DISA: Windows Server 2012 MS


This document provides information about the hotfix containing the Windows Server 2012 MS Security Configuration Benchmark Version 3, Release 2, published on 4 May 2021. The template implements 342 rules and can be installed on TrueSight Server Automation version 21.x or later.

Determine whether you need to install the template

If you have done a fresh installation of version 22.2 or later, you don't need to do anything because this template is installed as part of the 22.2 installation process.

If you have upgraded to 22.2 or later, this template is not installed automatically. To install this template, do one of the following actions:

  • Perform the steps mentioned in this topic.
    Through this method, the DISA template for Windows 2012 MS is installed.
  • Upgrade the compliance content by using one of the following methods:

    Important

    Rename any existing customized template before you run the Auto Content Import Job or install the template manually. 

    • Through the Auto Content Import Job after the upgrade. During the Application Server upgrade, the Network Shell script of this job is updated. After you upgrade TrueSight Server Automation, execute this job to obtain the latest compliance content.
      Through this method, the latest versions of all the templates that are available in version 22.2 are installed. For the complete list of supported templates and their versions, see Compliance-Content-support-and-requirements.
    • Install manually by using the content installer. Ensure that you use the content installer of the same version as the Application Server version. For information about how to install the compliance content manually, see Walkthrough-Loading-compliance-content.
      When you use this method, you have the flexibility to choose the template that you want to install from the set of templates that are available in version 22.2.

Before you begin

Before you begin, ensure that you perform the following tasks:

  • Some policy settings require the installation of the following SecGuide custom templates included with the STIG package: SecGuide.admx and SecGuide.adml. You can download these files from the Microsoft site. Copy the SecGuide.admx file to the Windows\PolicyDefinitions directory and the SecGuide.adml file to the Windows\PolicyDefinitions\en-US directory on the target server.

  • Some policy settings require the installation of the following MSS-Legacy custom templates included with the STIG package: MSS-Legacy.admx and MSS-Legacy.adml. You can download these files from the Microsoft site. Copy the MSS-Legacy.admx file to the Windows\PolicyDefinitions directory and the MSS-Legacy.adml file to the Windows\PolicyDefinitions\en-US directory on the target server.

  • Back up the sensors folder located in the <AppServerInstallDir>/share directory on all the Application Servers in a multiple Application Server environment. This folder contains the extended object scripts.

Step 1: Download the files

  1. Download the DISA_Template_and_EO package from the EPD and extract its contents to a temporary location on the file server.
  2. Verify the downloaded content by using the following checksums:

    S.No  File Name                          MD5SUM
    1     DISA - Windows Server 2012 MS.zip  11f29008e4ab890b43cf920ba490a21d
    2     ExtendedObjects.zip                ce0c8b792a205696e5b1af03abfe72ef

    Verify the extended objects are present on the application. If the md5sums match, go ahead and replace them. If these md5sums do not match, you must manually merge the fixes.

  3. Extract the contents of ExtendedObjects.zip to a temporary directory and copy the extracted files to the existing <APPSERVER_INSTALL_DIR>/share/sensors directory on all the Application Servers.
  4. Move DISA - Windows Server 2012 MS.zip to the server where the TrueSight Server Automation console is installed.
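
The checksum verification in item 2 of this step can be scripted so that the procedure stops when an archive is missing or altered. The following is an added example, not part of the vendor's package: the function names and the command-line argument are assumptions, and the MD5 values are the ones listed in the table above.

```python
"""Added example: verify the hotfix archives against the MD5 values published on this page."""
import hashlib
import sys
from pathlib import Path

# MD5 values copied from the checksum table in Step 1.
PUBLISHED_MD5 = {
    "DISA - Windows Server 2012 MS.zip": "11f29008e4ab890b43cf920ba490a21d",
    "ExtendedObjects.zip": "ce0c8b792a205696e5b1af03abfe72ef",
}


def md5_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large archives are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_archives(directory, expected=PUBLISHED_MD5):
    """Return {file name: "ok" | "missing" | "mismatch (got <md5>)"} for each expected file."""
    results = {}
    for name, published in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = md5_of(path)
        matches = actual == published.strip().lower()
        results[name] = "ok" if matches else f"mismatch (got {actual})"
    return results


if __name__ == "__main__":
    # Assumption: the directory holding the extracted package is the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    report = verify_archives(target)
    for name, status in report.items():
        print(f"{name}: {status}")
    # Fail closed: a missing or mismatched archive ends the run with a non-zero exit code.
    sys.exit(0 if all(status == "ok" for status in report.values()) else 1)
```

An MD5 match shows that the download is not corrupted or truncated; MD5 is not collision resistant, so the match alone does not establish where the package came from.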

Step 2: Import the Compliance Content

  1. Log on to the Console.
  2. Right-click Component Templates and click Import.
  3. Select the Import (Version-neutral) option.
  4. Select the updated DISA - Windows Server 2012 MS.zip package from the temporary location and click Next.
  5. To import the template, select DISA - Windows Server 2012 MS.
  6. Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.
  7. Navigate to the last screen of the wizard and click Finish.
  8. The template is imported successfully. Click OK.
    The imported template is shown under DISA Compliance Content > DISA STG Revised.

Rules within the template

The template contains 342 rules.

The 342 rules provided in the zip package are of the following types:

  • Rules that check for compliance (audit) and provide remediation - 159
  • Rules that check for compliance (audit) but do not provide remediation - 135
  • Rules that do not check for compliance and do not provide remediation - 48

The following are the details of the rules that are divided into parts:

  • Rules not divided into parts - 332
  • Rules divided into two parts - 3 rules (Rule Group IDs V-73523, V-80475, and V-1145), so 3 * 2 = 6
  • Rules divided into four parts - 1 rule (Rule Group ID V-3487), so 1 * 4 = 4

So, the rule count reported by the DISA Windows 2012 MS template after running the compliance job is 342 (332 + 6 + 4).

Important

Ensure that you have gone through the following points before you run the compliance checks or perform remediation:

  • While running compliance jobs on domain controller targets, set the target server's DOMAIN property to DC.
  • Leave the DOMAIN property blank for member servers and standalone systems.

 
