DISA: Windows Server 2019


This topic provides instructions for installing the Defense Information Systems Agency (DISA) template for Windows Server 2019, Version 2 Release 4, published on May 31, 2022, which implements 276 rules. You can use this template with TrueSight Server Automation versions 22.2 and later.

Determine whether you need to install the template

Depending on the release timelines of the template, you might or might not need to install the template manually. 

To determine whether you need to install the template manually

  1. On the file server, check the value of the featureDisaWin19Template key in the content.version file, located in the %FILESERVER%\BladeLogic\storage\Content directory. Depending on the key's value, do one of the following:
    • If the value is 23.1.00.000, you don’t need to install the template manually because this template is deployed as part of the 23.1 installation process.
    • If the value is lower than 23.1.00.000, perform the steps mentioned in this topic to install these templates.
  2. If the existing template is customized, make sure to rename it before you import the new one and perform the steps mentioned in this topic.
  3. Ensure that the default values for the template's local and global properties meet the organization standards.
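
The version check in step 1, as an added PowerShell example (not BMC's own code). It assumes content.version stores one key=value pair per line; the function name and the sample value written to the temporary file are hypothetical.

```powershell
# Added example, not BMC code. Assumption: content.version holds one key=value pair per line.
function Test-DisaWin19ManualInstall {
    param(
        [Parameter(Mandatory)] [string]$Path,        # full path to content.version
        [string]$Key = 'featureDisaWin19Template',   # key named on this page
        [version]$BundledIn = '23.1.00.000'          # value named on this page
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "content.version not found: $Path"
    }
    # Match the key exactly and capture everything after '=' up to trailing whitespace.
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=\s*(?<v>\S+)\s*$'
    $value = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match $pattern) { $value = $Matches['v']; break }
    }
    if ($null -eq $value) { throw "Key '$Key' not present in $Path" }

    # Compare as versions, not strings, so that 9.x does not sort above 23.x.
    $found = $null
    if (-not [version]::TryParse($value, [ref]$found)) {
        throw "Value '$value' for '$Key' is not a dotted version"
    }
    $decision = if ($found -lt $BundledIn) {
        'Manual install required'
    } elseif ($found -eq $BundledIn) {
        'Deployed with the 23.1 installation; no manual install'
    } else {
        'Higher than 23.1.00.000; not covered by this page'
    }
    [pscustomobject]@{ Key = $Key; Value = $value; Decision = $decision }
}

# Constructed sample file (not real file-server content) so the function can be tried offline.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'content.version.sample'
Set-Content -LiteralPath $sample -Value 'featureDisaWin19Template=22.2.00.000'
Test-DisaWin19ManualInstall -Path $sample
```

On the file server, pass the path of the real content.version file under the Content directory named in step 1.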

Before you install the template

Before you install the template, ensure that the following requirements are met: 

  • All compliance content provided by BMC in your environment is updated to version 20.x or later.
  • The existing customized template is renamed before you import the new one (by performing the steps given below).
  • The default values for the template's local and global properties are reviewed and match the organization standards.
  • The extended_objects folder is backed up.

    The extended_objects folder is located at <File_Server_Root>/extended_objects/ on the file server. 

  • SecGuide custom templates (SecGuide.admx and SecGuide.adml) are installed on the target server under \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

    Some policy settings require the installation of the SecGuide custom templates included with the STIG package. These files can be downloaded from the Microsoft site. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

  • MSS-Legacy custom templates (MSS-Legacy.admx and MSS-Legacy.adml) are installed on the target server under \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

    Some policy settings require the installation of the MSS-Legacy custom templates included with the STIG package. These files can be downloaded from the Microsoft site. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

Tasks to install the template

Perform the following tasks to install the template:

  1. Download and install the files.
  2. Replace the extended object scripts on the file server.
  3. Import the Compliance Content.
  4. (Optional) View rules in the template.

Task 1: Download and install the files

  1. Download the DISA - Windows Server 2019 package from the EPD location and extract its contents to a temporary location on the file server.

    Verify the downloaded content by using the following checksums.

    | S.No | File Name                      | MD5SUM                           |
    |------|--------------------------------|----------------------------------|
    | 1    | DISA - Windows Server 2019.zip | dad0bb37db6e4b3f3027428a535f0fd6 |
    | 2    | ExtendedObjects.zip            | 10ef0f0dc0f343cd78bd2dccabd96d5d |

  2. Move the DISA - Windows Server 2019 package to your RCP client server.
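
The checksum verification from step 1, as an added PowerShell example (not BMC's own code). It assumes both archives sit in one folder; the `$DownloadDir` default is a hypothetical path.

```powershell
# Added example, not BMC code. $DownloadDir is a hypothetical folder that holds both archives.
param(
    [string]$DownloadDir = 'C:\Temp\DISA-Win2019'
)

# File names and MD5 sums exactly as listed in the checksum table on this page.
$expected = [ordered]@{
    'DISA - Windows Server 2019.zip' = 'dad0bb37db6e4b3f3027428a535f0fd6'
    'ExtendedObjects.zip'            = '10ef0f0dc0f343cd78bd2dccabd96d5d'
}

$results = foreach ($name in $expected.Keys) {
    $path = Join-Path -Path $DownloadDir -ChildPath $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Get-FileHash returns upper-case hex; normalise before comparing.
        $actual = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLowerInvariant()
        $status = if ($actual -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
    } else {
        $actual = $null
        $status = 'MISSING'
    }
    [pscustomobject]@{
        File        = $name
        Status      = $status
        ActualMD5   = $actual
        ExpectedMD5 = $expected[$name]
    }
}

$results | Format-Table -AutoSize

# Fail before anything is extracted or copied to the file server.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    throw "Checksum verification failed for: $($bad.File -join ', ')"
}
```

MD5 is the only digest this page publishes, so a match shows the file equals what was published; keep obtaining the package only from the authenticated EPD download.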

Task 2: Replace the extended object scripts on the file server

  1. Navigate to the extended objects script files on your file server:
    <File_Server_Root>/extended_objects/
  2. Replace the extended object script files on your file server with the extracted Extended Object script files stored in the temporary location:
    <temporary_location_on_file_server>/extended_objects/

Task 3: Import the Compliance Content

  1. Log in to the TrueSight Server Automation console.
  2. Right click Component Templates and click Import.

  3. Select Import (Version-neutral) and click OK.

  4. Select the DISA - Windows Server 2019.zip package from the temporary location and click Next.

    The DISA template for DISA - Windows Server 2019 is available in the DISA - Windows Server 2019.zip package.


  5. Ensure that the Update objects according to the imported package and Preserve template group path options are selected, and click Next.

  6. Navigate to the last screen of the wizard and click Finish.

  7. The templates are imported successfully. Click OK.

    The imported templates are shown under DISA Compliance Content > DISA.


(Optional) Task 4: Rules within the template

The 276 rules provided in the zip package contain the following types of rules:

  • Rules that check for compliance (audit) and provide remediation - 194
  • Rules that check for compliance (audit) but do not provide remediation - 38
  • Rules that do not check for compliance and do not provide remediation - 44

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts = 274
  • Rules divided into two parts (1 rule), so 1 × 2 = 2

The current rule count according to the DISA Windows 2019 template after running the compliance job is 276 (274 + 2).

Note

Before you run the compliance checks or perform remediation, ensure that you perform the following tasks: 

  • While running compliance jobs on domain controller targets, set the DOMAIN property of the target server to DC. 
  • Leave the DOMAIN property blank for member servers and standalone systems. Ensure that the value for the DOMAIN property is set to DC on all the domain controller targets and on all non-domain systems (Member Servers). This property can either be blank or can be any string other than DC for member servers.
  • Ensure that you copy the required admx/adml files specified in the CIS benchmark to the policy definition location. Remediation occurs only when these files are available. For more details, see section 18 of the CIS benchmark. By default, the policy definitions are located at:
    MS: %systemroot%\PolicyDefinitions
    DC: %SYSTEMROOT%\SYSVOL\sysvol\!USERDNSDOMAIN!\Policies\PolicyDefinitions

 
