DISA: Windows Server 2016



This document provides information about the hotfix containing the Windows Server 2016 RTM (Release 1607) Security Configuration Benchmark, Version 1, Release 10. The template implements 272 rules and can be installed on TrueSight Server Automation 8.9.00 or later versions.

Before you begin

Before you install this hotfix, ensure that you perform the following:

  • Ensure that all compliance content provided by BMC in your environment is at least updated to version 8.9.
  • Some policy settings require the installation of the SecGuide custom templates included with the STIG package. SecGuide.admx and SecGuide.adml must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
  • Some policy settings require the installation of the MSS-Legacy custom templates included with the STIG package. MSS-Legacy.admx and MSS-Legacy.adml must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
  • Save a backup of the extended_objects folder, which is at the following location on the file server:
    <File_Server_Root>/extended_objects/

Step 1: Downloading and installing the files

Note

If you are using TrueSight Server Automation 8.9.02 or later versions, you need not install this fix separately because this fix is installed as part of the installation process.

Download the DISA_Template_and_EO package from the FTP location and extract its contents to a temporary location on the file server.

Verify the downloaded content by using the following check sums.

S.No   File Name                        MD5SUM
1      DISA - Windows Server 2016.zip   1e1bcd1cfd47071b71eec6e9889612e6
2      extended_objects.zip             abd3117fa4150c929a103357a41832f6

Verify that the extended objects are present on the application. If the md5sums match, replace them. If the md5sums do not match, you must merge the fixes manually.

Step 2: Replacing the extended object scripts on the file server


    1. Navigate to the extended objects script files on your file server:
      <File_Server_Root>/extended_objects/
    2. Replace the Extended Object script files on your file server, with the extracted Extended Object script files stored in the temporary location:
      <temporary_location_on_file_server>/extended_objects/
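The checksum gate from Step 1 and the backup-then-replace of Step 2, as an added POSIX shell example that is not part of BMC's package. It assumes the file server is Unix-like with md5sum available; the temporary location and <File_Server_Root> are passed in as arguments, and the two expected MD5 sums are the ones in the table above.

```shell
#!/bin/sh
# Added example, not BMC tooling: verify the downloaded hotfix packages against
# the documented MD5 sums, then back up and replace the extended objects.

# Return 0 if FILE's MD5 equals EXPECTED, 1 otherwise.
verify_md5() {
    file=$1; expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Copy SRC over DEST after saving DEST as DEST.bak-<timestamp>.
# Refuses to touch DEST when SRC does not exist, so a bad extract
# cannot wipe the current extended objects.
replace_extended_objects() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "missing source dir: $src" >&2; return 1; }
    if [ -d "$dest" ]; then
        cp -a "$dest" "$dest.bak-$(date +%Y%m%d%H%M%S)" || return 1
    fi
    mkdir -p "$dest" && cp -a "$src"/. "$dest"/
}

# apply_hotfix <temporary_location_on_file_server> <File_Server_Root>
# Aborts before any replacement if either package checksum mismatches.
apply_hotfix() {
    tmp=$1; root=$2
    verify_md5 "$tmp/DISA - Windows Server 2016.zip" \
        1e1bcd1cfd47071b71eec6e9889612e6 \
        || { echo "template package checksum mismatch; do not import" >&2; return 1; }
    verify_md5 "$tmp/extended_objects.zip" \
        abd3117fa4150c929a103357a41832f6 \
        || { echo "extended_objects checksum mismatch; do not replace" >&2; return 1; }
    replace_extended_objects "$tmp/extended_objects" "$root/extended_objects"
}
```

Source the file and run `apply_hotfix <temporary_location> <File_Server_Root>` on the file server after extracting the package; the previous extended objects remain in the timestamped .bak directory for a manual merge if needed.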

Step 3: Importing the Compliance Content

  1. Log on to the Console.
  2. Right-click Component Templates and click Import.
  3. Select the Import (Version-neutral) option.
  4. Select the updated DISA - Windows Server 2016 zip package from the temporary location.
  5. The DISA STIG template for Windows 2016 is available in the DISA - Windows Server 2016 zip package. To import the templates, select the DISA - Windows Server 2016 as shown in the following screenshot.

    Note

    Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.


  6. Navigate to the last screen of the wizard and click Finish.
  7. Click OK. The templates are imported successfully.

Rules within the template

The template contains 272 rules.

The 272 rules provided in the zip package fall into the following types:

  • Rules that check for compliance (audit) and provide remediation - 191
  • Rules that check for compliance (audit) but do not provide remediation - 49
  • Rules that neither check for compliance nor provide remediation - 32

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts - 271
  • Rules divided into two parts - 1 (Rule Group ID V-73513), so 1 * 2 = 2

So, the rule count reported by the DISA Windows 2016 template after a compliance job runs is 273.

Important

Ensure that you have gone through the following points before you run the compliance checks or perform remediation:

  • While running compliance jobs on domain controller targets, set the target server's DOMAIN property to DC.
  • Leave DOMAIN property blank for member servers and standalone systems.

The following tables list the rules that lack remediation, or lack both compliance checks and remediation, along with comments.

Rules with compliance checks but no remediation

Rule IDs: V-73269, V-73287, V-73291, V-73293, V-73295, V-73297, V-73299, V-73301, V-73277
Comments: Additional information is needed from the end user to evaluate these rules, because the information is stored in an external system (for example, user and role expiry, unused files, and so on).

Rule IDs: V-73239
Comments: Remediation requires patching the system to the required patch level, which is beyond the scope of rule remediation. We can use our patching solution to mitigate this.

Rule IDs: V-73623, V-73625, V-73685, V-73309
Comments: The remediation might render the server inaccessible to the user or service.

Rule IDs: V-73405, V-73407, V-73409, V-73411, V-73369, V-73371, V-73249, V-73251, V-73253, V-73255
Comments: The remediation requires an update of permissions on the system for which no API is available. Additionally, this may require approval based on organizational processes and policies.

Rule IDs: V-73307
Comments: Updating the time may affect applications running on the operating system. This is governed by organizational policy and processes, which cannot be generically implemented.

Rule IDs: V-73223, V-73231
Comments: The remediation requires user input along with a password policy that has to be maintained by the organization.

Rule IDs: V-73259, V-73263, V-73387
Comments: These rules check for compliance but do not provide remediation.

Manual rules - rules without any compliance checks or remediation

Rule IDs: V-73217, V-73219, V-73225, V-73227, V-73233, V-73245, V-73235, V-73241, V-73243, V-73279, V-73281, V-73401, V-73403, V-73229, V-73221
Comments: These are informational rules that require manual interpretation. The checklist neither recommends nor provides any specific commands for checking them.

Rule IDs: V-73611, V-73613, V-73615
Comments: These rules require the end user to import and register the certificates provided by DISA. The validation parts have no API or command that can be used to check this.

Rule IDs: V-73383
Comments: This rule refers to the organization's network diagram or documentation and the classification level of the Windows domain controller. It is an informational rule and hence cannot be automated.

Rule IDs: V-73257, V-73373, V-73375, V-73377, V-73381, V-73385, V-73389, V-73391, V-73393, V-73395, V-73397, V-73399
Comments: Windows exposes no command or API to automate this check, so it must be performed manually.

Rule IDs: V-73265, V-73267
Comments: These are manual rules.
