Important

This space contains documentation for TrueSight Server Automation 8.9.03 and the later service packs for 8.9. For earlier releases, see BMC Server Automation 8.9.

Updating CIS for Windows Server 2016 to newer benchmarks

This document describes the hotfix that contains the Center for Internet Security (CIS) templates for Windows Server 2016, with implementations for 371 rules, which can be installed on TrueSight Server Automation 8.9.00 onwards. The template is based on the recommended settings defined in the Microsoft Windows Server 2016 RTM (Release 1607) Security Configuration Benchmark Version 1.1.0, published on October 31, 2018.

Before you begin

Before you install this hotfix, ensure that all compliance content provided by BMC in your environment is at least updated to version 8.9.

Step 1: Downloading and installing the files

  1. Log in to the ftp.bmc.com host using the SFTP protocol. Download the CIS - Windows Server 2016.zip package from the following location:

     Verify the downloaded content by using the following checksums.

     File Name                     | MD5SUM
     ----------------------------- | --------------------------------
     CIS - Windows Server 2016.zip | BDC707262EF2D77B058D21A2B7DBE516

  2. Move the CIS - Windows Server 2016.zip package to your RCP client server.
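Step 1 asks you to verify the downloaded package against the published MD5 checksum but does not show how. The following Python script is an added example, not BMC's own tooling: it assumes the package sits in the current directory under its published file name, hashes it in chunks (the package does not have to fit in memory), and compares the result with the MD5SUM from the table above using a case-insensitive, constant-time comparison.

```python
"""Verify the MD5 checksum of the downloaded CIS package (added example)."""
import hashlib
import hmac
import sys

# Expected MD5 for "CIS - Windows Server 2016.zip", as published on this page.
EXPECTED_MD5 = "BDC707262EF2D77B058D21A2B7DBE516"

# Assumed location of the downloaded package (same directory, published name).
DEFAULT_PACKAGE = "CIS - Windows Server 2016.zip"


def md5_of_file(path, chunk_size=1024 * 1024):
    """Return the lowercase hex MD5 digest of a file, read in 1 MiB chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_md5(path, expected_hex):
    """Return True only if the file's MD5 matches expected_hex.

    The comparison is case-insensitive (the page lists the hash in upper case)
    and uses hmac.compare_digest so that the check does not short-circuit on
    the first differing character.
    """
    actual = md5_of_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


if __name__ == "__main__":
    package = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PACKAGE
    if verify_md5(package, EXPECTED_MD5):
        print(f"OK: {package} matches the published MD5")
    else:
        print(f"MISMATCH: do not import {package}; download it again")
        sys.exit(1)
```

Run this where you downloaded the package, before moving it to the RCP client server. On Windows, `Get-FileHash -Algorithm MD5` in PowerShell produces the same digest if you prefer not to use Python. MD5 is adequate for detecting a truncated or corrupted download, which is what this step is for; it is not collision resistant, so it is not a substitute for obtaining the package over the authenticated SFTP channel the page specifies.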

Step 2: Importing the Compliance Content

  1. Log on to the Console.
  2. Right-click Component Templates and select Import.

    The Import Wizard starts.
  3. Select the Import (Version-neutral) option.
  4. Select the CIS - Windows Server 2016.zip package from the temporary location and click Next.
  5. The CIS template for CIS - Windows Server 2016 is available in the CIS - Windows Server 2016.zip package. To import the templates, select the zip file and click Next.

    Note

    Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.

  6. Navigate to the last screen of the wizard and then click Finish.

    The templates are imported successfully.

Rules within the templates

The zip package provides 371 rules, of the following types:

  • Rules that check for compliance and provide remediation - 348
  • Rules that check for compliance but do not provide remediation - 23

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts - 362
  • Rules divided into two parts (Rule IDs 18.8.22.1.13, 18.8.25.1, 18.9.80.1.1, 18.9.101.1.1 and 18.9.101.1.3) - (5 * 2) = 10
  • Rules divided into three parts (Rule ID 18.9.101.1.2) - (1 * 3) = 3
  • Rules divided into four parts (Rule IDs 18.5.9.1, 18.5.9.2) - (2 * 4) = 8
  • Rules divided into five parts (Rule ID 18.5.20.1) - (1 * 5) = 5

So, the current rule count according to CIS Windows 2016 template after running the compliance job is 388 (362 + 10 + 3 + 8 + 5).

Note

Ensure that you have gone through the following points before you run the compliance checks or perform remediation:

  • While running compliance jobs on domain controller targets, set the target server's DOMAIN property to DC.
  • Leave the DOMAIN property blank for member servers and standalone systems. On these non-domain-controller targets the property can either be BLANK or any string other than DC; only domain controllers must have it set to DC.

Rule IDs Without Remediation and Undo | Comments
------------------------------------- | --------
1.2.1, 1.2.3 | No remediation is provided because the two GPO settings, Reset account lockout counter after (Rule ID 1.2.3) and Account lockout duration (Rule ID 1.2.1), depend on each other; a non-compliant result must be resolved manually.
2.3.1.5, 2.3.1.6 | The remediation requires user input, which has to be maintained by the organization.
18.5.14.1 | None
18.9.76.13.1.2 | None
18.8.21.5 | None
Section 19 rules (19.1.3.1, 19.1.3.2, 19.1.3.3, 19.1.3.4, 19.5.1.1, 19.6.5.1.1, 19.7.4.1, 19.7.4.2, 19.7.7.1, 19.7.7.2, 19.7.7.3, 19.7.7.4, 19.7.26.1, 19.7.40.1, 19.7.44.2.1) | None

TARGET/LOCAL PROPERTY | RULE ID IN WHICH PROPERTY IS USED | PROPERTY NAME | DEFAULT VALUES | DELIMITER
--------------------- | --------------------------------- | ------------- | -------------- | ---------
LOCAL | 1.1.4 | MIN_PASSWD_LENGTH | 14 |
LOCAL | 2.2.21 | DENY_ACCESS_FROM_NETWORK | BUILTIN\Guests |
LOCAL | 2.2.26 | DENY_LOG_ON_THROUGH_THE_REMOTE_DESKTOP_SERVICES | BUILTIN\Guests | Comma (,)
LOCAL | 2.3.7.4 | CIS_LEGAL_NOTICE_TEXT | BLANK |
LOCAL | 2.3.7.5 | INTERACTIVE_LOGON_MESSAGE_TITLE | BLANK |
LOCAL | 19.1.3.2 | SCREEN_SAVER_EXECUTABLE | BLANK |
LOCAL | 2.3.1.5 | RENAME_ADMINISTRATOR_ACCOUNT | BLANK |
LOCAL | 2.3.1.6 | RENAME_GUEST_ACCOUNT | BLANK |
