DISA: Windows Server 2019
This document describes the hotfix that contains the Defense Information Systems Agency (DISA) template for Windows Server 2019, with implementations for 304 rules. The hotfix can be installed on TrueSight Server Automation 20.02 or later versions.
Step 1: Downloading and installing the files
- Log in to the ftp.bmc.com host using the SFTP protocol.
- Download the DISA_Template_and_EO package from the FTP location and extract its contents to a temporary location on the file server.
Step 2: Replacing the extended object scripts on the file server
- Back up the extended_objects folder on the file server: <File_Server_Root>/extended_objects/
- Replace the extended object script files on your file server with the extracted Extended Object script files stored in the temporary location: <temporary_location_on_file_server>/extended_objects/
Step 3: Importing the Compliance Content
- Log in to the TrueSight Server Automation console.
- Right-click Component Templates and click Import.
- Select Import (Version-neutral) and click OK.
- Select the DISA - Windows Server 2019 zip package from the temporary location.
The DISA template for Windows Server 2019 is provided in the DISA - Windows Server 2019.zip package. To import the templates, select DISA - Windows Server 2019.zip and click Next.
- Navigate to the last screen of the wizard and click Finish.
- Click OK. The templates are imported.
Rules within the template
The 304 rules provided in the zip package are of the following types:
- Rules that check for compliance (audit) and provide remediation - 195
- Rules that check for compliance (audit) but do not provide remediation - 63
- Rules that do not check for compliance and do not provide remediation - 46
After running the compliance job, the rule count for the DISA Windows 2019 template is 304.
The following tables list the rules that lack remediation, or lack both compliance checks and remediation, along with comments.
Rules with compliance checks but no remediation
Rule IDs | Comments |
---|---|
V-93383, V-93385, V-93387, V-93423, V-93389, V-93391, V-93397 | Evaluating this rule requires additional information from the end user, because the information is stored in an external system (for example, user and role expiry, or unused files). |
V-73239 | Remediation requires patching the system to the required patch level, which is beyond the scope of rule remediation. A patching solution can be used to mitigate this. |
V-93281, V-93283, V-93495, V-93145 | The remediation might render the server inaccessible to the user or service. |
V-93189, V-93191, V-93193, V-93195, V-93029, V-93031, V-93019, V-93021, V-93023, V-93025 | The remediation requires an update of permissions on the system, for which no API is available. Additionally, this may require approval based on organizational processes and policies. |
V-93187 | Updating the time may affect applications running on the operating system. This is governed by organizational policy and processes, which cannot be implemented generically. |
V-93473, V-93209 | The remediation requires user input along with the password policy that the organization must maintain. |
V-93457, V-93473, V-93509 | This rule checks for compliance but does not provide remediation. |
Manual rules - rules without any compliance checks or remediation
Rule IDs | Comments |
---|---|
V-93369, V-93027, V-93205, V-93207, V-93437, V-93219, V-93217, V-93571, V-93567, V-93183, V-93185, V-93461, V-93043 | More of an informational rule that requires manual interpretation. The checklist neither recommends nor provides any specific commands for checking this. |
V-93481, 73613, V-93485 | This rule requires the end user to import and register the certificates provided by DISA. No API or command is available to validate this. |
V-93513 | This rule refers to the organization's network diagram and documentation of the classification level of the Windows domain controller. It is informational and therefore cannot be automated. |
V-92993, V-93033, V-93035, V-93037, V-93417, V-93271, V-93121, V-93123, V-93125, V-93127, V-93129, V-93131 | Windows exposes no command or API to automate this check, so it must be done manually. |
V-93203, V-93531, V-93381, V-93187, V-93215 | This is a manual rule. |
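Before relying on the coverage described above, it is worth reconciling the two tables: an ID that appears in both, or twice in one, changes what the template actually audits. The following script is an added example, not BMC's code; it parses constructed copies of the two tables as published and reports the listed and unique counts, repeated IDs, malformed tokens, and IDs that are classified in both tables.

```python
import re
from collections import Counter
# Constructed copies of the two rule-ID tables above (comments shortened,
# spacing and the bare "73613" token kept exactly as published).
CHECK_NO_REMEDIATION = """\
V-93383,V-93385,V-93387,V-93423,V-93389,V-93391,V-93397 | external information
V-73239 | patch level
V-93281,V-93283,V-93495,V-93145 | may make server inaccessible
V-93189,V-93191,V-93193,V-93195,V-93029 ,V-93031,V-93019,V-93021,V-93023,V-93025 | permissions
V-93187 | time
V-93473, V-93209 | password policy
V-93457,V-93473,V-93509 | no remediation
"""
MANUAL = """\
V-93369,V-93027,V-93205,V-93207,V-93437,V-93219,V-93217,V-93571,V-93567,V-93183,V-93185,V-93461,V-93043 | informational
V-93481,73613,V-93485 | DISA certificates
V-93513 | network documentation
V-92993,V-93033,V-93035,V-93037,V-93417,V-93271,V-93121,V-93123,V-93125,V-93127,V-93129,V-93131 | no Windows API
V-93203,V-93531, V-93381 , V-93187, V-93215 | manual
"""
ID_RE = re.compile(r"^V-\d+$")  # well-formed STIG rule ID
def parse_ids(table):
    # Return (well_formed_ids, malformed_tokens) from the first column of each row.
    good, bad = [], []
    for line in table.splitlines():
        for tok in line.split("|")[0].split(","):
            tok = tok.strip()
            if tok:
                (good if ID_RE.match(tok) else bad).append(tok)
    return good, bad

def audit(tables):
    # Per table: listed/unique counts, repeated IDs, malformed tokens; across tables: IDs in more than one.
    report, id_sets = {}, []
    for name, table in tables.items():
        good, bad = parse_ids(table)
        id_sets.append(set(good))
        report[name] = {
            "listed": len(good),
            "unique": len(set(good)),
            "repeated": sorted(i for i, n in Counter(good).items() if n > 1),
            "malformed": bad,
        }
    report["overlap"] = sorted(set.intersection(*id_sets))
    return report

if __name__ == "__main__":
    for key, value in audit({"check_only": CHECK_NO_REMEDIATION, "manual": MANUAL}).items():
        print(key, value)
```

On the tables as published this flags V-93473 listed twice in the first table, V-93187 present in both tables, and the token 73613 lacking the V- prefix.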