U Windows 2008 R2 MS V1R14 STIG Benchmark

U_Windows_2008_R2 MS_V1R14 STIG Benchmark NNT.xml
U_Windows_2008_R2 MS_V1R14 STIG Benchmark NNT: WIN-2LR8M18J6A1
On WIN-2LR8M18J6A1 - By admin for time period 11/26/2014 3:20:57 PM to 11/26/2014 3:20:57 PM

U_Windows_2008_R2 MS_V1R14 STIG Benchmark NNT
Total score: 46.31 %
113 out of 244 rules passed
0 out of 244 rules did not pass completely
131 out of 244 rules failed

The Windows Server 2008 R2 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements were developed from DoD consensus, as well as the Windows Server 2008 R2 Security Guide and security templates published by Microsoft Corporation.

Note: This is a sample report generated using NNT Change Tracker Enterprise. Unlike other compliance scanning solutions, Change Tracker uses continuous file integrity monitoring to detect any configuration drift and report breach activity in real time.

Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Unsupported Service Packs Rules

Rule 1: Systems must be at supported service pack (SP) or release levels.
Vulnerability discussion: Systems at unsupported service packs or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. Systems must be maintained at a service pack level supported by the vendor with new security updates.
Documentable: false
Third-party tools: HK
Responsibility: System Administrator
IA controls: VIVM-1
Result: Pass. Rule passed: hkey_local_machine\software\microsoft\windows nt\currentversion\currentbuildnumber (9600).

11/26/2014 3:32:36 PM 1 U_Windows_2008_R2 MS_V1R14 STIG Benchmark NNT.xml

Display Shutdown Button Rules

Rule 2: The shutdown option will not be available from the logon dialog box.
Vulnerability discussion: Displaying the shutdown button may allow individuals to shut down a system anonymously. Only authenticated users should be allowed to shut down the system. Preventing display of this button in the logon dialog box ensures that individuals who shut down the system are authorized and tracked in the system's Security event log.
Documentable: false
Third-party tools: HK
Responsibility: System Administrator
IA controls: ECSC-1
Result: Pass. Rule passed: hkey_local_machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon (0).

NTFS Requirement Rules

Rule 3: Local volumes will be formatted using NTFS.
Vulnerability discussion: This is a category 1 finding because the ability to set access permissions and audit critical directories and files is only available by using the NTFS file system. The capability to assign access permissions to file objects is a DoD policy requirement.
Documentable: true
Responsibility: System Administrator; Information Assurance Officer
IA controls: ECCD-1, ECCD-2
Result: Pass. Rule passed: c:\ (NTFS), e:\ (NTFS).

Legal Notice Display Rules

Rule 4: The required legal notice will be configured to display before console logon.
Vulnerability discussion: Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
Documentable: false
Responsibility: System Administrator; Information Assurance Officer
IA controls: ECWM-1
Result: Fail. The required legal notice will be configured to display before console logon: local security policy (LegalNoticeText).
Remediation: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> 'Interactive Logon: Message text for users attempting to log on' as outlined in the check.

Caching of logon credentials Rules

Rule 5: Caching of logon credentials will be limited.
Vulnerability discussion: The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as when the user's machine is disconnected from the network or domain controllers are not available. Even though the credential cache is well protected, it stores encrypted copies of users' passwords on systems that do not always have the same physical protection required for domain controllers. If a system is attacked, the unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.
Documentable: false
Third-party tools: HK
Responsibility: System Administrator
IA controls: ECSC-1
Result: Fail. Caching of logon credentials will be limited: hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount (4).
Remediation: Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> 'Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)' to '2' logons or less.

Anonymous shares are not restricted Rules

Rule 6: Anonymous enumeration of shares will be restricted.
Vulnerability discussion: This is a Category 1 finding because it allows anonymous logon users (null session connections) to list all account names and enumerate all shared resources, thus providing a map of potential points to attack the system. By default, Windows allows anonymous users to list account names and enumerate share names.
Documentable: true
Potential impacts: In a mixed Windows environment, this setting may cause systems with down-level operating systems to fail to authenticate, may prevent their users from changing their passwords, and may cause problems with managing printers and spools. In domains supporting Exchange 2003 servers and versions of Outlook earlier than Outlook 2003, the setting 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' should be set to 'Disabled' on the Domain Controller Group Policy to allow Outlook to anonymously query the global catalog service.
Responsibility: System Administrator; Information Assurance Officer
IA controls: ECSC-1, PRNK-1
Result: Pass. Rule passed: hkey_local_machine\system\currentcontrolset\control\lsa\restrictanonymous (1).

Bad Logon Attempts Rules

Rule 7: The number of allowed bad-logon attempts will meet minimum requirements.
Vulnerability discussion: The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts should be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.
Documentable: false
Third-party tools: HK
Responsibility: System Administrator
IA controls: ECLO-1, ECLO-2
Result: Fail. The number of allowed bad-logon attempts will meet minimum
