Windows 2012
Version 1.0
Preface
Applicability
Objective: To provide a document of the I/T security controls that are to be implemented for Bharti Airtel Ltd.
Scope: This document covers Bharti Airtel's servers which are managed by IBM Global Services.
Compliance: Once completed, compliance with this customized guideline is subject to Audit inspection.
Overview
This document provides guidance on the Information Technology (I/T) security controls that should be
implemented for Bharti Airtel.
Document Control
Document Name:
GSD331 Implementation Manual for Windows 2012
Document Identification: Version 1.0
Owner Identification: Pankaj Dikshit (pandiksh@in.ibm.com) , IBM , G4C
Author: Amita Misra, IBM
Document Approval: The following will approve any changes to this document:
Pankaj Dikshit (pandiksh@in.ibm.com) , Bharti Project ,IBM , G4C
"sachit singh" <sachit.singh@airtel.com>, Bharti AIRTEL CST
Approved On: 06-Oct-14
Summary of Changes: Version 1.0, 06-Oct-14, Initial Version
Review Plan: This document must be reviewed by all parties on a regular basis. All differences
between the customer's specifications and the IBM guidelines will be reviewed. The
recommended interval is 18 months. Verify that the interval selected is compliant
with the contract. If all of the Document Approvers agree, the review can be
skipped or the interval modified.
Related Document
Information Security Controls for Bharti Airtel (GSD331 Base Document for Bharti Airtel Ver 6.0). This
document contains the security policy to be implemented on the Bharti Airtel systems.
Table of Contents
Preface
    Overview
    Document Control
Related Document
Table of Contents
MW.1 System Setup
    MW.1.1.1 Initial System Setup
    MW.1.1.2 Security Patch Review
    MW.1.1.3 System Settings
    MW.1.1.4 Network Settings
        SNMP service
        Community name of 'private' is not permitted if the SNMP service is active.
MW.1.2 System Controls
    MW.1.2.1 Logging
    MW.1.2.2 Identify and Authenticate Users
    MW.1.2.3 Protecting Resources - OSRs
    MW.1.2.4 Protecting Resources - User Resources
    MW.1.2.5 Business Use Notice
    MW.1.2.6 Encryption
    MW.1.2.7 SNMP Guidelines
        SNMP can be enabled on Windows 2012 servers if there is a business requirement, with the following guidelines.
        SNMP Version: Only SNMP v2 shall be enabled. SNMP v3 is not supported on Windows 2012.
        SNMP Read: Only SNMP Read shall be enabled.
        SNMP Write: SNMP Write shall be disabled.
        Default Community Strings: Default community strings public and private are forbidden.
        SNMP Community Strings: SNMP community strings should be non-trivial in nature and 14 characters or greater in length.
        SNMP Access Control: Only authorised hosts should have SNMP access.
MW.1.3 Health Checking and Exceptions
    MW.1.3.1 Health Checking
    MW.1.3.2 Process Exceptions
This appendix assumes that the OS has been installed from a known source and that the system has been
patched with the necessary patches. It further assumes that the network security personnel have working
knowledge of Windows 2012 system administration. While no system is absolutely secure, we are confident that
following these guidelines will result in systems that are harder for intruders to compromise. Continued
vigilance is imperative to keep systems secure.
It is assumed that the server has had the smallest possible OS image installed and the latest patches applied.
A reduced image means fewer services and a smaller attack surface, but it may also cost some convenience.
Choose security over convenience: if in doubt about the necessity of a service, turn it off and see what breaks.
http://www.microsoft.com/downloads/results.aspx?freetext=windows%20server%202012&productID=&categoryId=7&period=&sortCriteria=popularity&nr=20&DisplayLang=en
Refer to the patch management process for applying new patches and security advisories which require
configuration changes. The latest patch management process is available in the SMC team room and the MDNS
team room.
Columns: System Setting, Recommended Setting, Agreed to Setting (blank in this version), Reference.

FINGER
    Recommended Setting: Disabled on all Internet servers
    Reference: Disable FINGER in the services file under the %SystemRoot%\System32\drivers\etc directory

DISCARD
    Recommended Setting: Disabled on all Internet servers
    Reference: Disable DISCARD in the services file under the %SystemRoot%\System32\drivers\etc directory

Note: the services file only maps service names to port numbers; removing or commenting a line does not stop
a listener. On Windows Server 2012 the DISCARD listener (together with ECHO, CHARGEN, DAYTIME and QOTD) is
provided by the optional "Simple TCP/IP Services" feature, which must not be installed; Windows Server ships no
FINGER daemon, only the finger.exe client. Confirm the control by checking that nothing listens on TCP 9 and
TCP 79, not only by inspecting the file.
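The following PowerShell check is an added example and is not part of the original GSD331 document. It verifies the FINGER/DISCARD control at the level that matters (the Simple-TCPIP feature, its service, and the listening ports) and also reports whether the services file lines mentioned in the table are still present. It uses only built-in Windows Server 2012 cmdlets (ServerManager and NetTCPIP modules).

```powershell
# Added example; not part of the original GSD331 document.
# Verifies that DISCARD/FINGER are really disabled on a Windows Server 2012 host:
# the listener for DISCARD (and ECHO, CHARGEN, DAYTIME, QOTD) is the optional
# "Simple TCP/IP Services" feature (service name simptcp), so the check looks at
# the feature, the service and the open ports, not only at the services file.

function Test-SimpleTcpServices {
    $findings = @()

    # 1. The Windows feature that provides the small TCP services must not be installed.
    Import-Module ServerManager -ErrorAction SilentlyContinue
    $feature = Get-WindowsFeature -Name Simple-TCPIP -ErrorAction SilentlyContinue
    if ($feature -and $feature.Installed) {
        $findings += 'Feature Simple-TCPIP is installed (remove with: Remove-WindowsFeature Simple-TCPIP)'
    }

    # 2. Its service must not exist, or must not be running.
    $svc = Get-Service -Name simptcp -ErrorAction SilentlyContinue
    if ($svc -and ($svc.Status -eq 'Running')) {
        $findings += 'Service simptcp (Simple TCP/IP Services) is running'
    }

    # 3. Nothing may listen on TCP 9 (discard) or TCP 79 (finger), whatever provides it.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort 9, 79 -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "TCP port $($l.LocalPort) is listening (PID $($l.OwningProcess), $proc)"
    }

    # 4. The documented control: finger/discard lines removed from the services file.
    #    This only removes the name-to-port mapping; it is reported for completeness,
    #    not because an active line would by itself start a listener.
    $servicesFile = Join-Path $env:SystemRoot 'System32\drivers\etc\services'
    $lines = Get-Content -Path $servicesFile -ErrorAction SilentlyContinue
    foreach ($name in 'finger', 'discard') {
        if ($lines -match "^\s*$name\s+\d+/tcp") {
            $findings += "services file still maps '$name' (line not commented out)"
        }
    }

    return $findings
}

$result = @(Test-SimpleTcpServices)
if ($result.Count -eq 0) { 'Compliant: no small TCP services present' } else { $result }
```

Run it elevated so that the owning process of a listener can be resolved. An empty result means the feature is absent, no process listens on 9/79, and the services file has been edited as the table requires.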
MW.1.2.1 Logging
Note: System Administrators will not have individual IDs on the servers; servers will be accessed
through CyberArk to carry out day-to-day operations.
Columns: System Value/Parameter, Recommended Setting, Agreed to Setting (blank in this version), Reference.
The Reference for every row below is the same: set the listed value for that category or subcategory in the
audit policy.

Audit policy (top-level categories)
    Account logon events: Success & Failure
    Account management: Success & Failure
    Directory service access: Failure
    Logon events: Success & Failure
    Policy change: Success & Failure
    Privilege use: Failure
    System events: Failure

Advanced Audit Policy - Account Logon (Success & Failure)
    Credential Validation
    Kerberos Service Ticket Operations
    Other Account Logon Events
    Kerberos Authentication Service

Advanced Audit Policy - Logon/Logoff (Success & Failure)
    Logon
    Logoff
    Account Lockout
    IPsec Main Mode
    IPsec Quick Mode
    IPsec Extended Mode
    Special Logon
    Other Logon/Logoff Events
    Network Policy Server
    User / Device Claims

Advanced Audit Policy - Account Management (Success & Failure)
    User Account Management
    Computer Account Management
    Security Group Management
    Distribution Group Management
    Application Group Management
    Other Account Management Events

Advanced Audit Policy - DS Access (Failure)
    Directory Service Access
    Directory Service Changes
    Directory Service Replication
    Detailed Directory Service Replication

Advanced Audit Policy - Object Access (Failure)
    File System
    Registry
    Kernel Object
    SAM
    Certification Services
    Application Generated
    Handle Manipulation
    File Share
    Filtering Platform Packet Drop
    Filtering Platform Connection
    Other Object Access Events
    Detailed File Share

Advanced Audit Policy - Object Access (Success & Failure)
    Removable Storage
    Central Access Policy Staging

Advanced Audit Policy - Policy Change (Success & Failure)
    Audit Policy Change
    Authentication Policy Change
    Authorization Policy Change
    MPSSVC Rule-Level Policy Change
    Filtering Platform Policy Change
    Other Policy Change Events

Advanced Audit Policy - Privilege Use (Success & Failure)
    Sensitive Privilege Use
    Non Sensitive Privilege Use
    Other Privilege Use Events

Audit policy - System (Failure)
    Security State Change
    Other System Events

Note: where a top-level category and its subcategories differ (Privilege use is Failure at category level but
Success & Failure for the Privilege Use subcategories), the subcategory values are the effective setting: on
Windows Server 2012 the security option "Audit: Force audit policy subcategory settings (Windows Vista or later)
to override audit policy category settings" is enabled by default. Verify the effective values with
auditpol /get /category:* rather than from the legacy audit policy view.
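The following script is an added example and is not part of the original GSD331 document. It encodes the Advanced Audit Policy rows above as a desired state and uses the built-in auditpol.exe to report drift and, on request, remediate. Two rows are left out because their auditpol subcategory names differ from the table's wording and should be confirmed first with `auditpol /list /subcategory:*`: User / Device Claims and Central Access Policy Staging.

```powershell
# Added example; not part of the original GSD331 document.
# Applies and verifies the Advanced Audit Policy subcategory values from the table
# above using the built-in auditpol.exe. Run from an elevated PowerShell session.

$SF = 'Success and Failure'   # wording used by "auditpol /get ... /r"
$F  = 'Failure'

# Rows recommended as Success & Failure, by auditpol subcategory name.
$SuccessAndFailure = @(
    'Credential Validation', 'Kerberos Service Ticket Operations',
    'Other Account Logon Events', 'Kerberos Authentication Service',
    'Logon', 'Logoff', 'Account Lockout', 'IPsec Main Mode', 'IPsec Quick Mode',
    'IPsec Extended Mode', 'Special Logon', 'Other Logon/Logoff Events',
    'Network Policy Server',
    'User Account Management', 'Computer Account Management',
    'Security Group Management', 'Distribution Group Management',
    'Application Group Management', 'Other Account Management Events',
    'Removable Storage',
    'Audit Policy Change', 'Authentication Policy Change',
    'Authorization Policy Change', 'MPSSVC Rule-Level Policy Change',
    'Filtering Platform Policy Change', 'Other Policy Change Events',
    'Sensitive Privilege Use', 'Non Sensitive Privilege Use',
    'Other Privilege Use Events'
)
# Rows recommended as Failure only.
$FailureOnly = @(
    'Directory Service Access', 'Directory Service Changes',
    'Directory Service Replication', 'Detailed Directory Service Replication',
    'File System', 'Registry', 'Kernel Object', 'SAM', 'Certification Services',
    'Application Generated', 'Handle Manipulation', 'File Share',
    'Filtering Platform Packet Drop', 'Filtering Platform Connection',
    'Other Object Access Events', 'Detailed File Share',
    'Security State Change', 'Other System Events'
)
$Desired = [ordered]@{}
$SuccessAndFailure | ForEach-Object { $Desired[$_] = $SF }
$FailureOnly       | ForEach-Object { $Desired[$_] = $F }

function Get-AuditSetting([string]$Subcategory) {
    # /r emits CSV; "Inclusion Setting" holds the effective value
    # ("Success and Failure", "Success", "Failure" or "No Auditing").
    $csv = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    return $csv.'Inclusion Setting'
}

function Set-AuditSetting([string]$Subcategory, [string]$Setting) {
    $s = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$Subcategory" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$Subcategory'" }
}

function Invoke-AuditPolicyCheck([switch]$Apply) {
    # Reports every subcategory that differs from the table; with -Apply it also fixes it.
    foreach ($name in $Desired.Keys) {
        $want = $Desired[$name]
        $have = Get-AuditSetting $name
        if ($have -ne $want) {
            Write-Warning "$name : is '$have', required '$want'"
            if ($Apply) { Set-AuditSetting $name $want }
        }
    }
}

Invoke-AuditPolicyCheck            # report only
# Invoke-AuditPolicyCheck -Apply   # remediate locally
```

Local auditpol changes are overwritten at the next Group Policy refresh if an Advanced Audit Policy GPO applies to the server, so on domain members treat this as the verification step and keep the settings in the GPO; running the check without -Apply after a gpupdate shows whether the GPO matches the table.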
OSR auditing (folders) - the recommended setting listed is the minimum required
    Recommended Setting: Enable auditing on the OSR object with the following specifications:
        Name: Everyone
        Apply onto: This folder only
        Access: select "Failed" for each of these accesses:
            Traverse Folder/Execute File
            List Folder/Read Data
            Read Attributes
            Read Extended Attributes
            Create Files/Write Data
            Create Folders/Append Data
            Write Attributes
            Write Extended Attributes
            Delete Subfolders and Files
            Delete
            Read Permissions
            Change Permissions
            Take Ownership
    Reference: Set the above audit permission on OSR folders.

OSR auditing (files) - the recommended setting listed is the minimum required
    Recommended Setting: Enable auditing on the OSR object with the following specifications:
        Name: Everyone
        Apply onto: This object only
        Access: select "Success & Failed" for each of these accesses:
            Traverse Folder/Execute File
            List Folder/Read Data
            Read Attributes
            Read Extended Attributes
    Reference: Set the above audit permission on OSR files.

Note: these SACL entries only produce Security log events when the Object Access - File System subcategory is
enabled (Failure, per the table above); without it the SACL is stored on the object but nothing is written to
the log.

Log Retention Requirement
    Recommended Setting: Security Event Log - retained for 60 days. Logs may be retained on the system itself,
    or on a separate system.
    Reference: Save 60 days of security event log. Logs will be retained on the system itself, or on a
    separate system.
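The following script is an added example and is not part of the original GSD331 document. It writes the folder auditing entry from the table (Everyone, "This folder only", Failed for the thirteen listed accesses) to a folder and verifies it. The path `C:\OSR\Example` is a placeholder; substitute the actual OSR folder.

```powershell
# Added example; not part of the original GSD331 document.
# Applies and verifies the OSR folder auditing entry from the table above:
# Everyone, "This folder only", Failed for the listed accesses. $OsrFolder is a
# placeholder path. Run elevated: reading or writing a SACL needs SeSecurityPrivilege.

$OsrFolder = 'C:\OSR\Example'   # placeholder; substitute the real OSR folder
if (-not (Test-Path -LiteralPath $OsrFolder)) { throw "OSR folder '$OsrFolder' does not exist" }

# The thirteen accesses from the table, by their FileSystemRights names.
$AuditedRights = [System.Security.AccessControl.FileSystemRights](@(
    'ExecuteFile',                  # Traverse Folder / Execute File
    'ReadData',                     # List Folder / Read Data
    'ReadAttributes',
    'ReadExtendedAttributes',
    'WriteData',                    # Create Files / Write Data
    'AppendData',                   # Create Folders / Append Data
    'WriteAttributes',
    'WriteExtendedAttributes',
    'DeleteSubdirectoriesAndFiles', # Delete Subfolders and Files
    'Delete',
    'ReadPermissions',
    'ChangePermissions',
    'TakeOwnership'
) -join ',')

# Well-known SID for Everyone, so the script does not depend on the display language.
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Test-OsrFolderAudit([string]$Path) {
    # True when an explicit Everyone audit ACE on this object covers every required right on failure.
    $acl = Get-Acl -LiteralPath $Path -Audit
    foreach ($ace in $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        $coversRights = (($ace.FileSystemRights -band $AuditedRights) -eq $AuditedRights)
        $onFailure    = (($ace.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Failure) -ne 0)
        if ($ace.IdentityReference.Value -eq 'S-1-1-0' -and $onFailure -and $coversRights) { return $true }
    }
    return $false
}

function Set-OsrFolderAudit([string]$Path) {
    # "Apply onto: This folder only" = no inheritance to children and no propagation.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        $Everyone,
        $AuditedRights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure
    )
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

if (-not (Test-OsrFolderAudit $OsrFolder)) { Set-OsrFolderAudit $OsrFolder }
"OSR folder audit compliant: $(Test-OsrFolderAudit $OsrFolder)"
```

For OSR files, the same construction applies with the four read accesses from the file row, `AuditFlags` set to `Success, Failure`, and `InheritanceFlags::None` again standing in for "This object only".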
6- Guest ID
7- replicate ID
Columns: System Value/Parameter, Recommended Setting, Agreed to Setting (blank in this version), Reference.

The following objects are designated as OSRs. The access listed in the 'Recommended Setting' column is the
maximum authority permitted to general users (e.g. Everyone, Users or other groups containing general users).

Task Scheduler Service
    Recommended Setting: Each active entry must specify the full path of the file/command/script to be
    executed.
    Reference: Each active entry must specify the full path of the file/command/script to be executed.

Task Scheduler Service
    Recommended Setting: For each active entry's file/command/script executed, and all directories in its
    path, the maximum authority permitted to general users (unless otherwise specified in the OSR section of
    this technical specification) is:
        Files/commands/scripts: Read & Execute, Read
        Directories: Read & Execute, List Folder Contents, Read
    Reference: The Users and Everyone groups will be given the following permissions on files/scripts/folders
    configured in scheduled jobs:
        Files/scripts: Read & Execute, Read
        Directories: Read & Execute, List Folder Contents, Read
Registry setting: NoDriveTypeAutoRun
    Recommended Setting: Name: NoDriveTypeAutoRun, Type: REG_DWORD, Value: 0xFF (Hex)
    Reference: Create the following registry setting under
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
        Name: NoDriveTypeAutoRun
        Type: REG_DWORD
        Value: 0xFF (Hex)

Registry setting: AutoBackupLogFiles (Security log)
    Recommended Setting: Name: AutoBackupLogFiles, Type: REG_DWORD, Value: 0x1
    Reference: Create the following registry setting under
    HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
        Name: AutoBackupLogFiles
        Type: REG_DWORD
        Value: 0x1

Registry setting: AutoBackupLogFiles (System log)
    Recommended Setting: Name: AutoBackupLogFiles, Type: REG_DWORD, Value: 0
    Reference: Create the following registry setting under
    HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
        Name: AutoBackupLogFiles
        Type: REG_DWORD
        Value: 0

Registry setting: Retention (Security log)
    Recommended Setting: Name: Retention, Type: REG_DWORD, Value: -1 (0xffffffff)
    Reference: Create the following registry setting under
    HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
        Name: Retention
        Type: REG_DWORD
        Value: -1 (0xffffffff)

Registry setting: Retention (System log)
    Recommended Setting: Name: Retention, Type: REG_DWORD, Value: (not required to be set)
    Reference: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
        Name: Retention
        Type: REG_DWORD
        Value: (not required to be set)

Note: Retention = 0xffffffff means "do not overwrite events". With AutoBackupLogFiles = 1 the Security log is
archived to %SystemRoot%\System32\winevt\Logs and cleared when it fills; with AutoBackupLogFiles = 0 and the
same Retention value the log simply stops recording when full, so the two Security log values must be set
together. The archived files only satisfy the 60-day retention requirement if they are kept on the server or
shipped to the separate log system.
Columns: System Value/Parameter, Recommended Setting, Agreed to Setting (blank in this version), Reference.
The Reference for each row below is the same: provide the listed permission to the Everyone and Users groups
on the object; this is the maximum permission allowed for the Everyone and Users groups.

%SystemRoot% (folder)
    Recommended Setting: Read & Execute, List Folder Contents, Read

%SystemRoot%\security (folder)
    Recommended Setting: Read & Execute, List Folder Contents, Read

%SystemRoot%\system32\spool (folder)
    Recommended Setting: Read & Execute, List Folder Contents, Read

%SystemRoot%\system32\winload.exe or %SystemRoot%\system32\winload.efi (file)
    Recommended Setting: Read & Execute, Read

%SystemRoot%\syswow64\drivers (folder)
    Recommended Setting: Read & Execute, List Folder Contents, Read

(object names lost in extraction) - six further folder rows with Read & Execute, List Folder Contents, Read,
and two further file rows with Read & Execute, Read.

Notes:
The above permissions are required on the specified directories and files listed only; not on subfolders and
files under them.
Certain privileged IDs/groups (e.g. Server Operators, Power Users, Print Operators, SYSTEM) are granted default
permissions to some OSRs. These defaults are acceptable and need not be changed.
Administrators and SYSTEM may be granted Full Control to all OSRs.
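The following script is an added example and is not part of the original GSD331 document. It serves both the Task Scheduler rows and the OSR permission table above with one helper: it lists every enabled scheduled task whose program is not given by full path, and every Allow entry that gives Everyone or BUILTIN\Users more than Read & Execute on a task program, on a directory in its path, or on the listed %SystemRoot% OSR objects. It uses the ScheduledTasks module that ships with Windows Server 2012.

```powershell
# Added example; not part of the original GSD331 document.
# Checks the Task Scheduler rows and the OSR permission rows above with one helper:
# (1) every enabled scheduled task names its program by full path, and general users
#     hold no more than Read & Execute on that program and each directory on its path;
# (2) the listed %SystemRoot% OSR objects grant general users no more than the table allows.
# "General users" here means Everyone and BUILTIN\Users, identified by well-known SID.

# Read & Execute (which includes Read and, on folders, List Folder Contents) plus Synchronize.
$MaxGeneral   = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
$GeneralUsers = @('S-1-1-0', 'S-1-5-32-545')   # Everyone, BUILTIN\Users

function Get-ExcessAccess([string]$Path) {
    # Emits one object per Allow ACE (explicit or inherited) that grants a general-user
    # group rights beyond $MaxGeneral on this object.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($GeneralUsers -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights (GENERIC_ALL/READ/...) live in the top bits and show up as negative
        # integers; keep all 32 bits and treat them as excess so they get reviewed.
        $rights = [int64]([int]$ace.FileSystemRights) -band 0xFFFFFFFF
        if (($rights -band (-bnot [int64]$MaxGeneral)) -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Test-ScheduledTaskPrograms {
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no program path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not [System.IO.Path]::IsPathRooted($exe)) {
                [pscustomobject]@{ Task = $task.TaskName; Finding = "program '$exe' is not a full path" }
                continue
            }
            # The program itself and every directory up to the drive root.
            $targets = @($exe)
            $dir = Split-Path -Path $exe -Parent
            while ($dir) { $targets += $dir; $dir = Split-Path -Path $dir -Parent }
            foreach ($t in $targets) {
                if (-not (Test-Path -LiteralPath $t)) { continue }
                foreach ($x in Get-ExcessAccess $t) {
                    [pscustomobject]@{ Task = $task.TaskName; Finding = "$($x.Identity) has $($x.Rights) on $($x.Path)" }
                }
            }
        }
    }
}

# OSR objects named in the table above.
$OsrObjects = @(
    "$env:SystemRoot",
    "$env:SystemRoot\security",
    "$env:SystemRoot\system32\spool",
    "$env:SystemRoot\system32\winload.exe",
    "$env:SystemRoot\system32\winload.efi",
    "$env:SystemRoot\syswow64\drivers"
)

function Test-OsrPermissions {
    foreach ($p in $OsrObjects) {
        if (Test-Path -LiteralPath $p) { Get-ExcessAccess $p }
    }
}

'--- scheduled tasks ---'; Test-ScheduledTaskPrograms | Format-Table -AutoSize
'--- OSR objects ---';     Test-OsrPermissions        | Format-Table -AutoSize
```

A relative or unquoted program path in a task that runs as SYSTEM, combined with a directory on that path where Users may create files, is the classic local privilege escalation the two Task Scheduler rows exist to prevent, which is why both checks are run together and directories are walked up to the drive root.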
Registry Controls required on Windows Terminal Servers:

Columns: System Value/Parameter, Recommended Setting, Agreed to Setting (blank in this version), Reference.

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server
    Recommended Setting: Name: RestrictGuestAccess, Type: REG_DWORD, Value: 1
    Reference: Create the following registry value:
        Name: RestrictGuestAccess
        Type: REG_DWORD
        Value: 1
    Note: On servers where the DNS Server subkey does not exist, no action is required.
Columns: System Value/Parameter, Recommended Setting, Agreed to Setting (blank in this version), Reference.

Creating new user home directories
    Recommended Setting: Minimum permission should be assigned to anyone other than the resource owner and
    administrators.
    Reference: At creation time, the home directory must be owned by the resource owner, and the maximum
    allowed permissions granted on the home directory to anyone other than the resource owner and
    administrators are:
        Traverse Folder / Execute File
        Read Attributes
        Read Permissions
Note: If home directories are designed with subdirectories under them, such as a 'public' folder or a folder
for storing web pages that are readable by general users, the above permissions are needed so that users can
traverse the home directory and reach the subdirectories. Otherwise, granting no access to general users is
the more common approach for the initial home directory permissions set by the Provider of Service.
Guest accounts which allow system login without entry of a specific password (examples: Guest accounts)
    Recommended Setting: If a guest account is enabled, it must comply with the following: no access to
    confidential data.
    Reference: If a guest account is enabled, it must comply with the following: remove Guest account
    permissions from the system drive and folders; remove Guest account permissions from data folders.
Any group in scope of Section MW.1.3 of this technical specification
Columns: Recommended Setting, Agreed to Setting (blank in this version), How implemented, Reference.

Business use notice
    Recommended Setting: Yes
    How implemented: Set via the following registry values:
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption
            Value: Warning
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext
            Value: Access to this system is strictly restricted to authorized persons only. Unauthorized
            access to this system is not allowed and every activity is monitored on this system
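The following script is an added example and is not part of the original GSD331 document. It declares the registry values from the MW.1.2.3 registry table, the Terminal Server DNS Server event log key and the business use notice above as one desired state, reports drift, and can apply them. The remediation function is separate so the check can be run read-only during health checking.

```powershell
# Added example; not part of the original GSD331 document.
# Desired-state check for the registry values in the MW.1.2.3 registry table, the
# Terminal Server "DNS Server" event log key and the MW.1.2.5 business use notice.
# Reports drift; remediation is a separate call so the check can run read-only.

$Explorer = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$EvtSec   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
$EvtSys   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\System'
$EvtDns   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server'
$PolSys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$NoticeText = 'Access to this system is strictly restricted to authorized persons only. ' +
              'Unauthorized access to this system is not allowed and every activity is monitored on this system'

$Desired = @(
    @{ Path = $Explorer; Name = 'NoDriveTypeAutoRun';  Type = 'DWord';  Value = 0xFF }
    @{ Path = $EvtSec;   Name = 'AutoBackupLogFiles';  Type = 'DWord';  Value = 1 }
    @{ Path = $EvtSys;   Name = 'AutoBackupLogFiles';  Type = 'DWord';  Value = 0 }
    # 0xFFFFFFFF is written as Int32 -1: Set-ItemProperty -Type DWord rejects values above
    # [int]::MaxValue, and Get-ItemProperty reads the stored DWORD back as -1.
    @{ Path = $EvtSec;   Name = 'Retention';           Type = 'DWord';  Value = -1 }
    # "No action is required where the DNS Server subkey does not exist" (table above).
    @{ Path = $EvtDns;   Name = 'RestrictGuestAccess'; Type = 'DWord';  Value = 1; OnlyIfKeyExists = $true }
    @{ Path = $PolSys;   Name = 'legalnoticecaption';  Type = 'String'; Value = 'Warning' }
    @{ Path = $PolSys;   Name = 'legalnoticetext';     Type = 'String'; Value = $NoticeText }
)

function Get-RegistryDrift {
    # Emits one object per value that is missing or differs from the desired state.
    foreach ($d in $Desired) {
        if (-not (Test-Path -LiteralPath $d.Path)) {
            if ($d.OnlyIfKeyExists) { continue }
            [pscustomobject]@{ Path = $d.Path; Name = $d.Name; Current = '<key missing>'; Required = $d.Value }
            continue
        }
        $item = Get-ItemProperty -LiteralPath $d.Path -Name $d.Name -ErrorAction SilentlyContinue
        $cur  = if ($item) { $item.($d.Name) } else { $null }
        if ($null -eq $cur -or $cur -ne $d.Value) {
            [pscustomobject]@{ Path = $d.Path; Name = $d.Name; Current = $cur; Required = $d.Value }
        }
    }
}

function Set-RegistryDesiredState {
    foreach ($d in $Desired) {
        if (-not (Test-Path -LiteralPath $d.Path)) {
            if ($d.OnlyIfKeyExists) { continue }
            New-Item -Path $d.Path -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $d.Path -Name $d.Name -Value $d.Value -Type $d.Type
    }
}

$drift = @(Get-RegistryDrift)
if ($drift.Count -eq 0) { 'Registry values compliant' } else { $drift | Format-Table -AutoSize }
# Set-RegistryDesiredState          # remediate, then re-run Get-RegistryDrift
# Effective Security log mode once Retention/AutoBackupLogFiles are applied: expect "AutoBackup"
(Get-WinEvent -ListLog Security).LogMode
```

The final line is the cross-check for the event log rows: "AutoBackup" corresponds to Retention = 0xffffffff with AutoBackupLogFiles = 1 (archive when full, do not overwrite), whereas "Retain" would mean the log halts when full and "Circular" that old events are being overwritten.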
MW.1.2.6 Encryption
Vendor software that supports the encryption requirements of the main standard may also be used.

File/Database Storage
    Recommended Setting: See GSD331 for requirements criteria.

Note: Windows Server 2012 supports encryption of folders/files with the Encrypting File System (EFS). EFS uses
the Advanced Encryption Standard (AES) algorithm with a 256-bit key by default; a 3DES algorithm option is also
available. EFS protects data at rest against access that bypasses the operating system (for example reading
the disk offline); it does not restrict the account that holds the EFS key, and without a backed-up user
certificate or a configured data recovery agent the data is unrecoverable if that profile is lost.
Columns: System Value/Parameter, Recommended Setting, Agreed to Setting (blank in this version), Reference.

Maximum lifetime for user ticket
    Recommended Setting: If Kerberos authentication is enabled, the following are the maximum lifetimes
    permitted for user accounts at creation time:
        * 30 hours (general user accounts)
        * 12 hours (system & security administrative user accounts)
    If this is enabled at a policy level which implements a single maximum lifetime across all userids, then
    that must be set to 12 hours (so both general users and administrative users are compliant).
    If Kerberos authentication is not enabled, there is no requirement for this item.
    Reference: If Kerberos authentication is enabled, change the value of "Maximum lifetime for user ticket"
    to 12 hours. If Kerberos authentication is not enabled, there is no requirement for this item.

Note: In an Active Directory domain this is the Kerberos Policy setting "Maximum lifetime for user ticket"
in the Default Domain Policy (Account Policies > Kerberos Policy), a single domain-wide value with a default
of 10 hours, which is why the 12-hour figure applies.
SNMP can be enabled on Windows 2012 servers if there is a business requirement, with the following guidelines.

SNMP Version: Only SNMP v2 shall be enabled. SNMP v3 is not supported on Windows 2012.
SNMP Read: Only SNMP Read shall be enabled.
SNMP Write: SNMP Write shall be disabled.
Default Community Strings: Default community strings public and private are forbidden.
SNMP Community Strings: SNMP community strings should be non-trivial in nature and 14 characters or greater in
length.
SNMP Access Control: Only authorised hosts should have SNMP access.

Note: the Windows SNMP service implements SNMPv1 and SNMPv2c and has no setting to turn v1 off, so it answers
v1 requests as well; the community string and permitted-manager controls above are therefore the effective
protection on the server, and the "v2 only" requirement has to be enforced on the management station.
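The following script is an added example and is not part of the original GSD331 document. It reads the SNMP service configuration from its registry keys (ValidCommunities and PermittedManagers under HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters) and checks it against the guidelines above. The sample configuration at the end is constructed to show the findings; the live check only runs where the SNMP service exists.

```powershell
# Added example; not part of the original GSD331 document.
# Audits the Windows SNMP service configuration against the guidelines above:
# read-only communities only, no "public"/"private", 14+ character strings, and an
# explicit permitted-manager list. The sample configuration at the end is constructed.

$SnmpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Rights stored as REG_DWORD per community under ValidCommunities:
# 1 = NONE, 2 = NOTIFY, 4 = READ ONLY, 8 = READ WRITE, 16 = READ CREATE
$ReadOnly = 4

function Get-SnmpConfig {
    # Reads communities and permitted managers from this server's registry.
    $cfg = @{ Communities = @{}; Managers = @() }
    $vc = Get-ItemProperty -LiteralPath "$SnmpParams\ValidCommunities" -ErrorAction SilentlyContinue
    if ($vc) {
        foreach ($p in $vc.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # provider metadata, not a community
            $cfg.Communities[$p.Name] = [int]$p.Value
        }
    }
    $pm = Get-ItemProperty -LiteralPath "$SnmpParams\PermittedManagers" -ErrorAction SilentlyContinue
    if ($pm) {
        # Managers are stored as values named "1", "2", ... holding a host name or address.
        $cfg.Managers = @($pm.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
    return $cfg
}

function Test-SnmpConfig($Config) {
    # Returns one finding per violated guideline; nothing when compliant.
    $findings = @()
    foreach ($name in $Config.Communities.Keys) {
        $code = $Config.Communities[$name]
        if ($name -in 'public', 'private') { $findings += "default community string '$name' is forbidden" }
        if ($name.Length -lt 14)           { $findings += "community '$name' is shorter than 14 characters" }
        if ($code -gt $ReadOnly)           { $findings += "community '$name' has rights code $code; only READ ONLY (4) or lower is permitted" }
    }
    if (@($Config.Managers).Count -eq 0)   { $findings += 'PermittedManagers is empty: requests are accepted from any host' }
    return $findings
}

# Constructed sample: one default community, one strong-looking string that is read-write, no host list.
$Sample = @{
    Communities = @{ 'public' = 4; 'Tz7$kq!Vn2#Lp9wR' = 8 }
    Managers    = @()
}
'--- sample configuration ---'
Test-SnmpConfig $Sample

# Live check, only where the SNMP service is installed.
if (Get-Service -Name SNMP -ErrorAction SilentlyContinue) {
    '--- this server ---'
    $live = @(Test-SnmpConfig (Get-SnmpConfig))
    if ($live.Count -eq 0) { 'SNMP configuration compliant' } else { $live }
}
```

Against the constructed sample the check reports four findings: the default string, its length, the read-write rights on the second community, and the empty manager list. Community strings are stored in clear text in ValidCommunities, so the ACL on the SNMP Parameters key should be reviewed along with the values.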
Columns: Requirement, Description.

Requirement: Confirm that mandatory access control system options are as specified
    Description: Validate password settings in Section MW.1.2.2 and guest account restrictions in Section
    MW.1.2.4.
Requirement: Verify that only approved users hold security administrative and system authority
    Description: Verify users with system & security administrative privileges, as defined in Section
    MW.1.1.3.
Requirement: Verify that all OSR access controls are set
    Description: Validate settings in Section MW.1.2.3.
Requirement: Verify that only approved users are included in the access lists of OSRs beyond that allowed to
general users
    Description: Reference Section MW.1.2.3.
Requirement: Verify that harmful code detection programs are installed and operational
    Description: Standard requirements apply.
Requirement: Verify that the required access and activity log data exist (list logs to be verified)
    Description: Validate security logs as per Section MW.1.2.1.