Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark For Windows Server 2008 Domain Controllers Version: 3.0.0
Symantec Enterprise Security Manager Baseline Policy Manual for Windows Server 2008 Domain Controllers This document includes the following topics: Introducing the policy Installing the policy Introducing the policy The Symantec Enterprise Security Manager (ESM) Baseline Policy for the Center for Internet Security (CIS) Benchmark for Windows Server 2008 assesses a host's compliance with the benchmark's recommendations. This release of the policy was built based on the CIS benchmark version 1.0.0 for Windows Server 2008 Domain Controllers. This policy can be installed on Symantec ESM 10.0 and later managers running Security Update 40 or later on Microsoft Windows Server 2008 Domain Controllers. This release of the policy is based on the following CIS document: Version 1.0.0 of the Windows Server 2008 Domain Controllers
4 Symantec Enterprise Security Manager Baseline Policy Manual for Windows Server 2008 Domain Controllers Installing the policy This policy can be installed on Symantec ESM 10 and later managers running Security Update 40 or later. CIS Benchmark for Windows 2008 Policy can be installed on the following operating system: Microsoft Windows Server 2008 (Domain Controllers) Security Essentials for Windows 2008 R2 Policy can be installed on the following operating system: Microsoft Windows Server 2008 R2 (Domain Controllers) For information on the Center for Internet Security benchmarks, visit the following URL: http://www.cisecurity.org. Installing the policy Before you install the policy, you must decide on the Symantec ESM Managers that you want to install the policy. Since policies run on Managers, you do not require to install policies on agents. You must install the policy on Symantec ESM 10 or later with Security Update 40 or later. Obtaining and Installing the policy with LiveUpdate You can install the LiveUpdate feature in the following ways: By using the LiveUpdate feature on the Symantec ESM console By using files from a Product disc or from the Internet To install the policy using LiveUpdate 1 Connect the Symantec ESM Enterprise Console to managers where you want to install the policy. 2 Click the LiveUpdate icon to start the LiveUpdate wizard. 3 In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and then click Next. 4 In the Welcome to LiveUpdate dialog box, click Next. 5 In the Available Updates panel, do one of the following: To install all checked products and components, click Next. To omit a product from the update, uncheck it, and then click Next.
Symantec Enterprise Security Manager Baseline Policy Manual for Windows Server 2008 Domain Controllers Installing the policy 5 To omit a product component, expand the product node, uncheck the component that you want to omit, and then click Next. 6 In the Thank you panel, click Finish. 7 In the list of managers panel, ensure that all the managers that you want to update are checked, and then click Next. 8 In the Updating Managers panel, click OK. 9 In the Update Complete panel, click Finish. If you cannot use LiveUpdate to install the policy directly from a Symantec server, you can install the policy manually, using files from a Product disc or the Internet. Note: To avoid conflicts with updates that are performed by standard LiveUpdate installations, copy or extract the files into the LiveUpdate folder, which is usually Program Files/Symantec/LiveUpdate. To install the policy from a Product disc or from the Internet 1 Connect the Symantec ESM Enterprise Console to managers that you want to update. 2 From the Symantec Security Response Web site, download the executable files for Microsoft Windows Server 2008. You can go to the following link http://securityresponse.symantec.com 3 On a computer running Windows XP/Server 2008 that has network access to the manager, run the executable that you downloaded from the Symantec Security Response Web site. 4 Click Next to close the Welcome dialog box. 5 In the License Agreement dialog box, if you agree to the terms of the agreement, click Yes. 6 In the Question panel, click Yes to continue installation of the best practice policy. 7 In the ESM Manager Information panel, type the requested manager information, and then click Next. If the manager s modules have not been upgraded to Security Update 44 or later, the installation program returns an error message and stops the installation. Upgrade the manager to Security Update 43 or later, and then rerun the installation program. 8 Click Finish.
