DISA: Windows Server 2022
Product: BMC TrueSight Server Automation
Applicable Version: 20.x and later
Feature/Hotfix: Importing DISA Compliance Content Templates (Version V2R3) for Windows Server 2022
Overview
This document outlines the steps to import the updated DISA Compliance Templates (V2R3) for Windows Server 2022. These templates are compatible with BMC TrueSight Server Automation version 20.x and later.
The updated DISA Windows Server 2022 V2R3 template introduces a script-based approach that is more streamlined, modular, and maintainable for managing compliance checks. Each rule is now supported by dedicated audit and remediation scripts, organized within a structured directory to ensure clarity and ease of maintenance.
The template includes Local Configuration Objects for each rule, which are responsible for triggering the corresponding audit scripts. Remediation scripts are specifically designed for each rule to ensure accurate and efficient compliance enforcement.
This approach delivers a consistent, script-driven framework that aligns with DISA Windows 2022 compliance requirements while enabling easier updates and reliable execution.
Updated Template
- DISA – Windows Server 2022
Before you begin
Before importing the template, review and adjust the following local and global properties to align with your organization’s standards:
Property name | Rule ID | Default value | Notes |
---|---|---|---|
ADMIN_ACCOUNT_NAME | V-254239 | Administrator | If renamed, specify the new administrator account name. |
APPLICATION_USER_LIST | V-254243 | "user1,user2" | Manually managed application/service accounts |
DOWNLOADMODE | V-254357 | 0 | Acceptable Values and Descriptions: Note: Use the following values based on your network configuration: |
FOREST_NAME | V-254400 | "dc=disaost,dc=mil" | Fully qualified LDAP name of the domain being reviewed. |
APPROVED_ISSUERS | V-254413 | "test1,test2" | List of authorized CAs. This property is related to PKI. For example, DoD PKI, ECA |
ALLOWED_DOMAIN_SUFFIX | V-254414 | "test" | Domain suffix used in User Principal Name (UPN) For example: |
SEDENYINTERACTIVELOGONRIGHT | V-254438 | "user1" | Set to BladeLogicRSCD (MS) or BladeLogicRSCDDC (DC). Use comma-separated usernames if needed. |
- The audit script auto-detects Domain Controller vs Member Server; there is no need to manually set the DOMAIN property.
Make sure the following files are copied to all target servers:
- .admx: C:\Windows\PolicyDefinitions
- .adml: C:\Windows\PolicyDefinitions\en-US
Rule ID | ADMX File | ADML File |
---|---|---|
V-254276 | SecGuide.admx | SecGuide.adml |
V-254277 | SecGuide.admx | SecGuide.adml |
V-254334 | SecGuide.admx | SecGuide.adml |
V-254335 | MSS-Legacy.admx | MSS-Legacy.adml |
V-254336 | MSS-Legacy.admx | MSS-Legacy.adml |
V-254337 | MSS-Legacy.admx | MSS-Legacy.adml |
V-254338 | MSS-Legacy.admx | MSS-Legacy.adml |
V-254429 | SecGuide.admx | SecGuide.adml |

Download these files from the Microsoft Download Center if they are not already present.
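The following PowerShell script is an added example, not part of the BMC package: it checks a target server for the ADMX/ADML files listed above and reports which rule IDs lack their templates. The parameter names and the exit-code convention are assumptions; the paths and the rule-to-file mapping come from this page.

```powershell
# Added example: prerequisite check for the ADMX/ADML files listed on this page.
# Run locally on a target server (save as a .ps1 script).
param(
    [string]$PolicyRoot = 'C:\Windows\PolicyDefinitions',  # .admx location from this page
    [string]$Locale     = 'en-US'                          # .adml subfolder from this page
)

# Rule ID -> template base name, as listed in the table above.
$RuleTemplates = [ordered]@{
    'V-254276' = 'SecGuide'
    'V-254277' = 'SecGuide'
    'V-254334' = 'SecGuide'
    'V-254335' = 'MSS-Legacy'
    'V-254336' = 'MSS-Legacy'
    'V-254337' = 'MSS-Legacy'
    'V-254338' = 'MSS-Legacy'
    'V-254429' = 'SecGuide'
}

$results = foreach ($rule in $RuleTemplates.Keys) {
    $base = $RuleTemplates[$rule]
    $admx = Join-Path $PolicyRoot "$base.admx"
    $adml = Join-Path (Join-Path $PolicyRoot $Locale) "$base.adml"
    [pscustomobject]@{
        RuleId      = $rule
        Template    = $base
        AdmxPresent = Test-Path -LiteralPath $admx -PathType Leaf
        AdmlPresent = Test-Path -LiteralPath $adml -PathType Leaf
    }
}

$results | Format-Table -AutoSize

# A rule is only ready when both the .admx and its matching .adml exist.
$missing = @($results | Where-Object { -not ($_.AdmxPresent -and $_.AdmlPresent) })
if ($missing.Count -gt 0) {
    Write-Warning ("Templates missing for rules: " + ($missing.RuleId -join ', '))
    exit 1   # non-zero exit so a wrapping job can flag the server
}
```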
Step 1: Download and install the files
- Download the DISA - Windows Server 2022 package from the EPD location by following these steps:
- Log in to the BMC EPD Website.
- In View by category, navigate to Additional Products and select Server Automation.
- Navigate to:
- TrueSight Server Automation > TrueSight Server Automation 24.4.0.0, or
- True Sight Server Automation Compliance Module > True Sight Server Automation Compliance Module 24.4.0.0.
- Download the TSSA 24.4.00 DISA updates for Windows 2022.
This file includes:
- DISA-Windows Server 2022.zip
- U_MS_Windows_Server_2022_V2R3_STIG.zip
- RELEASE_NOTES_FOR_HOTFIX_OF_DISA_WINDOWS_2022_V2R3.docx
- ExtendedObjects.zip
- Verify the MD5 Checksums in the downloaded content:
Filename | MD5 checksum |
---|---|
DISA - Windows Server 2022.zip | 554dcb686cf544a2c9d43f366a58a119 |
ExtendedObjects.zip | 13a3343323f3048acf0654c42f9bdee4 |
- Update the extended objects
- Extract ExtendedObjects.zip.
- Back up existing objects from <Appserver_Install_Path>/share/sensors/disa/win2022.
- Replace only the updated objects on all app servers.
- Move the DISA - Windows Server 2022 package to your RCP client server.
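For the checksum verification in Step 1, the following PowerShell script is an added example, not part of the BMC package. It compares the downloaded archives against the MD5 values in the table above; the `$DownloadDir` parameter is an assumption, and the file names are used as written in the checksum table.

```powershell
# Added example: verify the downloaded archives against the MD5 values on this page.
param(
    [string]$DownloadDir = '.'   # assumed: folder holding the extracted EPD download
)

# Expected values copied from the checksum table above.
$Expected = @{
    'DISA - Windows Server 2022.zip' = '554dcb686cf544a2c9d43f366a58a119'
    'ExtendedObjects.zip'            = '13a3343323f3048acf0654c42f9bdee4'
}

$failed = $false
foreach ($name in $Expected.Keys) {
    $path = Join-Path $DownloadDir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "MISSING   $name"
        $failed = $true
        continue
    }
    try {
        $actual = (Get-FileHash -LiteralPath $path -Algorithm MD5 -ErrorAction Stop).Hash
    } catch {
        # Hashing failed (for example, the file could not be read).
        Write-Warning "ERROR     $name ($($_.Exception.Message))"
        $failed = $true
        continue
    }
    # Get-FileHash returns upper-case hex; -eq compares strings case-insensitively.
    if ($actual -eq $Expected[$name]) {
        Write-Output "OK        $name"
    } else {
        Write-Warning "MISMATCH  $name (got $($actual.ToLower()))"
        $failed = $true
    }
}

# Stop before replacing extended objects or importing if anything did not match.
if ($failed) { exit 1 }
```

A matching MD5 shows the download arrived intact; MD5 is not collision-resistant, so the authenticity of the package still rests on the authenticated EPD download.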
Step 2: Import the compliance content
- Log in to the Console.
- Right-click Component Templates and select Import.
- Select the Import (Version-neutral) option and click OK.
- The DISA template for DISA - Windows Server 2022 is available in the DISA - Windows Server 2022.zip package. Select this package from the temporary location and click Next.
- Make sure that you select the Update objects according to the imported package and Preserve template group path options, and click Next.
- Click Finish.
- Click OK.
The templates will appear under: DISA Compliance Content > DISA STIG Revised.
Rules within the template
The following are the details of the 275 rules provided in the zip package. It contains the following types of rules:
- Rules that check for compliance (audit) and provide remediation: 205
- Rules that check for compliance (audit) but do not provide remediation: 28
- Rules that do not check for compliance and do not provide remediation: 42
The following are the details of the rules that are divided into parts:
- Rules not divided into parts: 272
- Rules divided into two parts: 1 rule, counted as (1 * 3) = 3
The current rule count, according to the DISA Windows 2022 template, after running the compliance job, is 275 (272+3).