Windows Server 2012 Hardening Checklist

FILE SYSTEM

Use a secure file system = NTFS

COMPUTER CONFIGURATION/WINDOWS SETTINGS/SECURITY SETTINGS/ACCOUNT POLICIES

ACCOUNT LOCKOUT POLICY: Account lockout threshold = 3 invalid logon attempts
ACCOUNT LOCKOUT POLICY: Account lockout duration = 30 minutes
ACCOUNT LOCKOUT POLICY: Reset account lockout counter after = 30 minutes
PASSWORD POLICY: Enforce password history = 6 passwords remembered
PASSWORD POLICY: Maximum password age = 90 days
PASSWORD POLICY: Minimum password age = 0 days
PASSWORD POLICY: Minimum password length = 8 characters
PASSWORD POLICY: Password must meet complexity requirements = Enabled
PASSWORD POLICY: Store passwords using reversible encryption for all users in the domain = Disabled

Where to set: Start > Run > gpmc.msc, then Default Domain Policy > Edit

COMPUTER CONFIGURATION/WINDOWS SETTINGS/SECURITY SETTINGS/LOCAL POLICIES/USER RIGHTS ASSIGNMENT

Force shutdown from a remote system = Administrators
Act as part of the operating system = No One
Add workstations to domain = Domain Administrators
Allow log on locally = Administrators
Change the system time = LOCAL SERVICE, Administrators
Deny log on as a batch job = Guests
Deny log on through Remote Desktop Services = Guests
Set the system date/time and configure it to synchronize against the office time servers = Enabled
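
Added example (not part of the original checklist): a PowerShell script that exports the effective local security policy with secedit and compares the Account Policy values and the User Rights Assignment values above against the checklist. Assumptions: it runs in an elevated PowerShell on the server being audited; principals are compared as the SIDs secedit writes (Administrators S-1-5-32-544, Guests S-1-5-32-546, LOCAL SERVICE S-1-5-19); "Add workstations to domain" is left out because it is a domain-controller right whose group SID is domain specific.

```powershell
# Export the effective local security policy to an INF file (UTF-16) and parse it.
# Assumption: elevated session; secedit reflects the policy as applied on this host.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null

# section name -> (key -> raw value)
$policy = @{}
$section = ''
foreach ($line in Get-Content $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
        $policy[$section][$Matches[1]] = $Matches[2]
    }
}

# [System Access] values the checklist requires (secedit stores them as numbers).
$expectedAccess = @{
    LockoutBadCount       = '3'    # Account lockout threshold
    LockoutDuration       = '30'   # Account lockout duration (minutes)
    ResetLockoutCount     = '30'   # Reset account lockout counter after (minutes)
    PasswordHistorySize   = '6'    # Enforce password history
    MaximumPasswordAge    = '90'   # Maximum password age (days)
    MinimumPasswordAge    = '0'    # Minimum password age (days)
    MinimumPasswordLength = '8'    # Minimum password length
    PasswordComplexity    = '1'    # Password must meet complexity requirements = Enabled
    ClearTextPassword     = '0'    # Store passwords using reversible encryption = Disabled
}

# [Privilege Rights] values. A right assigned to "No One" is absent from the export.
$expectedRights = @{
    SeRemoteShutdownPrivilege         = @('*S-1-5-32-544')               # Force shutdown from a remote system
    SeTcbPrivilege                    = @()                               # Act as part of the operating system = No One
    SeInteractiveLogonRight           = @('*S-1-5-32-544')               # Allow log on locally
    SeSystemtimePrivilege             = @('*S-1-5-19', '*S-1-5-32-544')  # Change the system time
    SeDenyBatchLogonRight             = @('*S-1-5-32-546')               # Deny log on as a batch job
    SeDenyRemoteInteractiveLogonRight = @('*S-1-5-32-546')               # Deny log on through Remote Desktop Services
}

$findings = @()
foreach ($key in $expectedAccess.Keys) {
    $actual = $policy['System Access'][$key]
    if ($actual -ne $expectedAccess[$key]) {
        $findings += "[System Access] $key is '$actual', expected '$($expectedAccess[$key])'"
    }
}
foreach ($key in $expectedRights.Keys) {
    $raw = $policy['Privilege Rights'][$key]
    $actual = if ($raw) { $raw -split ',' | ForEach-Object { $_.Trim() } | Sort-Object } else { @() }
    $expected = $expectedRights[$key] | Sort-Object
    if (($actual -join ',') -ne ($expected -join ',')) {
        $findings += "[Privilege Rights] $key is '$($actual -join ',')', expected '$($expected -join ',')'"
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Account policy and user rights match the checklist.' }
```

On a domain member the lockout and password values come from the Default Domain Policy, so a mismatch here usually means the GPO has not applied yet (run gpupdate /force and re-check) rather than a local misconfiguration.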


COMPUTER CONFIGURATION/WINDOWS SETTINGS/SECURITY SETTINGS/ADVANCED AUDIT POLICY CONFIGURATION/SYSTEM AUDIT POLICIES

Account Logon: Audit Credential Validation = Success and Failure
Account Management: Audit Computer Account Management = Success and Failure
Account Management: Audit Other Account Management Events = Success and Failure
Account Management: Audit Security Group Management = Success
Account Management: Audit User Account Management = Success
Logon/Logoff: Audit Logoff = Success
Logon/Logoff: Audit Logon = Success and Failure
Logon/Logoff: Audit Special Logon = Success and Failure
Policy Change: Audit Audit Policy Change = Success and Failure
Policy Change: Audit Authentication Policy Change = Success
Policy Change: Audit Authorization Policy Change = Success
System: Audit IPsec Driver = Success and Failure
System: Audit Security State Change = Success and Failure
System: Audit Security System Extension = Success and Failure
System: Audit System Integrity = Success and Failure
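
Added example (not part of the original checklist): a PowerShell script that applies each advanced audit subcategory above with auditpol and then reads the effective setting back, so the result can be checked rather than assumed. Assumptions: elevated PowerShell; English subcategory names (auditpol names are localized); "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled, otherwise the legacy category settings win.

```powershell
# Subcategory values from the checklist above.
$wanted = @(
    @{ Sub = 'Credential Validation';           Success = $true; Failure = $true  },
    @{ Sub = 'Computer Account Management';     Success = $true; Failure = $true  },
    @{ Sub = 'Other Account Management Events'; Success = $true; Failure = $true  },
    @{ Sub = 'Security Group Management';       Success = $true; Failure = $false },
    @{ Sub = 'User Account Management';         Success = $true; Failure = $false },
    @{ Sub = 'Logoff';                          Success = $true; Failure = $false },
    @{ Sub = 'Logon';                           Success = $true; Failure = $true  },
    @{ Sub = 'Special Logon';                   Success = $true; Failure = $true  },
    @{ Sub = 'Audit Policy Change';             Success = $true; Failure = $true  },
    @{ Sub = 'Authentication Policy Change';    Success = $true; Failure = $false },
    @{ Sub = 'Authorization Policy Change';     Success = $true; Failure = $false },
    @{ Sub = 'IPsec Driver';                    Success = $true; Failure = $true  },
    @{ Sub = 'Security State Change';           Success = $true; Failure = $true  },
    @{ Sub = 'Security System Extension';       Success = $true; Failure = $true  },
    @{ Sub = 'System Integrity';                Success = $true; Failure = $true  }
)

function Set-AuditSubcategory([string]$Sub, [bool]$Success, [bool]$Failure) {
    # auditpol takes enable/disable per outcome; both are set explicitly so a stale
    # value is never left behind.
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    & auditpol /set /subcategory:"$Sub" /success:$s /failure:$f | Out-Null
}

function Get-AuditSubcategory([string]$Sub) {
    # /r prints CSV with the columns Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $row = & auditpol /get /subcategory:"$Sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    return $row.'Inclusion Setting'   # "Success and Failure", "Success", "Failure" or "No Auditing"
}

foreach ($w in $wanted) {
    Set-AuditSubcategory -Sub $w.Sub -Success $w.Success -Failure $w.Failure
    $expected = if ($w.Success -and $w.Failure) { 'Success and Failure' } elseif ($w.Success) { 'Success' } elseif ($w.Failure) { 'Failure' } else { 'No Auditing' }
    $actual = Get-AuditSubcategory -Sub $w.Sub
    if ($actual -ne $expected) {
        Write-Warning "$($w.Sub): is '$actual', expected '$expected'"
    } else {
        Write-Host "$($w.Sub): $actual"
    }
}
```

When the subcategories are delivered by Group Policy instead, run only the Get-AuditSubcategory half of the script on the target: it then acts as a read-only compliance check for the Security log configuration the SIEM depends on.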


COMPUTER CONFIGURATION/WINDOWS SETTINGS/SECURITY SETTINGS/LOCAL POLICIES/SECURITY OPTIONS

Accounts: Guest account status = Disabled
Accounts: Limit local account use of blank passwords to console logon only = Enabled
Accounts: Rename guest account = Verify that the Guest account has been renamed
Accounts: Rename administrator account = Verify that the Administrator account has been renamed
Audit: Audit the use of Backup and Restore privilege = Enabled
Audit: Audit the access of global system objects = Disabled
Audit: Shut down system immediately if unable to log security audits = Disabled
Audit: Force audit policy subcategory settings to override audit policy category settings = Enabled
Devices: Restrict CD-ROM access to locally logged-on user only = Enabled
Devices: Restrict floppy access to locally logged-on user only = Enabled
Domain member: Digitally encrypt or sign secure channel data (always) = Enabled
Domain member: Digitally encrypt secure channel data (when possible) = Enabled
Domain member: Digitally sign secure channel data (when possible) = Enabled
Domain member: Disable machine account password changes = Disabled
Domain member: Require strong (Windows 2000 or later) session key = Enabled
Microsoft network client: Digitally sign communications (always) = Enabled
Microsoft network client: Digitally sign communications (if server agrees) = Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers = Disabled
Microsoft network server: Amount of idle time required before suspending session = 15 minutes
Microsoft network server: Digitally sign communications (always) = Enabled
Microsoft network server: Digitally sign communications (if client agrees) = Enabled
Network access: Allow anonymous SID/Name translation = Disabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled
Network access: Do not allow storage of passwords and credentials for network authentication = Enabled
Network access: Let Everyone permissions apply to anonymous users = Disabled
Network access: Sharing and security model for local accounts = Classic - local users authenticate as themselves
Network security: LDAP client signing requirements = Require signing
Network security: Force logoff when logon hours expire = Enabled
Network security: Do not store LAN Manager hash value on next password change = Enabled
Network security: LAN Manager authentication level = NTLMv2 only
System objects: Strengthen default permissions of internal system objects = Enabled
Interactive logon: Do not display last user name = Enabled
Interactive logon: Message title for users attempting to log on = This system is restricted to XXX authorised users only.
Interactive logon: Message text for users attempting to log on = This system is restricted to XXX authorised users only.
Interactive logon: Do not require CTRL+ALT+DEL = Disabled
Recovery console: Allow automatic administrative logon = Disabled
Recovery console: Allow floppy copy and access to all drives and all folders = Disabled
Shutdown: Allow system to be shut down without having to log on = Disabled
User Account Control: Admin Approval Mode for the Built-in Administrator account = Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop = Disabled
User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent
User Account Control: Behaviour of the elevation prompt for standard users = Prompt for credentials
User Account Control: Run all administrators in Admin Approval Mode = Enabled
COMPUTER CONFIGURATION/ADMINISTRATIVE TEMPLATES/SYSTEM: Remote Procedure Call: Restrictions for unauthenticated RPC clients = Enabled - Authenticated
COMPUTER CONFIGURATION/ADMINISTRATIVE TEMPLATES/SYSTEM: Remote Procedure Call: RPC Endpoint Mapper client authentication = Enabled
Configure the device boot order to prevent unauthorized booting from alternate media = Enabled
Provide secure storage for Category-I data as required by its confidentiality, integrity and availability needs; this can be done by means such as, but not limited to, encryption, access controls, file system audits, physically securing the storage media, or any combination of these as deemed appropriate = Enabled
Place the office warning banner in the Message text for users attempting to log on = Enabled
Do not allow any named pipes to be accessed anonymously = Enabled
Restrict anonymous access to Named Pipes and Shares = Enabled
Ensure that no shares can be accessed anonymously = Enabled
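
Added example (not part of the original checklist): a PowerShell compliance check for the Security Options above that have a single registry value behind them, read from the live registry so drift after the GPO was applied shows up. Assumptions: elevated PowerShell on the audited server; the policy-to-value mapping is the standard one Windows writes for these options; the checklist's "NTLMv2 only" is read as LmCompatibilityLevel 5 (send NTLMv2 only, refuse LM and NTLM), which is an assumption marked in the table; options with no registry backing (anonymous SID/Name translation, the rename checks, the logon banner text) are not covered.

```powershell
# Registry locations the Security Options above are stored in.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$sys      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy (as named in the checklist), where it lives, and the value the checklist requires.
$checks = @(
    @{ Policy='Accounts: Limit local account use of blank passwords';          Path=$lsa;      Name='LimitBlankPasswordUse';       Expect=1 },
    @{ Policy='Audit: Force subcategory settings to override category';       Path=$lsa;      Name='SCENoApplyLegacyAuditPolicy'; Expect=1 },
    @{ Policy='Domain member: Encrypt or sign secure channel data (always)';  Path=$netlogon; Name='RequireSignOrSeal';           Expect=1 },
    @{ Policy='Domain member: Disable machine account password changes';      Path=$netlogon; Name='DisablePasswordChange';       Expect=0 },
    @{ Policy='Domain member: Require strong session key';                    Path=$netlogon; Name='RequireStrongKey';            Expect=1 },
    @{ Policy='Network client: Digitally sign communications (always)';       Path=$wks;      Name='RequireSecuritySignature';    Expect=1 },
    @{ Policy='Network client: Send unencrypted password to 3rd-party SMB';   Path=$wks;      Name='EnablePlainTextPassword';     Expect=0 },
    @{ Policy='Network server: Idle time before suspending session (min)';    Path=$srv;      Name='AutoDisconnect';              Expect=15 },
    @{ Policy='Network server: Digitally sign communications (always)';       Path=$srv;      Name='RequireSecuritySignature';    Expect=1 },
    @{ Policy='Network server: Restrict anonymous access to pipes/shares';    Path=$srv;      Name='RestrictNullSessAccess';      Expect=1 },
    @{ Policy='Network access: No anonymous enumeration of SAM and shares';   Path=$lsa;      Name='RestrictAnonymous';           Expect=1 },
    @{ Policy='Network access: Do not store network credentials';             Path=$lsa;      Name='DisableDomainCreds';          Expect=1 },
    @{ Policy='Network access: Everyone permissions not for anonymous';       Path=$lsa;      Name='EveryoneIncludesAnonymous';   Expect=0 },
    @{ Policy='Network access: Sharing model = Classic';                      Path=$lsa;      Name='ForceGuest';                  Expect=0 },
    @{ Policy='Network security: Do not store LAN Manager hash';              Path=$lsa;      Name='NoLMHash';                    Expect=1 },
    @{ Policy='Network security: LM auth level = NTLMv2 only (assumed 5)';    Path=$lsa;      Name='LmCompatibilityLevel';        Expect=5 },
    @{ Policy='Network security: LDAP client signing = Require signing';      Path='HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name='LDAPClientIntegrity'; Expect=2 },
    @{ Policy='Interactive logon: Do not display last user name';             Path=$sys;      Name='DontDisplayLastUserName';     Expect=1 },
    @{ Policy='Interactive logon: Do not require CTRL+ALT+DEL = Disabled';    Path=$sys;      Name='DisableCAD';                  Expect=0 },
    @{ Policy='Shutdown: Allow shutdown without logon = Disabled';            Path=$sys;      Name='ShutdownWithoutLogon';        Expect=0 },
    @{ Policy='UAC: Admin Approval Mode for built-in Administrator';          Path=$sys;      Name='FilterAdministratorToken';    Expect=1 },
    @{ Policy='UAC: UIAccess may prompt without secure desktop = Disabled';   Path=$sys;      Name='EnableUIADesktopToggle';      Expect=0 },
    @{ Policy='UAC: Admin elevation prompt = Prompt for consent';             Path=$sys;      Name='ConsentPromptBehaviorAdmin';  Expect=4 },
    @{ Policy='UAC: Standard user elevation prompt = Prompt for credentials'; Path=$sys;      Name='ConsentPromptBehaviorUser';   Expect=3 },
    @{ Policy='UAC: Run all administrators in Admin Approval Mode';           Path=$sys;      Name='EnableLUA';                   Expect=1 }
)

foreach ($c in $checks) {
    # A missing value means the option is "Not Defined"; the OS default then applies,
    # which is reported separately from a wrong value.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $actual) {
        Write-Warning "$($c.Policy): not configured ($($c.Path)\$($c.Name) missing)"
    } elseif ($actual -ne $c.Expect) {
        Write-Warning "$($c.Policy): is $actual, expected $($c.Expect)"
    } else {
        Write-Host "$($c.Policy): OK ($actual)"
    }
}
```

The same table doubles as the remediation list: for any warning, the Name and Path tell you exactly which Security Option to revisit in the GPO, and a value that is correct in the GPO but wrong here points at a later local override or a conflicting policy.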




COMPUTER CONFIGURATION/ADMINISTRATIVE TEMPLATE/WINDOWS COMPONENTS

Event Log Service\Application: Maximum log size (KB) = 250 MB (256,000 KB)
Event Log Service\Application: Retain old events = Disabled
Event Log Service\Security: Maximum log size (KB) = 250 MB (256,000 KB)
Event Log Service\Security: Retain old events = Disabled
Event Log Service\System: Maximum log size (KB) = 250 MB (256,000 KB)
Event Log Service\System: Retain old events = Disabled
Remote Desktop Services\Remote Desktop Connection Client: Do not allow passwords to be saved = Enabled
Remote Desktop Services\Remote Desktop Session Host\Security: Always prompt for password upon connection = Enabled
Remote Desktop Services\Remote Desktop Session Host\Security: Set client connection encryption level = High
Remote Desktop Services\Remote Desktop Session Host\Session Time Limits: Set time limit for active but idle Terminal Services sessions = 15 minutes
Internet Explorer\Security Features\MK Protocol Security Restriction: Internet Explorer Processes = Enabled
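
Added example (not part of the original checklist): a PowerShell check that the event log sizes and retention mode above are what the logs are actually running with, read through Get-WinEvent -ListLog rather than from the policy registry keys, plus a read of the four Remote Desktop Session Host values from the policy hive they are written to. Assumptions: elevated PowerShell on Windows Server 2012; "Retain old events = Disabled" is taken to mean overwrite as needed, which Get-WinEvent reports as LogMode Circular; the idle limit is stored in milliseconds.

```powershell
# Event logs: 250 MB maximum and overwrite-as-needed retention, for all three logs.
$minBytes = 250MB   # PowerShell numeric literal: 262,144,000 bytes = 256,000 KB
foreach ($logName in 'Application', 'Security', 'System') {
    $log = Get-WinEvent -ListLog $logName
    $ok = ($log.MaximumSizeInBytes -ge $minBytes) -and ($log.LogMode -eq 'Circular')
    $state = 'size={0:N0} bytes, mode={1}' -f $log.MaximumSizeInBytes, $log.LogMode
    if ($ok) { Write-Host "$logName log: OK ($state)" } else { Write-Warning "$logName log: $state; expected at least $minBytes bytes and Circular" }
}

# Remote Desktop Services policies, in the key the Administrative Template writes.
$rds = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdsChecks = @(
    @{ Policy='Do not allow passwords to be saved';         Name='DisablePasswordSaving'; Expect=1 },
    @{ Policy='Always prompt for password upon connection'; Name='fPromptForPassword';    Expect=1 },
    @{ Policy='Client connection encryption level = High';  Name='MinEncryptionLevel';    Expect=3 },
    @{ Policy='Idle session limit = 15 minutes';            Name='MaxIdleTime';           Expect=900000 }
)
foreach ($c in $rdsChecks) {
    $actual = (Get-ItemProperty -Path $rds -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $actual) {
        Write-Warning "$($c.Policy): not configured ($rds\$($c.Name) missing)"
    } elseif ($actual -ne $c.Expect) {
        Write-Warning "$($c.Policy): is $actual, expected $($c.Expect)"
    } else {
        Write-Host "$($c.Policy): OK"
    }
}
```

Checking the live log object rather than the policy key catches the case where the GPO sets 256,000 KB but a local wevtutil or Event Viewer change later shrank the Security log, which is the log most likely to wrap under an attack.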


SERVICES

Microsoft iSCSI Initiator Service = Disabled
Network Access Protection Agent = Disabled
Offline Files (if applicable) = Disabled
Remote Procedure Call (RPC) Locator = Disabled
Smart Card = Disabled
Smart Card Removal Policy = Disabled
SNMP Trap = Disabled
Disable or uninstall any other unused services.
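
Added example (not part of the original checklist): a PowerShell script that stops and disables the services listed above and then reads the start type back. Assumptions: the short service names in the table are the Windows Server 2012 defaults for those display names; the script runs in an elevated PowerShell; because Get-Service on the PowerShell 3.0 that ships with Server 2012 does not expose a StartType property, the verification goes through the Win32_Service WMI class.

```powershell
# Short service name -> display name from the checklist.
$services = @{
    MSiSCSI     = 'Microsoft iSCSI Initiator Service'
    napagent    = 'Network Access Protection Agent'
    CscService  = 'Offline Files'
    RpcLocator  = 'Remote Procedure Call (RPC) Locator'
    SCardSvr    = 'Smart Card'
    SCPolicySvc = 'Smart Card Removal Policy'
    SNMPTRAP    = 'SNMP Trap'
}

foreach ($name in $services.Keys) {
    $label = "$($services[$name]) ($name)"
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Offline Files in particular is only present with the Desktop Experience feature.
        Write-Host "${label}: not installed, nothing to do"
        continue
    }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled

    # Read the start mode back from WMI so the result is verified, not assumed.
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
    if ($startMode -eq 'Disabled') {
        Write-Host "${label}: disabled"
    } else {
        Write-Warning "${label}: StartMode is $startMode"
    }
}
```

Before running it on a host, confirm nothing depends on the listed services: a server that mounts its storage over iSCSI needs MSiSCSI left alone, and the checklist's "(if applicable)" on Offline Files applies in the same way.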

   



USER CONFIGURATION/ADMINISTRATIVE TEMPLATES/CONTROL PANEL

Personalization: Enable screen saver = Enabled
Personalization: Screen saver timeout = 5 minutes
Personalization: Password protect the screen saver = Enabled
Disable or delete unused user accounts = Enabled
Configure user rights to be as restrictive as possible = Enabled
Use the Internet Connection Firewall or other methods to limit connections to the server = Enabled
Configure file system permissions = Enabled
Configure registry permissions = Enabled



USER CONFIGURATION/ADMINISTRATIVE TEMPLATES/SYSTEM/INTERNET COMMUNICATION MANAGEMENT/INTERNET COMMUNICATION SETTINGS

Turn off downloading of print drivers over HTTP = Enabled
Turn off printing over HTTP = Enabled
Turn off Internet download for Web publishing and online ordering wizards = Enabled
Turn off Search Companion content file updates = Enabled
Turn off the "Publish to Web" task for files and folders = Enabled
Turn off the Windows Messenger Customer Experience Improvement Program = Enabled


COMPUTER CONFIGURATION/ADMINISTRATIVE TEMPLATES/WINDOWS COMPONENTS/AUTOPLAY POLICIES

Turn off Autoplay = Enabled


COMPUTER CONFIGURATION/ADMINISTRATIVE TEMPLATES/WINDOWS COMPONENTS/CREDENTIAL USER INTERFACE

Enumerate administrator accounts on elevation = Enabled


OTHERS

Install and enable antivirus software = Verify that antivirus is installed
Configure antivirus software to update frequently or to connect to the enterprise antivirus server = Enabled
Windows Firewall = Verify that the firewall is turned on
NetIQ SCM 5.8 = Verify that the NetIQ agent is installed
NetIQ SM 6.5 = Verify that the NetIQ agent is installed
SCCM = Verify that the SCCM agent is installed
TSM (backup agent; not applicable if the server has its own backup system) = Verify that the TSM agent is installed
Install and enable anti-spyware software = Enabled
Configure anti-spyware software to update daily = Enabled
Install the latest service packs and hotfixes from Microsoft = Enabled
Enable automatic notification of patch availability = Enabled
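
Added example (not part of the original checklist): a PowerShell spot-check for the "Others" items, covering the firewall profiles, the presence of the management and antivirus agents as running services, the age of the newest installed hotfix, and whether automatic update notification is set by policy. Assumptions: elevated PowerShell on Windows Server 2012 (Get-NetFirewallProfile exists there); CcmExec is the SCCM agent service, while the NetIQ, TSM and antivirus service names are placeholders to replace with what those installs register on your hosts; the patch-notification check reads the Windows Update AU policy key and treats any AUOptions value without NoAutoUpdate=1 as "notification enabled".

```powershell
$findings = @()

# Windows Firewall: every profile (Domain, Private, Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# Agents and antivirus: "installed" is checked as "service exists and is running".
$agents = @{
    'SCCM agent (SMS Agent Host)' = 'CcmExec'
    'NetIQ agent'                 = 'NETIQ_AGENT_SERVICE_NAME'   # placeholder: your NetIQ agent's service name
    'TSM backup agent'            = 'TSM_SCHEDULER_SERVICE_NAME' # placeholder: your TSM scheduler's service name
    'Antivirus'                   = 'ANTIVIRUS_SERVICE_NAME'     # placeholder: your AV product's service name
}
foreach ($label in $agents.Keys) {
    $svc = Get-Service -Name $agents[$label] -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += "$label service '$($agents[$label])' not found"
    } elseif ($svc.Status -ne 'Running') {
        $findings += "$label service is $($svc.Status)"
    }
}

# Patching: age of the most recent hotfix with a recorded install date.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    if ($age.Days -gt 30) { $findings += "Last hotfix $($latest.HotFixID) was installed $($age.Days) days ago" }
} else {
    $findings += 'No hotfix install dates recorded'
}

# Automatic notification of patch availability via the Windows Update policy key
# (assumed mapping of the checklist item; AUOptions 2 = notify before download).
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if (-not $au -or $au.NoAutoUpdate -eq 1 -or -not $au.AUOptions) {
    $findings += 'Automatic update notification is not configured by policy'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'All "Others" checks passed.' }
```

The 30-day hotfix threshold is a constructed value for the example; set it to whatever patch window the office requires.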
  


