(L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only) (Automated)
(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' (Automated)
(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) (Automated)
(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' (Automated)
(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' (Automated)
(L1) Ensure 'Network security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' (Automated)
2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' (Automated)
...Symlinks)' is set to 'Enabled' (Automated)
(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher (Automated)
Overview
Templates can be downloaded from Microsoft at: Download ADMX Templates for Windows 11 2022 Update [22H2] from Official Microsoft Download
Intended Audience
Consensus Guidance
Typographical Conventions
Recommendation Definitions
Title
Assessment Status
Automated
Manual
Profile
Description
Rationale Statement
Impact Statement
Audit Procedure
Remediation Procedure
Default Value
CIS Critical Security Controls® (CIS Controls®)
Additional Information
Profile Definitions
This profile contains advanced Windows security features that have specific configuration dependencies and may not be compatible with all systems.
Acknowledgements
Recommendations
1 Account Policies
Password Policy
This policy setting determines the number of new, unique passwords that must be associated with a user account before an old password can be reused. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. Specifying a low number for this policy setting allows users to cycle through the same small set of passwords repeatedly.
This policy setting determines the number of days you must use a password before you can change it. Using this policy setting together with the Enforce Password History setting prevents old passwords from being easily reused. You must configure this policy setting to a number greater than 0 for the Enforce Password History setting to take effect.
This policy setting determines the minimum number of characters that make up a password for a user account. This policy setting checks all new passwords to ensure they meet basic requirements for strong passwords.
Account Lockout Policy
Once the Account lockout threshold setting is configured, the account will be locked out after the specified number of failed logon attempts. Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration. Default value: None, because this policy setting only has meaning when an Account lockout threshold is specified.
Setting this policy to 0 does not meet the benchmark, as it disables the account lockout threshold. Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold. Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Allow Administrator account lockout.
This policy setting determines the length of time before the Account lockout threshold counter is reset to zero. Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after.
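The password and account-lockout checks described above, as an added example that is not part of the benchmark text: a Python script that parses the [System Access] section of the INF file written by `secedit /export /cfg <file>` and flags the settings that miss a set of expected values. The EXPECTED thresholds, the SAMPLE_INF contents and the function names are assumptions for illustration; substitute the values your benchmark edition specifies. The script treats a lockout threshold of 0 as a failure, since 0 disables lockout, marks Enforce password history as ineffective when the minimum password age is 0, and skips the duration and reset-counter checks when no threshold is set, because those settings only have meaning once a threshold exists.

```python
"""Check password and account-lockout settings from a secedit export.

Added example, not from the CIS benchmark. Parses the [System Access]
section of the INF file that `secedit /export /cfg <file>` writes and
compares the values with a set of expected thresholds.
"""
import configparser
from typing import Dict, List, Tuple

# Assumed thresholds for illustration; replace with your benchmark's values.
EXPECTED = {
    "PasswordHistorySize": 24,       # Enforce password history: at least N passwords
    "MinimumPasswordAge": 1,         # days; must be above 0 for history to take effect
    "MinimumPasswordLength": 14,     # characters
    "LockoutBadCount": 5,            # Account lockout threshold: at most N, never 0
    "LockoutDuration": 15,           # minutes, at least
    "ResetLockoutCount": 15,         # minutes, at least
    "AllowAdministratorLockout": 1,  # Enabled
}

# Constructed sample export. Two settings deliberately miss the thresholds:
# the minimum password age is 0 and the lockout threshold is 0 (lockout off).
# secedit omits LockoutDuration and ResetLockoutCount when LockoutBadCount is 0.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 365
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
AllowAdministratorLockout = 1
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""

Finding = Tuple[str, str, str]  # (setting name, PASS/FAIL/SKIP, detail)


def parse_system_access(inf_text: str) -> Dict[str, object]:
    """Return [System Access] keys; numeric values become int, others stay str."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key casing secedit writes
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        raise ValueError("export has no [System Access] section")
    values: Dict[str, object] = {}
    for key, raw in cp["System Access"].items():
        text = raw.strip().strip('"')
        values[key] = int(text) if text.lstrip("-").isdigit() else text
    return values


def load_export(path: str) -> Dict[str, object]:
    """Read a real export; secedit writes the file as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_system_access(fh.read())


def evaluate(values: Dict[str, object], expected: Dict[str, int] = EXPECTED) -> List[Finding]:
    """Compare the parsed values with the expected thresholds."""
    findings: List[Finding] = []

    def record(key: str, ok: bool, detail: str) -> None:
        findings.append((key, "PASS" if ok else "FAIL", detail))

    history = values.get("PasswordHistorySize", 0)
    min_age = values.get("MinimumPasswordAge", 0)
    # Enforce password history only takes effect when the minimum age is above 0.
    record("PasswordHistorySize",
           history >= expected["PasswordHistorySize"] and min_age > 0,
           f"{history} remembered, expected at least {expected['PasswordHistorySize']}"
           + ("; not effective because minimum password age is 0" if min_age == 0 else ""))
    record("MinimumPasswordAge", min_age >= expected["MinimumPasswordAge"],
           f"{min_age} day(s), expected at least {expected['MinimumPasswordAge']}")
    length = values.get("MinimumPasswordLength", 0)
    record("MinimumPasswordLength", length >= expected["MinimumPasswordLength"],
           f"{length} characters, expected at least {expected['MinimumPasswordLength']}")

    # A threshold of 0 disables lockout altogether, so it never satisfies the benchmark.
    threshold = values.get("LockoutBadCount", 0)
    record("LockoutBadCount", 0 < threshold <= expected["LockoutBadCount"],
           f"{threshold}, expected between 1 and {expected['LockoutBadCount']}")

    # Duration and reset counter only have meaning once a threshold is set.
    for key in ("LockoutDuration", "ResetLockoutCount"):
        if threshold == 0:
            findings.append((key, "SKIP", "not evaluated: lockout threshold is 0"))
            continue
        actual = values.get(key)
        record(key, actual is not None and actual >= expected[key],
               f"{actual}, expected at least {expected[key]} minutes")

    admin = values.get("AllowAdministratorLockout")
    record("AllowAdministratorLockout", admin == expected["AllowAdministratorLockout"],
           "missing from export" if admin is None else f"{admin}, expected 1")
    return findings


def failing_settings(findings: List[Finding]) -> List[str]:
    """Names of settings that FAIL, in order of first appearance."""
    seen: List[str] = []
    for key, status, _ in findings:
        if status == "FAIL" and key not in seen:
            seen.append(key)
    return seen


if __name__ == "__main__":
    for key, status, detail in evaluate(parse_system_access(SAMPLE_INF)):
        print(f"{status:4} {key}: {detail}")
```

Run against a real machine by exporting the policy first (`secedit /export /cfg policy.inf` in an elevated prompt) and then calling `load_export("policy.inf")`; the AllowAdministratorLockout key is only present on builds that carry the newer lockout policy, so its absence is reported rather than assumed to be Enabled.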
2 Local Policies
Audit Policy
User Rights Assignment
Users' stored credentials might be compromised if this user right is assigned to other entities. Anyone with this user right can take complete control of the computer and erase evidence of their activities. Note: A member server that has the Web Server (IIS) role with the Web Server role service requires a special exception to this recommendation, to allow IIS application pools to be assigned this user right.
Users who attempt to log on through Terminal Services / Remote Desktop Services or IIS also require this user right. Assign this user right to the Backup Operators group if your organization requires that they have this capability. Any account with the Allow log on locally user right can log on at the console of the computer.
Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. This user right is effective only when an application (such as NTBACKUP) attempts to access a file or folder through the NTFS file system backup application programming interface (API). For example, if you assign this user right to the IWAM_<ComputerName> account, the MSM Management Point will fail.
This user right supersedes the Log on as a service user right if an account is subject to both policies. However, this user right must be explicitly assigned to the ASPNET account on computers that run IIS 6.0. Accounts that have this user right will be unable to connect to the computer through Remote Desktop Services or Remote Assistance.
Note #2: A member server that has the Web Server (IIS) role with the Web Server role service requires a special exception to this recommendation, to allow the IIS application pool to be granted this user right. However, if you installed the Web Server (IIS) role with the Web Services role service, you must allow the IIS application pool(s) to be granted this user right. Requiring this user right for this kind of impersonation prevents an unauthorized user from performing it.
Note #2: A member server that has the Web Server (IIS) role with the Web Server role service requires a special exception to this recommendation, to allow IIS application pools to be assigned this user right. However, if you have installed the Web Server (IIS) role with the Web Services role service, you must allow the IIS application pool(s) to be assigned this user right.
Security Options
- Accounts
- Audit
- DCOM
- Devices
- Domain controller
- Domain member
- Interactive logon
- Microsoft network client
This policy setting determines whether local accounts that are not password protected can be used to log in from locations other than the physical computer console. If you enable this policy setting, local accounts with empty passwords will not be able to log on to the network from remote client computers. This policy setting determines whether the system will shut down if it cannot log security events.
This policy setting determines whether members of the Server Operators group are allowed to submit jobs through the AT program. This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signatures. Note #2: This policy setting has no effect on LDAP simple bind (ldap_simple_bind) or LDAP simple bind over SSL (ldap_simple_bind_s).
This policy setting determines whether all secure channel traffic initiated by the domain member should be signed or encrypted. This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic it initiates. This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic it initiates should be digitally signed.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible). The domain member will require digital signing of all secure channel traffic. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key. A secure channel will not be established unless 128-bit encryption can be performed. This policy setting determines whether the account name of the last user who logged on to the client computers in your organization will be displayed on each computer's Windows logon screen.
This policy setting determines whether users must press CTRL+ALT+DEL before logging in. This policy setting specifies the text displayed in the title bar of the window that users see when they log on to the system. This policy setting determines whether a user can log on to a Windows domain using cached account information.
This policy setting determines the number of unique users for whom logon information is cached locally. This policy setting determines how far in advance users are warned that their password will expire.