
Book: CIS Microsoft Windows Server 2012 R2 Benchmark v2.4.0

Chiến Vũ

Academic year: 2024


(L1) Ensure "Manage auditing and security log" is set to "Administrators" and (when Exchange is running in the environment) "Exchange Servers" (DC only) (Scored). (L1) Ensure "Interactive logon: Require Domain Controller authentication to unlock workstation" is set to "Enabled" (MS only) (Scored).

Overview

Intended Audience

Consensus Guidance

Typographical Conventions

Scoring Information

Profile Definitions

This profile contains advanced Windows security features that have specific configuration dependencies and may not be compatible with all systems. If your environment supports these features, they are highly recommended as they have tangible security benefits.

Acknowledgements

Recommendations

Password Policy

If you do not also configure the "Minimum password age" setting, users can repeatedly change their passwords until they are able to reuse their original password. If users are required to change their passwords to new, unique values, there is an increased risk that they will write their passwords down somewhere so they do not forget them.

CCE-37166-6 CIS Controls

Configuring the "Maximum password age" setting to 0, so that users never have to change their password, is a major security risk because it allows a compromised password to be used by a malicious user for as long as the legitimate user has authorized access. If the "Maximum password age" setting is too low, users will have to change their passwords very often.

CCE-37167-4 CIS Controls

Using this policy setting together with the "Enforce password history" setting prevents easy reuse of old passwords. You must configure this policy setting to a value greater than 0 for the "Enforce password history" setting to be effective.

CCE-37073-4 CIS Controls

In enterprise environments, the ideal value for the "Minimum password length" setting is 14 characters; however, you should adjust this value to meet your organization's business requirements. Starting with Windows Server 2019, Microsoft changed the GUI to allow a minimum password length of up to 20 characters.

CCE-36534-6

When very long passwords are required, mistyped passwords can cause account lockouts and increase help desk calls. If multi-factor authentication is not supported, user accounts on the system must use long passwords (longer than 14 characters).

CCE-37063-5 CIS Controls

This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Enabling this policy setting allows the operating system to store passwords in a weaker format that is much more susceptible to compromise, and it weakens the security of your system.

CCE-36286-3 CIS Controls

  • Account Lockout Policy

If you configure the "Account lockout duration" setting to 0, the account will remain locked until an administrator manually unlocks it. There is no impact from this setting on its own, because it only has meaning if an account lockout threshold is set.

CCE-37034-6 CIS Controls

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration. Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold.

CCE-36008-1 CIS Controls

If this policy setting is enabled, a locked-out account cannot be used until it is reset by an administrator or until the account lockout duration expires. This policy setting specifies the length of time before the account lockout threshold counter is reset to zero.

CCE-36883-7

  • Audit Policy
  • User Rights Assignment

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after. If the "Reset account lockout counter after" value is not configured, administrators will have to manually unlock all locked-out accounts.

CCE-37056-9 CIS Controls

2.2.2 (L1) Ensure "Access this computer from the network" is set to "Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS". For example, the "Access this computer from the network" user right is required for users to connect to shared printers and folders.

CCE-35818-4 CIS Controls

If you remove this user right on member servers, users will not be able to connect to those servers over the network. If this user right is assigned to the Everyone group, anyone will be able to read the files in those shared folders.

CCE-36876-1 CIS Controls

A user who has been granted this right can add up to 10 workstations to the domain. Users with this right can add a computer to the domain that is configured in a way that violates the organization's security policies.

CCE-36282-2

Navigate to the UI path articulated in the Remediation section and confirm it is set as instructed.

CCE-37071-8

Users attempting to log on through Terminal Services/Remote Desktop Services or IIS also need this user right. Any account with the "Allow log on locally" user right can log on to the computer's console.

CCE-37659-0 CIS Controls

Any account with the "Allow log on through Remote Desktop Services" user right can log on to the remote console of the computer. Removing the "Allow log on through Remote Desktop Services" user right from other groups, or changing membership in these default groups, can limit the capabilities of users who perform specific administrative roles in your environment.

CCE-37072-6

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services. This privilege is checked only when a program (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API).

CCE-35912-5 CIS Controls

The PDC Emulator operations master at the root of the forest is authoritative for the organization. Computers that do not belong to the domain must be configured to synchronize with an external time source.

CCE-37452-0

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone.

