
GSD331 Implementation Manual for

Windows 2012

GSD331 Implementation Manual for Bharti Airtel Ltd

GSD331 Implementation Manual for Microsoft Windows 2012

Version 1.0

IBM Global Services

IBM Bharti Confidential Page 1


Preface

Applicability

Objective: To provide a document of the I/T security controls that are to be implemented for Bharti Airtel Ltd.

Scope: This document covers Bharti Airtel's servers which are managed by IBM Global Services.

Compliance: Once completed, compliance with this customized guideline is subject to audit inspection.

Overview
This document provides guidance on the Information Technology (I/T) security controls that should be
implemented for Bharti Airtel.

Document Control
Document Name: GSD331 Implementation Manual for Windows 2012
Document Identification: Version 1.0
Owner Identification: Pankaj Dikshit (pandiksh@in.ibm.com), IBM, G4C
Author: Amita Misra, IBM
Document Approval: The following will approve any changes to this document:
    Pankaj Dikshit (pandiksh@in.ibm.com), Bharti Project, IBM, G4C
    "sachit singh" <sachit.singh@airtel.com>, Bharti AIRTEL CST
Approved On: 06-Oct-14
Summary of Changes: Version 1.0, 06-Oct-14, Initial Version
Review Plan: This document must be reviewed by all parties on a regular basis. All differences
between the customer's specifications and the IBM guidelines will be reviewed. The
recommended interval is 18 months. Verify that the interval selected is compliant
with the contract. If all of the Document Approvers agree, the review can be
skipped or the interval modified.
Next Review: April 2016
Latest Level: SMC Teamroom
Previous Version: The previous version of this document should be retained until all changes in this
version have been implemented or 18 months, whichever is longer.
Distribution: Copies of this document may be obsolete. It is the user's obligation to verify they
are using the most current edition. This document should be removed from use
when obsolete.

GSD331 Implementation Manual Template, Version 6.0


Related Document
Information Security Controls for Bharti Airtel (GSD331 Base Document for Bharti Airtel Ver 6.0). This
document contains the security policy to be implemented on Bharti Airtel's systems.


Table of Contents

Preface (p. 2)
    Overview (p. 2)
    Document Control (p. 2)
Related Document (p. 3)
Table of Contents (p. 4)
MW.1 System Setup (p. 6)
    MW.1.1.1 Initial System Setup (p. 6)
    MW.1.1.2 Security Patch Review (p. 6)
    MW.1.1.3 System Settings (p. 7)
    MW.1.1.4 Network Settings (p. 7)
        SNMP service (p. 10)
        Community name of 'private' is not permitted if the SNMP service is active. (p. 10)
MW.1.2 System Controls (p. 10)
    MW.1.2.1 Logging (p. 10)
    MW.1.2.2 Identify and Authenticate Users (p. 17)
    MW.1.2.3 Protecting Resources - OSRs (p. 19)
    MW.1.2.4 Protecting Resources - User Resources (p. 27)
    MW.1.2.5 Business Use Notice (p. 28)
    MW.1.2.6 Encryption (p. 29)
    MW.1.2.7 SNMP Guidelines (p. 30)
        SNMP can be enabled on Windows 2003 Servers if there is a business requirement with the following guidelines. (p. 30)
        SNMP Version (p. 30)
        Only SNMP v2 shall be enabled. SNMP v3 is not supported on Windows 2012. (p. 30)
        SNMP Read (p. 30)
        Only SNMP Read shall be enabled. (p. 30)
        SNMP Write (p. 30)
        SNMP Write shall be disabled. (p. 30)
        Default Community Strings (p. 30)
        Default community strings public and private are forbidden. (p. 30)
        SNMP Community Strings (p. 31)
        SNMP community strings should be non-trivial in nature and 14 characters or greater in length. (p. 31)
        SNMP Access Control (p. 31)
        Only authorised hosts should have SNMP access. (p. 31)
MW.1.3 Health Checking and Exceptions (p. 32)
    MW.1.3.1 Health Checking (p. 32)
    MW.1.3.2 Process Exceptions (p. 32)


MW. Microsoft Windows 2012 Technical Specification


Copyright IBM Corporation, 1997, 2011 - All Rights Reserved

Version - Release Levels: Microsoft Windows Server 2012 (all versions) and Windows Server 2012 R2 (all versions)


MW.1 System Setup


During the initial installation, configuration and testing, make sure that your system is not connected to any
untrusted networks. You may want to only connect the system to a network after you have completed your
configuration steps. Configuration steps should be documented as they are performed.

This appendix assumes that the OS has been installed from a known source and that the system has been
patched with the necessary patches. It further assumes that the network security personnel have working
knowledge of Windows 2012 system administration. While no system is absolutely secure, we are confident that
following these guidelines will result in systems that are harder for intruders to compromise. Continued
vigilance is imperative to keep systems secure.

MW.1.1.1 Initial System Setup


Refer to http://technet.microsoft.com/en-us/library/cc755116.aspx for procedures on installing a minimal
system, applying patches, and securing the Windows platform.

It is assumed that the server has had the smallest possible OS image installed and the latest patches applied.
A reduced installation means fewer services and greater security, though it may also cost some convenience.
Choose security over convenience: if in doubt about the necessity of a service, turn it off and see what breaks.

MW.1.1.2 Security Patch Review


Microsoft Windows 2012 Server updates and the latest patches can be downloaded from this site:

http://www.microsoft.com/downloads/results.aspx?freetext=windows%20server%202012&productID=&categoryId=7&period=&sortCriteria=popularity&nr=20&DisplayLang=en

Refer to the patch management process for applying new patches and security advisories which require
configuration changes. The latest patch management process is available in the SMC team room and the MDNS
team room.


MW.1.1.3 System Settings


This document is a set of guidelines to provide baseline security settings for a Windows 2012 server. For specific
services (www,smtp,snmp,IIS,RDP) that need to be implemented on the servers, please refer to the respective
GSD 331 IM for secure implementation of the same.

System Settings | Recommended Setting | Agreed to Setting | Reference
System Settings | No requirements in this category | No requirements in this category |
AntiVirus | Enabled | Yes | Start Antivirus service

MW.1.1.4 Network Settings

System Settings | Recommended Setting | Agreed to Setting | Reference
Net News Transfer Protocol (NNTP) authentication & identification | If activated, must be configured to require authentication and identification of all users if any of the newsgroups on the server are classified confidential. | If activated, must be configured to require authentication and identification of all users if any of the newsgroups on the server are classified confidential. |
X-Windows access control | If X-Windows service is active, access control must not be disabled. | If X-Windows service is active, provide an Xauth file and add the allowed host list in the security tab of the x-config tool. |
REXD daemon | May not be enabled. | Disable REXD service. |
Directories enabled for Anonymous FTP access | READ access via anonymous FTP must not be granted to directories containing classified data. | Remove Read permission of the Everyone group on FTP folders containing classified data. |
Access permissions for directories accessible via Anonymous FTP access | Each directory may allow read or write access to anonymous users, but not both. | Set read or write security permission (not both) on the FTP folder for the Anonymous user. |
Process Control: Anonymous FTP, Process for Receiving Files from Anonymous Users | Files that have been stored into a writeable directory must be examined (scanned for viruses, checked for Confidential information, checked for inappropriate material, etc.) before being moved to a readable directory. | Perform an antivirus scan on the writable directory. Remove personal audio/video files from the directory. |
Directories enabled for TFTP (Trivial File Transfer Protocol) access | Access via TFTP may be granted only to directories containing unclassified data. Confidential data is not permitted in directories accessible via TFTP or any subdirectories of the directory. | Remove Read and Write permission from Confidential data. |
ECHO | Disabled on all Internet servers | Disable echo in the services file under the %systemroot%\drivers\etc directory. |
CHARGEN | Disabled on all Internet servers | Disable chargen in the services file under the %systemroot%\drivers\etc directory. |
FINGER | Disabled on all Internet servers | Disable FINGER in the services file under the %systemroot%\drivers\etc directory. |
DISCARD | Disabled on all Internet servers | Disable DISCARD in the services file under the %systemroot%\drivers\etc directory. |
SYSTAT | Disabled on all Internet servers | Disable SYSTAT in the services file under the %systemroot%\drivers\etc directory. |
Post Office Protocol (POP) authentication | Disabled on all Internet servers | Disable the Post Office Protocol (POP) service. |
DAYTIME | Disabled on all Internet servers | Disable DAYTIME in the services file under the %systemroot%\drivers\etc directory. |
NETSTAT | Disabled on all Internet servers | Disable NETSTAT in the services file under the %systemroot%\drivers\etc directory. |
WHO | Disabled on all Internet servers | Disable WHO in the services file under the %systemroot%\drivers\etc directory. |
ECHO | Disabled if not required to support an application | Disable ECHO in the services file under the %systemroot%\drivers\etc directory. |
CHARGEN | Disabled if not required to support an application | Disable chargen in the services file under the %systemroot%\drivers\etc directory. |
RSTATD | Disabled if not required to support an application | Disable RSTATD in the services file under the %systemroot%\drivers\etc directory. |
TFTP, RWALLD, RUSERD, DISCARD, DAYTIME, BOOTPS, FINGER, SPRAYD, PCNFSD, NETSTAT, RWHO, CMSD, DTSPCD, TTDBSERVER, Telnet Service, FTP Service | Disabled if not required to support an application | Disable TFTP, RWALLD, RUSERD, DISCARD, DAYTIME, BOOTPS, FINGER, SPRAYD, PCNFSD, NETSTAT, RWHO, CMSD, DTSPCD, TTDBSERVER, Telnet Service and FTP Service in the services file under the %systemroot%\drivers\etc directory. |
SNMP service | Community name of 'private' is not permitted if the SNMP service is active. | Private and public community names will not be used in the SNMP service. |
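The table above lists services that must be off unless an application needs them, but it gives no way to confirm the state of a host. The following PowerShell script is an added example (it is not part of this manual and not IBM's tooling) that reports which of the optional network services named in the table are installed as a Windows feature, registered as a service, or listening on the classic port. The feature names (Simple-TCPIP, Telnet-Server, Telnet-Client, Web-Ftp-Server, SNMP-Service) and service names (simptcp, TlntSvr, ftpsvc, SNMP) are the example author's understanding of the Windows Server 2012 names and should be verified with Get-WindowsFeature and Get-Service on the build in use; the port-to-name map is constructed from the table's service names.

```powershell
# Added example (not part of the GSD331 manual): inventory of optional network
# services from the Network Settings table on a Windows Server 2012 host.
# Names marked "assumed" are the example author's assumptions about Windows naming.
Import-Module ServerManager

# Roles/features that provide the small services the table wants disabled (assumed feature names).
$features = @(
    'Simple-TCPIP',    # Simple TCP/IP Services: echo, chargen, daytime, discard, quote
    'Telnet-Server',
    'Telnet-Client',
    'Web-Ftp-Server',  # IIS FTP server
    'SNMP-Service'
)

# Service names to look for; a registered-but-stopped service is still reported (assumed service names).
$services = @('simptcp', 'TlntSvr', 'ftpsvc', 'SNMP')

# Classic ports of the services in the table, constructed for this example.
$tcpPorts = @{ 7 = 'ECHO'; 9 = 'DISCARD'; 13 = 'DAYTIME'; 19 = 'CHARGEN'; 21 = 'FTP';
               23 = 'TELNET'; 79 = 'FINGER'; 110 = 'POP3'; 119 = 'NNTP'; 161 = 'SNMP' }
$udpPorts = @{ 69 = 'TFTP'; 161 = 'SNMP' }

$findings = @()

foreach ($f in $features) {
    $feat = Get-WindowsFeature -Name $f -ErrorAction SilentlyContinue
    if ($null -ne $feat -and $feat.Installed) {
        $findings += [pscustomobject]@{ Type = 'Feature'; Name = $f; State = 'Installed' }
    }
}

foreach ($s in $services) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($null -ne $svc) {
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$s'").StartMode
        $findings += [pscustomobject]@{ Type = 'Service'; Name = $s; State = "$($svc.Status), StartMode=$mode" }
    }
}

# Listeners catch a service installed by some other means (third-party daemon, manual install).
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $tcpPorts.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Listener'; Name = $tcpPorts[[int]$_.LocalPort]; State = "TCP $($_.LocalPort) listening" }
    }
Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $udpPorts.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Listener'; Name = $udpPorts[[int]$_.LocalPort]; State = "UDP $($_.LocalPort) bound" }
    }

if ($findings.Count -eq 0) {
    'No optional network services from the Network Settings table were found.'
} else {
    $findings | Sort-Object Type, Name | Format-Table -AutoSize
}
```

Run it elevated on the server after the build and again during the periodic health check; anything it lists needs either a documented business requirement (MW.1.3.2 Process Exceptions) or removal.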

MW.1.2 System Controls

MW.1.2.1 Logging

Note: System Administrators will not have individual IDs on servers; servers will be accessed
through CyberArk to accomplish day-to-day operations.

System Value/Parameter | Recommended Setting | Agreed to Setting | Reference
Account logon events | Success & Failure | Set Success & Failure setting in audit policy |
Account management | Success & Failure | Set Success & Failure setting in audit policy |
Directory service access | Failure | Failure |
Logon events | Success & Failure | Set Success & Failure setting in audit policy |
Object access | Failure | Set Failure setting in audit policy |
Policy change | Success & Failure | Set Success & Failure setting in audit policy |
Privilege use | Failure | Set Success & Failure setting in audit policy |
System events | Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Account Logon - Credential Validation | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Account Logon - Kerberos Service Ticket Operations | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Account Logon - Other Account Logon Events | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Account Logon - Kerberos Authentication Service | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Logon/Logoff - Logon | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Logon/Logoff - Logoff | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Logon/Logoff - Account Lockout | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Logon/Logoff - IPsec Main Mode | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Logon/Logoff - IPsec Quick Mode | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Logon/Logoff - IPsec Extended Mode | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Logon/Logoff - Special Logon | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Logon/Logoff - Other Logon/Logoff Events | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Logon/Logoff - Network Policy Server | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Logon/Logoff - User / Device Claims | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Account Management - User Account Management | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Account Management - Computer Account Management | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Account Management - Security Group Management | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Account Management - Distribution Group Management | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Account Management - Application Group Management | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Account Management - Other Account Management Events | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - DS Access - Directory Service Access | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - DS Access - Directory Service Changes | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - DS Access - Directory Service Replication | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - DS Access - Detailed Directory Service Replication | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - File System | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - Registry | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - Kernel Object | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - SAM | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - Certification Services | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - Application Generated | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - Handle Manipulation | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - File Share | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - Filtering Platform Packet Drop | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - Filtering Platform Connection | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - Other Object Access Events | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - Detailed File Share | Failure | Set Failure setting in audit policy |
Advanced Audit Policy - Object Access - Removable Storage | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Object Access - Central Access Policy Staging | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Policy Change - Audit Policy Change | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Policy Change - Authentication Policy Change | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Policy Change - Authorization Policy Change | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Policy Change - MPSSVC Rule-Level Policy Change | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Policy Change - Filtering Platform Policy Change | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Policy Change - Other Policy Change Events | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Privilege Use - Sensitive Privilege Use | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Privilege Use - Non Sensitive Privilege Use | Success & Failure | Set Success & Failure setting in audit policy |
Advanced Audit Policy - Privilege Use - Other Privilege Use Events | Success & Failure | Set Success & Failure setting in audit policy |
Audit policy - System - Security State Change | Failure | Set Failure setting in audit policy |
Audit policy - System - Security System Extension | Failure | Set Failure setting in audit policy |
Audit policy - System - System Integrity | Failure | Set Failure setting in audit policy |
Audit policy - System - IPsec Driver | Failure | Set Failure setting in audit policy |
Audit policy - System - Other System Events | Failure | Set Failure setting in audit policy |
Enable Advanced Audit Policy | Enable Advanced Audit Policy | Create the following registry entry under HKLM\SYSTEM\CurrentControlSet\Control\Lsa - Name: SCENoApplyLegacyAuditPolicy; Type: REG_DWORD; Value: 1 (Enabled) |

System Value/Parameter | Recommended Setting | Agreed to Setting | Reference
OSR auditing (folders) - the recommended setting listed is the minimum required | Enable auditing on the OSR object with the following specifications: Name: Everyone; Apply onto: This folder only; Access: select "Failed" for each of these accesses: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership | Set the following audit permission on OSR object folders: Name: Everyone; Apply onto: This folder only; Access: select "Failed" for each of these accesses: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership |
OSR auditing (files) - the recommended setting listed is the minimum required | Enable auditing on the OSR object with the following specifications: Name: Everyone; Apply onto: This object only; Access: select "Success & Failed" for each of these accesses: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes, Delete, Read Permissions, Change Permissions, Take Ownership | Set the following audit permission on OSR object files: Name: Everyone; Apply onto: This object only; Access: select "Success & Failed" for each of these accesses: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes, Delete, Read Permissions, Change Permissions, Take Ownership |
Log Retention Requirement | Security Event Log - retained for 60 days. Logs may be retained on the system itself, or on a separate system. | Save 60 days of security event log. Logs will be retained on the system itself, or on a separate system. |
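The audit table is long and easy to misapply by hand, so the following PowerShell script is an added example (not part of this manual, not IBM's own tooling) that creates the SCENoApplyLegacyAuditPolicy entry the table asks for, sets every advanced subcategory with auditpol.exe to the "Agreed to Setting" value, and then reads the effective policy back in CSV form to list any subcategory that does not match. Subcategory names are the ones in the table; the one assumption is that auditpol's own name for the "Central Access Policy Staging" row is "Central Policy Staging". The legacy top-level categories are not set separately because, with SCENoApplyLegacyAuditPolicy = 1, the subcategory settings take precedence.

```powershell
# Added example (not part of the GSD331 manual): apply and verify the agreed
# advanced audit policy from MW.1.2.1 on Windows Server 2012. Run elevated.

# 1. Make subcategory settings authoritative (registry entry from the table).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Subcategories grouped by the agreed value. "Central Policy Staging" is
#    auditpol's name for the table's "Central Access Policy Staging" (assumption).
$successAndFailure = @(
    'Credential Validation', 'Kerberos Service Ticket Operations', 'Other Account Logon Events',
    'Kerberos Authentication Service',
    'Logon', 'Logoff', 'Account Lockout', 'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode',
    'Special Logon', 'Other Logon/Logoff Events', 'Network Policy Server', 'User / Device Claims',
    'User Account Management', 'Computer Account Management', 'Security Group Management',
    'Distribution Group Management', 'Application Group Management', 'Other Account Management Events',
    'Removable Storage', 'Central Policy Staging',
    'Audit Policy Change', 'Authentication Policy Change', 'Authorization Policy Change',
    'MPSSVC Rule-Level Policy Change', 'Filtering Platform Policy Change', 'Other Policy Change Events',
    'Sensitive Privilege Use', 'Non Sensitive Privilege Use', 'Other Privilege Use Events'
)
$failureOnly = @(
    'Directory Service Access', 'Directory Service Changes', 'Directory Service Replication',
    'Detailed Directory Service Replication',
    'File System', 'Registry', 'Kernel Object', 'SAM', 'Certification Services', 'Application Generated',
    'Handle Manipulation', 'File Share', 'Filtering Platform Packet Drop', 'Filtering Platform Connection',
    'Other Object Access Events', 'Detailed File Share',
    'Security State Change', 'Security System Extension', 'System Integrity', 'IPsec Driver', 'Other System Events'
)

function Set-AuditSubcategory([string]$Name, [string]$Success, [string]$Failure) {
    & auditpol.exe /set /subcategory:"$Name" /success:$Success /failure:$Failure | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$Name' (exit code $LASTEXITCODE)" }
}

$successAndFailure | ForEach-Object { Set-AuditSubcategory $_ 'enable'  'enable' }
$failureOnly       | ForEach-Object { Set-AuditSubcategory $_ 'disable' 'enable' }

# 3. Verify: "auditpol /get /r" emits CSV whose "Inclusion Setting" column reads
#    "Success and Failure", "Success", "Failure" or "No Auditing".
$expected = @{}
$successAndFailure | ForEach-Object { $expected[$_] = 'Success and Failure' }
$failureOnly       | ForEach-Object { $expected[$_] = 'Failure' }

$actual = & auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
$drift = foreach ($row in $actual) {
    $name = $row.Subcategory
    if ($expected.ContainsKey($name) -and $row.'Inclusion Setting' -ne $expected[$name]) {
        [pscustomobject]@{ Subcategory = $name; Expected = $expected[$name]; Actual = $row.'Inclusion Setting' }
    }
}
if ($drift) { $drift | Format-Table -AutoSize; exit 1 } else { 'Audit policy matches the agreed MW.1.2.1 settings.' }
```

Because a Group Policy object that also defines advanced audit policy will overwrite local auditpol settings at the next refresh, run the verification step after gpupdate as well; persistent drift there means the GPO, not the host, must be corrected.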

MW.1.2.2 Identify and Authenticate Users

System Value/Parameter | Recommended Setting | Agreed to Setting | Reference
Enforce password history | 4 passwords remembered | Set value to 4 |
Minimum password age | 1 day | Set value to 0 |
Maximum password age | 45 days | Set value to 45 |
Minimum password length | 8 characters | Set value to 8 |
Store password using reversible encryption | Disabled | Change setting to Disabled |
Password complexity | Required | Change setting to Enabled |
'Password never expires' | No | No |
User accounts that are only associated with a started process(es) and are set to 'Disabled' status, so they can not be logged onto (example: tmersrvd) | No | Yes |
Account lockout threshold for Servers | 3 | Set value to 10 |
Account lockout duration | '0' minutes: account is locked out until an administrator unlocks it. | Set value to 0 |
Reset account lockout after | This policy must be set to a value equal to or above 30 minutes. | Set value to 30 |
Password Requirements | User accounts that satisfy all of the following criteria: 1) 'Logon locally' user right is disabled; 2) Userid does not have system or security administrative authority (per section 5.0); 3) All interactive login methods (FTP, telnet, rexec, SSH, etc.) are disabled for the userid by either: 3a) denying access to the user rights 'Access this computer from network' and 'Logon through Terminal Services', or 3b) another method that disables interactive login methods for the given service or protocol | A non-expiring password will be allowed for IDs fulfilling the criteria below: 1) 'Logon locally' user right is disabled; 2) Userid does not have system or security administrative authority (per section 5.0); 3) All interactive login methods (FTP, telnet, rexec, SSH, etc.) are disabled for the userid by either: 3a) denying access to the user rights 'Access this computer from network' and 'Logon through Terminal Services', or 3b) another method that disables interactive login methods for the given service or protocol; 4) User accounts that are only associated with a started process(es) and are set to 'Disabled' status, so they can not be logged onto (example: tmersrvd); 5) IUSR_{system} and IWAM_{system} user accounts created by Internet Information Server (IIS); 6) Guest ID; 7) replicate ID |
System & Security Administrative userids include accounts within the following groups | Administrators, Domain Admins, Enterprise Admins, Power Users, Backup Operators, Print Operators, Network Configuration Operators, DHCP Administrators, Account Operators, Server Operators, Group Policy Creator Owners, Schema Admins, Group Policy Owners, Enterprise Operators, Certificate Service DCOM Access, Distributed COM Users, Event Log Readers, Performance Log Users, Performance Monitor Users, Eventlog (note: this is a specific userid) | IDs which are members of any of the following groups will be considered administrative IDs: Administrators, Domain Admins, Enterprise Admins, Power Users, Backup Operators, Print Operators, Network Configuration Operators, DHCP Administrators, Account Operators, Server Operators, Group Policy Creator Owners, Schema Admins, Group Policy Owners, Enterprise Operators, Certificate Service DCOM Access, Distributed COM Users, Event Log Readers, Performance Log Users, Performance Monitor Users, Eventlog (note: this is a specific userid) |
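The password and lockout rows above are the values an auditor will check first, and they are the ones most often left at defaults on a server that was built from a template. The following PowerShell script is an added example (not part of this manual, not IBM's own tooling) that exports the local security policy with secedit.exe, parses the [System Access] section of the template it writes, and compares each account-policy value with the "Agreed to Setting" column. The template key names are the standard secedit names; the one assumption, marked in the code, is that a GUI lockout duration of 0 ("until administrator unlocks") appears in the exported template as -1.

```powershell
# Added example (not part of the GSD331 manual): compare the local account
# policy with the agreed MW.1.2.2 values using a secedit export. Run elevated.
$agreed = @{
    PasswordHistorySize   = 4    # Enforce password history: 4 passwords remembered
    MinimumPasswordAge    = 0    # Minimum password age: agreed value 0
    MaximumPasswordAge    = 45   # Maximum password age: 45 days
    MinimumPasswordLength = 8    # Minimum password length: 8 characters
    PasswordComplexity    = 1    # Password complexity: Enabled
    ClearTextPassword     = 0    # Store password using reversible encryption: Disabled
    LockoutBadCount       = 10   # Account lockout threshold: agreed value 10
    LockoutDuration       = -1   # GUI value 0 (until admin unlocks); exported as -1 (assumption)
    ResetLockoutCount     = 30   # Reset account lockout counter after: 30 minutes
}

function Get-SystemAccessPolicy {
    # Export the SECURITYPOLICY area to a temporary template and read [System Access].
    $cfg = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run this script elevated.' }
    $values = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {          # template is UTF-16 with BOM; Get-Content handles it
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $values[$Matches[1]] = [int]$Matches[2] }
    }
    Remove-Item $cfg -Force
    return $values
}

$current = Get-SystemAccessPolicy
$report = foreach ($key in ($agreed.Keys | Sort-Object)) {
    # A key absent from the export (e.g. LockoutDuration when no threshold is set) reports as $null.
    $have = if ($current.ContainsKey($key)) { $current[$key] } else { $null }
    [pscustomobject]@{
        Setting   = $key
        Agreed    = $agreed[$key]
        Current   = $have
        Compliant = ($have -eq $agreed[$key])
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

On a domain member the exported values are the effective ones after Group Policy, so a non-compliant line points at the Default Domain Policy rather than the server; on a stand-alone server the same values can be corrected with "secedit /configure" from an edited copy of the template.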

MW.1.2.3 Protecting Resources OSRs

The following objects are designated as OSRs. The access listed in the 'Required Setting' column is the maximum
authority permitted to general users (e.g. Everyone, Users or other groups containing general users).

System Value/Parameter: Task Scheduler Service
Recommended Setting: Each active entry must specify the full path of the file/command/script to be executed.
Agreed to Setting: Each active entry must specify the full path of the file/command/script to be executed.

System Value/Parameter: Task Scheduler Service
Recommended Setting: For each active entry's file/command/script executed, and all directories in its path, the
maximum authority permitted to general users (unless otherwise specified in the OSR section of this tech spec) is:
  Files/commands/scripts:
  - Read & Execute
  - Read
  Directories:
  - Read & Execute
  - List Folder Contents
  - Read
Agreed to Setting: The Users and Everyone groups will be provided the following permissions on
files/scripts/folders configured in scheduled jobs:
  Files/scripts:
  - Read & Execute
  - Read
  Directories:
  - Read & Execute
  - List Folder Contents
  - Read

System Value/Parameter: Registry setting
Recommended Setting: Name: NoDriveTypeAutoRun; Type: REG_DWORD; Value: 0xFF (Hex)
Agreed to Setting: Create the following registry setting under
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  Name: NoDriveTypeAutoRun
  Type: REG_DWORD
  Value: 0xFF (Hex)

System Value/Parameter: Registry setting
Recommended Setting: Name: AutoBackupLogFiles; Type: REG_DWORD; Value: 0x1
Agreed to Setting: Create the following registry setting under
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
  Name: AutoBackupLogFiles
  Type: REG_DWORD
  Value: 0x1

System Value/Parameter: Registry setting
Recommended Setting: Name: AutoBackupLogFiles; Type: REG_DWORD; Value: 0
Agreed to Setting: Create the following registry setting under
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
  Name: AutoBackupLogFiles
  Type: REG_DWORD
  Value: 0

System Value/Parameter: Registry setting
Recommended Setting: Name: Retention; Type: REG_DWORD; Value: -1 (0xffffffff)
Agreed to Setting: Create the following registry setting under
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
  Name: Retention
  Type: REG_DWORD
  Value: -1 (0xffffffff)

System Value/Parameter: Registry setting
Recommended Setting: Name: Retention; Type: REG_DWORD; Value: (not required to be set)
Agreed to Setting: Create the following registry setting under
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
  Name: Retention
  Type: REG_DWORD
  Value: (not required to be set)

System Value/Parameter: Permission on %SystemRoot%\System32\Spool
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemRoot%\System32\Spool folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - List Folder Contents
  - Read

System Value/Parameter: %SystemRoot%
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the %SystemRoot%
folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - List Folder Contents
  - Read

System Value/Parameter: %SystemRoot%\security
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemRoot%\security folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - List Folder Contents
  - Read

System Value/Parameter: %SystemRoot%\system
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemRoot%\system folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - List Folder Contents
  - Read

System Value/Parameter: %SystemRoot%\system32
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemRoot%\system32 folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - List Folder Contents
  - Read

System Value/Parameter: %SystemRoot%\system32\config
Recommended Setting: No general user authorizations permitted
Agreed to Setting: Remove the permission of the Everyone group on %SystemRoot%\system32\config.

System Value/Parameter: %SystemRoot%\system32\drivers
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemRoot%\system32\drivers folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - List Folder Contents
  - Read
System Value/Parameter: %SystemRoot%\system32\spool
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemRoot%\system32\spool folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - List Folder Contents
  - Read

System Value/Parameter: %SystemRoot%\system32\GroupPolicy
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemRoot%\system32\GroupPolicy folder. This is the maximum permission allowed for the Everyone and Users
groups.
  - Read & Execute
  - List Folder Contents
  - Read

System Value/Parameter: %WinDir%\WinSxS\Backup
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%WinDir%\WinSxS\Backup folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - List Folder Contents
  - Read

System Value/Parameter: %SystemDrive%\boot\BCD
Recommended Setting: Read & Execute; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemDrive%\boot\BCD folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - Read
System Value/Parameter: %SystemRoot%\system32\winload.exe or %SystemRoot%\system32\winload.efi
Recommended Setting: Read & Execute; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemRoot%\system32\winload.exe or %SystemRoot%\system32\winload.efi file. This is the maximum permission
allowed for the Everyone and Users groups.
  - Read & Execute
  - Read

System Value/Parameter: %SystemDrive%\bootmgr or \EFI\Microsoft\Boot\bootmgfw.efi
Recommended Setting: Read & Execute; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemDrive%\bootmgr or \EFI\Microsoft\Boot\bootmgfw.efi file. This is the maximum permission allowed for the
Everyone and Users groups.
  - Read & Execute
  - Read

System Value/Parameter: %SystemDrive%
Recommended Setting: Read & Execute; List Folder Contents; Read; Create folders/append data
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the %SystemDrive%
folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - List Folder Contents
  - Read
  - Create folders/append data

System Value/Parameter: %SystemRoot%\syswow64
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemRoot%\syswow64 folder. This is the maximum permission allowed for the Everyone and Users groups.
  - Read & Execute
  - List Folder Contents
  - Read
System Value/Parameter: %SystemRoot%\syswow64\drivers
Recommended Setting: Read & Execute; List Folder Contents; Read
Agreed to Setting: Provide the following permissions to the Everyone and Users groups on the
%SystemRoot%\syswow64\drivers folder. This is the maximum permission allowed for the Everyone and Users
groups.
  - Read & Execute
  - List Folder Contents
  - Read

System Value/Parameter: %SystemRoot%\System32\Winevt\Logs\Security.evtx (or the Security log file whose
location/name is defined in the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security subkey, if the log
has been moved from the default location)
Recommended Setting: No general user authorizations permitted
Agreed to Setting: Remove the Everyone and Users group permissions from the
%SystemRoot%\System32\Winevt\Logs\Security.evtx file.

System Value/Parameter: %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx (or the DNS Server log file whose
location/name is defined in the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server subkey, if the log
has been moved from the default location)
Recommended Setting: No general user authorizations permitted
Agreed to Setting: Remove the Everyone and Users group permissions from the
%SystemRoot%\System32\Winevt\Logs\DNS Server.evtx file.
Notes:
- The above permissions are required on the specified directories and files listed only; not on subfolders and
  files under them.
- Certain privileged ids/groups (e.g. Server Operator, Power User, Print Operator, SYSTEM) are granted default
  permissions to some OSRs. These defaults are acceptable and need not be changed.
- Administrators and SYSTEM may be granted Full Control to all OSRs.

Registry Controls required on Windows Terminal Servers:

System Value/Parameter: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Recommended Setting: General users may not be granted access to this subkey
Agreed to Setting: Remove the Everyone and Users groups from the access list

System Value/Parameter: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Recommended Setting: Name: RestrictGuestAccess; Type: REG_DWORD; Value: 1
Agreed to Setting: Create the following registry key
  Name: RestrictGuestAccess
  Type: REG_DWORD
  Value: 1

System Value/Parameter: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
Recommended Setting: Name: RestrictGuestAccess; Type: REG_DWORD; Value: 1
Agreed to Setting: Create the following registry key
  Name: RestrictGuestAccess
  Type: REG_DWORD
  Value: 1

System Value/Parameter: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System
Recommended Setting: Name: RestrictGuestAccess; Type: REG_DWORD; Value: 1
Agreed to Setting: Create the following registry key
  Name: RestrictGuestAccess
  Type: REG_DWORD
  Value: 1

System Value/Parameter: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\DNS Server
Recommended Setting: Name: RestrictGuestAccess; Type: REG_DWORD; Value: 1
Agreed to Setting: Create the following registry key
  Name: RestrictGuestAccess
  Type: REG_DWORD
  Value: 1
Note: On servers where the DNS Server subkey does not exist, no action is required.
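The following PowerShell script is an added audit example; it is not part of the GSD331 manual or of IBM's own tooling. It reads back the registry values from the OSR table and the Terminal Server registry controls above, and checks the Allow ACEs held by the general-user groups on the listed folders and files against the maximum the table permits. It assumes that "general users" means Everyone and BUILTIN\Users, and the path list covers the main rows (the remaining rows follow the same pattern).

```powershell
# Added audit example (not from the GSD331 manual): checks a Windows 2012 server against the
# MW.1.2.3 OSR table and Terminal Server registry controls. Run elevated; prints one line per finding.

$General = @('Everyone', 'BUILTIN\Users')   # the "general user" groups the table names (assumption)
$RX  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute  # Read & Execute, List Folder Contents, Read
$App = [System.Security.AccessControl.FileSystemRights]::AppendData      # "Create folders/append data"

# Path -> maximum rights allowed to general users ($null = no Everyone/Users ACE permitted at all).
# Remaining table rows (bootmgr, winload.efi, boot\BCD, DNS Server.evtx) follow the same pattern.
$Osr = [ordered]@{
    "$env:SystemRoot"                                    = $RX
    "$env:SystemRoot\security"                           = $RX
    "$env:SystemRoot\system32"                           = $RX
    "$env:SystemRoot\system32\config"                    = $null
    "$env:SystemRoot\system32\drivers"                   = $RX
    "$env:SystemRoot\system32\spool"                     = $RX
    "$env:SystemRoot\system32\GroupPolicy"               = $RX
    "$env:SystemRoot\syswow64"                           = $RX
    "$env:windir\WinSxS\Backup"                          = $RX
    "$env:SystemDrive\"                                  = ($RX -bor $App)
    "$env:SystemRoot\system32\winload.exe"               = $RX
    "$env:SystemRoot\System32\Winevt\Logs\Security.evtx" = $null
}
$EvtLog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$Reg = @(   # key, value name, expected REG_DWORD data
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoDriveTypeAutoRun', 0xFF),
    @("$EvtLog\Security",    'AutoBackupLogFiles',  1),
    @("$EvtLog\System",      'AutoBackupLogFiles',  0),
    @("$EvtLog\Security",    'Retention',          -1),   # 0xffffffff reads back as Int32 -1
    @("$EvtLog\Application", 'RestrictGuestAccess', 1),
    @("$EvtLog\Security",    'RestrictGuestAccess', 1),
    @("$EvtLog\System",      'RestrictGuestAccess', 1),
    @("$EvtLog\DNS Server",  'RestrictGuestAccess', 1)    # absent subkey = no action required
)

function Test-OsrRegistry {
    param([string]$Key, [string]$Name, $Expected)
    if (-not (Test-Path -LiteralPath $Key)) { return "${Key}: subkey not present (no action required)" }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "${Key}\${Name}: missing, expected $Expected" }
    if ($item.$Name -ne $Expected) { return "${Key}\${Name}: is $($item.$Name), expected $Expected" }
}

function Test-OsrAcl {
    param([string]$Path, $MaxRights)
    if (-not (Test-Path -LiteralPath $Path)) { return "${Path}: not present, skipped" }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $General -notcontains $ace.IdentityReference.Value) { continue }
        if ($null -eq $MaxRights) { "${Path}: $($ace.IdentityReference) must have no access"; continue }
        # Bits set in the ACE but not in the maximum are excess. Generic rights in inherit-only ACEs
        # (e.g. GENERIC_ALL = 0x10000000) also land here and are reported for manual review.
        $excess = [int]$ace.FileSystemRights -band (-bnot [int]$MaxRights)
        if ($excess -ne 0) { "${Path}: $($ace.IdentityReference) has $($ace.FileSystemRights), maximum is $MaxRights" }
    }
}

$Findings = @(foreach ($r in $Reg) { Test-OsrRegistry -Key $r[0] -Name $r[1] -Expected $r[2] }) +
            @(foreach ($p in $Osr.Keys) { Test-OsrAcl -Path $p -MaxRights $Osr[$p] })
if ($Findings) { $Findings } else { 'All checked MW.1.2.3 items are compliant' }
```

The script only reports; it changes nothing, so it can be run as a health-check step (section MW.1.3.1) before any remediation.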

MW.1.2.4 Protecting Resources - User Resources

System Value/Parameter: Creating new user home directories
Recommended Setting: Minimum permission should be assigned to anyone other than the resource owner and
administrators.
Agreed to Setting: At creation time, the home directory must be owned by the resource owner, and the maximum
allowed permissions granted on the home directory to anyone other than the resource owner and administrators
is:
  - Traverse Folder / Execute File
  - Read Attributes
  - Read Permissions

Note: If home directories are designed with subdirectories under them such as a 'public' folder or a folder for
storing web pages that are readable by general users, the above permissions would be needed for users to
traverse through and access the subdirectories. Otherwise granting no access to general users would be the
more common approach for initial home directory permission settings set by the Provider of Service.

System Value/Parameter: Guest accounts which allow system login without entry of a specific password
(examples: Guest accounts)
Recommended Setting: If a guest account is enabled, it must comply with the following:
  - No access to confidential data
  - Any group in scope of Section MW.1.3 of this technical specification
Agreed to Setting: If a guest account is enabled, it must comply with the following:
  - Remove guest account permission from the system drive and folder.
  - Remove Guest account permission from data folders.
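The following PowerShell function is an added example, not part of the GSD331 manual or of IBM's provisioning tooling; it creates a home directory with the ownership and permission limits given above. The home root D:\Home, the sample account name and the use of BUILTIN\Users as the general-user group are assumptions made for the example.

```powershell
# Added example (not from the GSD331 manual): creates a user home directory with the MW.1.2.4 ownership
# and permissions. The root path, the account name and BUILTIN\Users as the "general user" group are assumptions.
function New-UserHomeDirectory {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,   # e.g. 'CORP\jdoe' (hypothetical account)
        [string]$Root = 'D:\Home',                          # assumed home-directory root
        [switch]$AllowGeneralUserTraverse                   # only when a 'public' subfolder is planned (see note)
    )
    $path = Join-Path $Root ($UserName.Split('\')[-1])
    $null = New-Item -ItemType Directory -Path $path -Force
    $acl  = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting parent ACEs and drop the inherited copies

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    # Owner and administrators get Full Control; SYSTEM is included as the OSR notes permit (assumption here).
    foreach ($id in @($UserName, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    if ($AllowGeneralUserTraverse) {
        # Maximum the table permits to anyone else: Traverse Folder / Execute File, Read Attributes,
        # Read Permissions, granted on this folder only (not inherited by subfolders or files).
        $max  = [System.Security.AccessControl.FileSystemRights]'ExecuteFile, ReadAttributes, ReadPermissions'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', $max, 'None', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    # Ownership goes to the resource owner; setting another account as owner needs an elevated session.
    $acl.SetOwner([System.Security.Principal.NTAccount]$UserName)
    Set-Acl -LiteralPath $path -AclObject $acl
    return $path
}

# Usage (hypothetical account): New-UserHomeDirectory -UserName 'CORP\jdoe'
```

Without -AllowGeneralUserTraverse the directory grants general users nothing, which the note above describes as the more common initial setting.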

MW.1.2.5 Business Use Notice

Recommended Setting: Yes
How implemented: Set via the following registry values:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption
  Value: Warning
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext
  Value: Access to this system is strictly restricted to authorized persons only. Unauthorized access to this
  system is not allowed and every activity is monitored on this system

MW.1.2.6 Encryption

Encryption Type: Data Transmission
See GSD331 for requirements criteria.
Note: Windows Server 2012 provides encryption support for some services, including Kerberos, remote access,
Remote Procedure Call (RPC), Secure Sockets Layer/Transport Layer Security (SSL/TLS), Terminal Services
Remote Desktop Protocol (RDP), and IP Security (IPSec).
Vendor software that supports the encryption requirements of the main standard may also be used.

Encryption Type: File/Database Storage
See GSD331 for requirements criteria.
Note: Windows Server 2012 supports encryption of folders/files with the Encrypting File System (EFS). EFS uses
the Advanced Encryption Standard (AES) algorithm with a 256-bit key by default; a 3DES algorithm option is also
available.
Vendor software that supports the encryption requirements of the main standard may also be used.

System Value/Parameter: Maximum lifetime for user ticket
Recommended Setting: If Kerberos authentication is enabled, the following are the maximum lifetimes permitted
for user accounts at creation time:
  * 30 hours (general user accounts)
  * 12 hours (system & security administrative user accounts)
  If this is enabled at a policy level which implements a single maximum lifetime across all userids, then that
  must be set to 12 hours (so both general users and administrative users are compliant).
  If Kerberos authentication is not enabled, there is no requirement for this item.
Agreed to Setting: If Kerberos authentication is enabled, change the value of Maximum ticket lifetime to
12 Hours. If Kerberos authentication is not enabled, there is no requirement for this item.

MW.1.2.7 SNMP Guidelines

SNMP can be enabled on Windows 2003 Servers if there is a business requirement, with the following guidelines.

SNMP Version: Only SNMP v2 shall be enabled. SNMP v3 is not supported on Windows 2012.

SNMP Read: Only SNMP Read shall be enabled.

SNMP Write: SNMP Write shall be disabled.

Default Community Strings: The default community strings public and private are forbidden.

SNMP Community Strings: SNMP community strings should be non-trivial in nature and 14 characters or greater in
length.

SNMP Access Control: Only authorised hosts should have SNMP access.
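The following PowerShell script is an added example, not part of the GSD331 manual, that audits the Windows SNMP service settings against the guidelines above: community strings that are default, shorter than 14 characters, trivial, or granted write access, and a permitted-manager list that is empty. It assumes the SNMP service stores its configuration under the standard HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters key with the REG_DWORD rights encoding noted in the comments.

```powershell
# Added example (not from the GSD331 manual): audits the Windows SNMP service against MW.1.2.7.
# Assumes the service keeps its settings under the standard SNMP\Parameters registry key.

$SnmpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# ValidCommunities: value name = community string, REG_DWORD data = rights
# (1 NONE, 2 NOTIFY, 4 READ ONLY, 8 READ WRITE, 16 READ CREATE).
function Test-SnmpCommunities {
    param([string]$Key = "$SnmpParams\ValidCommunities")
    if (-not (Test-Path -LiteralPath $Key)) { return 'No SNMP communities defined (SNMP service not configured)' }
    $item = Get-Item -LiteralPath $Key
    foreach ($name in $item.GetValueNames()) {
        $rights = $item.GetValue($name)
        if ($name -in @('public', 'private')) { "community '$name': default community string is forbidden" }
        if ($name.Length -lt 14) { "community '$name': $($name.Length) characters, 14 or more required" }
        # "non-trivial" taken as: at least two character classes (letters, digits, other)
        $classes = [int]($name -match '[A-Za-z]') + [int]($name -match '\d') + [int]($name -match '[^A-Za-z0-9]')
        if ($classes -lt 2) { "community '$name': trivial (single character class)" }
        if ($rights -ge 8) { "community '$name': write access (rights=$rights); only READ ONLY (4) is allowed" }
    }
}

# PermittedManagers: values "1","2",... hold the hosts allowed to send SNMP requests.
# With no entries the service accepts SNMP packets from any host.
function Test-SnmpManagers {
    param([string]$Key = "$SnmpParams\PermittedManagers")
    $hosts = @()
    if (Test-Path -LiteralPath $Key) {
        $item  = Get-Item -LiteralPath $Key
        $hosts = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }
    if ($hosts.Count -eq 0) { return 'PermittedManagers is empty: SNMP requests accepted from any host' }
    "Permitted SNMP managers: $($hosts -join ', ') (confirm each is an authorised management host)"
}

@(Test-SnmpCommunities) + @(Test-SnmpManagers)
```

The SNMP version itself is not checked because the Windows SNMP service has no per-version switch; the community string and manager checks are what can be verified from the configuration.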

MW.1.3 Health Checking and Exceptions

MW.1.3.1 Health Checking

Requirement: Confirm that mandatory access control system options are as specified
Description: Validate:
  - Password settings in Section MW.1.2.2
  - Guest account restrictions in Section MW.1.2.4

Requirement: Verify that only approved users hold security administrative and system authority
Description: Verify users with system & security administrative privileges, as defined in Section MW.1.1.3

Requirement: Verify that all OSR access controls are set
Description: Validate settings in Section MW.1.2.3

Requirement: Verify that only approved users are included in the access lists of OSRs beyond that allowed to
general users.
Description: Reference Section MW.1.2.3

Requirement: Verify that harmful code detection programs are installed and operational
Description: Standard requirements apply

Requirement: Verify that the required access and activity log data do exist (list logs to be verified)
Description: Validate security logs as per Section MW.1.2.1

MW.1.3.2 Process Exceptions


Protecting Resources - OSRs

In environments where the Provider of Service can guarantee that no userid is able to access the file & directory
OSRs (non-registry OSRs), the file/directory permissions defined in the OSR table in section MW.1.2.3 need not
be applied. One acceptable example of this would be an environment where both of the following apply:
- No general users are active at the NT Operating System layer (no shares are open to general users, users are
  not allowed to log on locally if there is no application need or business requirement, or this right can be
  given only to the authenticated user group, etc.)
- All Guest, IUSR_{system} and Anonymous userids have been disabled

The soc_user userid, which is used for integration with the QRadar SIEM tool, is allowed to have a non-expiring
password (infinite password age) on the following servers:
