Additional STIG Settings#

20.1#

Configure all enabled accounts to require passwords. Note: The password required flag can be set by entering the following on a command line: “Net user [username] /passwordreq:yes”, substituting [username] with the name of the user account.

20.2#

Configure the audit settings for the AdminSDHolder object to include at least the following: Type - Fail, Principal - Everyone, Access - Full Control, Inherited from - None, and Applies to - This object only.

  • Open Active Directory Users and Computers

  • Ensure Advanced Features is selected in the View menu

  • Select System under the domain being reviewed

  • Right-click the AdminSDHolder object

  • Select Properties

  • Select the Security tab

  • Select the Advanced button

  • Select the Auditing tab and configure the audit permission settings listed above.

Note: The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

  • Type - Success

  • Principal - Everyone

  • Access - Special (Write all properties, Modify permissions, Modify owner)

  • Inherited from - None

  • Applies to - This object only

20.3#

Limit the permissions on the Domain Controllers OU to restrict changes to: System, Domain Admins, Enterprise Admins and Administrators.

  • Open Active Directory Users and Computers

  • Ensure Advanced Features is selected in the View menu

  • Select the Domain Controllers OU

  • Right-click and select Properties

  • Select the Security tab and ensure the permissions are set to the recommendation above.

Note: The default permissions listed below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, the desired Permission entry, and the View or Edit button.

Note #2: Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.

Summary:

  • CREATOR OWNER - Special permissions

  • SELF - Special permissions

  • Authenticated Users - Read, Special permissions

The special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, it is not in compliance with this recommendation.

20.4#

Configure the audit settings for Domain Controllers Organizational Unit (OU) object to include at least the following: Type - Fail, Principal - Everyone, Access - Full Control, and Inherited from - None.

  • Open Active Directory Users and Computers

  • Ensure Advanced Features is selected in the View menu

  • Select System under the domain being reviewed

  • Right-click the Domain Controllers Organizational Unit (OU) object and select Properties

  • Select the Security tab

  • Select the Advanced button

  • Select the Auditing tab

Note: These audit settings apply to this object and all descendant objects.

Note #2: The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

  • Type - Success

  • Principal - Everyone

  • Access - Special (Write all properties, All extended rights, Change RID master)

  • Inherited from - None

Two instances with the following summary information will be listed:

  • Type - Success

  • Principal - Everyone

  • Access - (blank)

  • Inherited from - (CN of domain)

20.5#

Configure audit settings for Domain object to include at least the following: Type - Fail, Principal - Everyone, Access - Full Control, and Inherited from - None. These audit settings apply to this object only.

  • Open Active Directory Users and Computers

  • Ensure Advanced Features is selected in the View menu

  • Select System under the domain being reviewed

  • Right-click the Domain object and select Properties

  • Select the Security tab

  • Select the Advanced button

  • Select the Auditing tab

Note: The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

Two instances with the following summary information will be listed:

  • Type - Success

  • Principal - Everyone

  • Access - (blank)

  • Inherited from - None

  • Applies to - Special

OR

  • Type - Success

  • Principal - Domain Users

  • Access - All extended rights

  • Inherited from - None

  • Applies to - This object only

  • Type - Success

  • Principal - Administrators

  • Access - All extended rights

  • Inherited from - None

20.6#

Configure the audit settings for Group Policy objects to include at least the following: Type - Fail, Principal - Everyone, Access - Full Control, and Inherited from - None. Note: These audit settings apply to this object and all descendant objects or Descendant groupPolicyContainer objects.

  • Open Active Directory Users and Computers

  • Ensure Advanced Features is selected in the View menu

  • Select System under the domain being reviewed

  • Right-click Policies and select Properties

  • Select the Security tab

  • Select the Advanced button

  • Select the Auditing tab and ensure at least the above auditing permissions are set.

Note: The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference.

  • Type - Success

  • Principal - Everyone

  • Access - Special (Permissions: Write all properties, Modify permissions; Properties: all “Write” type selected)

  • Inherited from - Parent Object

  • Applies to - Descendant groupPolicyContainer objects

Two instances with the following summary information will be listed:

  • Type - Success

  • Principal - Everyone

  • Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions)

  • Inherited from - Parent Object

  • Applies to - Descendant Organization Unit Objects

20.7#

Maintain the permissions on Group Policy objects to not allow greater than Read and Apply group policy for standard user accounts or groups. The default permissions below meet this requirement:

  • Authenticated Users - Read, Apply group policy, Special permissions (the special permissions for Authenticated Users are for Read-type Properties)

  • CREATOR OWNER - Special permissions

  • SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions

  • Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

  • Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

  • ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Document any other access permissions that allow the objects to be updated with the ISSO. The Domain Admins and Enterprise Admins will not have the Delete all child objects permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created Group Policy objects.

20.8#

Configure the audit settings for Infrastructure object to include at least the following: Type - Fail, Principal - Everyone, Access - Full Control, and Inherited from - None.

  • Open Active Directory Users and Computers

  • Ensure Advanced Features is selected in the View menu

  • Select System under the domain being reviewed

  • Right-click the Infrastructure object and select Properties

  • Select the Security tab

  • Select the Advanced button

  • Select the Auditing tab and configure the audit permission settings listed above.

Note: The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

  • Type - Success

  • Principal - Everyone

  • Access - Special (Write all properties, All extended rights, Change RID master)

  • Inherited from - None

Two instances with the following summary information will be listed:

  • Type - Success

  • Principal - Everyone

  • Access - (blank)

  • Inherited from - (CN of domain)

20.9#

Configure the audit settings for the RID Manager$ object to include at least the following: Type - Fail, Principal - Everyone, Access - Full Control, and Inherited from - None.

  • Open Active Directory Users and Computers

  • Ensure Advanced Features is selected in the View menu

  • Select System under the domain being reviewed

  • Right-click the RID Manager$ object and select Properties

  • Select the Security tab

  • Select the Advanced button

  • Select the Auditing tab and configure the audit permissions listed above.

Note: The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default.

  • Type - Success

  • Principal - Everyone

  • Access - Special (Write all properties, All extended rights, Change RID master)

  • Inherited from - None

Two instances with the following summary information will be listed:

  • Type - Success

  • Principal - Everyone

  • Access - (blank)

  • Inherited from - (CN of domain)
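Items 20.2, 20.4, 20.5, 20.6, 20.8 and 20.9 all require the same non-inherited Fail / Everyone / Full Control audit entry on a different AD object. The PowerShell below is an added example, not part of the STIG text or any DISA tool: it reads each object's SACL through the AD: drive, reports whether that entry exists, and adds it when run with -Remediate. It assumes the ActiveDirectory module, a single-domain forest, and an account holding the Manage auditing and security log right; the "This object only" scope is assumed for 20.8 and 20.9, which state none.

```powershell
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$dc       = $domain.DistinguishedName
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'               # well-known SID for Everyone
$fullCtl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll          # "Full Control" in the GUI
$none     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # "This object only"
$all      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All    # "This object and all descendant objects"

# Objects named by the STIG items, with the inheritance scope each item states
# (20.8 and 20.9 state none, so "This object only" is an assumption for them).
$targets = @(
    @{ Item = '20.2'; Path = "CN=AdminSDHolder,CN=System,$dc";   Scope = $none }
    @{ Item = '20.4'; Path = $domain.DomainControllersContainer; Scope = $all  }
    @{ Item = '20.5'; Path = $dc;                                Scope = $none }
    @{ Item = '20.6'; Path = "CN=Policies,CN=System,$dc";        Scope = $all  }
    @{ Item = '20.8'; Path = "CN=Infrastructure,$dc";            Scope = $none }
    @{ Item = '20.9'; Path = "CN=RID Manager`$,CN=System,$dc";   Scope = $none }
)

function Get-FailAuditRule {
    # Returns the audit rule(s) on the object that satisfy the STIG entry, or nothing if absent.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit        # -Audit reads the SACL, not the DACL
    foreach ($rule in $acl.Audit) {
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($rule.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Failure) -and
            -not $rule.IsInherited -and
            $sid -eq $everyone -and
            ($rule.ActiveDirectoryRights -band $fullCtl) -eq $fullCtl) {
            $rule
        }
    }
}

function Add-FailAuditRule {
    # Adds the Fail / Everyone / Full Control entry with the requested "Applies to" scope.
    param([string]$DistinguishedName, [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Scope)
    $acl  = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone, $fullCtl, [System.Security.AccessControl.AuditFlags]::Failure, $Scope)
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

function Test-StigFailAuditing {
    param([switch]$Remediate)
    foreach ($t in $targets) {
        $found = @(Get-FailAuditRule -DistinguishedName $t.Path)
        if ($found.Count -eq 0 -and $Remediate) {
            Add-FailAuditRule -DistinguishedName $t.Path -Scope $t.Scope
            $found = @(Get-FailAuditRule -DistinguishedName $t.Path)
        }
        [pscustomobject]@{
            Item      = $t.Item
            Object    = $t.Path
            Compliant = ($found.Count -gt 0)
            AppliesTo = if ($found.Count -gt 0) { $found[0].InheritanceType } else { $null }
        }
    }
}

Test-StigFailAuditing | Format-Table -AutoSize
```

The report only confirms the Fail entry; the default Success entries listed under each item are left untouched and are not checked.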

20.10#

Modify permissions on the SYSVOL directory, if necessary. Do not allow greater than Read & execute permissions for standard user accounts or groups. The defaults below meet this requirement:

  • Open File Explorer

  • Navigate to \Windows\SYSVOL (or the directory noted previously if different)

  • Right-click the directory and select properties

  • Select the Security tab

  • Click Advanced and configure the permission settings as follows.

C:\Windows\SYSVOL (Type - "Allow" for all; Inherited from - "None" for all)

Principal - Access - Applies to:

  • Authenticated Users - Read & execute - This folder, subfolders, and files

  • Server Operators - Read & execute - This folder, subfolders, and files

  • Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control)

  • CREATOR OWNER - Full control - Subfolders and files only

  • Administrators - Full control - Subfolders and files only

  • SYSTEM - Full control - This folder, subfolders, and files

20.11#

To configure all user accounts, including administrator accounts in Active Directory to enable the option Smart card is required for interactive logon, do the following:

  • Open Active Directory Users and Computers

  • Right-click the user account and select Properties

  • Select the Account tab

  • Ensure Smart card is required for interactive logon is checked

20.12#

Establish a policy, at minimum, to prohibit administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Ensure the policy is enforced. Note: The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.

20.13#

Establish and implement a process for backing up log data to another system or media other than the system being audited.

20.14#

Install a DoD approved HBSS software and ensure it is operating continuously. In addition, maintain a documented configuration for the installed HBSS (or documentation of the requirement if the HBSS software has yet to be installed).

20.15#

Move shares used to store files owned by users to a different logical partition than the directory server data files.

20.16#

Maintain the default permissions for the registry keys of the HKEY_LOCAL_MACHINE hive as noted below.

  • Open Regedit

  • Right-click each registry area noted below, select Permissions, and then the Advanced button. If the default settings are not present, change the permissions to the following.

HKEY_LOCAL_MACHINE\SECURITY (Type - “Allow” for all; Inherited from - “None” for all)

Principal - Access - Applies to:

  • SYSTEM - Full Control - This key and subkeys

  • Administrators - Special - This key and subkeys

HKEY_LOCAL_MACHINE\SOFTWARE (Type - “Allow” for all; Inherited from - “None” for all)

Principal - Access - Applies to:

  • Users - Read - This key and subkeys

  • Administrators - Full Control - This key and subkeys

  • SYSTEM - Full Control - This key and subkeys

  • CREATOR OWNER - Full Control - This key and subkeys

  • ALL APPLICATION PACKAGES - Read - This key and subkeys

20.17#

Configure an application allow-listing program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. If AppLocker is used, it is configured through group policy at Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker. Implementation guidance for AppLocker is available in the NSA paper “Application Whitelisting using Microsoft AppLocker”.

20.18#

Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access. For Active Directory, there are multiple configuration items that could enable anonymous access. Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been done through the Windows Support Tools ADSI Edit console (adsiedit.msc). Anonymous access can also be enabled through the dsHeuristics option; this is addressed in check V-8555 in the Active Directory Forest STIG.

20.19#

Configure the directory service to terminate LDAP-based network connections to the directory server after 300 seconds (5 minutes) or less of inactivity:

  • Open an elevated Command Prompt (run as administrator) and type ntdsutil

  • At the ntdsutil: prompt, type LDAP policies

  • At the ldap policy: prompt, type connections

  • At the server connections: prompt, type connect to server [host-name] (where [host-name] is the computer name of the domain controller)

  • At the server connections: prompt, type q

  • At the ldap policy: prompt, type Set MaxConnIdleTime to 300

  • Type Commit Changes to save

  • Type Show values to verify the change

  • Type q at the ldap policy: and ntdsutil: prompts to exit
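The ntdsutil session above writes the limit into the lDAPAdminLimits attribute of the Default Query Policy in the configuration partition. The PowerShell below is an added example, not part of the STIG: it reads that attribute back and checks MaxConnIdleTime against the 300-second ceiling, which is a scriptable alternative to "Show values". It assumes the ActiveDirectory module and that the domain controllers use the default query policy.

```powershell
Import-Module ActiveDirectory

function Get-LdapAdminLimits {
    # lDAPAdminLimits is multi-valued; each value has the form "Name=Value".
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $policy   = Get-ADObject -Identity $policyDn -Properties lDAPAdminLimits
    $limits   = @{}
    foreach ($entry in $policy.lDAPAdminLimits) {
        $name, $value = $entry -split '=', 2
        $limits[$name] = [int]$value
    }
    $limits
}

function Test-MaxConnIdleTime {
    # STIG item 20.19: idle LDAP connections must be dropped after 300 seconds or less.
    param([int]$MaximumSeconds = 300)
    $limits = Get-LdapAdminLimits
    $actual = $limits['MaxConnIdleTime']
    [pscustomobject]@{
        Setting   = 'MaxConnIdleTime'
        Actual    = $actual
        Required  = "<= $MaximumSeconds"
        Compliant = ($null -ne $actual -and $actual -le $MaximumSeconds)
    }
}

Test-MaxConnIdleTime | Format-List
```

If a domain controller has been assigned its own query policy (queryPolicyObject on its NTDS Settings object), check that policy's distinguished name instead of the default one.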

20.20#

Install the following DoD Root CA certificates in the Untrusted Certificates Store:

  • DoD Root CA 2 - DoD Interoperability Root CA 1 - A8C27332CCB4CA49554CE55D34062A7DD2850C02

  • DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341

Note: The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.

Note #2: The Certificate Store can be loaded by executing the Microsoft Management Console (MMC) and loading the Certificates snap-in.

20.21#

Install the following DoD Root CA certificates in the Trusted Certificates Store: DoD Root CA 2, DoD Root CA 3, DoD Root CA 4, and DoD Root CA 5, with the thumbprint values as follows:

  • DoD Root CA 2 - Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 - Valid to: Wednesday, December 5, 2029

  • DoD Root CA 3 - Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB - Valid to: Sunday, December 30, 2029

  • DoD Root CA 4 - Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 - Valid to: Sunday, July 25, 2032

  • DoD Root CA 5 - Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B - Valid to: Friday, June 14, 2041

Note: The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.

Note #2: The Certificate Store can be loaded by executing the Microsoft Management Console (MMC) and loading the Certificates snap-in.

20.22#

Install DoD PKI or approved ECA certificates. Note: The Global Directory Service (GDS) website provides an online source for approved certificates. Note #2: DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE.

20.23#

If no certificate exists, install an approved certificate on the Domain Controller. Note: The Certificate Store can be loaded by executing the Microsoft Management Console (MMC) and loading the Certificates snap-in (Computer account).

20.24#

Remove any Roles and Features or Programs and Features that are not required for the domain controller to function.

20.25#

Ensure that domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) Execute tpm.msc for configuration options in the Windows Operating System.

20.26#

Remove any emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under Account properties. Local accounts can be configured to expire with the following command:

  • Open the Command Prompt

  • Type Net user [username] /expires:[mm/dd/yyyy], where [username] is the name of the temporary user account

20.27#

To establish the recommended configuration, set the NTFS permissions on %SystemRoot%\System32\Eventvwr.exe to the following:

  • TrustedInstaller - Full Control

  • Administrators - Read & Execute

  • SYSTEM - Read & Execute

  • Users - Read & Execute

  • ALL APPLICATION PACKAGES - Read & Execute

  • ALL RESTRICTED APPLICATION PACKAGES - Read & Execute

20.28#

To Uninstall the Fax Server role:

  • Start “Server Manager”

  • Select the server with the role

  • Scroll down to “ROLES AND FEATURES” in the right pane

  • Select “Remove Roles and Features” from the drop-down “TASKS” list

  • Select the appropriate server on the “Server Selection” page and click “Next”

  • Deselect “Fax Server” on the “Roles” page

  • Click “Next” and “Remove” as prompted (if installed).

20.29#

Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system.

20.30#

To configure the FTP service to prevent anonymous logons:

  • Open Internet Information Services (IIS) Manager

  • Select the server

  • Double-click FTP Authentication

  • Select Anonymous Authentication

  • Select Disabled under Actions

20.31#

Install and enable a host-based firewall on the system.

20.32#

Reset the krbtgt account password via PowerShell. PowerShell scripts to reset the password can be found at the following Microsoft webpage: Browse code samples | Microsoft Docs Note: The password must be changed twice to effectively remove the password history. Changing the password once and waiting for replication to complete and then changing again reduces the risk of issues. Changing the password twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected.

20.33#

Format volumes to use NTFS or ReFS.

20.34#

Establish a policy that requires application/service account passwords that are manually managed to be 15 characters or more in length. Ensure that the policy is enforced.

20.35#

Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization.

20.36#

Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions.

20.37#

Configure the permissions on shared printers to restrict standard users to only have Print permissions. Open Printers & scanners in Settings. For each printer:

  • Select the printer

  • Select Manage

  • Select Printer Properties

  • Select the Sharing tab. If Share this printer is checked, select the Security tab and change the permissions.

20.38#

If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. Remove any unnecessary non-system-created shares.

20.39#

Configure the system to, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.

20.40#

Remove any unauthorized or standard user accounts from the Administrators group.

Stand-alone system:

  • Open Local Users and Groups

  • Navigate to Groups

  • Review the Administrators group for unauthorized accounts or standard user accounts that should not have administrator privileges. Remove any unauthorized or standard user accounts.

Domain-joined system:

  • Open Active Directory Users and Computers

  • Review the Administrators and Domain Admins groups (which must be replaced with a domain member server administrator group) for unauthorized accounts or standard user accounts that should not have administrator privileges. Remove any unauthorized or standard user accounts.

20.41#

Remove any unauthorized or standard user accounts from the Administrators group.

Stand-alone system:

  • Open Local Users and Groups

  • Select Groups and review the Administrators group for unauthorized accounts or standard user accounts that should not have administrator privileges. Remove any unauthorized or standard user accounts.

Domain-joined system:

  • Open Active Directory Users and Computers and review the Administrators group for unauthorized accounts or standard user accounts that should not have administrator privileges. Remove any unauthorized or standard user accounts.
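The reviews in 20.40 and 20.41 are easier to repeat if the effective administrator membership is compared against a documented list. The PowerShell below is an added example, not part of the STIG: on a domain-joined host it expands the domain Administrators and Domain Admins groups down to the user accounts that are effectively members, on a stand-alone host it reads the local Administrators group, and it reports every account not on the approved list. The approved names are placeholders to replace with the organization's documented administrators; the ActiveDirectory module is assumed on domain-joined hosts.

```powershell
# Placeholder approved list: replace with the organization's documented administrator accounts.
$approvedAdmins = @('Administrator', 'SRV-Admin-PLACEHOLDER')

function Get-UnapprovedAdministrators {
    param([string[]]$Approved = $approvedAdmins)
    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        # Domain-joined: -Recursive expands nested groups, so the output is the set of accounts
        # that effectively hold administrator rights, whichever group they arrive through.
        Import-Module ActiveDirectory
        foreach ($group in 'Administrators', 'Domain Admins') {
            foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
                if ($Approved -notcontains $member.SamAccountName) {
                    [pscustomobject]@{ Group = $group; Member = $member.SamAccountName; Class = $member.objectClass }
                }
            }
        }
    } else {
        # Stand-alone: local group members are returned as COMPUTER\name (or DOMAIN\name).
        foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
            $short = $member.Name.Split('\')[-1]
            if ($Approved -notcontains $short) {
                [pscustomobject]@{ Group = 'Administrators'; Member = $member.Name; Class = $member.ObjectClass }
            }
        }
    }
}

Get-UnapprovedAdministrators | Format-Table -AutoSize
```

Every line of output is an account to remove or to document with the ISSO; the script does not change group membership.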

20.42#

Update the system to Version 1809 (Build 17763.xxx) or newer.

20.43#

Maintain the Allow type permissions on organization-defined OUs to be at least as restrictive as the defaults below.

  • Open Active Directory Users and Computers

  • Ensure Advanced Features is selected in the View menu

For each OU that is defined (folder in folder icon), excluding the Domain Controllers OU:

  • Right-click the OU and select Properties

  • Select the Security tab and set the permissions to the following:

  • CREATOR OWNER - Special permissions

  • Self - Special permissions

  • Authenticated Users - Read, Special permissions

  • SYSTEM - Full Control

  • Domain Admins - Full Control

  • Enterprise Admins - Full Control

  • Key Admins - Special permissions

  • Enterprise Key Admins - Special permissions

  • Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions

  • Pre-Windows 2000 Compatible Access - Special permissions

  • ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Note: The special permissions for Authenticated Users are Read type.

Note #2: The special permissions for Pre-Windows 2000 Compatible Access are for Read types.

Note #3: Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented.
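Items 20.3, 20.7 and 20.43 all come down to the same question: which principals, other than the administrative ones the page names, hold write-type rights on the Domain Controllers OU, the other OUs, and the Group Policy objects. The PowerShell below is an added example, not part of the STIG: it walks every OU and groupPolicyContainer, keeps only explicit Allow entries that carry a write-type right, and prints those granted to principals outside the accepted set so they can be reviewed and documented with the ISSO. It assumes the ActiveDirectory module and a single-domain forest; the accepted-writer list is drawn from the defaults the page lists.

```powershell
Import-Module ActiveDirectory

# Rights that let a principal change the object or what it governs; everything else is read-type.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Delete, DeleteTree, WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll'

# Principals the page accepts as writers on these objects, matched on the name after the backslash
# so the domain NetBIOS prefix does not matter. Anything else with write rights is reported for review.
$acceptedWriters = @('SYSTEM', 'Domain Admins', 'Enterprise Admins', 'Administrators', 'CREATOR OWNER',
                     'Key Admins', 'Enterprise Key Admins')

function Get-WriteAccessToReview {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }   # explicit Allow entries only
        if (([int]($ace.ActiveDirectoryRights -band $writeMask)) -eq 0) { continue }  # read-type rights are fine
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($acceptedWriters -contains $name) { continue }
        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            # A non-empty ObjectType GUID means the right is scoped to one attribute or extended right
            # (the page's "Special permissions"); an empty GUID means it applies to the whole object.
            ObjectType = $ace.ObjectType
        }
    }
}

function Get-StigOuAndGpoWriters {
    # All OUs (the Domain Controllers OU included, for item 20.3) plus every Group Policy container (20.7).
    $paths  = @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    $paths += Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' | Select-Object -ExpandProperty DistinguishedName
    foreach ($p in $paths) { Get-WriteAccessToReview -DistinguishedName $p }
}

Get-StigOuAndGpoWriters | Format-Table -AutoSize
```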

20.44#

Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy.

20.45#

Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days.

20.46#

Configure all enabled user account passwords to expire.

Domain Controllers:

  • Open Active Directory Users and Computers

  • Uncheck Password never expires for all enabled user accounts

Member servers and standalone systems:

  • Open Computer Management

  • Go to Users

  • Uncheck Password never expires for all enabled user accounts

Note: Document any exceptions with the ISSO.
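Items 20.1 (password required), 20.45 (no logon in 35 days) and 20.46 (password never expires) are all properties of the same set of enabled accounts, so one pass can report them together. The PowerShell below is an added example, not part of the STIG: on a domain controller it queries Active Directory, elsewhere the local SAM, and with -Remediate it clears the two flag conditions using the same commands the page names (net user /passwordreq:yes for local accounts). Inactive accounts are only reported, since 20.45 leaves the remove-or-disable decision to the reviewer. It assumes the ActiveDirectory module on domain controllers.

```powershell
function Get-AccountHygieneFindings {
    param([switch]$Remediate, [int]$InactiveDays = 35)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # DomainRole 4 or 5 means this host is a domain controller; otherwise check local accounts.
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    if ($isDc) {
        Import-Module ActiveDirectory
        $users = Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordNotRequired, PasswordNeverExpires, LastLogonDate
        foreach ($u in $users) {
            if ($u.PasswordNotRequired) {
                [pscustomobject]@{ Account = $u.SamAccountName; Finding = '20.1 password not required'; Fixed = [bool]$Remediate }
                if ($Remediate) { Set-ADUser -Identity $u -PasswordNotRequired $false }
            }
            if ($u.PasswordNeverExpires) {
                [pscustomobject]@{ Account = $u.SamAccountName; Finding = '20.46 password never expires'; Fixed = [bool]$Remediate }
                if ($Remediate) { Set-ADUser -Identity $u -PasswordNeverExpires $false }
            }
            # LastLogonDate is the replicated lastLogonTimestamp, which can lag the real logon by up to 14 days.
            if ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
                [pscustomobject]@{ Account = $u.SamAccountName; Finding = "20.45 no logon in $InactiveDays days (review)"; Fixed = $false }
            }
        }
    } else {
        foreach ($u in (Get-LocalUser | Where-Object { $_.Enabled })) {
            if (-not $u.PasswordRequired) {
                [pscustomobject]@{ Account = $u.Name; Finding = '20.1 password not required'; Fixed = [bool]$Remediate }
                if ($Remediate) { net user $u.Name /passwordreq:yes | Out-Null }   # the command item 20.1 names
            }
            # Get-LocalUser reports a null PasswordExpires when "Password never expires" is set
            # (or when the local maximum password age is unlimited, which also needs fixing).
            if ($null -eq $u.PasswordExpires) {
                [pscustomobject]@{ Account = $u.Name; Finding = '20.46 password never expires'; Fixed = [bool]$Remediate }
                if ($Remediate) { Set-LocalUser -Name $u.Name -PasswordNeverExpires $false }
            }
            if ($null -eq $u.LastLogon -or $u.LastLogon -lt $cutoff) {
                [pscustomobject]@{ Account = $u.Name; Finding = "20.45 no logon in $InactiveDays days (review)"; Fixed = $false }
            }
        }
    }
}

Get-AccountHygieneFindings | Format-Table -AutoSize
```

Run without -Remediate first and record the exceptions the ISSO has approved before applying the fixes.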

20.47#

Maintain the default permissions for program file directories (Program Files and Program Files [x86]) and configure 2.3.10.5 Ensure ‘Network access: Let Everyone permissions apply to anonymous users’ is set to ‘Disabled’ (WN19-SO-000240).

Changing in File Explorer:

  • For each program file directory (Program Files and Program Files [x86]), view the Properties

  • Select the Security tab

  • Select the Advanced button and set the permissions to the defaults below.

Default permissions:

  • TrustedInstaller - Full control - This folder and subfolders

  • SYSTEM - Modify - This folder only

  • SYSTEM - Full control - Subfolders and files only

  • Administrators - Modify - This folder only

  • Administrators - Full control - Subfolders and files only

  • Users - Read & execute - This folder, subfolders and files

  • CREATOR OWNER - Full control - Subfolders and files only

  • ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files

  • ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files

20.48#

To establish the recommended configuration, set the NTFS permissions on %SystemRoot%\System32\winevt\Logs\Application.evtx to Eventlog - Full Control, SYSTEM - Full Control, and Administrators - Full Control. Note: If the location of the event logs has been changed, when adding permissions, the event log user, Eventlog, must be entered as NT Service\Eventlog.

20.49#

To establish the recommended configuration, set the NTFS permissions on %SystemRoot%\System32\winevt\Logs\Security.evtx to Eventlog - Full Control, SYSTEM - Full Control, and Administrators - Full Control. Note: If the location of the event logs has been changed, when adding permissions, the event log user, Eventlog, must be entered as NT Service\Eventlog.

20.50#

To establish the recommended configuration, set the NTFS permissions on %SystemRoot%\System32\winevt\Logs\System.evtx to Eventlog - Full Control, SYSTEM - Full Control, and Administrators - Full Control. Note: If the location of the event logs has been changed, when adding permissions, the event log user, Eventlog, must be entered as NT Service\Eventlog.
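Items 20.27 and 20.48 to 20.50 each fix the exact set of principals and rights a single file may carry, which makes them a good fit for an automated comparison. The PowerShell below is an added example, not part of the STIG: it encodes the expected entries for Eventvwr.exe and the three event log files as Get-Acl reports them, merges the actual Allow entries per principal, and prints every principal that is missing, unexpected, or holds different rights. It assumes an elevated session (Security.evtx is not readable otherwise) and the default log location.

```powershell
# Expected Allow entries per file, written as Get-Acl reports them: the GUI's "Read & Execute"
# is ReadAndExecute plus Synchronize, and the "Eventlog" user resolves to NT SERVICE\EventLog.
$rx = 'ReadAndExecute, Synchronize'
$expected = @{
    "$env:SystemRoot\System32\Eventvwr.exe" = @{
        'NT SERVICE\TrustedInstaller'                                       = 'FullControl'
        'BUILTIN\Administrators'                                            = $rx
        'NT AUTHORITY\SYSTEM'                                               = $rx
        'BUILTIN\Users'                                                     = $rx
        'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'            = $rx
        'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES' = $rx
    }
}
foreach ($log in 'Application', 'Security', 'System') {
    $expected["$env:SystemRoot\System32\winevt\Logs\$log.evtx"] = @{
        'NT SERVICE\EventLog'    = 'FullControl'
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
        'BUILTIN\Administrators' = 'FullControl'
    }
}

function Compare-NtfsAcl {
    # Emits one record per principal whose effective Allow rights differ from the expected set.
    param([string]$Path, [hashtable]$Expected)
    $actual = @{}
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        # Several ACEs for one principal (explicit or inherited) are merged into one rights mask.
        $actual[$id] = [int]$actual[$id] -bor [int]$ace.FileSystemRights
    }
    $principals = @($Expected.Keys) + @($actual.Keys) | Select-Object -Unique
    foreach ($p in $principals) {
        $want = if ($Expected.ContainsKey($p)) { [int][System.Security.AccessControl.FileSystemRights]$Expected[$p] } else { 0 }
        $have = [int]$actual[$p]
        if ($want -ne $have) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $p
                Expected  = if ($want) { [System.Security.AccessControl.FileSystemRights]$want } else { '(no entry)' }
                Actual    = if ($have) { [System.Security.AccessControl.FileSystemRights]$have } else { '(no entry)' }
            }
        }
    }
}

function Test-StigFilePermissions {
    foreach ($path in $expected.Keys) {
        if (Test-Path -LiteralPath $path) { Compare-NtfsAcl -Path $path -Expected $expected[$path] }
    }
}

Test-StigFilePermissions | Format-Table -AutoSize
```

No output means every file carries exactly the entries the items list; the same Compare-NtfsAcl call can be fed the directory defaults from 20.10, 20.47, 20.51 and 20.52 once their "Applies to" scopes are taken into account.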

20.51#

Maintain the default permissions for the system drive’s root directory and configure 2.3.10.5 Ensure ‘Network access: Let Everyone permissions apply to anonymous users’ is set to ‘Disabled’ (WN19-SO-000240).

Changing in File Explorer:

  • View the Properties of the system drive’s root directory (usually C:)

  • Select the Security tab

  • Select the Advanced button and change the permissions to match the default.

Default permissions for C: (Type - “Allow” for all; Inherited from - “None” for all)

Principal - Access - Applies to:

  • SYSTEM - Full control - This folder, subfolders, and files

  • Administrators - Full control - This folder, subfolders, and files

  • Users - Read & execute - This folder, subfolders, and files

  • Users - Create folders/append data - This folder and subfolders

  • Users - Create files/write data - Subfolders only

  • CREATOR OWNER - Full Control - Subfolders and files only

20.52#

Maintain the default permissions for the Windows installation directory and configure 2.3.10.5 Ensure ‘Network access: Let Everyone permissions apply to anonymous users’ is set to ‘Disabled’ (WN19-SO-000240).

  • View the Properties of the Windows installation directory

  • Select the Security tab

  • Select the Advanced button and change the permissions to match the default.

Default permissions for \Windows (Type - “Allow” for all; Inherited from - “None” for all)

Principal - Access - Applies to:

  • TrustedInstaller - Full control - This folder and subfolders

  • SYSTEM - Modify - This folder only

  • SYSTEM - Full control - Subfolders and files only

  • Administrators - Modify - This folder only

  • Administrators - Full control - Subfolders and files only

  • Users - Read & execute - This folder, subfolders, and files

  • CREATOR OWNER - Full control - Subfolders and files only

  • ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files

  • ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files

20.53#

Change the permissions on the NTDS database and log files to the following:

  • NT AUTHORITY\SYSTEM:(I)(F)

  • BUILTIN\Administrators:(I)(F)

(I) - permission inherited from parent container; (F) - full access

20.54#

Map the user account to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.

20.55#

Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.

20.56#

Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data.

20.57#

To uninstall the SMBv1 protocol:

  • Start Server Manager

  • Select the server with the role

  • Scroll down to ROLES AND FEATURES in the right pane

  • Select Remove Roles and Features from the drop-down TASKS list

  • Select the appropriate server on the Server Selection page and click Next

  • Deselect SMB 1.0/CIFS File Sharing Support on the Features page

  • Click Next and Remove as prompted (if installed).

OR

  • Open Windows PowerShell with elevated privileges (run as administrator)

  • Type Uninstall-WindowsFeature -Name FS-SMB1 -Restart (omit the -Restart parameter if an immediate restart of the system cannot be done)

20.58#

Remove unapproved shared accounts from the system. Note: Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.

20.59#

Remove any certificate installation files *.p12 and *.pfx found on a system. Note: The Certificate Store can be loaded by executing the Microsoft Management Console (MMC) and loading the Certificates snap-in. Note #2: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.

20.60#

Monitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools including the approved DoD HBSS solution that supports a File Integrity Monitor (FIM) module.

20.61#

Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest. Note: This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.

20.62#

To uninstall the Telnet Client feature:

  • Start Server Manager

  • Select the server with the role

  • Scroll down to ROLES AND FEATURES in the right pane

  • Select Remove Roles and Features from the drop-down TASKS list

  • Select the appropriate server on the Server Selection page and click Next

  • Deselect Telnet Client on the Features page

  • Click Next and Remove as prompted (if installed).

20.63#

Remove any temporary user accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under Account properties. Local accounts can be configured to expire with the following command:

  • Open the Command Prompt

  • Type Net user [username] /expires:[mm/dd/yyyy], where [username] is the name of the temporary user account
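Items 20.26 and 20.63 both cap the life of an emergency or temporary account at 72 hours; the net user command above can only express a date, while the account expiration attribute holds an exact time. The PowerShell below is an added example, not part of the STIG: one function sets an expiry no more than 72 hours out on a domain or local account, the other lists accounts in the temporary naming convention that still have no expiry or one beyond the limit. The 'TMP-' prefix is an assumption standing in for the organization's convention, and the ActiveDirectory module is assumed for domain accounts.

```powershell
function Set-TemporaryAccountExpiry {
    # Sets the account to expire $Hours from now; 72 is the ceiling the STIG items state.
    param([Parameter(Mandatory)][string]$Name, [ValidateRange(1, 72)][int]$Hours = 72, [switch]$Local)
    $expires = (Get-Date).AddHours($Hours)
    if ($Local) {
        Set-LocalUser -Name $Name -AccountExpires $expires
    } else {
        Import-Module ActiveDirectory
        Set-ADAccountExpiration -Identity $Name -DateTime $expires
    }
    $expires
}

function Get-TemporaryAccountsToReview {
    # Enabled accounts matching the naming convention that have no expiry, or one more than 72 hours out.
    param([string]$Prefix = 'TMP-', [switch]$Local)
    $limit = (Get-Date).AddHours(72)
    if ($Local) {
        Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -like "$Prefix*" -and
                                       ($null -eq $_.AccountExpires -or $_.AccountExpires -gt $limit) }
    } else {
        Import-Module ActiveDirectory
        $pattern = "$Prefix*"
        Get-ADUser -Filter { Enabled -eq $true -and SamAccountName -like $pattern } -Properties AccountExpirationDate |
            Where-Object { $null -eq $_.AccountExpirationDate -or $_.AccountExpirationDate -gt $limit }
    }
}

# Example flow: give a temporary domain account the full 72 hours, then list anything still out of policy.
Set-TemporaryAccountExpiry -Name 'TMP-incident-PLACEHOLDER'
Get-TemporaryAccountsToReview | Format-Table SamAccountName, Enabled, AccountExpirationDate -AutoSize
```

Accounts the second function lists need either an expiry set or removal once the crisis is closed, as the item requires.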

20.64#

To Uninstall the TFTP Client feature:

  • Start “Server Manager”

  • Select the server with the role

  • Scroll down to “ROLES AND FEATURES” in the right pane

  • Select “Remove Roles and Features” from the drop-down “TASKS” list

  • Select the appropriate server on the “Server Selection” page and click “Next”

  • Deselect “TFTP Client” on the “Features” page

  • Click “Next” and “Remove” as prompted (if installed).

20.65#

Document the roles and features required for the system to operate. Uninstall roles and features that are not required.

20.66#

Install a HIDS or HIPS on each server.

20.67#

If no anti-virus software is in use, install Windows Defender or third-party anti-virus. To install Windows Defender:

  • Open PowerShell

  • Type Install-WindowsFeature -Name Windows-Defender

For third-party anti-virus, install per the anti-virus instructions and disable Windows Defender:

  • Open PowerShell

  • Type Uninstall-WindowsFeature -Name Windows-Defender

20.68#

To configure the firmware to run in UEFI mode rather than Legacy BIOS mode:

  • Open the PC BIOS menu. This menu can usually be accessed by pressing a key during the bootup sequence, such as F1, F2, F12, or Esc

  • OR, from Windows, hold the Shift key while selecting Restart, then go to Troubleshoot > Advanced Options > UEFI Firmware Settings

  • Find the Boot Device Menu and select the command that identifies both the firmware mode and the device

  • Select UEFI mode

  • Save changes and exit. The PC will reboot
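Items 20.25 (a TPM 1.2 or 2.0 configured for use) and 20.68 (UEFI rather than Legacy BIOS) can both be confirmed from the running system without entering firmware setup. The PowerShell below is an added example, not part of the STIG: it reads the firmware type Windows recorded at boot, the TPM presence and readiness from Get-Tpm, and the TPM specification version from the Win32_Tpm WMI class. It assumes an elevated session on Windows Server 2016 or later.

```powershell
function Get-PlatformSecurityState {
    # $env:firmware_type is set by Windows at boot to 'UEFI' or 'Legacy'.
    $firmware = $env:firmware_type
    # Get-Tpm needs elevation; it reports TpmPresent/TpmReady as $false rather than failing when no TPM exists.
    $tpm = Get-Tpm
    # SpecVersion is a comma-separated string such as "2.0, 0, 1.38"; the first field is the TPM spec level.
    $spec  = (Get-CimInstance -Namespace root/cimv2/security/microsofttpm -ClassName Win32_Tpm).SpecVersion
    $level = ($spec -split ',')[0].Trim()
    [pscustomobject]@{
        FirmwareType   = $firmware
        UefiCompliant  = ($firmware -eq 'UEFI')                     # item 20.68
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        TpmSpecVersion = $level
        TpmCompliant   = ($tpm.TpmPresent -and $tpm.TpmReady -and ($level -in @('1.2', '2.0')))   # item 20.25
    }
}

Get-PlatformSecurityState | Format-List
```

A host that reports Legacy firmware must be switched in firmware setup as the steps above describe, which also means converting the system disk from MBR to GPT before Windows will boot under UEFI.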

20.69#

Install the following DoD Root CA certificates in the Untrusted Certificates Store:

  • DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9

  • DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E

Note: The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.

Note #2: The Certificate Store can be loaded by executing the Microsoft Management Console (MMC) and loading the Certificates snap-in.
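Items 20.20, 20.21 and 20.69 together pin four root certificates to the machine Trusted Root store and four cross-certificates to the Untrusted store, each by thumbprint. The PowerShell below is an added example, not part of the STIG or the InstallRoot tool: it looks every thumbprint quoted on this page up in the corresponding certificate store, checks that the trusted roots are still within their validity period, and reports a per-certificate compliance flag. It assumes a session with read access to the LocalMachine stores.

```powershell
# Thumbprints as quoted in items 20.20, 20.21 and 20.69.
$trustedRoots = @{
    'DoD Root CA 2' = '8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561'
    'DoD Root CA 3' = 'D73CA91102A2204A36459ED32213B467D7CE97FB'
    'DoD Root CA 4' = 'B8269F25DBD937ECAFD4C35A9838571723F2D026'
    'DoD Root CA 5' = '4ECB5CC3095670454DA1CBD410FC921F46B8564B'
}
$untrustedCrossCerts = @{
    'A8C27332CCB4CA49554CE55D34062A7DD2850C02' = 'DoD Root CA 2 - DoD Interoperability Root CA 1'
    'AC06108CA348CC03B53795C64BF84403C1DBD341' = 'DoD Root CA 3 - DoD Interoperability Root CA 2'
    'AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9' = 'DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2'
    '929BF3196896994C0A201DF4A5B71F603FEFBF2E' = 'DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2'
}

function Test-DodCertificateStores {
    $root       = Get-ChildItem Cert:\LocalMachine\Root          # Trusted Root Certification Authorities
    $disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed    # Untrusted Certificates
    $now        = Get-Date
    foreach ($name in $trustedRoots.Keys) {
        $cert  = $root | Where-Object Thumbprint -eq $trustedRoots[$name]
        $valid = [bool]$cert -and $cert.NotAfter -gt $now -and $cert.NotBefore -le $now
        [pscustomobject]@{
            Store       = 'Root'
            Certificate = $name
            Thumbprint  = $trustedRoots[$name]
            Present     = [bool]$cert
            Subject     = if ($cert) { $cert.Subject } else { $null }
            ValidTo     = if ($cert) { $cert.NotAfter } else { $null }
            Compliant   = $valid
        }
    }
    foreach ($tp in $untrustedCrossCerts.Keys) {
        $cert = $disallowed | Where-Object Thumbprint -eq $tp
        [pscustomobject]@{
            Store       = 'Disallowed'
            Certificate = $untrustedCrossCerts[$tp]
            Thumbprint  = $tp
            Present     = [bool]$cert
            Subject     = if ($cert) { $cert.Subject } else { $null }
            ValidTo     = if ($cert) { $cert.NotAfter } else { $null }
            Compliant   = [bool]$cert     # for the Untrusted store, presence is the requirement
        }
    }
}

Test-DodCertificateStores | Format-Table Store, Certificate, Present, ValidTo, Compliant -AutoSize
```

Any row with Compliant false is a certificate to install with InstallRoot or the Certificates snap-in as the items describe.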

20.70#

If a standard user account is found to have administrative privileges, remove the privileges from the standard user account, and create an administrative account for the user.

20.71#

To Uninstall the Windows PowerShell 2.0 Engine feature:

  • Open Server Manager

  • Select the server with the role

  • Scroll down to ROLES AND FEATURES in the right pane

  • Select Remove Roles and Features from the drop-down TASKS list

  • Select the appropriate server on the Server Selection page and click next

  • Deselect Windows PowerShell 2.0 Engine under Windows PowerShell on the Features page

  • Click Next and Remove as prompted (if installed)

Note: Windows PowerShell 5.0 added advanced logging features that can provide additional detail when malware has been run on a system.
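Items 20.28, 20.57, 20.62, 20.64 and 20.71 each walk the same Server Manager wizard to remove one role or feature. The PowerShell below is an added example, not part of the STIG: it checks the install state of all five by their Server Manager feature names, removes any that are present when run with -Remove, and separately confirms that the SMB server is no longer offering SMB1, since the feature can be absent while the protocol switch is still on. It assumes an elevated session on Windows Server with the ServerManager and SmbShare modules available; item 20.67 (Windows-Defender) is not included because its required state depends on whether third-party anti-virus is in use.

```powershell
# Server Manager feature names for the items this page requires removed.
$prohibited = [ordered]@{
    'Fax'           = '20.28 Fax Server'
    'FS-SMB1'       = '20.57 SMB 1.0/CIFS File Sharing Support'
    'Telnet-Client' = '20.62 Telnet Client'
    'TFTP-Client'   = '20.64 TFTP Client'
    'PowerShell-V2' = '20.71 Windows PowerShell 2.0 Engine'
}

function Test-ProhibitedFeatures {
    param([switch]$Remove)
    foreach ($name in $prohibited.Keys) {
        $feature       = Get-WindowsFeature -Name $name
        $restartNeeded = $null
        if ($feature.Installed -and $Remove) {
            # Some removals only complete after a restart; the steps in 20.57 pass -Restart for SMB1.
            $restartNeeded = (Uninstall-WindowsFeature -Name $name).RestartNeeded
            $feature       = Get-WindowsFeature -Name $name
        }
        [pscustomobject]@{
            Item          = $prohibited[$name]
            Feature       = $name
            InstallState  = $feature.InstallState
            RestartNeeded = $restartNeeded
            Compliant     = -not $feature.Installed
        }
    }
    # The feature can be gone while the server still advertises SMB1; check the protocol switch as well.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    [pscustomobject]@{
        Item          = '20.57 SMB1 protocol on SMB server'
        Feature       = 'EnableSMB1Protocol'
        InstallState  = $smb1
        RestartNeeded = $null
        Compliant     = -not $smb1
    }
}

Test-ProhibitedFeatures | Format-Table -AutoSize
```

Run it without -Remove to see the current state, and schedule the restart it reports before treating a removal as complete.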