Windows Version: Windows Server 2012
I. Identification
1.1 Assessment item A
A) Assessment content:
Users who log in should be identified and authenticated. The identity should be unique, and the authentication information should be complex and changed regularly.
B) Rectification Suggestions:
The password must be at least eight characters long and consist of digits, letters, and special symbols, and it must be changed at least every 90 days.
C) Rectification process:
1. Choose Local Security Policy > Account Policy > Password Policy. The settings are as follows:
2. Change the password regularly. The command to view this is as follows:
1.2 Assessment item B
A) Assessment content:
The system should handle login failures: configure and enable measures such as ending the session, limiting the number of invalid login attempts, and automatically logging out when the login connection times out.
B) Rectification Suggestions:
You are advised to configure and enable login-failure handling, such as ending the session, limiting the number of invalid login attempts, and automatically logging out when the login connection times out. For example, lock a user for 30 minutes after five failed logins, and set the login timeout to 30 minutes.
C) Rectification process:
1. Open Local Security Policy > Account Lockout Policy and configure the following settings:
2. Use the screen saver to enforce timeout logout for both local and remote logins. Set the value to 30 minutes.
If the physical machine reports that this cannot be changed remotely, change it from another location.
Change the screen saver policy in the power settings:
3. Automatic logout policy for remote login
In Local Group Policy, go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits, and set the timeout to 30 minutes.
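The following PowerShell script is an added example, not part of the original page, that checks the values from sections 1.1 and 1.2 in one pass: it exports the local security policy with secedit.exe and compares password length, age, complexity and lockout settings against the stated figures (8 characters, 90 days, complexity on, lockout after 5 failures for 30 minutes), reports how old each local account's password is, and reads the screen saver and RDP session time limit settings. The registry paths are the locations the corresponding Group Policy settings write to; the script assumes it is run elevated on the server itself, and the HKCU screen saver values reflect the policy applied to the user running it.

```powershell
# Added example: audit the account policy and idle-timeout settings of sections 1.1 and 1.2.
# Assumes an elevated PowerShell session on the Windows Server 2012 host being assessed.

# --- 1. Export the effective security policy with secedit.exe and parse the .inf ---
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /quiet | Out-Null
$policy = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item -Path $cfg -Force

# Each check: the .inf key, a compliance test, and the command that would fix it.
# Note: MaximumPasswordAge = -1 means "never expires"; LockoutDuration = -1 means "until an admin unlocks".
$accountChecks = @(
    @{ Key='MinimumPasswordLength'; Test={ param($v) $v -ge 8 };                 Fix='net accounts /minpwlen:8' }
    @{ Key='MaximumPasswordAge';    Test={ param($v) $v -ge 1 -and $v -le 90 };  Fix='net accounts /maxpwage:90' }
    @{ Key='PasswordComplexity';    Test={ param($v) $v -eq 1 };                 Fix='enable "Password must meet complexity requirements" in secpol.msc' }
    @{ Key='LockoutBadCount';       Test={ param($v) $v -ge 1 -and $v -le 5 };   Fix='net accounts /lockoutthreshold:5' }
    @{ Key='LockoutDuration';       Test={ param($v) $v -eq -1 -or $v -ge 30 };  Fix='net accounts /lockoutduration:30' }
    @{ Key='ResetLockoutCount';     Test={ param($v) $v -ge 30 };                Fix='net accounts /lockoutwindow:30' }
)
foreach ($c in $accountChecks) {
    $v  = $policy[$c.Key]   # $null when the key is absent from the export (never configured)
    $ok = ($null -ne $v) -and (& $c.Test $v)
    '{0,-24} current={1,-5} {2}' -f $c.Key, $v, $(if ($ok) { 'OK' } else { "NON-COMPLIANT -> $($c.Fix)" })
}

# --- 2. Age of each local account's password, via the WinNT ADSI provider (PasswordAge is in seconds) ---
$computer = [ADSI]'WinNT://.'
foreach ($u in $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }) {
    $days = [math]::Floor([int]$u.InvokeGet('PasswordAge') / 86400)
    $flag = if ($days -gt 90) { 'OVERDUE (older than 90 days)' } else { 'ok' }
    '{0,-20} password age {1,4} days  {2}' -f $u.InvokeGet('Name'), $days, $flag
}

# --- 3. Idle timeouts: screen saver policy (local logon) and RDP session time limit (remote logon) ---
$ssKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$rdpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$timeoutChecks = @(
    @{ Desc='Screen saver enabled';            Value=(Get-RegValue $ssKey 'ScreenSaveActive');    Test={ param($v) "$v" -eq '1' } }
    @{ Desc='Screen saver password required';  Value=(Get-RegValue $ssKey 'ScreenSaverIsSecure'); Test={ param($v) "$v" -eq '1' } }
    @{ Desc='Screen saver timeout (s) <= 1800'; Value=(Get-RegValue $ssKey 'ScreenSaveTimeOut');  Test={ param($v) [int]$v -ge 1 -and [int]$v -le 1800 } }
    @{ Desc='RDP idle limit (ms) <= 1800000';   Value=(Get-RegValue $rdpKey 'MaxIdleTime');        Test={ param($v) [int]$v -ge 1 -and [int]$v -le 1800000 } }
)
foreach ($c in $timeoutChecks) {
    $ok = ($null -ne $c.Value) -and (& $c.Test $c.Value)
    '{0,-36} current={1,-8} {2}' -f $c.Desc, $c.Value, $(if ($ok) { 'OK' } else { 'NOT SET / NON-COMPLIANT' })
}
```

The `Fix` commands use `net accounts`, which changes the local policy immediately; password complexity has no `net accounts` switch and is set in secpol.msc as the page describes. A value reported as NOT SET means no policy has been applied, so the Windows default (no screen saver lock, no RDP idle limit) is in effect.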
1.3 Assessment item C
A) Assessment content:
When conducting remote management, necessary measures should be taken to prevent the identification information from being eavesdropped during network transmission.
B) Rectification Suggestions:
It is recommended to use a bastion host and SSH for remote management so that authentication information cannot be eavesdropped during network transmission.
C) Rectification process:
Local management meets the requirement by default; remote management needs to be configured so that authentication information is protected by certificate-based encryption. In the end this was implemented with a bastion host and SSH.
1. Open Remote Desktop Services > Remote Desktop Session Host > Security
Open Edit Group Policy from Control Panel, or run gpedit.msc from Win+R. In the Local Group Policy Editor window, go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security and review the related options.
Enable the security layer setting for RDP connections:
Modify "Set client connection encryption level":
These two are the main settings to configure; the remaining few can also be configured.
2. Disable the Telnet service
Check whether the Telnet service exists in Services. Because Telnet transmits everything in plaintext, the requirement is not met as soon as Telnet is enabled.
Alternatively, check whether the Telnet service is installed.
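As an added example (not code from the original page), this PowerShell script reads the RDP settings behind the two policy items above and checks for Telnet in all three places it can show up: the service, the Server Manager feature, and a listener on TCP port 23. It assumes an elevated session on the server; the policy values are read from the Terminal Services policy key that gpedit.msc writes to, falling back to the RDP-Tcp listener key when no policy is set.

```powershell
# Added example: report the RDP security layer / encryption level of section 1.3 and confirm Telnet is gone.
# Assumes an elevated PowerShell session on the server being assessed.

function Get-RdpSetting([string]$Name) {
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'          # set by Group Policy
    $defaultKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'  # listener default
    foreach ($k in @($policyKey, $defaultKey)) {
        $p = Get-ItemProperty -Path $k -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $p) { return [int]$p.$Name }
    }
    return $null
}

function Describe([object]$v, [hashtable]$names) {
    if ($null -eq $v) { return 'not set (Windows default applies)' }
    if ($names.ContainsKey($v)) { "$v ($($names[$v]))" } else { "$v (unknown)" }
}

# Meaning of the registry values behind the two policies discussed in the text
$securityLayerNames = @{ 0 = 'RDP (legacy)'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }
$encryptionNames    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

$layer = Get-RdpSetting 'SecurityLayer'
$level = Get-RdpSetting 'MinEncryptionLevel'
$nla   = Get-RdpSetting 'UserAuthentication'

'Security layer         : {0}' -f (Describe $layer $securityLayerNames)
'Encryption level       : {0}' -f (Describe $level $encryptionNames)
'Network Level Auth     : {0}' -f $(if ($nla -eq 1) { 'required' } else { 'not required' })

# Flag the weakest choices: legacy RDP security (no TLS server authentication) and an encryption
# level below High, which lets a client negotiate weaker ciphers.
if ($layer -eq 0) { Write-Warning 'Security layer is legacy RDP; set it to SSL/TLS (value 2).' }
if ($null -ne $level -and $level -lt 3) { Write-Warning 'Encryption level is below High; raise "Set client connection encryption level".' }

# --- Telnet: the service (TlntSvr), the Server Manager feature, and a listener on TCP/23 ---
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='TlntSvr'"
if ($svc) { "Telnet service present: state=$($svc.State), start mode=$($svc.StartMode)" } else { 'Telnet service not present' }

Import-Module ServerManager -ErrorAction SilentlyContinue
$feature = Get-WindowsFeature -Name Telnet-Server -ErrorAction SilentlyContinue
if ($feature -and $feature.Installed) {
    Write-Warning 'Telnet Server feature is installed; remove it with: Uninstall-WindowsFeature -Name Telnet-Server'
}
if (Get-NetTCPConnection -LocalPort 23 -State Listen -ErrorAction SilentlyContinue) {
    Write-Warning 'A process is listening on TCP/23: plaintext logins are still possible.'
}
```

Checking the listening port as well as the service catches the case where Telnet was removed from Services but a third-party Telnet daemon is still running.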
1.4 Assessment item D
A) Assessment content:
Two or more authentication techniques, such as passwords, cryptographic techniques and biometrics, should be combined to authenticate users, and at least one of them should be implemented with cryptography.
B) Rectification Suggestions:
It is suggested that two or more authentication techniques, such as passwords, cryptographic techniques and biometrics, be combined to authenticate users, with at least one of them implemented with cryptography.
A bastion host is needed to achieve this.
II. Access control
2.1 Assessment item A
A) Assessment content:
Accounts and permissions should be assigned to users who log in.
B) Rectification Suggestions:
You are advised to assign different permissions to different login users, assigning user names and permissions according to roles.
C) Rectification process:
2.2 Assessment item B
A) Assessment content:
Rename or delete the default accounts and change their default passwords.
B) Rectification Suggestions:
1. Disable useless default accounts
2. Change the default password
2.3 Assessment item C
A) Assessment content:
Delete or disable unnecessary accounts in a timely manner and avoid shared accounts.
B) Rectification Suggestions:
Avoid shared accounts; assign permissions to individual accounts instead. See item D.
2.4 Assessment item D
A) Assessment content:
Administrative users should be granted the minimum permissions required for their duties, so that administrative duties are separated.
B) Rectification Suggestions:
You are advised to create roles such as system administrator, operator, auditor, and security administrator and assign each the minimum rights needed, so that rights are separated: the system administrator patches the operating system, the security administrator sets security policy, and the auditor only needs permission to view audit logs.
C) Rectification process:
1. Create the three roles.
2. Remove the log audit permission from the administrator and assign it to the auditor.
After the restart, the other members can only view the logs and cannot clear them.
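The steps above can be scripted. The following PowerShell is an added example, not the page's own procedure: it creates three local accounts for the roles (the names sysadmin, secadmin and auditor are placeholders), puts the auditor in the built-in Event Log Readers group for read-only log access, and then uses a secedit.exe template to assign the "Manage auditing and security log" user right (SeSecurityPrivilege), which is what the page calls the log audit permission, to the auditor alone. It assumes an elevated session on a server that is not receiving a conflicting domain policy.

```powershell
# Added example: create the three separated roles of section 2.4 and move the
# "Manage auditing and security log" right (SeSecurityPrivilege) to the auditor.
# Account names are placeholders; net user prompts for each password interactively.

$roles = @(
    @{ Name = 'sysadmin'; Group = 'Administrators';    Comment = 'System administrator: patches and maintains the OS' }
    @{ Name = 'secadmin'; Group = 'Administrators';    Comment = 'Security administrator: sets security policy' }
    @{ Name = 'auditor';  Group = 'Event Log Readers'; Comment = 'Auditor: reads audit logs only' }
)
foreach ($r in $roles) {
    # "*" makes net.exe prompt for the password instead of taking it from the command line
    & net.exe user $r.Name * /add "/comment:$($r.Comment)" /passwordchg:yes
    & net.exe localgroup $r.Group $r.Name /add | Out-Null
    "created $($r.Name) in local group '$($r.Group)'"
}

# Resolve the auditor's SID; secedit templates reference accounts by *SID
$sid = (New-Object System.Security.Principal.NTAccount('auditor')).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Minimal security template: only the [Privilege Rights] area is applied (/areas USER_RIGHTS).
# Listing a single SID replaces the existing holders of the right (by default, Administrators).
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeSecurityPrivilege = *{0}
'@
$inf = Join-Path $env:TEMP 'user-rights.inf'
($template -f $sid) | Set-Content -Path $inf -Encoding Unicode
& secedit.exe /configure /db (Join-Path $env:TEMP 'user-rights.sdb') /cfg $inf /areas USER_RIGHTS /quiet
Remove-Item -Path $inf -Force

# Verify by exporting the user-rights area and printing the holders of SeSecurityPrivilege
$out = Join-Path $env:TEMP 'verify-rights.inf'
& secedit.exe /export /cfg $out /areas USER_RIGHTS /quiet | Out-Null
Select-String -Path $out -Pattern '^SeSecurityPrivilege' | ForEach-Object { $_.Line }
Remove-Item -Path $out -Force
"Reboot (or sign the accounts out and in) for the user right to take effect, as the page notes."
```

Two caveats for the design: a member of Administrators can grant the right back to itself, so the separation only holds if the change is itself audited (the next section's audit policy covers policy changes); and the auditor account must not also be an administrator, or the read-only intent is defeated.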
2.5 Assessment item E
A) Assessment content:
The authorized subject should configure the access control policy, which specifies the access rules between subjects and objects.
B) Rectification Suggestions:
The default configuration complies.
2.6 Assessment item F
A) Assessment content:
The granularity of access control should reach user level or process level for subjects, and file level and database table level for objects.
B) Rectification Suggestions:
The default configuration complies.
2.7 Assessment item G
A) Assessment content:
Security marks should be set up for important subjects and objects, and access to information resources with security marks should be controlled.
B) Rectification Suggestions:
It is recommended that security labels be set for important subjects and objects and that access to information resources carrying security labels be controlled. This requires domestic servers and operating systems; because of the high cost, rectification is not recommended.
III. Security audit
3.1 Assessment item A
1) Assessment content:
The security audit function should be enabled, covering all users, and should audit important user behaviors and security events.
2) Rectification Suggestions:
1. The security audit function should be enabled, or a host security audit system adopted.
2. A relatively complete security audit policy should be enabled.
3) Rectification process:
1. Check whether the security audit function is enabled.
On the command line, run secpol.msc to open the Local Security Policy. Go to Security Settings > Local Policies > Audit Policy and modify the audit settings as follows:
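The audit settings made in secpol.msc can be verified and corrected from the command line with auditpol.exe. The script below is an added example (not from the page): it reads the effective policy per subcategory in CSV form, compares a set of subcategories covering logons, account management, policy changes and privilege use (this example's selection, not the page's screenshot) against "Success and Failure", and enables auditing only where it is missing. It assumes an elevated session.

```powershell
# Added example: check and remediate the audit policy of section 3.1 with auditpol.exe.
# The subcategory list is this example's choice of "important user behaviors and security events".

$required = @(
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
    'User Account Management', 'Security Group Management',
    'Audit Policy Change', 'Authentication Policy Change',
    'Sensitive Privilege Use', 'Security State Change', 'Security System Extension',
    'Process Creation'
)

# /r gives CSV columns: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$current = auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
$byName = @{}
foreach ($row in $current) { $byName[$row.Subcategory] = $row.'Inclusion Setting' }

$gaps = @()
foreach ($sub in $required) {
    $setting = $byName[$sub]
    $ok = $setting -eq 'Success and Failure'
    '{0,-30} {1,-22} {2}' -f $sub, $setting, $(if ($ok) { 'OK' } else { 'NON-COMPLIANT' })
    if (-not $ok) { $gaps += $sub }
}

# Remediate only the gaps; auditpol /set is idempotent, so re-running is safe
foreach ($sub in $gaps) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}
if ($gaps.Count -gt 0) { "enabled success and failure auditing for: $($gaps -join ', ')" }
else { 'all required subcategories already audit success and failure' }
```

auditpol shows the effective per-subcategory settings, which is what the event log actually honours; the nine coarse categories in secpol.msc map onto these subcategories, so this is the right place to confirm that the screenshot settings took effect.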
3.2 Assessment item B
1) Assessment content:
The audit record should include the date and time of the event, the user, the event type, whether the event succeeded, and other audit-related information.
2) Rectification Suggestions:
1. Check whether audit records include date, time, type, subject identification, object identification, and result
3) Rectification process:
First, instead of third-party auditing software, we use the software that comes with Windows, so we check whether the Windows audit records contain the required fields.
Open Event Viewer > Windows Logs > System. All of these are audited.
3.3 Assessment item C
1) Assessment content:
Audit records should be protected and backed up regularly to prevent unexpected deletion, modification, or overwriting.
2) Rectification Suggestions:
1. Audit records shall be backed up and other protective measures taken.
2. Audit record retention shall meet the national standard (more than 6 months).
3) Rectification process:
1. Set the log policy.
Open Event Viewer and, for each of the Application, Security, Setup and System logs under Windows Logs, change the log retention policy to the following.
Answer: We do not want the log to be overwritten. With the second option, when the log is full it is archived as a backup and recording continues. With the third option, when the log is full it is not archived and no further events are recorded.
2. Back up logs periodically
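This added PowerShell example (not part of the original page) covers sections 3.2 and 3.3 together: it pulls a few logon events from the Security log and lays them out as date/time, user, event type and result to show the fields 3.2 asks for; it then sets the four Windows logs to the page's second option (retain events and archive the log when full) with wevtutil.exe, and exports a dated copy of each log as the periodic backup. It assumes an elevated session; the backup directory D:\LogBackup is a placeholder.

```powershell
# Added example: show the audited fields (3.2), set "archive when full, do not overwrite" (3.3 step 1),
# and export dated backups of the logs (3.3 step 2). D:\LogBackup is a placeholder path.

# --- 3.2: a few logon events with the fields the requirement names ---
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated                                          # date and time of the event
        User   = "$($data['TargetDomainName'])\$($data['TargetUserName'])" # subject
        Type   = $e.Id                                                   # 4624 = logon, 4625 = failed logon
        Result = ($e.KeywordsDisplayNames -join ',')                     # "Audit Success" / "Audit Failure"
        Source = $data['IpAddress']                                      # where the logon came from
    }
}

# --- 3.3 step 1: retention. /rt:true = do not overwrite; /ab:true = archive the log when it is full ---
$logs = 'Application', 'Security', 'Setup', 'System'
foreach ($log in $logs) {
    wevtutil.exe sl $log /rt:true /ab:true
    $cfg = wevtutil.exe gl $log
    $state = (($cfg | Where-Object { $_ -match 'retention|autoBackup' }) | ForEach-Object { $_.Trim() }) -join '  '
    '{0,-12} {1}' -f $log, $state
}

# --- 3.3 step 2: periodic backup. Export each log to a dated .evtx; run this from a scheduled task ---
$backupDir = 'D:\LogBackup'   # placeholder, replace with the real backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
foreach ($log in $logs) {
    $dest = Join-Path $backupDir ('{0}-{1}.evtx' -f $log, $stamp)
    wevtutil.exe epl $log $dest
    "exported $log to $dest"
}
# Retention: keep at least the 6 months the page cites; prune only files older than that
Get-ChildItem -Path $backupDir -Filter '*.evtx' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddMonths(-6) } |
    Remove-Item -Force
```

Archived logs are written next to the live log under %SystemRoot%\System32\winevt\Logs, so the backup directory should be on a different volume (and ideally a different host) for the protection in 3.3 to mean anything; also raise the log's maximum size (`wevtutil sl Security /ms:<bytes>`) so archiving does not happen every few hours on a busy server.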
3.4 Assessment item D
1) Assessment content:
Audit records should be protected against unauthorized interruption.
2) Rectification Suggestions:
Non-audit personnel are not allowed to log in and operate on the logs; a dedicated person is responsible for managing the audit logs.
3) Rectification process:
IV. Intrusion prevention
4.1 Assessment Item A
1) Assessment content:
Follow the principle of minimal installation and install only the components and applications that you need
2) Rectification Suggestions:
Remove redundant programs.
3) Rectification process:
4.2 Assessment item B
1) Assessment content:
Disable unnecessary system services, default shares, and high-risk ports
2) Rectification Suggestions:
You are advised to disable high-risk ports such as 445, 139, and 3389 and to disable unnecessary system services such as the default shares and Telnet.
3) Rectification process:
1. Understand the relationship between services, processes, and ports.
When a service starts, it may start one or more processes, and a process may then listen on a port. Communication on a port is meaningful only when a process is listening on it; a message sent to a port on which no process is listening gets no response.
For example, the IIS service starts the w3wp process, which listens on port 80 or whatever port you have configured.
2. Disable the default shares and the Remote Registry, Print Spooler, and Telnet services
Right-click Computer > Manage > Services and Applications and disable these four.
Because this system does not use the sharing function, this service is disabled.
If DHCP is in use, the DHCP service cannot be shut down, as that leaves a trap: remote login becomes impossible once DHCP is turned off, so it is left running.
3. Check for unnecessary or high-risk ports
Windows opens five ports by default, 135, 137, 138, 139 and 445, which are related to file and printer sharing. If the machine is connected to the network, some information on it can be disclosed without the user's knowledge.
Port 3389 is the Remote Desktop service and is not closed because it is needed.
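As an added example (not the page's own procedure), the PowerShell below carries out step 2 and step 3 of section 4.2: it stops and disables the four services, removes the automatic administrative shares, and then lists every listening TCP/UDP port together with the process that owns it, marking the five default sharing ports and 3389 for review. The mapping of "default share" to the Server service (LanmanServer) is this example's assumption; the DHCP Client service is left alone as the page says, and the script assumes an elevated session.

```powershell
# Added example: disable the services of section 4.2 step 2, remove admin shares, and map listening ports
# to their owning processes (step 3). Assumes an elevated PowerShell session on the server.

# Service names: LanmanServer (file/printer sharing), RemoteRegistry, Spooler, TlntSvr (Telnet)
$toDisable = 'LanmanServer', 'RemoteRegistry', 'Spooler', 'TlntSvr'
foreach ($name in $toDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "$name : not installed"; continue }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $name -StartupType Disabled
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
    "$name : stopped, start mode = $mode"
}

# The default administrative shares (C$, ADMIN$, IPC$) are recreated at boot unless AutoShareServer = 0
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
net.exe share   # shows what is still shared right now

# Listening ports -> owning process, so every open port can be traced back to a service
$watch = 135, 137, 138, 139, 445, 3389
$tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
    [pscustomobject]@{ Proto = 'TCP'; Port = $_.LocalPort; ProcId = $_.OwningProcess }
}
$udp = Get-NetUDPEndpoint | ForEach-Object {
    [pscustomobject]@{ Proto = 'UDP'; Port = $_.LocalPort; ProcId = $_.OwningProcess }
}
@($tcp) + @($udp) | Sort-Object Proto, Port -Unique | ForEach-Object {
    $proc = (Get-Process -Id $_.ProcId -ErrorAction SilentlyContinue).ProcessName
    $note = if ($watch -contains $_.Port) { '<-- review: default sharing / RDP port' } else { '' }
    '{0} {1,-6} pid={2,-6} {3,-20} {4}' -f $_.Proto, $_.Port, $_.ProcId, $proc, $note
}
```

Before disabling LanmanServer on a real host, confirm that nothing manages the server over SMB (remote Event Viewer, file-based backup agents, remote service control all use it); port 135 stays open because the RPC endpoint mapper is needed by Windows itself, which is why the list only marks ports for review rather than closing them.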
4.3 Assessment item C
1) Assessment content:
The terminal access mode or network address range must be set to restrict which management terminals can manage the system over the network.
2) Rectification Suggestions:
You are advised to set the terminal access mode or network address range and allow only specific IP addresses or address segments to log in.
Only RDP from the intranet is currently allowed for remote login; the terminal access mode or network address range for management terminals has not been specified.
3) Rectification process:
In the firewall rules, find Remote Desktop – User Mode (TCP-In).
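The scope change described here (restricting the Remote Desktop rule to specific addresses) can be applied and verified with the NetSecurity cmdlets. The following is an added example, not from the page: it narrows every inbound rule in the built-in "Remote Desktop" group, not just the User Mode (TCP-In) rule, to a management range, prints the resulting scope of each rule, and checks that the firewall profiles are actually enabled. The range 10.0.0.0/24 is a placeholder for the real intranet management segment; the script assumes an elevated session on Windows Server 2012, whose built-in rule names it relies on.

```powershell
# Added example: restrict the Remote Desktop firewall rules of section 4.3 to the management network.
# 10.0.0.0/24 is a placeholder; replace it with the real admin subnet(s) or individual addresses.

$managementNet = @('10.0.0.0/24')

# All inbound rules in the "Remote Desktop" group: User Mode (TCP-In), User Mode (UDP-In), Shadow (TCP-In)
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
foreach ($rule in $rdpRules) {
    # RemoteAddress replaces the rule's scope (default "Any") with the listed ranges; the rule stays enabled
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $managementNet
}

# Verify: print each rule with its effective remote-address scope
foreach ($rule in Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0,-45} enabled={1,-5} remote={2}' -f $rule.DisplayName, $rule.Enabled, $scope
}

# Scoping is meaningless if the firewall profile the NIC is in is turned off, so report all three
Get-NetFirewallProfile | ForEach-Object { '{0,-8} firewall enabled={1}' -f $_.Name, $_.Enabled }
```

Scoping all three rules matters because the UDP-In rule carries the same RDP session as the TCP-In rule; leaving it at "Any" would undo the restriction for clients that negotiate UDP transport.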