NIST Windows Server 2008 security guide

Subsequent patches released by Microsoft are included the next time the VHD is updated, which may be several months later. As a result, these patches are not present on the VHD and will therefore show up as missing during the scan. This is expected behavior and does not indicate a deficiency in the product used to scan the VHD. The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information.

No, the monthly patch updates for the SCAP 1. SCAP 1. Tools are referenced by their type (configuration scanner, vulnerability scanner, etc.), as well as by the vendor, tool name, and the specific SCAP components for which the tool has achieved compliance. Microsoft Hyper-V is a bare-metal hypervisor that allows users to run a virtual instance of an operating system, also known as a Virtual Hard Disk (VHD). VHDs are very useful for both laboratory and deployment testing. While software can be installed on a VHD in the same way it is installed on a normal operating system, VHDs can be discarded and re-created very quickly to ensure a pristine testing environment or to recover if the previous VHD malfunctioned.

Additionally, multiple VHDs can be run on a single physical platform to achieve cost savings. According to Microsoft licensing, VHD licenses expire after days. The Windows virtual hard disks are created without a license key and have a 30-day evaluation period.

Once this period lapses, "not genuine" pop-ups will appear. You can rearm Windows 7 three times. To make the download of the multi-gigabyte virtual images more manageable, NIST elected to provide WinZip segmented files.

To the best of our knowledge, these files can only be re-assembled with WinZip. Once affiliation is confirmed, a non-segmented virtual machine image will be shipped on a DVD to your attention. After careful and comprehensive testing, an organization may decide to use the GPO.

VHDs are provided for laboratory testing purposes only and are not to be used as a deployment image. The GPO will still work. Here are the steps to correct: Next, import the reference Windows x86 and x64 VHDs. No, there are a number of settings that cannot be automated at this time. While settings for other browsers were not tested, Federal organizations are free to use other Web browser software instead of or in addition to Internet Explorer (IE).

However, Federal organizations are free to use other desktop firewall software instead of the Microsoft Windows Firewall. The USGCB includes security settings that do not appear in the default user interface of the group policy editor. Microsoft has published a utility, bundled with its Security Compliance Manager (SCM), which you can use to update the user interface of the group policy management tools.

There you will find more current utilities and security guidance for their current platform versions. A number of settings will impact system functionality, and agencies should test thoroughly before deploying them in an operational environment. Organizations have taken a variety of approaches. Other enterprise management technologies can be used instead.

What works best will vary from one organization to the next. Additionally, by keeping the original VHDs you downloaded from NIST pristine and creating copies of them for actual testing, you can quickly reconstitute your test environment for each round of testing. However, when you need to deploy the USGCB settings into production, the VHDs won't be very useful, as there is no documented method for creating domain-based group policies from the local configuration on these stand-alone computers.

Then you can copy these backed-up files into your production environment and import them into your production Active Directory domain. Some SCAP-validated tools may also be able to enforce the mandated settings; check with the tool vendors to determine the capabilities of their tools.

More specifically, create a WMI filter that selects the applicable operating systems, and link that filter to the GPO applicable to those operating systems. If computers with Windows or previous Windows operating systems are present within the enterprise, these computers must be exempted from the group policy using the Deny Read and Deny Apply Group Policy settings.

The following resources provide additional detail: If the nomenclature is represented as w. So, 1. Additionally, when the USGCB content is updated, the general guidance from a version update perspective is that if there are settings changes, the major version should be incremented.

If the content is being updated due to a bug fix, then the minor version should be incremented. Finally, when the major version is incremented, the minor version should be reset to 0 (zero), even if both settings changes and bug fixes are completed during the same update cycle. NIST is not able to provide an official position regarding what must and must not be implemented.

We would appreciate the continued dialog to discover any technical interoperability issues; however, your choice to implement or not implement settings based on functional impact, risk-based decision, etc.

This is due to the way that Advanced Audit Policies work when applied locally. Wake-on-LAN (WOL) is a feature supported by many hardware and software vendors; it uses a special network message, colloquially known as a magic packet, to "wake up" hibernating computers. Although the technology has been around for many years, there are likely still some PCs deployed that do not support it.

Agencies need to plan ahead and configure each PC to take advantage of this technology. From an enterprise perspective, the magic packet is broadcast to a subnet. In most networks it will not be forwarded across subnets unless the internal routers and switches are configured to allow this type of broadcast traffic.

Haphazardly forwarding broadcast traffic exposes the network to the risk of accidental or deliberate saturation by broadcasts, so the intermediate network devices should be configured to only forward this specific type of traffic.

Another way to reduce the risk of broadcast floods is to use Subnet Directed Broadcasts (SDB) so that the WOL packet is forwarded to the target subnet rather than the entire internal network. Magic packets are specially formatted broadcast frames that contain the target computer's MAC address. WOL can be used to address the first two scenarios.

