Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Compliance Content updates for SP2


BMC Server Automation version 8.3 SP2 includes the following Content updates:

Added support for new component templates

The following new component templates are supported:

| Policy/Benchmarks | Available templates and versions | Template feature ID (used in silent installation) | Versions | Release | Update |
| --- | --- | --- | --- | --- | --- |
| Defense Information Systems Agency (DISA) | DISA - Windows Server 2008 DC | featureDisaWin08DCTemplate | 6.0 | 1.22 | July 26, 2013 |
| Defense Information Systems Agency (DISA) | DISA - Windows Server 2008 MS | featureDisaWin08MSTemplate | 6.0 | 1.22 | July 26, 2013 |
| Defense Information Systems Agency (DISA) | DISA - Windows Server 2008 R2 DC | featureDisaWin08R2DCTemplate | 1 | 8 | July 26, 2013 |
| Defense Information Systems Agency (DISA) | DISA - Windows Server 2008 R2 MS | featureDisaWin08R2MSTemplate | 1 | 8 | July 26, 2013 |
| Center for Internet Security (CIS) | CIS - Red Hat Enterprise Linux 6 | featureCisRedhat6Template | 1.1.0 |  | August 31, 2012 |

Info: The new DISA templates are located under Component Templates > DISA Compliance Content > DISA STIG Revised.

New DISA STIG properties

The following DISA property is added to the custom property class:

| Property | Description | Default Value |
| --- | --- | --- |
| MANAGE_AUDITING_AND_SECURITY_LOG | The group named by the default value (AUDITORS) must be present on the target server | Auditors |

The following DISA properties are added to the local property class:

| Property | DISA Template Version | Description | Default Value |
| --- | --- | --- | --- |
| ALLOWED_WINDOWS_FEATURES | All versions | Windows features that are allowed | GPMC BACKUP BitLocker |
| APPLICATION_ACCOUNTS | All versions | Comma-separated list of application accounts | Guest,Application |
| AUDITORS_GROUP | All versions | Auditors group | Auditors |
| DEBUG_PROGRAMS | All versions | List of accounts for the user right Debug Programs |  |
| DISA_LEGAL_NOTICE_TEXT | All versions | DISA legal notice text |  |
| DISA_LEGAL_NOTICE_TEXT_1 | All versions | DISA legal notice text |  |
| DISA_LEGAL_NOTICE_TEXT_2 | All versions | DISA legal notice text |  |
| DISA_LEGAL_NOTICE_TEXT_3 | All versions | DISA legal notice text |  |
| DISA_LEGAL_NOTICE_TEXT_4 | All versions | DISA legal notice text |  |
| DISA_LEGAL_TITLE_TEXT | All versions | DISA legal title |  |
| DOMAIN_ACCOUNTS_WITH_CAC | Windows Server 2008 R2 DC | Comma-separated list of domain accounts |  |
| DOMAIN_ACCOUNTS_WITH_CAC | Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 MS | Comma-separated list of domain accounts requiring a smart card (CAC) |  |
| DOMAIN_SUPPORTS_EXCHANGE_2003 | All versions | Domain supports Exchange 2003 | FALSE |
| EVENT_LOGS_DIR | All versions | Event log directory | ??TARGET.SYSTEMROOT??/System32/Winevt/Logs |
| FRS_DIRECTORY_DATA_LOCATION | All versions | FRS directory data location | /C/Windows/NTDS/ |
| FTP_PASSWORD | All versions | FTP password | password |
| FTP_USER | All versions | FTP user | anonymous |
| IPV6_TRANSITION_COMPLETE | Windows Server 2008 DC, Windows Server 2008 MS | IPv6 transition complete | FALSE |
| IS_GOLD_DISK | Windows Server 2008 DC | TRUE if the target server is a Gold Disk | TRUE |
| LOCAL_ADMINISTRATOR_ACCOUNTS | Windows Server 2008 MS, Windows Server 2008 R2 MS | Comma-separated list of local administrator accounts |  |
| NTP_AUTHORIZED_SERVER | All versions | NTP authorized time server |  |
| OPTIONAL_SUBSYSTEMS | All versions | V-4445 Optional Subsystems | Posix |
| REMEDIATE_SETTING_FOR_GPO | All versions | Remediation setting for GPO | Default Domain Controller Security Policy and Default Domain Security Policy |
| SERVICES_CHECK_STARTUP_AUTOMATIC | All versions | Comma-separated list of services whose startup type should be Automatic | See the default value listed below the table |
| SERVICES_CHECK_STARTUP_AUTOMATIC_DELAYED | All versions | Comma-separated list of services whose startup type should be Automatic (Delayed) | Diagnostic Policy Service,Distributed Transaction Coordinator,Software Protection,Windows Remote Management (WS-Management),Windows Update,Network Policy Server |
| SERVICES_CHECK_STARTUP_DISABLED | All versions | Comma-separated list of services whose startup type should be Disabled | Computer Browser,Internet Connection Sharing (ICS),PnP-X IP Bus Enumerator,Routing and Remote Access,SSDP Discovery,UPnP Device Host,Net.Tcp Port Sharing Service |
| SERVICES_CHECK_STARTUP_MANUAL | All versions | Comma-separated list of services whose startup type should be Manual | See the default value listed below the table |
| SERVICES_CHECK_STARTUP_MANUAL_1 | All versions | Comma-separated list of services whose startup type should be Manual | Windows Modules Installer,WinHTTP Web Proxy Auto-Discovery Service,Wired AutoConfig,WMI Performance Adapter,Windows CardSpace,Windows Presentation Foundation Font Cache 3.0.0.0,Remote Desktop Configuration,Remote Desktop Services UserMode Port,Windows Process Activation |
| TIME_SYNC_SOURCE | All versions | Type of time synchronization source to be used. Possible values are "Nt5DS", "NTP", or "AllSync" |  |

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Default value for SERVICES_CHECK_STARTUP_AUTOMATIC

Base Filtering Engine,COM+ Event System,Cryptographic Services,DCOM Server Process Launcher,Desktop Window Manager Session Manager,DHCP Client,Distributed Link Tracking Client,DNS Client,Group Policy Client,IP Helper,Network Location Awareness,Network Store Interface Service,Plug and Play,Power,Print Spooler,Remote Procedure Call (RPC),Remote Registry,RPC Endpoint Mapper,Security Accounts Manager,Shell Hardware Detection,System Event Notification Service,Task Scheduler,TCP/IP NetBIOS Helper,User Profile Service,Windows Event Log,Windows Firewall,Windows Management Instrumentation,Windows Time,Workstation,Active Directory Certificate Services,Active Directory Domain Services,Active Directory Web Services,DFS Namespace,DFS Replication,DNS Server,Intersite Messaging,Kerberos Key Distribution Center,DHCP Server,DNS Server,Workstation,Hyper-V Image Management Service,Hyper-V Networking Management Service,Virtual Machine Management Service,Print Spooler,Remote Desktop Services,Application Host Helper Service,World Wide Web Publishing Service

Default value for SERVICES_CHECK_STARTUP_MANUAL

Application Experience,Application Identity,Application Information,Application Layer Gateway Service,Application Management,Background Intelligent Transfer Service,Certificate Propagation,COM+ System Application,Credential Manager,Diagnostic Service Host,Diagnostic System Host,Disk Defragmenter,Encrypting File System (EFS),Extensible Authentication Protocol,Function Discovery Provider Host,Function Discovery Resource Publication,Health Key and Certificate Management,Human Interface Device Access,IKE and AuthIP IPsec Keying Modules,Interactive Services Detection,IPsec Policy Agent,KtmRm for Distributed Transaction Coordinator,Link-Layer Topology Discovery Mapper,Microsoft .NET Framework NGEN v2.0.50727_X64,Microsoft .NET Framework NGEN v2.0.50727_X86,Microsoft Fibre Channel Platform Registration Service,Microsoft iSCSI Initiator Service,Microsoft Software Shadow Copy Provider,Multimedia Class Scheduler,Netlogon,Network Access Protection Agent,Network Connections,Network List Service,Performance Counter DLL Host,Performance Logs & Alerts,Portable Device Enumerator Service,Problem Reports and Solutions Control Panel Support,Protected Storage,Remote Access Auto Connection Manager,Remote Access Connection Manager,Remote Desktop Configuration,Remote Desktop Services,Remote Desktop Services UserMode Port Redirector,Remote Procedure Call (RPC) Locator,Resultant Set of Policy Provider,Secondary Logon,Secure Socket Tunneling Protocol Service,Smart Card,SNMP Trap,Special Administration Console Helper,SPP Notification Service,Telephony,Thread Ordering Server,TP AutoConnect Service,TPM Base Services,Virtual Disk,Volume Shadow Copy,Windows Audio,Windows Audio Endpoint Builder,Windows Color System,Windows Driver Foundation - User-mode Driver Framework,Windows Error Reporting Service,Windows Event Collector,Windows Font Cache Service,Windows Installer
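The SERVICES_CHECK_STARTUP_* properties are comma-separated lists of service display names, grouped by the startup type the template expects each service to have. As an added example (not BMC code and not part of the shipped templates), the following PowerShell performs that same comparison on the local server, so the lists can be previewed before a Compliance Job runs against a host. It uses the default lists from this page, with the AUTOMATIC and MANUAL lists shortened to their first entries, and handles two details the table does not spell out: Win32_Service reports only Auto/Manual/Disabled, so the delayed-start flag is read from the service's DelayedAutostart registry value, and services that are not installed on the host (role services such as DNS Server) are reported as NotInstalled rather than as failures. The hashtable keys and the function names are the example's own.

```powershell
# Added example (not from the BMC documentation): compare local service startup
# types against SERVICES_CHECK_STARTUP_* style lists. Requires PowerShell 3.0+.

$ExpectedStartup = @{
    # SERVICES_CHECK_STARTUP_DISABLED default from this page
    'Disabled' = 'Computer Browser,Internet Connection Sharing (ICS),PnP-X IP Bus Enumerator,Routing and Remote Access,SSDP Discovery,UPnP Device Host,Net.Tcp Port Sharing Service'
    # SERVICES_CHECK_STARTUP_AUTOMATIC_DELAYED default from this page
    'AutomaticDelayed' = 'Diagnostic Policy Service,Distributed Transaction Coordinator,Software Protection,Windows Remote Management (WS-Management),Windows Update,Network Policy Server'
    # First entries of the SERVICES_CHECK_STARTUP_AUTOMATIC default (shortened here)
    'Automatic' = 'Base Filtering Engine,COM+ Event System,Cryptographic Services,DCOM Server Process Launcher,DHCP Client,DNS Client,Windows Event Log,Windows Firewall,Windows Time'
    # First entries of the SERVICES_CHECK_STARTUP_MANUAL default (shortened here)
    'Manual' = 'Application Experience,Application Identity,Background Intelligent Transfer Service,Certificate Propagation,Netlogon,Secondary Logon,Smart Card,Volume Shadow Copy'
}

function Get-EffectiveStartMode {
    # Win32_Service.StartMode is Auto/Manual/Disabled (plus Boot/System for drivers).
    # "Automatic (Delayed Start)" is only visible via the DelayedAutostart registry value.
    param([Parameter(Mandatory)] $Service)
    switch ($Service.StartMode) {
        'Disabled' { return 'Disabled' }
        'Manual'   { return 'Manual' }
        'Auto' {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)"
            $delayed = (Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart
            if ($delayed -eq 1) { return 'AutomaticDelayed' } else { return 'Automatic' }
        }
        default { return $Service.StartMode }
    }
}

function Test-ServiceStartupCompliance {
    param([hashtable] $Expected = $ExpectedStartup)

    # Index installed services by display name once; the template lists use display names.
    $installed = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object { $installed[$_.DisplayName] = $_ }

    foreach ($wanted in $Expected.Keys) {
        $names = $Expected[$wanted] -split ',' | ForEach-Object Trim | Where-Object { $_ }
        foreach ($displayName in $names) {
            $svc = $installed[$displayName]
            if (-not $svc) {
                # Role services are absent on many hosts: report it, do not count it as a failure.
                [pscustomobject]@{ Service = $displayName; Expected = $wanted; Actual = 'NotInstalled'; Compliant = $null }
                continue
            }
            $actual = Get-EffectiveStartMode -Service $svc
            [pscustomobject]@{ Service = $displayName; Expected = $wanted; Actual = $actual; Compliant = ($actual -eq $wanted) }
        }
    }
}

# Show only the services that need attention (non-compliant or not installed).
Test-ServiceStartupCompliance | Where-Object { $_.Compliant -ne $true } | Format-Table -AutoSize
```

Because the template lists mix workstation, domain controller and role services (the AUTOMATIC default includes DNS Server, Hyper-V and IIS services), a NotInstalled result is expected on most hosts and is the reason the script separates it from a genuine startup-type mismatch.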

 

For existing properties in the Server built-in property class, see DISA-properties-in-the-Server-built-in-property-class.

BMC Recommendations: Before running a remediation job against Windows 2008 R2 DC or Windows 2008 DC, back up the following GPO policy files:

  •  Default Domain security policy, located at: \\localhost\SYSVOL\<Domain name>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
  •  Default Domain Controller security policy, located at: \\localhost\SYSVOL\<Domain name>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
      
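As an added example (not BMC code), the following PowerShell script carries out the backup recommended above: it resolves the domain name, copies both GptTmpl.inf files from the SYSVOL paths listed on this page into a timestamped folder, and records a SHA-256 hash of each copy so the pre-remediation state can be verified later. It assumes it is run on a domain controller by an account that can read SYSVOL, and that PowerShell 4.0 or later is available (for Get-FileHash). The backup location C:\GPOBackup is an assumption, not a path from the documentation.

```powershell
# Added example (not from the BMC documentation): back up the Default Domain and
# Default Domain Controllers security templates before a remediation job runs.
param([string] $BackupRoot = 'C:\GPOBackup')   # assumed location, adjust as needed

# Resolve the domain's DNS name without requiring the ActiveDirectory module.
$domainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

# GUIDs as listed on this page for the two policies.
$policies = @{
    'DefaultDomainPolicy'            = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    'DefaultDomainControllersPolicy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
}

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

foreach ($entry in $policies.GetEnumerator()) {
    $source = "\\localhost\SYSVOL\$domainName\Policies\$($entry.Value)\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $source)) {
        # A missing template is worth knowing about before remediation, so do not silently skip it.
        Write-Warning "Not found: $source"
        continue
    }
    $dest = Join-Path $target "$($entry.Key)-GptTmpl.inf"
    Copy-Item -LiteralPath $source -Destination $dest

    # Record a hash of the copy so the saved state can be verified after remediation.
    $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    "$hash  $($entry.Key)-GptTmpl.inf" | Add-Content -Path (Join-Path $target 'SHA256SUMS.txt')
    Write-Output "Backed up $($entry.Key) -> $dest"
}
```

Keeping each run in its own timestamped folder means a remediation job that is run more than once never overwrites the original baseline, and the hash file gives a quick way to confirm which GptTmpl.inf a later restore actually puts back.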

Warning: BMC Regulatory Compliance Templates (Policies) provided by BMC come with remediation actions for many of the standard checks, for use where a rule check fails and corrective action may be necessary to bring servers to the desired state. BMC recommends that customers carefully review all shipped remediation actions. BMC supplies an Auto Remediation flag, set to false by default, to ensure that no changes are made on managed servers when compliance rule checks fail. If the Auto Remediation flag is set to true, BSA will make changes to servers as part of the remediation package Deploy Job. It is the customer's responsibility to ensure and control the remediation actions, including auto remediation actions, performed in their environment.

 
