
MSS Windows Server Standards

Article Number : KB0016231
Published on : 2019-09-30
Last modified : 2019-09-30 21:00:51
Knowledge Base : ESM External

Overview

An outline of the configuration standards applied to all MSS-managed Windows servers through SCCM Operating System Deployment (OSD) and Active Directory Group Policy (GPO). Together they implement the ISO minimum security standards (cited below by section number as "Min Std") and the MSS operational requirements.

Details

Each row below states What is configured, How it is applied (OSD: the SCCM Operating System Deployment task sequence; GPO: Active Directory Group Policy; SCCM: Configuration Manager client policy) and Why (the ISO minimum security standard section it satisfies, cited as "Min Std", or an MSS Operational or Security requirement). "(Default)" marks a setting whose required value matches the Windows default.

Preparation and Installation

What | How | Why
--- | --- | ---
If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | OSD | Min Std, 4.5.1
Join to domain. | OSD | Operational
Convert DHCP to static IP addressing. | OSD | Operational
Import/apply Start layout and default theme. | OSD | Operational
Install the System Center Configuration Manager client. | OSD | Operational
Install the Local Administrator Password Solution (LAPS) client-side extension. | OSD | Operational
Install/configure the Splunk Universal Forwarder. | OSD | Operational, Min Std, 4.6.3
Install/configure OpenManage (hardware only). | OSD | Operational
Install VMware Tools (virtual servers only). | OSD | Operational
Apply Group Policies. | GPO | Operational and Security
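The first three build steps above, as an added PowerShell example. This is not MSS's OSD task sequence or any script the KB describes: it locks the host down so nothing is reachable from the network until hardening is finished, converts the DHCP lease the host already holds into a static address, and performs the domain join. The domain name, OU path, credential and interface selection are assumptions.

```powershell
# Added example, not MSS's OSD task sequence. Domain, OU, credential and interface are assumptions.

function Protect-BuildHost {
    # Block every inbound connection in all profiles until the host is hardened.
    # -AllowInboundRules False also ignores existing allow rules, so nothing listens to
    # the network during the build. GPO replaces this once the host is domain-joined.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -AllowInboundRules False
}

function Convert-DhcpToStaticIP {
    param([Parameter(Mandatory)][int]$InterfaceIndex)

    # Capture the lease the host currently holds so the address survives conversion.
    $lease = Get-NetIPAddress -InterfaceIndex $InterfaceIndex -AddressFamily IPv4 |
             Where-Object PrefixOrigin -eq 'Dhcp' | Select-Object -First 1
    if (-not $lease) { throw "Interface $InterfaceIndex has no DHCP-assigned IPv4 address" }
    $gateway = (Get-NetRoute -InterfaceIndex $InterfaceIndex -AddressFamily IPv4 `
                    -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                Select-Object -First 1).NextHop
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $InterfaceIndex -AddressFamily IPv4).ServerAddresses

    # Turning DHCP off discards the leased address and route; re-create them statically.
    Set-NetIPInterface -InterfaceIndex $InterfaceIndex -Dhcp Disabled
    Remove-NetIPAddress -InterfaceIndex $InterfaceIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceIndex $InterfaceIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    $new = @{ InterfaceIndex = $InterfaceIndex; IPAddress = $lease.IPAddress; PrefixLength = $lease.PrefixLength }
    if ($gateway) { $new.DefaultGateway = $gateway }
    New-NetIPAddress @new | Out-Null
    Set-DnsClientServerAddress -InterfaceIndex $InterfaceIndex -ServerAddresses $dns

    return [pscustomobject]@{ IPAddress = $lease.IPAddress; PrefixLength = $lease.PrefixLength; Gateway = $gateway; Dns = $dns }
}

function Join-MssDomain {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$OUPath,           # e.g. 'OU=Servers,DC=example,DC=edu' (assumed)
        [Parameter(Mandatory)][pscredential]$Credential   # account allowed to join computers to that OU
    )
    # The GPOs linked to the OU apply at the first boot after the join, so the production
    # firewall and security settings replace the build-time lockdown automatically.
    Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $Credential -Force -Restart
}

# Order for a task sequence step (all values are placeholders):
# Protect-BuildHost
# $nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
# Convert-DhcpToStaticIP -InterfaceIndex $nic.ifIndex
# Join-MssDomain -DomainName 'example.edu' -OUPath 'OU=Servers,DC=example,DC=edu' -Credential (Get-Credential)
```

The conversion is done before the join because Add-Computer reboots the host; capturing the lease first means the address registered in DNS at join time is the one the server keeps.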

Service Packs and Hotfixes

What | How | Why
--- | --- | ---
Install the latest service packs and hotfixes from Microsoft. | OSD | Min Std, 4.5.2
Enable automatic notification of patch availability. | GPO | Min Std, 4.5.3

User Account Policies

What | How | Why
--- | --- | ---
Set minimum password length. | GPO | Security
Enable password complexity requirements. | GPO | Security
Do not store passwords using reversible encryption. (Default) | GPO | Security
Configure account lockout policy. | GPO | Security

User Rights Assignment

What | How | Why
--- | --- | ---
Do not grant any user the "Act as part of the operating system" right. (Default) | GPO | Security
Deny guest accounts the ability to log on as a service, as a batch job, locally, or via RDP. | GPO | Security

Security Settings

What | How | Why
--- | --- | ---
Place the University warning banner in the message text for users attempting to log on. | GPO | Min Std, 4.5.10
Disallow users from creating and logging in with Microsoft accounts. | GPO | Security
Disable the guest account. (Default) | GPO | Security
Require Ctrl+Alt+Del for interactive logons. (Default) | GPO | Security
Configure the machine inactivity limit to protect idle interactive sessions. | GPO | Security
Configure Microsoft network client to always digitally sign communications. | GPO | Security
Configure Microsoft network client to digitally sign communications if the server agrees. (Default) | GPO | Security
Disable the sending of unencrypted passwords to third-party SMB servers. | GPO | Min Std, 4.5.6
Configure Microsoft network server to always digitally sign communications. | GPO | Security
Configure Microsoft network server to digitally sign communications if the client agrees. | GPO | Security

Network Access Controls

What | How | Why
--- | --- | ---
Disable anonymous SID/Name translation. (Default) | GPO | Security
Do not allow anonymous enumeration of SAM accounts. (Default) | GPO | Min Std, 4.5.5
Do not allow anonymous enumeration of SAM accounts and shares. | GPO | Min Std, 4.5.5
Do not let Everyone permissions apply to anonymous users. (Default) | GPO | Min Std, 4.5.12
Do not allow any named pipes to be accessed anonymously. | GPO | Min Std, 4.5.12
Restrict anonymous access to named pipes and shares. (Default) | GPO | Min Std, 4.5.12
Do not allow any shares to be accessed anonymously. | GPO | Security
Require the "Classic" sharing and security model for local accounts. (Default) | GPO | Min Std, 4.5.12

Network Security Settings

What | How | Why
--- | --- | ---
Do not store the LAN Manager hash value on the next password change. | GPO | Min Std, 4.5.13
Set the LAN Manager authentication level to send NTLMv2 responses only and refuse LM and NTLM. | GPO | Min Std, 4.5.13
Enable the Windows Firewall in all profiles (domain, private, public). (Default) | GPO | Min Std, 4.5.5
Configure the Windows Firewall in all profiles to block inbound traffic by default. (Default) | GPO | Security

Active Directory Domain Member Security Settings

What | How | Why
--- | --- | ---
Digitally encrypt or sign secure channel data (always). (Default) | GPO | Min Std, 4.5.6
Digitally encrypt secure channel data (when possible). (Default) | GPO | Min Std, 4.5.6
Digitally sign secure channel data (when possible). (Default) | GPO | Min Std, 4.5.6
Require strong (Windows 2000 or later) session keys. | GPO | Security

Audit Policy Settings

What | How | Why
--- | --- | ---
Configure Account Logon audit policy. | GPO | Min Std, 4.6.4
Configure Account Management audit policy. | GPO | Security
Configure Logon/Logoff audit policy. | GPO | Security
Configure Policy Change audit policy. | GPO | Security
Configure Privilege Use audit policy. | GPO | Security

Event Log Settings

What | How | Why
--- | --- | ---
Configure Event Log retention method and size. | GPO | Min Std, 4.6.1
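The audit-policy and event-log rows above can be verified from the effective state of a host rather than from the GPO. The following is an added PowerShell example, not MSS tooling and not a script the KB describes: it parses the text that `auditpol /get /category:*` prints (a constructed sample is embedded so the parser can be exercised offline), checks that the subcategories a practitioner would expect under each listed category are audited, and then checks the size and retention mode of the Security, System and Application logs. The subcategory expectations and the size thresholds are assumptions, since the KB names only categories.

```powershell
# Added example, not MSS tooling. Subcategory expectations and log-size thresholds are assumptions.

function ConvertFrom-AuditpolText {
    param([Parameter(Mandatory)][string[]]$Lines)
    # auditpol prints an unindented category line followed by indented subcategory lines
    # that end with the setting. Returns one object per subcategory.
    $category = $null
    foreach ($line in $Lines) {
        if ($line -match '^\S') {
            if ($line -notmatch '^(System audit policy|Category/Subcategory)') { $category = $line.Trim() }
            continue
        }
        if ($line -match '^\s+(.+?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            [pscustomobject]@{ Category = $category; Subcategory = $Matches[1]; Setting = $Matches[2] }
        }
    }
}

# Assumed minimum per KB category: the subcategories that produce the events an analyst needs.
$MssRequiredAudits = @(
    @{ Category = 'Account Logon';      Subcategory = 'Credential Validation';        Need = 'Success and Failure' }
    @{ Category = 'Account Management'; Subcategory = 'User Account Management';      Need = 'Success and Failure' }
    @{ Category = 'Account Management'; Subcategory = 'Security Group Management';    Need = 'Success and Failure' }
    @{ Category = 'Logon/Logoff';       Subcategory = 'Logon';                        Need = 'Success and Failure' }
    @{ Category = 'Logon/Logoff';       Subcategory = 'Logoff';                       Need = 'Success' }
    @{ Category = 'Logon/Logoff';       Subcategory = 'Account Lockout';              Need = 'Success and Failure' }
    @{ Category = 'Policy Change';      Subcategory = 'Audit Policy Change';          Need = 'Success and Failure' }
    @{ Category = 'Policy Change';      Subcategory = 'Authentication Policy Change'; Need = 'Success' }
    @{ Category = 'Privilege Use';      Subcategory = 'Sensitive Privilege Use';      Need = 'Success and Failure' }
)

function Test-MssAuditPolicy {
    param([Parameter(Mandatory)][string[]]$AuditpolLines)
    $effective = ConvertFrom-AuditpolText $AuditpolLines
    foreach ($r in $MssRequiredAudits) {
        $e = $effective | Where-Object { $_.Category -eq $r.Category -and $_.Subcategory -eq $r.Subcategory } |
             Select-Object -First 1
        $have = if ($e) { $e.Setting } else { 'Not found' }
        # 'Success and Failure' satisfies a requirement for either half alone.
        $ok = $e -and ((($r.Need -split ' and ') | ForEach-Object { $have -match $_ }) -notcontains $false)
        [pscustomobject]@{ Category = $r.Category; Subcategory = $r.Subcategory; Required = $r.Need; Actual = $have; Pass = [bool]$ok }
    }
}

function Test-MssEventLogs {
    param([long]$SecurityMinBytes = 192MB, [long]$OtherMinBytes = 32MB)   # assumed minimums
    Get-WinEvent -ListLog Security, System, Application | ForEach-Object {
        $min = if ($_.LogName -eq 'Security') { $SecurityMinBytes } else { $OtherMinBytes }
        [pscustomobject]@{ Log = $_.LogName; MaxMB = [int]($_.MaximumSizeInBytes / 1MB); Retention = $_.LogMode
                           Pass = ($_.MaximumSizeInBytes -ge $min) }
    }
}

# Constructed sample of 'auditpol /get /category:*' output (not captured from a real host).
$SampleAuditpol = @'
System audit policy
Category/Subcategory                      Setting
Account Logon
  Credential Validation                   Success and Failure
  Kerberos Service Ticket Operations      No Auditing
Account Management
  User Account Management                 Success and Failure
  Security Group Management               Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success and Failure
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success
Privilege Use
  Sensitive Privilege Use                 Success and Failure
  Non Sensitive Privilege Use             No Auditing
'@ -split "`r?`n"

# Offline: every row of the sample passes.   Live (elevated): pass auditpol's real output.
Test-MssAuditPolicy -AuditpolLines $SampleAuditpol | Format-Table -AutoSize
# Test-MssAuditPolicy -AuditpolLines (auditpol /get /category:*) | Where-Object { -not $_.Pass }
# Test-MssEventLogs | Format-Table -AutoSize
```

Reading `auditpol` rather than the GPO matters because advanced audit policy subcategories silently override the legacy category settings when both are configured; the effective table is what the host actually logs.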

Additional Security Protection

What | How | Why
--- | --- | ---
Disable or delete unused users. | GPO | Min Std, 4.5.4
Configure user rights to be as secure as possible. | GPO | User rights are configured to the minimum standards; further restriction is left to administrator discretion.
Ensure all volumes are using the NTFS file system. | OSD | Security
Configure file system permissions. | OSD | File system permissions are left at vendor defaults to ensure basic functionality; any further restriction is left to administrator discretion.
Configure registry permissions. | OSD | Registry permissions are left at vendor defaults to ensure basic functionality; any further restriction is left to administrator discretion.
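Two of the rows above, unused local accounts and non-NTFS volumes, are simple to check on a running host. Added PowerShell example, not MSS tooling; the 90-day inactivity window is an assumption, and the built-in Administrator is skipped because the LAPS client-side extension installed during OSD manages it.

```powershell
# Added example, not MSS tooling. The inactivity window is an assumption.

function Get-MssStaleLocalUser {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # Enabled local accounts that have never logged on, or not within the window.
    # The built-in Administrator (RID 500) is managed by LAPS and is excluded.
    Get-LocalUser | Where-Object {
        $_.Enabled -and $_.SID.Value -notlike 'S-1-5-21-*-500' -and
        (-not $_.LastLogon -or $_.LastLogon -lt $cutoff)
    } | Select-Object Name, LastLogon, PasswordLastSet, @{ n = 'Action'; e = { 'Disable or delete' } }
}

function Get-MssNonNtfsVolume {
    # Fixed volumes with a drive letter must be NTFS. The EFI system partition has no
    # letter and is legitimately FAT32, so it is not reported.
    Get-Volume | Where-Object {
        $_.DriveType -eq 'Fixed' -and ([string]$_.DriveLetter -match '^[A-Z]$') -and $_.FileSystem -ne 'NTFS'
    } | Select-Object DriveLetter, FileSystemLabel, FileSystem, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
}

# Review, then remediate, e.g.:
# Get-MssStaleLocalUser | ForEach-Object { Disable-LocalUser -Name $_.Name }
# Get-MssNonNtfsVolume
```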

Additional Steps

What | How | Why
--- | --- | ---
Install and enable Endpoint Protection anti-virus software. | OSD | Min Std, 4.3.1
Configure Endpoint Protection anti-virus software to update daily. | SCCM | Min Std, 4.3.3
Install software to check the integrity of critical operating system files. | OSD | Min Std, 4.5.8
If RDP is utilized, set the RDP connection encryption level to High. | GPO | Security

Physical Security

What | How | Why
--- | --- | ---
Disable automatic administrative logon to the recovery console. | GPO | Security
Do not allow the system to be shut down without having to log on. (Default) | GPO | Security
Configure a screen saver to lock the console automatically if the host is left unattended. | GPO | Security

User Rights Assignment

What | How | Why
--- | --- | ---
Restrict the ability to access this computer from the network to Administrators and Authenticated Users. | GPO | Security
Restrict local logon access to Administrators. | GPO | Security
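The User Account Policies rows and the rows of both User Rights Assignment sections are all stored in the local security policy, so one check covers them. The following is an added PowerShell example, not MSS's GPO and not a tool the KB describes: it exports the effective policy with `secedit`, parses the INF it writes, and compares the account-policy values and user-rights SIDs against what this standard calls for. The numeric thresholds (14 characters, 10 failed attempts) and the embedded sample INF are assumptions; the KB itself sets no numbers.

```powershell
# Added example, not MSS tooling. Thresholds and the sample INF below are assumptions.

function ConvertFrom-SeceditInf {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Turn secedit's INF text into @{ Section = @{ Key = Value } }.
    $policy = @{}; $section = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
        if ($section -and $t -match '^([^=]+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2] }
    }
    return $policy
}

function Get-LocalSecurityPolicy {
    # Export only the areas this check needs (needs elevation); secedit writes a Unicode INF.
    $inf = Join-Path $env:TEMP 'mss-secpol.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
    try { ConvertFrom-SeceditInf (Get-Content $inf) } finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

function Test-MssAccountPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $sa = $Policy['System Access']; $pr = $Policy['Privilege Rights']
    $admins = '*S-1-5-32-544'; $authUsers = '*S-1-5-11'; $guests = '*S-1-5-32-546'   # well-known SIDs
    # secedit lists rights as comma-separated SIDs; a right nobody holds is absent or empty.
    $sids = { param($v) @(($v -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }
    $only = { param($v, [string[]]$want) ((& $sids $v | Sort-Object) -join ',') -eq (($want | Sort-Object) -join ',') }
    $has  = { param($v, $sid) (& $sids $v) -contains $sid }

    @(
        @{ Row = 'Minimum password length (assumed 14)';        Pass = ([int]$sa['MinimumPasswordLength'] -ge 14) }
        @{ Row = 'Password complexity enabled';                 Pass = ($sa['PasswordComplexity'] -eq '1') }
        @{ Row = 'No reversible encryption';                    Pass = ($sa['ClearTextPassword'] -eq '0') }
        @{ Row = 'Account lockout configured (assumed <= 10)';  Pass = ([int]$sa['LockoutBadCount'] -in 1..10) }
        @{ Row = 'Anonymous SID/Name translation disabled';     Pass = ($sa['LSAAnonymousNameLookup'] -eq '0') }
        @{ Row = 'Nobody holds Act as part of the OS';          Pass = ((& $sids $pr['SeTcbPrivilege']).Count -eq 0) }
        @{ Row = 'Guests denied service logon';                 Pass = (& $has $pr['SeDenyServiceLogonRight'] $guests) }
        @{ Row = 'Guests denied batch logon';                   Pass = (& $has $pr['SeDenyBatchLogonRight'] $guests) }
        @{ Row = 'Guests denied local logon';                   Pass = (& $has $pr['SeDenyInteractiveLogonRight'] $guests) }
        @{ Row = 'Guests denied RDP logon';                     Pass = (& $has $pr['SeDenyRemoteInteractiveLogonRight'] $guests) }
        @{ Row = 'Network access: Administrators and Authenticated Users only'; Pass = (& $only $pr['SeNetworkLogonRight'] @($admins, $authUsers)) }
        @{ Row = 'Local logon: Administrators only';            Pass = (& $only $pr['SeInteractiveLogonRight'] @($admins)) }
    ) | ForEach-Object { [pscustomobject]$_ }
}

# Constructed sample of a secedit export (not from a real host) to exercise the parser offline.
$SampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 10
LSAAnonymousNameLookup = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyServiceLogonRight = *S-1-5-32-546
SeDenyBatchLogonRight = *S-1-5-32-546
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

# Offline: every row of the sample passes.   Live (elevated): compare the real export.
Test-MssAccountPolicy -Policy (ConvertFrom-SeceditInf $SampleInf) | Format-Table -AutoSize
# Test-MssAccountPolicy -Policy (Get-LocalSecurityPolicy) | Where-Object { -not $_.Pass }
```

Comparing SIDs rather than names keeps the check locale-independent, and checking `SeNetworkLogonRight` for exact set equality (not just membership) is what catches an added group that quietly widens network access.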

Network Security Settings

What | How | Why
--- | --- | ---
Allow Local System to use the computer identity for NTLM. | GPO | Security
Disable Local System NULL session fallback. | GPO | Security
Configure the encryption types allowed for Kerberos. | GPO | Security

Active Directory Domain Member Security Settings

What | How | Why
--- | --- | ---
Configure the number of previous logons to cache. | GPO | Security
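Most of the Security Options in the tables above (Security Settings, Network Access Controls, both Network Security Settings sections, both Active Directory Domain Member sections, the RDP row under Additional Steps and the recovery-console and shutdown rows under Physical Security) are written by GPO to well-known registry values, and the firewall rows are visible through the firewall profiles. The following added PowerShell example, not MSS tooling and not a script the KB describes, reads those values and reports drift. The registry paths are the ones the named Security Options write; the cached-logon limit of 4 is an assumption, since the KB states no number.

```powershell
# Added example, not MSS tooling. Registry paths are the values the listed Security Options write;
# the cached-logon limit (4) is an assumption, the KB does not state a number.

function Get-MssExpectedSecurityOptions {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $nlg = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $nt  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Row = the KB line being checked. Expected @() means the MULTI_SZ list must be empty.
    @(
        @{ Row = 'Network client: always sign';                   Path = $wks; Name = 'RequireSecuritySignature';  Expected = 1 }
        @{ Row = 'Network client: sign if server agrees';         Path = $wks; Name = 'EnableSecuritySignature';   Expected = 1 }
        @{ Row = 'No unencrypted passwords to third-party SMB';   Path = $wks; Name = 'EnablePlainTextPassword';   Expected = 0 }
        @{ Row = 'Network server: always sign';                   Path = $srv; Name = 'RequireSecuritySignature';  Expected = 1 }
        @{ Row = 'Network server: sign if client agrees';         Path = $srv; Name = 'EnableSecuritySignature';   Expected = 1 }
        @{ Row = 'No anonymous enumeration of SAM accounts';      Path = $lsa; Name = 'RestrictAnonymousSAM';      Expected = 1 }
        @{ Row = 'No anonymous enumeration of SAM and shares';    Path = $lsa; Name = 'RestrictAnonymous';         Expected = 1 }
        @{ Row = 'Everyone permissions not applied to anonymous'; Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
        @{ Row = 'No anonymously accessible named pipes';         Path = $srv; Name = 'NullSessionPipes';          Expected = @() }
        @{ Row = 'Restrict anonymous access to pipes and shares'; Path = $srv; Name = 'RestrictNullSessAccess';    Expected = 1 }
        @{ Row = 'No anonymously accessible shares';              Path = $srv; Name = 'NullSessionShares';         Expected = @() }
        @{ Row = 'Classic sharing model for local accounts';      Path = $lsa; Name = 'ForceGuest';                Expected = 0 }
        @{ Row = 'Do not store LM hash';                          Path = $lsa; Name = 'NoLMHash';                  Expected = 1 }
        @{ Row = 'NTLMv2 only, refuse LM and NTLM';               Path = $lsa; Name = 'LmCompatibilityLevel';      Expected = 5 }
        @{ Row = 'Secure channel: sign or encrypt (always)';      Path = $nlg; Name = 'RequireSignOrSeal';         Expected = 1 }
        @{ Row = 'Secure channel: encrypt when possible';         Path = $nlg; Name = 'SealSecureChannel';         Expected = 1 }
        @{ Row = 'Secure channel: sign when possible';            Path = $nlg; Name = 'SignSecureChannel';         Expected = 1 }
        @{ Row = 'Require strong session key';                    Path = $nlg; Name = 'RequireStrongKey';          Expected = 1 }
        @{ Row = 'Local System uses computer identity for NTLM';  Path = $lsa; Name = 'UseMachineId';              Expected = 1 }
        @{ Row = 'No Local System NULL session fallback';         Path = "$lsa\MSV1_0"; Name = 'allownullsessionfallback'; Expected = 0 }
        @{ Row = 'Block Microsoft accounts';                      Path = $lsa; Name = 'NoConnectedUser';           Expected = 3 }
        @{ Row = 'Require Ctrl+Alt+Del';                          Path = $sys; Name = 'DisableCAD';                Expected = 0 }
        @{ Row = 'No shutdown without logon';                     Path = $sys; Name = 'ShutdownWithoutLogon';      Expected = 0 }
        @{ Row = 'No automatic admin logon to recovery console';  Path = "$nt\Setup\RecoveryConsole"; Name = 'SecurityLevel'; Expected = 0 }
        @{ Row = 'Cached logons (assumed limit of 4)';            Path = "$nt\Winlogon"; Name = 'CachedLogonsCount'; Expected = '4' }
        @{ Row = 'RDP encryption level High';                     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'MinEncryptionLevel'; Expected = 3 }
    )
}

function Test-MssSecurityOptions {
    # NotSet means no policy wrote the value, so the OS default applies. The KB marks which
    # rows are defaults, so NotSet is only drift on a row that is not marked (Default).
    foreach ($c in Get-MssExpectedSecurityOptions) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        $status = if ($null -eq $actual) { 'NotSet' }
                  elseif ($c.Expected -is [array]) { if (@($actual | Where-Object { $_ }).Count -eq 0) { 'Pass' } else { 'Fail' } }
                  elseif ("$actual" -eq "$($c.Expected)") { 'Pass' } else { 'Fail' }
        [pscustomobject]@{ Row = $c.Row; Value = "$($c.Path)\$($c.Name)"; Expected = ($c.Expected -join ',')
                           Actual = ($actual -join ','); Status = $status }
    }
}

function Test-MssFirewallProfiles {
    # Every profile enabled with inbound blocked by default (explicit allow rules still apply).
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{ Profile = $_.Name; Enabled = $_.Enabled; DefaultInbound = $_.DefaultInboundAction
                           Status = if ($_.Enabled -eq 'True' -and $_.DefaultInboundAction -eq 'Block') { 'Pass' } else { 'Fail' } }
    }
}

# Usage: list only drift.
# Test-MssSecurityOptions | Where-Object Status -ne 'Pass' | Format-Table -AutoSize
# Test-MssFirewallProfiles | Format-Table -AutoSize
```

The two LM rows are worth reading together: `NoLMHash` stops the weak hash being stored at the next password change, while `LmCompatibilityLevel` 5 stops the host from ever sending or accepting an LM or NTLMv1 response, so neither a stored hash nor a captured challenge-response is usable for a downgrade.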

Event Log Settings

What | How | Why
--- | --- | ---
Configure log shipping (e.g. to Splunk). | OSD | Min Std, 4.6.3
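Log shipping with the Splunk Universal Forwarder installed during OSD, as an added PowerShell example. This is not MSS's OSD package: it writes the forwarder's inputs.conf (one Windows event log input per channel) and outputs.conf (indexer group with acknowledgement), then restarts the service. The install path, indexer hosts, port and index name are assumptions.

```powershell
# Added example, not the MSS OSD package. Paths, indexer names, port and index name are assumptions.

function Install-MssSplunkForwarding {
    param(
        [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
        [string[]]$Indexers  = @('splunk-idx1.example.edu:9997', 'splunk-idx2.example.edu:9997'),
        [string]$Index       = 'wineventlog',
        [string[]]$Channels  = @('Security', 'System', 'Application')
    )
    $local = Join-Path $SplunkHome 'etc\system\local'
    New-Item -ItemType Directory -Path $local -Force | Out-Null

    # inputs.conf: one WinEventLog stanza per channel. renderXml forwards the full event,
    # including EventData fields, instead of only the localized message text.
    $inputs = foreach ($channel in $Channels) {
        "[WinEventLog://$channel]"
        'disabled = 0'
        'start_from = oldest'
        'current_only = 0'
        'checkpointInterval = 5'
        'renderXml = true'
        "index = $Index"
        ''
    }
    Set-Content -Path (Join-Path $local 'inputs.conf') -Value $inputs -Encoding ASCII

    # outputs.conf: load-balance across the indexers and require indexer acknowledgement
    # so a batch is not lost if a connection drops after it was sent.
    $outputs = @(
        '[tcpout]'
        'defaultGroup = mss_indexers'
        ''
        '[tcpout:mss_indexers]'
        "server = $($Indexers -join ',')"
        'useACK = true'
    )
    Set-Content -Path (Join-Path $local 'outputs.conf') -Value $outputs -Encoding ASCII

    Restart-Service -Name SplunkForwarder
    return @{ Inputs = Join-Path $local 'inputs.conf'; Outputs = Join-Path $local 'outputs.conf' }
}

# Install-MssSplunkForwarding
# Confirm the forwarder is connected afterwards:
# & 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe' list forward-server
```

Because the Security log is also capped locally by the retention settings above, shipping it with `start_from = oldest` on first start captures the build-time events before the log wraps.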

Infrastructure Baseline (Virtual Machine)

What | How | Why
--- | --- | ---
CPU: 2 vCPU cores | | Operational
Disk: 100 GB Tier Virtual Disk (OS) | | Operational
Memory: 8 GB RAM | | Operational

 
