Monday, August 4, 2014

Windows 2008R2 Server Hardening Checklist

The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.

How to use the checklist

Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.

How to read the checklist

Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
Check (√) - For administrators to check off when they complete this portion.
To Do - Basic instructions on what to do to harden the respective system.
CIS - Reference number in the Center for Internet Security Windows Server 2008 Benchmark. The CIS document outlines in much greater detail how to complete each step.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category-I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data, all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.

Server Information

MAC Address
IP Address
Machine Name
Asset Tag
Administrator Name
Date
Step | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std
---- | ----- | --- | ------- | ----- | ---------- | -------
Preparation and Installation
1 | If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | | § | ! | | 5.1
2 | Consider using the Security Configuration Wizard to assist in hardening the host. | | § | | |
Service Packs and Hotfixes
3 | Install the latest service packs and hotfixes from Microsoft. | | § | ! | ! | 5.2
4 | Enable automatic notification of patch availability. | 1.6.1 | § | ! | ! | 5.3
Auditing and Account Policies
5 | Configure Audit policy as described. | 1.2 | | ! | | 6.1
6 | Set minimum password length. | 1.1.4 | § | ! | |
7 | Enable Password Complexity. | 1.1.5 | § | ! | |
8 | Configure Event Log settings. | 1.4 | § | ! | | 6.1
Security Settings
9 | Disable anonymous SID/Name translation. (Default) | 1.9.6 | | ! | |
10 | Do not allow Anonymous Enumeration of SAM accounts. (Default) | 1.9.37 | | ! | | 5.5
11 | Do not allow Anonymous Enumeration of SAM accounts and shares. | 1.9.38 | | ! | | 5.5
12 | Disable the Guest account. (Default) | 1.9.5 | | ! | | 5.12
13 | Digitally Encrypt or Sign Secure Channel Data (Always). (Default) | 1.9.12 | | | | 5.6
14 | Digitally Encrypt Secure Channel Data (When Possible). (Default) | 1.9.13 | | ! | | 5.6
15 | Digitally Sign Secure Channel Data (When Possible). (Default) | 1.9.14 | | ! | | 5.6
16 | Place the University warning banner in the Message Text for Users Attempting to Log On. | 1.9.27-28 | § | ! | | 5.10
17 | Disable the sending of unencrypted passwords to connect to third-party SMB servers. (Default) | 1.9.32 | | ! | | 5.6
18 | Do not allow Everyone permissions to apply to anonymous users. (Default) | 1.9.40 | | ! | | 5.12
19 | Do not allow any named pipes to be accessed anonymously. | 1.9.41 | | ! | | 5.12
20 | Restrict anonymous access to Named Pipes and Shares. | 1.9.43 | | ! | | 5.12
21 | Ensure that no shares can be accessed anonymously. | 1.9.44 | | ! | | 5.12
22 | Choose "Classic" as the sharing and security model for local accounts. (Default) | 1.9.45 | | ! | | 5.12
23 | Do not store LAN Manager hash values. | 1.9.46 | | ! | | 5.13
24 | Set LAN Manager Authentication level to NTLMv2 only. | 1.9.47 | | ! | | 5.13
Additional Security Protection
25 | Disable or uninstall unused services. | | | ! | | 5.4
26 | Disable or delete unused users. | | | ! | | 5.4
27 | Configure User Rights to be as secure as possible. | 1.81 | § | ! | |
28 | Ensure all volumes are using the NTFS file system. | | § | ! | |
29 | Use the Internet Connection Firewall or other methods to limit connections to the server. | 1.5 | § | ! | | 5.5
30 | Configure file system permissions. | | § | ! | |
31 | Configure registry permissions. | | § | ! | |
Additional Steps
32 | Set the system date/time and configure it to synchronize against campus time servers. | | § | ! | |
33 | Install and enable anti-virus software. | | § | ! | ! | 3.1
34 | Install and enable anti-spyware software. | | § | ! | | 3.2
35 | Configure anti-virus software to update daily. | | § | ! | | 3.3
36 | Configure anti-spyware software to update daily. | | § | ! | | 3.3
37 | Configure a screen saver to lock the console's screen automatically if the host is left unattended. | | § | | |
38 | If the machine is not physically secured against unauthorized tampering, set a BIOS/firmware password to prevent alterations in system startup settings. | | | ! | | 4.1
39 | Configure the device boot order to prevent unauthorized booting from alternate media. | | | ! | | 4.1
40 | Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | | § | ! | | 5.7
41 | Install software to check the integrity of critical operating system files. | | § | ! | | 5.8
42 | If RDP is utilized, set the RDP connection encryption level to High. | | § | ! | | 5.6

Original Post:
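The Security Settings rows (steps 9 to 24) and step 42 are all single values in the local security policy or the registry, so they can be verified without touching anything. The script below is an added example, not part of the UT Austin checklist or the CIS benchmark: a read-only compliance report for those steps on the local host. The registry paths are the standard locations behind these Security Options; the mapping of each check to a step number and the minimum password length of 8 are our own annotations (the checklist itself states no number). It is written for PowerShell 2.0, the version shipped with 2008 R2, and should be run from an elevated prompt.

```powershell
# Added example, not part of the UT Austin checklist or the CIS benchmark: a read-only
# audit of the Security Settings rows (steps 9-24) plus step 42 on the local host.
# Registry paths are the standard locations behind these Security Options; the
# mapping to step numbers and the minimum password length are our own annotations.
# Written for PowerShell 2.0 (the version shipped with 2008 R2); run elevated.

$MinPasswordLength = 8   # assumption: the checklist does not state a number

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$rdp      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$results = @()
function Add-Result($Step, $Name, $Expected, $Actual, $Pass) {
    $script:results += New-Object PSObject -Property @{
        Step = $Step; Check = $Name; Expected = $Expected; Actual = $Actual
        Status = $(if ($Pass) { 'PASS' } else { 'FAIL' })
    }
}

# Reads one registry value; a missing value is reported as FAIL rather than
# assuming the OS default is still in place.
function Test-RegValue($Step, $Name, $Path, $Value, $Expect) {
    $item   = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    $actual = if ($item -ne $null) { $item.$Value } else { '<not set>' }
    Add-Result $Step $Name $Expect $actual ($actual -eq $Expect)
}

# NullSessionPipes / NullSessionShares are REG_MULTI_SZ; compliant means empty.
function Test-EmptyMultiString($Step, $Name, $Path, $Value) {
    $item  = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    $names = @()
    if ($item -ne $null) { $names = @($item.$Value | Where-Object { $_ -ne '' }) }
    Add-Result $Step $Name '<empty>' ($names -join ',') ($names.Count -eq 0)
}

Test-RegValue 10 'Anonymous SAM enumeration blocked'        $lsa      'RestrictAnonymousSAM'      1
Test-RegValue 11 'Anonymous SAM+share enumeration blocked'  $lsa      'RestrictAnonymous'         1
Test-RegValue 13 'Secure channel: sign or seal (always)'    $netlogon 'RequireSignOrSeal'         1
Test-RegValue 14 'Secure channel: seal when possible'       $netlogon 'SealSecureChannel'         1
Test-RegValue 15 'Secure channel: sign when possible'       $netlogon 'SignSecureChannel'         1
Test-RegValue 17 'No plaintext password to SMB servers'     $wks      'EnablePlainTextPassword'   0
Test-RegValue 18 'Everyone excludes anonymous'              $lsa      'EveryoneIncludesAnonymous' 0
Test-EmptyMultiString 19 'No anonymously accessible pipes'  $srv      'NullSessionPipes'
Test-RegValue 20 'Null session access restricted'           $srv      'RestrictNullSessAccess'    1
Test-EmptyMultiString 21 'No anonymously accessible shares' $srv      'NullSessionShares'
Test-RegValue 22 'Classic sharing model (ForceGuest=0)'     $lsa      'ForceGuest'                0
Test-RegValue 23 'LM hashes not stored'                     $lsa      'NoLMHash'                  1
Test-RegValue 24 'NTLMv2 only (LmCompatibilityLevel 5)'     $lsa      'LmCompatibilityLevel'      5
Test-RegValue 42 'RDP encryption level High'                $rdp      'MinEncryptionLevel'        3

# Step 12: the built-in Guest account keeps RID 501 even if it has been renamed.
$guest = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=TRUE' |
    Where-Object { $_.SID -like 'S-1-5-*-501' }
Add-Result 12 'Guest account disabled' $true $guest.Disabled ($guest.Disabled -eq $true)

# Steps 6, 7 and 9 live in the local security policy rather than the registry:
# export it with secedit and read the [System Access] keys from the INF file.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
$pol = @{}
Get-Content $inf | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $pol[$matches[1]] = $matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$len = [int]$pol['MinimumPasswordLength']
Add-Result 6 "Minimum password length >= $MinPasswordLength" $MinPasswordLength $len ($len -ge $MinPasswordLength)
Add-Result 7 'Password complexity enabled' 1 $pol['PasswordComplexity'] ($pol['PasswordComplexity'] -eq '1')
Add-Result 9 'Anonymous SID/Name translation disabled' 0 $pol['LSAAnonymousNameLookup'] ($pol['LSAAnonymousNameLookup'] -eq '0')

$results | Sort-Object Step | Format-Table Step, Status, Check, Expected, Actual -AutoSize
```

Two design choices matter for an assessment rather than a quick look: a value that is absent from the registry is reported as FAIL even where the checklist marks the step "(Default)", because a server rebuilt from an image or touched by a later Group Policy may not be at the default any more; and the Guest account is located by its RID rather than its name, so renaming it does not hide it from the check. Keep the exported INF out of the report, since the secedit export also contains the full user-rights assignments for the host.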
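Steps 5, 8, 28 and 29 are not single registry values, so they need a different approach: WMI for the volumes and event logs, and the text output of auditpol and netsh for the audit policy and firewall. The script below is an added example, not part of the UT Austin checklist or the CIS benchmark. The 64 MB log size is an assumed threshold for illustration (substitute the figure from CIS section 1.4 for your category), and because the checklist says only to configure audit policy "as described", the audit check lists subcategories with no auditing for a reviewer to compare against the chosen policy rather than judging them. PowerShell 2.0, run elevated.

```powershell
# Added example, not part of the UT Austin checklist or the CIS benchmark: checks
# for steps 5, 8, 28 and 29, which are not single registry values. The log size
# threshold is an assumption; the audit policy function only lists subcategories
# with no auditing so a reviewer can compare them against the policy for step 5.
# PowerShell 2.0, run elevated.

$MinLogSizeMB = 64   # assumption: substitute the figure from CIS 1.4 for your category

# Step 28: every fixed disk (DriveType 3) should report NTFS.
function Get-NonNtfsVolumes {
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $_.FileSystem -ne 'NTFS' } |
        ForEach-Object { "$($_.DeviceID) is $($_.FileSystem)" }
}

# Step 8: Win32_NTEventlogFile exposes MaxFileSize (bytes) and OverwritePolicy
# for the classic Application, Security and System logs.
function Get-SmallEventLogs {
    $classic = 'Application', 'Security', 'System'
    Get-WmiObject Win32_NTEventlogFile |
        Where-Object { $classic -contains $_.LogfileName -and $_.MaxFileSize -lt ($MinLogSizeMB * 1MB) } |
        ForEach-Object { "$($_.LogfileName): $([int]($_.MaxFileSize / 1MB)) MB, $($_.OverwritePolicy)" }
}

# Step 29: parse 'netsh advfirewall show allprofiles state' and report any
# profile whose state is not ON.
function Get-FirewallProfilesOff {
    $fwProfile = ''
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings') { $fwProfile = $matches[1] }
        elseif ($line -match '^State\s+(\w+)' -and $matches[1] -ne 'ON') {
            "$fwProfile profile firewall is $($matches[1])"
        }
    }
}

# Step 5: list audit subcategories currently set to 'No Auditing' (indented by
# two spaces in auditpol output) for comparison with the required policy.
function Get-UnauditedSubcategories {
    foreach ($line in (auditpol /get /category:*)) {
        if ($line -match '^\s{2}(\S.*?)\s{2,}No Auditing\s*$') { $matches[1] }
    }
}

$sections = @(
    @{ Title = 'Step 28 - non-NTFS volumes';               Items = @(Get-NonNtfsVolumes) },
    @{ Title = "Step 8 - logs under $MinLogSizeMB MB";     Items = @(Get-SmallEventLogs) },
    @{ Title = 'Step 29 - firewall profiles not ON';       Items = @(Get-FirewallProfilesOff) },
    @{ Title = 'Step 5 - subcategories with no auditing';  Items = @(Get-UnauditedSubcategories) }
)
foreach ($s in $sections) {
    $status = if ($s.Items.Count -eq 0) { 'OK' } else { 'REVIEW' }
    Write-Output "[$status] $($s.Title)"
    $s.Items | ForEach-Object { Write-Output "    $_" }
}
```

The netsh and auditpol parsers depend on the English output of those tools; on a localized build the regular expressions need the translated labels. A section reporting REVIEW is not necessarily a failure (a FAT32 recovery volume or a deliberately unaudited subcategory may be acceptable), which is why the output is written for the person filling in the Check column rather than as a pass/fail verdict.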