Many enterprise management tools can send a magic packet to wake up managed PCs, including most of the SCAP-validated tools. For mobile users, agencies could provide remote users with a utility to wake up their office PC after they have connected to the VPN.

The EPA collected a list of tools; there are many others. The configuration settings were designed for a system acting as a desktop and were field-tested on typical desktop computers. This checklist was posted to checklists. The desktop environment tested by the DoD and NIST includes the following packages and package groups (" " indicates a package group):

A desktop system operates a graphical environment and provides applications for everyday business use, such as a web browser, mail client, spreadsheet and word processor. A server does not run a graphical environment or any of those applications, but can host network services such as a web server or directory server.

Systems should never be configured to act in both roles. However, server administrators should review the recommended security settings for desktops and determine if the server could benefit from any of the security configuration decisions and practices e.

Some settings are 'Conditional', meaning these configurations should be applied if the technology is in use. While nearly all configuration settings are supported via the kickstart scripts, not all of the settings can be automatically assessed using SCAP. In the alpha release, the SCAP 1. Additional configurations will be automated in later versions of the SCAP content. Some SCAP-validated tools may require root access via ssh to scan and return comprehensive results.

As a result, this configuration check was marked as a manual check. The current content references the Red Hat-hosted patch content; therefore, the SCAPVal tool should be run with the online and maxsize options.

If you need to run the content through the SCAPVal tool in offline mode, or from a network that cannot reach the Red Hat servers, follow the instructions below: The kickstart available on the usgcb. Please send all questions regarding configuration settings, SCAP content, kickstart scripts, etc. The kickstart script is meant to be used by a Red Hat administrator with experience installing and configuring RHEL5 systems. This kickstart configures a system for an IPv4 environment.

Note that this is applicable if the kickstart is hosted on a web server. See Red Hat kickstart guidance for additional installation instruction.

Site-specific information should be customized. Also note that the kickstart configures a system for an IPv4 environment. It is assumed that the user of the kickstart is familiar with installing Red Hat and using kickstart scripts. The kickstart script was created to facilitate the setup of a non-operational environment where USGCB settings can be tested prior to being applied to operational systems.

Always test any configuration script prior to deploying it to operational systems. The bootloader password in the kickstart script is rhel5. This should be changed to a password that is not publicly known before use on operational systems. The root password set in the kickstart script is password. This should be changed to a password that is not publicly known, or removed so that the administrator must enter the password during installation. The intent of the Puppet manifest is to facilitate configuration and management of RHEL5 systems across an enterprise.

The Puppet manifest on the usgcb. The Puppet manifests are intended for use by experienced Red Hat administrators who are familiar with Puppet. There are several steps for deploying Puppet across an enterprise. Detailed instructions are included with the Puppet files.

To summarize the instructions distributed with the manifests: customize the configuration files (see next section), set up a Puppetmaster server using these configuration files, and install Puppet on the workstations, pointing them at your Puppetmaster server.

Always test the configuration in a lab environment before deploying it to operational systems. Refer to the Puppet documentation for additional guidance.

The following is a list of files that should be modified with appropriate site-specific settings in order to achieve maximum compliance. Put the email addresses and the appropriate Puppet module tags for which each user will receive notifications when actions are taken. Configure the names of the local DNS, NTP, and syslog servers here. Contains several global site variables, including filebucket, which must be set to the Puppet server name.

Configure this file appropriately for the local groups of workstations and the modules they inherit. The Puppet manifests were created to manage systems in a non-operational environment where USGCB settings can be tested prior to being applied to operational systems. Although it is possible for Puppet to set the bootloader password, it is strongly recommended to have it set at install time by the kickstart. The root password must be set manually at the time of installation by an administrator, or by a kickstart script.

The Puppet manifests do not modify the root password. The Puppet manifests and the kickstart file perform distinct tasks. The USGCB kickstart file was designed to configure a fully compliant USGCB system right from installation, while the Puppet manifests were designed to keep a system in a managed state of continual compliance. The two can thus be used in concert: a system is installed using the options present in the kickstart file and then managed via Puppet to ensure it stays up to date.


What if I want to implement settings that I consider more secure? Where can I obtain security configuration information for operating systems and applications other than Windows and Internet Explorer?

Are FDCC checklists no longer applicable? For example, there are many new settings in Windows Vista that will have no effect on computers running Windows XP, including the settings for the Windows Firewall with Advanced Security. I have tried several scanners; none seem to be able to accurately detect user-specific settings. What does this mean? Section 3 - Manual System Check Procedures: This section documents the procedures that instruct the reviewer on how to perform an SRR manually and how to interpret the program output for vulnerabilities.

The tables contained in this section are referenced in Section 3. Target Audience: This document is designed to instruct the reviewer on how to assess Windows Server configurations in Windows domains. In addition, the recommended security settings can also be used to configure Group Policy in a Windows Active Directory environment. Regulatory Compliance: Not provided. Disclaimer: Not provided.

Product Support: Not provided. Point of Contact: disa. Licensing: Not provided.