HKUST Windows 2008 R2 Hardening Guide V1.05

CIS Rule ID (v2.1.0)   Description

Account Policies
1.1.1.5.2.1            Set 'Store passwords using reversible encryption' to 'Disabled'
1.1.1.5.2.2            Set 'Minimum password length' to '14' or greater
1.1.1.5.2.3            Set 'Maximum password age' to '90' or less *
1.1.1.5.2.4            Set 'Enforce password history' to '24' or greater
1.1.1.5.2.6            Set 'Password must meet complexity requirements' to 'Enabled'
1.1.1.5.1.2            Set 'Account lockout threshold' to '6' or fewer
1.1.1.5.1.1            Set 'Account lockout duration' to '15' or greater

Local Policies
1.1.1.2.1.9            Set 'Accounts: Guest account status' to 'Disabled'
1.1.1.2.1.34           Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
1.1.1.2.1.56           Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
1.1.1.2.1.47           Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'
1.1.1.2.1.62           Set 'Network access: Restrict anonymous access to Named Pipes and Shares' to 'Enabled'
1.1.1.2.1.72           Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
1.1.1.2.1.110          Set 'Network access: Remotely accessible registry paths' to 'System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion'
1.1.1.2.1.114          Set 'Network access: Shares that can be accessed anonymously' to '' (empty)
1.1.1.2.1.93           Set 'Interactive logon: Do not display last user name' to 'Enabled'
1.1.1.2.1.97           Set 'Interactive logon: Prompt user to change password before expiration' to '14'
1.1.1.2.1.102          Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '0'
1.1.1.2.1.40           Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90'
1.1.1.2.1.80           Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled'
NA                     Restrict anonymous access to the registry +
NA                     Remove ACL permission from the "Everyone" group on user-created file shares ++
NA                     Disable remote logon for the default "Administrator" account to ensure accountability +++

Firewall Policies
1.1.1.4.1.1.1.7        Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)'
1.1.1.4.1.1.2.7        Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)'
1.1.1.4.1.1.3.7        Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)'

Advanced Audit Policy Configuration
1.1.1.3.1.2.4          Set 'Audit Policy: Account Management: Security Group Management' to 'Success and Failure'
1.1.1.3.1.2.6          Set 'Audit Policy: Account Management: Other Account Management Events' to 'Success and Failure'
1.1.1.3.1.2.7          Set 'Audit Policy: Account Management: User Account Management' to 'Success and Failure'
1.1.1.3.1.4.3          Set 'Audit Policy: Privilege Use: Sensitive Privilege Use' to 'Success and Failure'
1.1.1.3.1.5.2          Set 'Audit Policy: Policy Change: Audit Policy Change' to 'Success and Failure'
1.1.1.3.1.6.4          Set 'Audit Policy: System: Other System Events' to 'Success and Failure' **
1.1.1.3.1.8.3          Set 'Audit Policy: Account Logon: Credential Validation' to 'Success and Failure'

*: ITSC recommends setting the maximum password age to 90 days instead of the 60 days given in CIS rule 1.1.1.5.2.3.
**: ITSC recommends auditing Other System Events with 'Success and Failure' instead of the 'No Auditing' given in CIS rule 1.1.1.3.1.6.4.

For a domain-joined server, please send a request to [email protected]. We will help to harden your server with domain group policy.
Important!! You still have to implement the following 3 rules (+, ++, +++) yourself.

+: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2012-07-02/finding/V-1152
++: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2012-07-02/finding/V-3245
+++: For a server that has not joined a domain, create another local admin account and allow it to log on remotely. For a domain-joined server, add the domain user to the Administrators group and allow it to log on remotely. Then add the Administrator account in the following location of the local group policy: Local Policy -> User Rights Assignment -> Deny log on through Remote Desktop Services. Note that this policy supersedes the Allow log on through Remote Desktop Services policy.

Reference: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2008_R2_Benchmark_v2.1.0.pdf
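The following read-only PowerShell audit is an added example, not part of the HKUST guide or the CIS benchmark: it exports the effective local security policy with secedit and reads a few registry-backed settings, then reports PASS/FAIL against the Account Policies and Local Policies targets in the table above. The registry paths and INF key names are the standard Windows locations for those settings; the output labels and the PASS/FAIL layout are this example's own.

```powershell
# Added audit script (not from the HKUST guide or CIS). Run in an elevated
# PowerShell session on the server being checked. It changes nothing.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$pol = @{}
foreach ($l in Get-Content $inf) {
    if ($l -match '^\s*(\w+)\s*=\s*"?([^"]*?)"?\s*$') { $pol[$Matches[1]] = $Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# [System Access] keys of the INF export. -1 means "never expires" for the age
# (a failure) and "until an administrator unlocks" for the duration (a pass).
$secChecks = @(
    @{ N = 'Store passwords using reversible encryption = Disabled'; K = 'ClearTextPassword';      T = { $args[0] -eq 0 } }
    @{ N = 'Minimum password length >= 14';                          K = 'MinimumPasswordLength';  T = { $args[0] -ge 14 } }
    @{ N = 'Maximum password age <= 90 (0 or -1 never expires)';     K = 'MaximumPasswordAge';     T = { $args[0] -ge 1 -and $args[0] -le 90 } }
    @{ N = 'Enforce password history >= 24';                         K = 'PasswordHistorySize';    T = { $args[0] -ge 24 } }
    @{ N = 'Password must meet complexity requirements = Enabled';   K = 'PasswordComplexity';     T = { $args[0] -eq 1 } }
    @{ N = 'Account lockout threshold <= 6 (0 never locks)';         K = 'LockoutBadCount';        T = { $args[0] -ge 1 -and $args[0] -le 6 } }
    @{ N = 'Account lockout duration >= 15 (or -1)';                 K = 'LockoutDuration';        T = { $args[0] -eq -1 -or $args[0] -ge 15 } }
    @{ N = 'Guest account status = Disabled';                        K = 'EnableGuestAccount';     T = { $args[0] -eq 0 } }
    @{ N = 'Allow anonymous SID/Name translation = Disabled';        K = 'LSAAnonymousNameLookup'; T = { $args[0] -eq 0 } }
)
foreach ($c in $secChecks) {
    $v = $pol[$c.K]   # absent when the policy is "Not Defined" (e.g. LockoutDuration with threshold 0)
    $ok = ($null -ne $v) -and (& $c.T ([int]$v))
    '{0,-4} {1} (current: {2})' -f $(if ($ok) {'PASS'} else {'FAIL'}), $c.N, $(if ($null -eq $v) {'not set'} else {$v})
}

# Registry-backed rows of the Local Policies section; an absent value is reported as FAIL.
$regChecks = @(
    @{ N = 'Do not allow anonymous enumeration of SAM accounts and shares = Enabled'; P = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; V = 'RestrictAnonymous'; E = 1 }
    @{ N = 'Limit local account use of blank passwords to console logon only = Enabled'; P = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; V = 'LimitBlankPasswordUse'; E = 1 }
    @{ N = 'Interactive logon: Do not display last user name = Enabled'; P = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; V = 'DontDisplayLastUserName'; E = 1 }
    @{ N = 'Interactive logon: Number of previous logons to cache = 0'; P = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; V = 'CachedLogonsCount'; E = '0' }
    @{ N = 'MSS: AutoAdminLogon = Disabled'; P = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; V = 'AutoAdminLogon'; E = '0' }
    @{ N = 'MSS: Security event log WarningLevel = 90'; P = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'; V = 'WarningLevel'; E = 90 }
)
foreach ($c in $regChecks) {
    $v = (Get-ItemProperty -Path $c.P -Name $c.V -ErrorAction SilentlyContinue).($c.V)
    $ok = ($null -ne $v) -and ("$v" -eq "$($c.E)")
    '{0,-4} {1} (current: {2})' -f $(if ($ok) {'PASS'} else {'FAIL'}), $c.N, $(if ($null -eq $v) {'not set'} else {$v})
}
```

On a domain-joined server the secedit export reflects the effective policy, so settings pushed by domain group policy are checked as well; the three ITSC-specific rules (+, ++, +++) are ACL and user-rights settings and are not covered by this script.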