths that are remotely accessible can be configured with the group policy object: Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Network access: Remotely accessible registry paths and sub-paths |
59 | By default, domain members synchronize their time with domain controllers using Microsoft's Windows Time Service. The domain controller should be configured to synchronize its time with an external time source, such as the university's network time servers. |
60 | ITS provides FireAMP, a managed, cloud-based antivirus service, free of charge for all university owned devices. More information about obtaining and using FireAMP is at https://security.utexas.edu/education-outreach/anti-virus. |
61 | Anti-spyware software is only required to be installed if the server is used to browse Web sites not specifically related to the administration of the server, which is not recommended. ITS provides anti-spyware software for no additional charge. At a minimum, SpyBot Search and Destroy should be installed. We also recommend the installation of a secondary anti-spyware application, such as SpyWare Blaster, EMS Free Surfer, or AdAware. An additional measure that can be taken is to install Firefox with the NoScript and uBlock add-ons. |
62 | FireAMP is the recommended AV solution. |
63 | Spyware Blaster - Enabling auto-update functionality requires the purchase of an additional subscription.
|
64 | Windows provides the Encrypting File System as a built-in mechanism to allow the encryption of individual users' files and folders. Be aware of the caveats involved in the use of EFS before implementing it for general use, though. Other options such as PGP and GNUPG also exist. Another encryption option to consider is whole-disk encryption, which encrypts the entire contents of the drive instead of just specific files and folders. Windows comes with BitLocker for this. If encryption is being used in conjunction with Confidential data, one of the solutions listed in the Approved Encryption Methods (EID required) must be implemented. |
65 | Windows has a feature called Windows Resource Protection which automatically checks certain key files and replaces them if they become corrupted. It is enabled by default. You can audit in much more in depth using Tripwire; consider this for your highest-risk systems. Modern versions of Tripwire require the purchase of licenses in order to use it. The Tripwire management console can be very helpful for managing more complex installations. |
66 | This setting is configured by group policy object at: \Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security This policy object should be configured as below:
|
70 |
|