DISA: Windows Server 2016

This document provides information about the hotfix containing Windows Server 2016 RTM (Release 1607) Security Configuration Benchmark Version 2, Release 2. This template contains implementation for 274 rules that that can be installed on TrueSight Server Automation 21.x or later.

Important

  • On the file server, check the value of the featureDisaWin16Template key in the content.version file, located in the %FILESERVER%\BladeLogic\storage\Content directory. Depending on the value, do one of the following:
    • If the value is 22.2.00.000, you don’t need to perform the steps mentioned in this topic, as these templates are deployed as part of the 22.2 installation process.
    • If the value is lower than 22.2.00.000, perform the steps mentioned in this topic to deploy these templates.
  • If existing template is customized, make sure to rename it before importing new one and performing below steps.
  • Ensure to review Template's local and global properties default values to match with organization standards

Before you begin

Before you install this hotfix, ensure that you perform the following:

  • Some policy settings require the installation of the SecGuide custom templates included with the STIG package. SecGuide.admx and SecGuide.adml (These files can be downloaded from Microsoft site) must be copied to the Target Machine at \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
  • Some policy settings require the installation of the MSS-Legacy custom templates included with the STIG package. MSS-Legacy.admx and MSS-Legacy.adml (These files can be downloaded from Microsoft site) must be copied to Target Machine at the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
  • Save a backup of the extended_objects folder, which is at the following location on the file server:
    <File_Server_Root>/extended_objects/

Step 1: Downloading and installing the files

Download the DISA_Template_and_EO package from the EPD location and extract its contents to a temporary location on the file server.

You must log in or register to view this page


Click here to expand checksum related infromation

Verify the downloaded content by using the following check sums.

S.No

File Name

MD5SUM

1

DISA - Windows Server 2016.zip

a4e027be2f1b8c110d3284677390782e

2

extended_objects.zip

abd3117fa4150c929a103357a41832f6

Verify the extended objects are present on the application. If the md5sums match, go ahead and replace them. If these md5sums do not match, you must manually merge the fixes.

Step 2: Replacing the extended object scripts on the file server


    1. Navigate to the extended objects script files on your file server:
      <File_Server_Root>/extended_objects/
    2. Replace the Extended Object script files on your file server, with the extracted Extended Object script files stored in the temporary location:
      <temporary_location_on_file_server>/extended_objects/

Step 3: Importing the Compliance Content

  1. Log on the Console.
  2. Right-click on Component Templates and click Import
  3. Select the Import (Version-neutral) option.
  4. Select the updated DISA - Windows Server 2016 zip package from the temporary location.
    2asd.png

  5. The DISA STIG template for Windows 2016 is available in the DISA - Windows Server 2016 zip package. To import the templates, select the DISA - Windows Server 2016 as shown in the following screenshot.

    Note

    ⦁    Ensure that you select the Use existing objects and Preserve template group path options, before you click Next.

    win2k16-import.jpg

  6. Navigate to the last screen of the wizard and click Finish.
  7. Click OK. The templates are imported successfully.
    5.png 

Rules within the template

The template contains 274 rules.

The following are the details of the 274 rules provided in the zip package. It contains the following types of rules:

  • Rules that check for compliance (audit) and provides remediation - 192
  • Rules that check for compliance(audit) but do not provide remediation - 36
  • Rules that do not check for compliance and do not provide remediation - 46

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts = 272
  • Rules divided into two parts - (2 Rules) so (1 * 2) = 2

So, the current rule count according to DISA Windows 2016 template after running the compliance job is 274.

Important

Ensure that you have gone through the following points before you run the compliance checks or perform remediation:

  • While running compliance jobs on domain controller targets, set the target server's DOMAIN property to DC.
  • Leave DOMAIN property blank for member servers and standalone systems.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*