CCE-37700-2 CIS Controls

By making the page file extremely large or extremely small, an attacker can easily affect the performance of the affected computer. Users who can change the size of the page file may make it extremely small or move it to a highly fragmented storage volume, either of which can reduce computer performance.

CCE-35821-8 CIS Controls

A user account that has this user right has complete control over the system, and its compromise can lead to compromise of the whole system. The operating system examines the user's access token to determine the user's privilege level.

CCE-36861-3 CIS Controls

Users who can create global objects can affect processes running in other users' sessions. Users who can create global objects can affect Windows services and processes running under other user or system accounts.

CCE-37453-8 CIS Controls

Users who have the "Create permanent shared objects" user right can create new shared objects and expose sensitive data to the network. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects.

CCE-36532-0 CIS Controls

Users who have the "Create symbolic links" user right may inadvertently or maliciously expose your system to symbolic link attacks. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links.

CCE-35823-4 CIS Controls

Some attack tools exploit this right to extract hashed passwords and other private security information, or to insert rootkit code. By default, the "Debug programs" user right is granted only to Administrators, which helps mitigate the risk from this vulnerability.

CCE-37075-9 CIS Controls

This user right supersedes the "Access this computer from the network" user right if both policies apply to the account. By configuring the "Deny access to this computer from the network" user right for other groups, you can limit the capabilities of users assigned to specific administrative roles in your environment.

CCE-37954-5 CIS Controls

This user right supersedes the "Log on as a batch job" user right, which can be used to allow accounts to schedule jobs that consume excessive system resources. Therefore, it is important that you understand which accounts belong to the groups to which you assign the "Deny log on as a batch job" user right.

CCE-36923-1 CIS Controls

This user right supersedes the "Log on as a service" user right if an account is subject to both policies. If you assign the "Deny log on as a service" user right to specific accounts, services may fail to start and a DoS condition may result.

CCE-36877-9 CIS Controls

Important: If you apply this security policy to the Everyone group, no one will be able to log on locally. Any account with the ability to log on locally can be used to log on at the computer's console.

CCE-37146-8 CIS Controls

This user right supersedes the "Allow log on through Remote Desktop Services" user right if an account is subject to both policies. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services.

CCE-36867-0 CIS Controls

Any account with the right to log on through Remote Desktop Services can be used to log on to the remote console of the computer. Misuse of the "Enable computer and user accounts to be trusted for delegation" user right could allow unauthorized users to impersonate other users on the network.

CCE-36860-5 CIS Controls

Anyone granted this user right can cause a denial of service (DoS) condition, which will make the computer unavailable to service user requests. If you remove the "Force shutdown from a remote system" user right from the Server Operators group, you can limit the capabilities of users assigned to specific.

CCE-37877-8 CIS Controls

Note #2: A Member Server that holds the Web Server (IIS) role with the Web Server role service will require a special exception to this recommendation so that IIS application pools can be granted this user right. However, if you installed the Web Server (IIS) role with the Web Services role service, you will need to allow the IIS application pool group to be granted this user right.

CCE-37639-2 CIS Controls

Services" component that is installed requires a special exception to this recommendation in order for additional SQL-generated entries to be assigned this user right. If you have installed the Web Server (IIS) role with the Web Services role service, you must also assign the user right to.

CCE-37106-2

This user right is not required for the management tools provided with the operating system, but it may be required for software development tools. A user assigned this user right can increase the scheduling priority of a process to Real-Time, which leaves little processing time for all other processes and can lead to a DoS condition.

CCE-38326-5 CIS Controls

A user who has the "Load and unload device drivers" user right can inadvertently install malicious code that impersonates a device driver. If you remove the "Load and unload device drivers" user right from the Print Operators.

CCE-36318-4 CIS Controls

Note: A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation so that additional logons created by SQL can be granted this user right. Users with the "Lock pages in memory" user right can allocate physical memory to certain processes, which may leave little or no RAM for other processes and result in a DoS condition.

CCE-36495-0 CIS Controls

If you configure the "Log on as a batch job" setting through domain Group Policy, the computer will not be able to assign the user right to accounts that are used for. If you install optional components such as ASP.NET or IIS, you may need to grant this user right to additional accounts required by those components.

CCE-38080-8 CIS Controls

If this user right is not assigned to this group and these accounts, IIS will not be able to run some COM objects that are required for proper functionality. Anyone with this user right can clear the Security log, erasing important evidence of unauthorized activity.

