DISA: Windows Server 2022
This document provides information about the Defense Information Systems Agency (DISA) STIG template for Windows Server 2022, Version 1, Release 3, published on June 7, 2023. The template implements 274 rules and can be installed on TrueSight Server Automation 20.x or later.
Determine whether you need to install the template
If you are installing TrueSight Server Automation version 23.4 for the first time (fresh installation), no action is required because this template is installed as a part of the 23.4 installation process.
If you have upgraded to 23.4 or later, this template is not installed automatically. To install this template, do one of the following actions:
- Perform the steps mentioned in this topic.
  Through this method, the DISA STIG template for Windows Server 2022 is installed.
- Upgrade the compliance content by using one of the following methods:
  - Through the Auto Content Import Job after the upgrade. During the Application Server upgrade, the Network Shell script of this job is updated. After you upgrade TrueSight Server Automation, execute this job to obtain the latest compliance content.
    Through this method, the latest version of every template that is available in version 23.4 is installed. For the complete list of supported templates and their versions, see Compliance-Content-support-and-requirements.
  - Install manually by using the content installer. Ensure that you use the content installer of the same version as the Application Server version. For information about how to install the compliance content manually, see Walkthrough-Loading-compliance-content.
    When you use this method, you have the flexibility to choose the template that you want to install from the set of templates that are available in version 23.4.
Before you begin
Before you import this template, ensure that the following requirements are met:
- Verify that the default values for the template's local and global properties meet your organization's standards.
- Rename any existing customized template before you import the latest template.
- Back up the extended_objects folder located in the <APPRSERVER_INSTALL_DIR>/share/sensors directory on all the Application Servers in a multiple Application Server environment. This folder contains the extended object scripts.
- Perform the following tasks before you run the compliance checks or perform remediation:
  - When you run compliance jobs on domain controller targets, set the DOMAIN property of the target server to DC.
  - Leave the DOMAIN property blank for member servers (non-domain systems) and standalone systems.
  - Copy the SecGuide custom templates (SecGuide.admx and SecGuide.adml) to all the target servers, under the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories, respectively.
  - Copy the MSS-Legacy custom templates (MSS-Legacy.admx and MSS-Legacy.adml) to all the target servers, under the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories, respectively.
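The following PowerShell script is an added example, not part of the vendor's content. It stages the four template files on one target server and confirms that each copy matches its source. It assumes the files were already downloaded to a hypothetical folder (`C:\Temp\StigTemplates`) and that the script runs locally in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: stage the SecGuide and MSS-Legacy templates on a target server.
# $SourceDir is a hypothetical staging folder that holds the four files.
param(
    [string]$SourceDir = 'C:\Temp\StigTemplates',   # assumption, adjust as needed
    [string]$PolicyDir = (Join-Path $env:SystemRoot 'PolicyDefinitions')
)

$ErrorActionPreference = 'Stop'
$langDir = Join-Path $PolicyDir 'en-US'

# .admx files go in PolicyDefinitions; .adml files go in the en-US subfolder.
$files = @(
    [pscustomobject]@{ Name = 'SecGuide.admx';   Dest = $PolicyDir }
    [pscustomobject]@{ Name = 'SecGuide.adml';   Dest = $langDir }
    [pscustomobject]@{ Name = 'MSS-Legacy.admx'; Dest = $PolicyDir }
    [pscustomobject]@{ Name = 'MSS-Legacy.adml'; Dest = $langDir }
)

# Stop before copying anything if a source file is missing, so a target
# never ends up with an .admx that has no matching .adml.
$missing = $files | Where-Object {
    -not (Test-Path (Join-Path $SourceDir $_.Name) -PathType Leaf)
}
if ($missing) {
    throw "Missing in ${SourceDir}: $($missing.Name -join ', ')"
}

foreach ($f in $files) {
    $src = Join-Path $SourceDir $f.Name
    $dst = Join-Path $f.Dest $f.Name
    if (-not (Test-Path $f.Dest -PathType Container)) {
        New-Item -ItemType Directory -Path $f.Dest | Out-Null
    }
    Copy-Item -Path $src -Destination $dst -Force

    # Confirm that the copy is byte-identical to the source.
    $srcHash = (Get-FileHash -Path $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Hash mismatch after copy: $dst" }

    # Emit one record per file for the change log.
    [pscustomobject]@{ File = $f.Name; Destination = $f.Dest; SHA256 = $dstHash }
}
```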
Step 1: Download the files
- Access the following EPD link and click TSSA 23.2.00 DISA STIG Updates for Windows 2022 to download the DISA - Windows Server 2022 package:
- Extract the contents of ExtendedObjects.zip to a temporary directory and copy the extracted files to the existing <APPRSERVER_INSTALL_DIR>/share/sensors directory on all the Application Servers.
- Move DISA_Windows_2022_V1R3_STIG.zip to the server where the TrueSight Server Automation console is installed.
Step 2: Import the compliance content
- Log in to the TrueSight Server Automation console.
- Right-click Component Templates and select Import.
- Select the Import (Version-neutral) option and click OK.
- Select the DISA - Windows Server 2022.zip package from the temporary location and click Next.
  The DISA template for DISA - Windows Server 2022 is available in the DISA - Windows Server 2022.zip package.
- To import the template, select DISA - Windows Server 2022 and click Next.
- Select the Update objects according to the imported package and Preserve template group path options, and click Next.
- Navigate to the last screen of the wizard and then click Finish.
- The template is imported successfully. Click OK.
The imported template is shown under DISA Compliance Content > DISA STIG Revised.
Rules within the template
The 274 rules provided in the zip package fall into the following types:
- Rules that check for compliance (audit) and provide remediation - 192
- Rules that check for compliance (audit) but do not provide remediation - 36
- Rules that do not check for compliance and do not provide remediation - 46
The following are the details of the rules that are divided into parts:
- Rules not divided into parts = 272
- Rules divided into two parts (1 rule), so 1 × 2 = 2
The current rule count according to the DISA Windows 2022 template after running the compliance job is 274 (272 + 2).