DISA: Windows Server 2019

This document provides information about the hotfix that contains Defense Information Systems Agency (DISA) template for Windows Server 2019, Version 2 release 2 published on  4th May 2021 with implementation for 304 rules. The hotfix can be installed on TrueSight Server Automation 21.x and later.

Important

  • On the file server, check the value of the featureDisaWin19Template key in the content.version file, located in the %FILESERVER%\BladeLogic\storage\Content directory. Depending on the value, do one of the following:
    • If the value is 22.2.00.000, you don’t need to perform the steps mentioned in this topic, as these templates are deployed as part of the 22.2 installation process.
    • If the value is lower than 22.2.00.000, perform the steps mentioned in this topic to deploy these templates.
  • If existing template is customized, make sure to rename it before importing new one and performing below steps.
  • Ensure to review Template's local and global properties default values to match with organization standards

Before you begin

Before you install this hotfix, ensure that you perform the following:

  • Some policy settings require the installation of the SecGuide custom templates included with the STIG package. SecGuide.admx and SecGuide.adml (These files can be downloaded from Microsoft site) must be copied to the Target Machine at \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
  • Some policy settings require the installation of the MSS-Legacy custom templates included with the STIG package. MSS-Legacy.admx and MSS-Legacy.adml (These files can be downloaded from Microsoft site) must be copied to the Target Machine at \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
  • Save a backup of the extended_objects folder, which is at the following location on the file server:
    <File_Server_Root>/extended_objects/

Step 1: Downloading and installing the files

Download the DISA_Template_and_EO package from the EPD location and extract its contents to a temporary location on the file server.

You must log in or register to view this page

Click here to expand checksum related information

Verify the downloaded content by using the following check sums.

S.No

File Name

MD5SUM

1

DISA - Windows Server 2019.zip

0d873ed5eb3a47300bc7a5abd3ebc0d5

2

Extended_objects.zip

abd3117fa4150c929a103357a41832f6


Step 2: Replacing the extended object scripts on the file server

  1. Backup the extended_objects folder on the fileserver.
    <File_Server_Root>/extended_objects/
  2. Replace the extended object script files on your file server with the extracted Extended Object script files stored in the temporary location:
    <temporary_location_on_file_server>/extended_objects/

Step 3: Importing the Compliance Content

  1. Log in to the TrueSight Server Automation console.
  2. Right click Component Templates and click Import.
  3. Select Import (Version-neutral) and click OK
  4. Select the DISA - Windows Server 2019.zip package from the temporary location.

    image2020-2-7_19-39-44.png

  5. Ensure that the Use existing objects and Preserve template group path options are selected, and click Next.

    image2022-6-9_11-26-34.png

  6. Click Next to review the import contents and then click Finish.
    The templates are imported successfully.
    image2020-2-7_19-44-28.png

Rules within the template

The 304 rules provided in the zip package contains the following types of rules:

  • Rules that check for compliance (audit) and provides remediation - 195
  • Rules that check for compliance(audit) but do not provide remediation - 63
  • Rules that do not check for compliance and do not provide remediation - 46

The current rule count according to DISA Windows 2019 template after running the compliance job is 304.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*