CCE-35906-7 CIS Controls

This right determines which user accounts can change the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can lower the label of an object owned by that user without this privilege.

CCE-36054-5

By modifying the integrity label of an object owned by another user, a malicious user could cause that user to execute code at a higher level of privilege than intended. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label.

CCE-38113-7 CIS Controls

A user granted the "Perform volume maintenance tasks" user right could delete a volume, which may result in data loss or a DoS condition. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks.

CCE-36143-6 CIS Controls

Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI).

CCE-37131-0 CIS Controls

An attacker with this privilege could monitor a computer's performance to help identify critical processes that they may wish to attack directly. The attacker may also be able to determine which processes are active on the computer, and so identify countermeasures they may need to avoid, such as antivirus software or an intrusion detection system.

CCE-36052-9 CIS Controls

Note #3: A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation so that additional SQL-generated entries can be granted this user right. However, if you installed the Web Server (IIS) role with the Web Services role service, you will need to allow the IIS application pool group to be assigned this user right.

CCE-37430-6 CIS Controls

This user right also determines which users can set any valid security principal as the owner of an object; it is similar to the "Back up files and directories" user right. An attacker with the "Restore files and directories" user right could restore sensitive data to the computer and overwrite data that is more recent, which could result in the loss of important data, data corruption, or a denial of service.

CCE-37613-7 CIS Controls

The ability to shut down domain controllers and member servers should be limited to a very small number of trusted administrators. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system.

CCE-38328-1 CIS Controls

The "Synchronize directory service data" user right affects Domain Controllers; only Domain Controllers should be able to synchronize directory service data. Domain Controllers have this user right inherently, because the synchronization process runs in the context of the System account on Domain Controllers.

CCE-36099-0 CIS Controls

Any user with the "Take ownership of files or other objects" user right can take control of any object, regardless of the permissions on that object, and then make any changes they want to it. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects.

CCE-38325-7 CIS Controls

  • Security Options
    • Accounts

When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured. If the current Administrator password does not meet the password requirements, you will not be able to re-enable the Administrator account after it has been disabled.

CCE-37953-7

The recommended state for this setting is: Users can't add or log on with Microsoft accounts. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts.

CCE-36147-7 CIS Controls

The default Guest account allows unauthenticated network users to log on as Guest without a password. These unauthorized users could then access any resources that are accessible to the Guest account over the network.

CCE-37432-2 CIS Controls

If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords.

CCE-37615-2 CIS Controls

The built-in local administrator account is a well-known account name that attackers will target. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account.

CCE-38233-3 CIS Controls

The Guest account exists on all computers running Windows 2000 or a newer operating system. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account.

CCE-38027-9 CIS Controls

  • Audit

2.3.2.1 (L1) Ensure "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is set to "Enabled" (Scored). Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

CCE-37850-5

This policy setting determines whether the system shuts down if it is unable to log security events. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits.

CCE-35907-5

  • DCOM
  • Devices

You can use this policy setting to prevent unauthorized users from removing media from one computer in order to access the data on another computer on which they have local administrator privileges. The fact that most removable storage devices will eject media when a mechanical button is pressed reduces the benefit of this policy setting.

CCE-37701-0

This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. When it is enabled, only Administrators will be able to install a printer driver as part of connecting to a shared printer.

CCE-37942-0 CIS Controls

  • Domain controller

Note that users (including those in the Server Operators group) are still able to create jobs through the Task Scheduler wizard. Server Operators are not allowed to submit jobs through the AT program.

CCE-37848-9 CIS Controls

However, those tasks run in the context of the account with which the user authenticates when setting up the task. You can also implement Internet Protocol Security (IPsec) Authentication Header (AH) mode, which provides mutual authentication and packet integrity for IP traffic and makes all types of man-in-the-middle attacks extremely difficult.

CCE-35904-2 CIS Controls

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Refuse machine account password changes. By default, domain-joined computers change their machine account passwords as specified by the "Domain member: Maximum machine account password age" setting (Rule 2.3.6.5), which defaults to every 30 days.

CCE-36921-5 CIS Controls

  • Domain member

Digital encryption and signing of the secure channel is a good idea wherever it is supported. Therefore, you cannot enable the "Domain member: Digitally encrypt or sign secure channel data (always)" setting in the domain.

CCE-36142-8

However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel.

CCE-37130-2 CIS Controls