6 Symantec Enterprise Security Manager Baseline Policy Manual for Windows Server 2008 Domain Controllers Account Integrity The CIS Benchmark for Windows policy include the modules that ensure compliance with the CIS benchmark. Each module lists the enabled checks with the standards that they address, the associated name lists, and the templates. As specific values are not required everywhere, default values and templates are provided. Moreover, a few benchmark requirements depend on the local policy decisions and hence you must set the checks that associates with such requirements. Although the policy appears as read only, you can however copy and rename the policy depending on the requirements of your corporate security policy. The Account Integrity module reports the user rights assignments of your computer. Table 1-1 gives a list of the checks and their s. Table 1-1 s and s Access credential manager as a trusted caller Access this computer from network Act as part of operating system Add workstation to domain Adjust memory quotas for a process Allow logon locally Allow logon through Terminal Services Back up files and directories Bypass traverse checking Change the system time Change the time zone Create a token object Create a pagefile 1.8.39 1.8.1 1.8.2 1.8.27 1.8.3 1.8.28 1.8.29 1.8.4 1.8.5 1.8.6 1.8.30 1.8.8 1.8.7
Symantec Enterprise Security Manager Baseline Policy Manual for Windows Server 2008 Domain Controllers 7 Table 1-1 s and s (continued) Create global objects Create permanent shared objects Create symbolic links Debug programs Deny access to this computer from the network Deny logon locally Deny logon through Terminal Services Enable computer and user accounts to be trusted for delegation Force shutdown from a remote system Generate security audits Impersonate a client from authentication Increase a process working Increase scheduling priority Load and unload device drivers Lock pages in memory Log on as batch job Manage auditing and security log Modify firmware environment values Perform volume maintenance tasks Profile single process Profile system performance Remove computer from docking station Replace a process level token Shut down the system 1.8.9 1.8.10 1.8.31 1.8.11 1.8.12 1.8.32 1.8.33 1.8.13 1.8.14 1.8.34 1.8.15 1.8.35 1.8.16 1.8.17 1.8.18 1.8.36 1.8.19 1.8.20 1.8.21 1.8.22 1.8.23 1.8.24 1.8.25 1.8.26
8 Symantec Enterprise Security Manager Baseline Policy Manual for Windows Server 2008 Domain Controllers Table 1-1 s and s (continued) Restore files and directories Take ownership of files or other objects Synchronize directory service data 1.8.37 1.8.38 1.8.40 Active Directory The Active Directory module for Windows Server 2008 reports on the security options. Table 1-2 gives a list of the checks and their s. Table 1-2 s and s Enforce user login restrictions Maximum tolerance for computer clock synchronization Maximum lifetime for service ticket Maximum lifetime for user ticket renewal Maximum lifetime for user ticket Security options 1.1.10 1.1.12 1.1.13 1.1.14 1.1.15 1.2.10, 1.2.11, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.9.1, 1.9.12, 1.9.13, 1.9.14, 1.9.15, 1.9.16, 1.9.17, 1.9.18, 1.9.20, 1.9.21, 1.9.22, 1.9.23, 1.9.24, 1.9.25, 1.9.26, 1.9.27, 1.9.28, 1.9.3, 1.9.30, 1.9.31, 1.9.32, 1.9.33, 1.9.34, 1.9.37, 1.9.38, 1.9.39, 1.9.4, 1.9.40, 1.9.43, 1.9.44, 1.9.45, 1.9.46, 1.9.47, 1.9.48, 1.9.49, 1.9.5, 1.9.50, 1.9.52, 1.9.53, 1.9.54, 1.9.55, 1.9.56, 1.9.57, 1.9.6, 1.9.8, 1.9.9, 1.9.2, 1.9.10, 1.9.11, 1.9.19, 1.9.29, 1.9.41. 1.9.42, 1.9.51, 1.9.58 Login Parameters The Login Parameters module reports accounts, resources, and settings that are inconsistent with proper authorized usage.
Symantec Enterprise Security Manager Baseline Policy Manual for Windows Server 2008 Domain Controllers 9 Table 1-3 gives a list of the checks and their s. Table 1-3 s and s Account lockout duration Account lockout threshhold Bad logon counter reset Security options 1.1.7 1.1.8 1.1.9 1.1.11 Password Strength The Password Strength module examines the system parameters that control a password construction, change, age, expiration, and storage. Table 1-4 gives a list of the checks and their s. Table 1-4 s and s Account Policies - Password Policy Passwords must meet complexity requirements Passwords stored using reversible encryption 1.1.1, 1.1.2, 1.1.3, 1.1.4 1.1.5 1.1.6 System Auditing The System Auditing module reports the security events that are audited for failure or success and the status of the log file when it is full. Table 1-5 gives a list of the checks and their s. Table 1-5 s and s Application event log size Application events do not overwrite security logs 1.4.1 1.4.2
10 Symantec Enterprise Security Manager Baseline Policy Manual for Windows Server 2008 Domain Controllers Table 1-5 s and s (continued) Granular System Audit Settings Security event log size Security events do not overwrite security logs System event log size System events do not overwrite security logs 1.3.8, 1.3.9, and 1.3.10 1.4.3 1.4.4 1.4.5 1.4.6 Audit Windows Server 2008 has detailed audit facilities that allow administrators to tune their audit policy with greater specificity. Table 1-6 gives a list of the checks and their s. Table 1-6 s and s Auditing for Account Logon Events Auditing for Account Management Audit directory service access Auditing for Logon Events Audit Object Access Auditing for Policy Changes Aaudit privilege use Audit process tracking Auditing for System Events 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.2.8 1.2.9