Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark. For Windows Server 2008 (Domain Member Servers and Domain Controllers)


This document includes the following topics:

- Introducing the policy
- Installing the policy
- Policy modules for Domain Member Servers
- Policy modules for Domain Controllers

Introducing the policy

The Symantec Enterprise Security Manager (ESM) Baseline Policy for the Center for Internet Security (CIS) Benchmark for Windows Server 2008 assesses a host's compliance with the benchmark's recommendations. This release of the policy was built based on the CIS benchmark version 1.0.0 for Windows Server 2008 Domain Member Servers and Windows Server 2008 Domain Controllers.

This release of the policy is based on the following CIS documents:

- Version 1.0.0 of the Windows Server 2008 Member Servers
- Version 1.0.0 of the Windows Server 2008 Domain Controllers

This policy can be installed on Symantec ESM 6.5.3 and later managers running Security Update 39 or later.

This policy can be installed on the following operating systems:

- Microsoft Windows Server 2008 (Domain Member Servers)
- Microsoft Windows Server 2008 (

For information on the Center for Internet Security benchmarks, visit the following URL: http://www.cisecurity.org.

Installing the policy

Before you install the policy, you must decide on which Symantec ESM Managers you want to install it. Because policies run on Managers, you do not need to install policies on agents. You must install the policy on Symantec ESM 6.5.3 or later with Security Update 39 or later.

Obtaining and Installing the policy with LiveUpdate

You can install the LiveUpdate feature in the following ways:

- By using the LiveUpdate feature on the Symantec ESM console
- By using files from a Product disc or from the Internet

To install the policy using LiveUpdate

1. Connect the Symantec ESM Enterprise Console to managers where you want to install the policy.
2. Click the LiveUpdate icon to start the LiveUpdate wizard.
3. In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and then click Next.
4. In the Welcome to LiveUpdate dialog box, click Next.
5. In the Available Updates panel, do one of the following:
   - To install all checked products and components, click Next.
   - To omit a product from the update, uncheck it, and then click Next.

   - To omit a product component, expand the product node, uncheck the component that you want to omit, and then click Next.
6. In the Thank you panel, click Finish.
7. In the list of managers panel, ensure that all the managers that you want to update are checked, and then click Next.
8. In the Updating Managers panel, click OK.
9. In the Update Complete panel, click Finish.

If you cannot use LiveUpdate to install the policy directly from a Symantec server, you can install the policy manually, using files from a Product disc or the Internet.

Note: To avoid conflicts with updates that are performed by standard LiveUpdate installations, copy or extract the files into the LiveUpdate folder, which is usually Program Files/Symantec/LiveUpdate.

To install the policy from a Product disc or from the Internet

1. Connect the Symantec ESM Enterprise Console to managers that you want to update.
2. From the Symantec Security Response Web site, download the executable files for Microsoft Windows Server 2008. You can go to the following link: http://securityresponse.symantec.com
3. On a computer running Windows XP/Server 2003 that has network access to the manager, run the executable that you downloaded from the Symantec Security Response Web site.
4. Click Next to close the Welcome dialog box.
5. In the License Agreement dialog box, if you agree to the terms of the agreement, click Yes.
6. In the Question panel, click Yes to continue installation of the best practice policy.
7. In the ESM Manager Information panel, type the requested manager information, and then click Next. If the manager's modules have not been upgraded to Security Update 36 or later, the installation program returns an error message and stops the installation. Upgrade the manager to Security Update 36 or later, and then rerun the installation program.
8. Click Finish.

Policy modules for Domain Member Servers

The CIS Benchmark for Windows policy includes the modules that ensure compliance with the CIS benchmark. Each module lists the enabled checks with the standards that they address, the associated name lists, and the templates. Because specific values are not required everywhere, default values and templates are provided. A few benchmark requirements depend on local policy decisions, so you must set the checks that are associated with such requirements. Although the policy appears as read-only, you can copy and rename the policy depending on the requirements of your corporate security policy.

Account Integrity

The Account Integrity module reports the user rights assignments of your computer. Table 1-1 gives a list of the checks and their s.

Table 1-1 s and s

| Check | Standard addressed |
|---|---|
| Access credential manager as a trusted caller | 1.8.39 |
| Access this computer from network | 1.8.1 |
| Act as part of operating system | 1.8.2 |
| Add workstation to domain | 1.8.27 |
| Allow logon locally | 1.8.28 |
| Allow logon through Terminal Services | 1.8.29 |
| Change the system time | 1.8.6 |
| Change the time zone | 1.8.30 |
| Create a token object | 1.8.8 |
| Create permanent shared objects | 1.8.10 |
| Debug programs | 1.8.11 |
| Deny access to this computer from the network | 1.8.12 |
| Deny logon locally | 1.8.32 |

Table 1-1 s and s (continued)

| Check | Standard addressed |
|---|---|
| Deny logon through Terminal Services | 1.8.33 |
| Enable computer and user accounts to be trusted for delegation | 1.8.13 |
| Impersonate a client from authentication | 1.8.15 |
| Load and unload device drivers | 1.8.17 |
| Log on as batch job | 1.8.36 |
| Profile single process | 1.8.22 |
| Profile system performance | 1.8.23 |
| Remove computer from docking station | 1.8.24 |
| Replace a process level token | 1.8.25 |
| Restore files and directories | 1.8.37 |
| Shut down the system | 1.8.26 |
| Synchronize directory service data | 1.8.40 |
| Take ownership of files or other objects | 1.8.38 |

Active Directory

The Active Directory module for Windows Server 2008 reports on the security options. Table 1-2 gives a list of the checks and their s.

Table 1-2 s and s

| Check | Standard addressed |
|---|---|
| Enforce user login restrictions | 1.1.10 |
| Maximum lifetime for service ticket | 1.1.13 |
| Maximum lifetime for user ticket | 1.1.15 |
| Maximum lifetime for user ticket renewal | 1.1.14 |

Table 1-2 s and s (continued)

| Check | Standard addressed |
|---|---|
| Maximum tolerance for computer clock synchronization | 1.1.12 |
| Security options | 1.2.10, 1.2.11, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.9.1, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 19.9, 1.9.12, 1.9.13, 1.9.14, 1.9.15, 1.9.16, 1.9.17, 1.9.18, 1.9.20, 1.9.21, 1.9.22, 1.9.23, 1.9.24, 1.9.25, 1.9.26, 1.9.27, 1.9.28, 1.9.30, 1.9.31, 1.9.32, 1.9.33, 1.9.34, 1.9.35, 1.9.36, 1.9.37, 1.9.38, 1.9.39, 1.9.40, 1.9.43, 1.9.44, 1.9.45, 1.9.46, 1.9.47, 1.9.48, 1.9.49, 1.9.50, 1.9.52, 1.9.53, 1.9.54, 1.9.55, 1.9.56, 1.9.57, 1.9.59, 1.9.60, 1.9.61, 1.9.63, 1.9.64, 1.9.65, 1.9.66, 1.9.67, 1.9.68, 1.9.69, 1.9.70, 1.9.71, 1.9.72 |

Login Parameters

The Login Parameters module reports accounts, resources, and settings that are inconsistent with proper authorized usage. Table 1-3 gives a list of the checks and their s.

Table 1-3 s and s

| Check | Standard addressed |
|---|---|
| Account lockout duration | 1.1.7 |
| Account lockout threshold | 1.1.8 |
| Bad logon counter reset | 1.1.9 |
| Security options | 1.1.11 |

Password Strength

The Password Strength module examines the system parameters that control password construction, change, age, expiration, and storage. Table 1-4 gives a list of the checks and their s.

Table 1-4 s and s

| Check | Standard addressed |
|---|---|
| Account Policies - Password Policy | 1.1.1, 1.1.2, 1.1.3, 1.1.4 |
| Passwords must meet complexity requirements | 1.1.5 |
| Passwords stored using reversible encryption | 1.1.6 |

Registry

The Registry module reports violations of the registry key settings that are specified in the template files. Table 1-5 gives a list of the checks and their s.

Table 1-5 s and s

| Check | Standard addressed |
|---|---|
| Key and value existence | 1.5.1, 1.5.2, 1.5.5, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.5.18, 1.5.19, 1.5.20, 1.5.21, 1.6.1, 1.6.2, 1.6.3, 1.10.1, 1.10.2, 1.10.4, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.12.1, 1.12.2, 1.12.8, 1.12.9, 1.12.10, 1.12.11 |

System Auditing

The System Auditing module reports the security events that are audited for failure or success and the status of the log file when it is full. Table 1-6 gives a list of the checks and their s.

Table 1-6 s and s

| Check | Standard addressed |
|---|---|
| Application event log size | 1.4.1 |
| Application events do not overwrite security logs | 1.4.2 |

Table 1-6 s and s (continued)

| Check | Standard addressed |
|---|---|
| Granular System Audit Settings | 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.3.17, 1.3.18, 1.3.19, 1.3.20 |
| Security event log size | 1.4.3 |
| Security events do not overwrite security logs | 1.4.4 |
| System event log size | 1.4.5 |
| System events do not overwrite security logs | 1.4.6 |

Policy modules for Domain Controllers

The CIS Benchmark for Windows policy includes the modules that ensure compliance with the CIS benchmark. Each module lists the enabled checks with the standards that they address, the associated name lists, and the templates. Because specific values are not required everywhere, default values and templates are provided. A few benchmark requirements depend on local policy decisions, so you must set the checks that are associated with such requirements. Although the policy appears as read-only, you can copy and rename the policy depending on the requirements of your corporate security policy.

Account Integrity

The Account Integrity module reports the user rights assignments of your computer. Table 1-7 gives a list of the checks and their s.

Table 1-7 s and s

| Check | Standard addressed |
|---|---|
| Access credential manager as a trusted caller | 1.8.39 |
| Access this computer from network | 1.8.1 |
| Act as part of operating system | 1.8.2 |
| Add workstation to domain | 1.8.27 |

Table 1-7 s and s (continued)

| Check | Standard addressed |
|---|---|
| Allow logon locally | 1.8.28 |
| Allow logon through Terminal Services | 1.8.29 |
| Change the system time | 1.8.6 |
| Create a token object | 1.8.8 |
| Create permanent shared objects | 1.8.10 |
| Change the time zone | 1.8.30 |
| Debug programs | 1.8.11 |
| Deny access to this computer from the network | 1.8.12 |
| Deny logon locally | 1.8.32 |
| Deny logon through Terminal Services | 1.8.33 |
| Enable computer and user accounts to be trusted for delegation | 1.8.13 |
| Impersonate a client from authentication | 1.8.15 |
| Load and unload device drivers | 1.8.17 |
| Profile single process | 1.8.22 |
| Log on as batch job | 1.8.36 |
| Profile system performance | 1.8.23 |
| Remove computer from docking station | 1.8.24 |
| Replace a process level token | 1.8.25 |
| Shut down the system | 1.8.26 |
| Restore files and directories | 1.8.37 |
| Take ownership of files or other objects | 1.8.38 |
| Synchronize directory service data | 1.8.40 |
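The user rights that the Account Integrity module reports can also be read from a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export and compared with a site baseline. The following is an added example, not part of the Symantec manual or of ESM; it maps only a subset of the checks in Tables 1-1 and 1-7, and the sample export and the `SITE_EXPECTED` holders are constructed placeholders, not CIS-recommended values.

```python
# Parse the [Privilege Rights] section of a secedit export and compare it
# with a site baseline. Item numbers and check names come from Tables 1-1
# and 1-7; the Se* names are the constants secedit writes for those rights.
RIGHTS = {  # secedit constant -> (item number, check name)
    "SeTrustedCredManAccessPrivilege": ("1.8.39", "Access credential manager as a trusted caller"),
    "SeNetworkLogonRight": ("1.8.1", "Access this computer from network"),
    "SeTcbPrivilege": ("1.8.2", "Act as part of operating system"),
    "SeCreateTokenPrivilege": ("1.8.8", "Create a token object"),
    "SeDebugPrivilege": ("1.8.11", "Debug programs"),
    "SeDenyNetworkLogonRight": ("1.8.12", "Deny access to this computer from the network"),
    "SeShutdownPrivilege": ("1.8.26", "Shut down the system"),
    "SeTakeOwnershipPrivilege": ("1.8.38", "Take ownership of files or other objects"),
}
WELL_KNOWN = {  # well-known SIDs that appear in exports as *S-...
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators", "S-1-5-32-546": "Guests",
    "S-1-5-32-551": "Backup Operators",
}
# Constructed sample export. A real file is UTF-16: open(path, encoding="utf-16").
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeTcbPrivilege = svc_backup
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Hypothetical site baseline (placeholder values; take yours from the benchmark).
SITE_EXPECTED = {
    "SeNetworkLogonRight": ["Administrators", "Authenticated Users"],
    "SeDebugPrivilege": ["Administrators"],
    "SeDenyNetworkLogonRight": ["Guests"],
    "SeShutdownPrivilege": ["Administrators"],
    "SeTakeOwnershipPrivilege": ["Administrators"],
}

def parse_privilege_rights(inf_text):
    """Return {constant: [holder, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(h, h) for h in holders]
    return rights

def audit(inf_text, expected):
    """Return (item, check, actual, wanted) for each right that deviates."""
    actual = parse_privilege_rights(inf_text)
    findings = []
    for const, (item, check) in RIGHTS.items():
        have = sorted(actual.get(const, []))  # right absent from export: held by no one
        want = sorted(expected.get(const, []))
        if have != want:
            findings.append((item, check, have, want))
    return sorted(findings, key=lambda f: [int(n) for n in f[0].split(".")])

if __name__ == "__main__":
    for item, check, have, want in audit(SAMPLE_INF, SITE_EXPECTED):
        print(f"{item} {check}: found {have or 'no one'}, expected {want or 'no one'}")
```

A right that is assigned to no one does not appear in the export at all, which is why the comparison treats a missing entry as an empty holder list rather than as an error.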

Active Directory

The Active Directory module for Windows Server 2008 reports on the security options. Table 1-8 gives a list of the checks and their s.

Table 1-8 s and s

| Check | Standard addressed |
|---|---|
| Enforce user login restrictions | 1.1.10 |
| Maximum tolerance for computer clock synchronization | 1.1.12 |
| Maximum lifetime for service ticket | 1.1.13 |
| Maximum lifetime for user ticket renewal | 1.1.14 |
| Maximum lifetime for user ticket | 1.1.15 |
| Security options | 1.2.10, 1.2.11, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.9.1, 1.9.12, 1.9.13, 1.9.14, 1.9.15, 1.9.16, 1.9.17, 1.9.18, 1.9.20, 1.9.21, 1.9.22, 1.9.23, 1.9.24, 1.9.25, 1.9.26, 1.9.27, 1.9.28, 1.9.3, 1.9.30, 1.9.31, 1.9.32, 1.9.33, 1.9.34, 1.9.35, 1.9.36, 1.9.37, 1.9.38, 1.9.39, 1.9.4, 1.9.40, 1.9.43, 1.9.44, 1.9.45, 1.9.46, 1.9.47, 1.9.48, 1.9.49, 1.9.5, 1.9.50, 1.9.52, 1.9.53, 1.9.54, 1.9.55, 1.9.56, 1.9.57, 1.9.59, 1.9.6, 1.9.60, 1.9.61, 1.9.63, 1.9.64, 1.9.65, 1.9.66, 1.9.67, 1.9.68, 1.9.69, 1.9.7, 1.9.70, 1.9.71, 1.9.72, 1.9.8, 1.9.9 |

Login Parameters

The Login Parameters module reports accounts, resources, and settings that are inconsistent with proper authorized usage. Table 1-9 gives a list of the checks and their s.

Table 1-9 s and s

| Check | Standard addressed |
|---|---|
| Account lockout duration | 1.1.7 |
| Account lockout threshold | 1.1.8 |

Table 1-9 s and s (continued)

| Check | Standard addressed |
|---|---|
| Bad logon counter reset | 1.1.9 |
| Security options | 1.1.11 |

Password Strength

The Password Strength module examines the system parameters that control password construction, change, age, expiration, and storage. Table 1-10 gives a list of the checks and their s.

Table 1-10 s and s

| Check | Standard addressed |
|---|---|
| Account Policies - Password Policy | 1.1.1, 1.1.2, 1.1.3, 1.1.4 |
| Passwords must meet complexity requirements | 1.1.5 |
| Passwords stored using reversible encryption | 1.1.6 |

Registry

The Registry module reports violations of the registry key settings that are specified in the template files and the changed key values. Table 1-11 gives a list of the checks and their s.

Table 1-11 s and s

| Check | Standard addressed |
|---|---|
| Key and value existence | 1.5.1, 1.5.2, 1.5.5, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.5.18, 1.5.19, 1.5.20, 1.5.21, 1.6.1, 1.6.2, 1.6.3, 1.10.1, 1.10.2, 1.10.4, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.12.1, 1.12.2, 1.12.8, 1.12.9, 1.12.10, 1.12.11 |

System Auditing

The System Auditing module reports the security events that are audited for failure or success and the status of the log file when it is full. Table 1-12 gives a list of the checks and their s.

Table 1-12 s and s

| Check | Standard addressed |
|---|---|
| Application event log size | 1.4.1 |
| Application events do not overwrite security logs | 1.4.2 |
| Granular System Audit Settings | 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.3.17, 1.3.18, 1.3.19, 1.3.20 |
| Security event log size | 1.4.3 |
| Security events do not overwrite security logs | 1.4.4 |
| System event log size | 1.4.5 |
| System events do not overwrite security logs | 1.4.6 |