Microsoft Windows Server 2016 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Group: SRG-OS-000095-GPOS-00049

The Server Message Block (SMB) v1 protocol must be uninstalled.
SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.
Rule, Medium Severity

Group: SRG-OS-000095-GPOS-00049

The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.
Rule, Medium Severity

Group: SRG-OS-000095-GPOS-00049

Group: SRG-OS-000393-GPOS-00173
Passwords for the built-in Administrator account must be changed at least every 60 days.
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password no...
Rule, Medium Severity

Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are use...
Rule, Medium Severity

Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
Using an allowlist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential v...
Rule, Medium Severity

Servers must have a host-based intrusion detection or prevention system.
A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical servers...
Rule, Medium Severity

Non-administrative accounts or groups must only have print permissions on printer shares.
Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration can permit access to devices and data beyond a...
Rule, Low Severity

Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidential...
Rule, High Severity

Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of al...
Rule, Medium Severity

Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activatio...
Rule, Medium Severity

The TFTP Client must not be installed.
Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
Rule, Medium Severity

The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.
Rule, Medium Severity

Windows PowerShell 2.0 must not be installed.
Windows PowerShell 5.0 added advanced logging features that can provide additional detail when malware has been run on a system. Disabling Windows PowerShell 2.0 mitigates against a downgrade a...
Rule, Medium Severity

FTP servers must be configured to prevent access to the system drive.
The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, especially if the user can gain access to the roo...
Rule, Medium Severity

Secure Boot must be enabled on Windows Server 2016 systems.
Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows Server 2016, including Virtualizat...
Rule, Low Severity

Windows Server 2016 maximum password age must be configured to 60 days or less.
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system ...
Rule, Medium Severity

Windows Server 2016 must have the built-in Windows password complexity policy enabled.
The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (n...
Rule, Medium Severity

Permissions for the Application event log must prevent access by non-privileged accounts.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Permissions for the System event log must prevent access by non-privileged accounts.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity
Windows Server 2016 must be configured to audit Object Access - Removable Storage successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Windows Server 2016 must be configured to audit System - Other System Events successes.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Windows Server 2016 must be configured to audit System - System Integrity failures.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in hardened UNC paths before allowing access to them. This aids in preventing tampering with or spo...
Rule, Medium Severity

Command line data must be included in process creation events.
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. A...
Rule, Medium Severity

Printing over HTTP must be prevented.
Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive informati...
Rule, Medium Severity

Windows Telemetry must be configured to Security or Basic.
Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information ...
Rule, Medium Severity

File Explorer shell protocol must run in protected mode.
The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security ...
Rule, Medium Severity

Passwords must not be saved in the Remote Desktop Client.
Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving pa...
Rule, Medium Severity

The Windows Installer Always install with elevated privileges option must be disabled.
Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain fu...
Rule, High Severity

Automatically signing in the last interactive user after a system-initiated restart must be disabled.
Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling th...
Rule, Medium Severity

The Windows Remote Management (WinRM) service must not use Basic authentication.
Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.
Rule, High Severity

The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. Satisfies: SRG-OS-000393-GPOS-0017...
Rule, Medium Severity

The Kerberos user ticket lifetime must be limited to 10 hours or less.
In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limit...
Rule, Medium Severity

Active Directory Group Policy objects must have proper access control permissions.
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or dest...
Rule, High Severity

The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the in...
Rule, High Severity

The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.
The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker ...
Rule, Low Severity

The Active Directory Infrastructure object must be configured with proper audit settings.
When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact...
Rule, Medium Severity

The Active Directory AdminSDHolder object must be configured with proper audit settings.
When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact...
Rule, Medium Severity

The Active Directory RID Manager$ object must be configured with proper audit settings.
When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact...
Rule, Medium Severity