DISA: Windows Server 2022 V2R4
This document provides information about the hotfix which contains a DISA template for DISA - Windows Server 2022 V2R4, with implementation for 276 rules that can be installed on TrueSight Server Automation 20.x onwards. This template is created based on the recommended settings defined by Microsoft Windows Server 2022 Security Technical Implementation Guide V2R4, published on January 30, 2025.
As part of the 25.4 release, a new DISA template DISA WINDOWS 2022 is introduced. This version adopts a script-based approach, where compliance checks and remediations are executed by using PowerShell scripts.
Before you begin
Before importing the template, perform the following tasks:
- Review and adjust the following local and global properties to align with your organization’s standards:

| Property name | Rule ID | Default value | Notes |
|---|---|---|---|
| ADMIN_ACCOUNT_NAME | V-254239 | Administrator | If renamed, specify the new administrator account name. |
| APPLICATION_USER_LIST | V-254243 | "user1,user2" | Manually managed application/service accounts. |
| DOWNLOADMODE | V-254357 | 0 | See the acceptable values and descriptions listed after this table. |
| FOREST_NAME | V-254400 | "dc=disaost,dc=mil" | Fully qualified LDAP name of the domain being reviewed. |
| APPROVED_ISSUERS | V-254413 | "test1,test2" | List of authorized CAs. This property is related to PKI. For example, DoD PKI, ECA. |
| ALLOWED_DOMAIN_SUFFIX | V-254414 | "test" | Domain suffix used in User Principal Name (UPN). For example: Name User1, User Principal Name 1234567890@mil. |
| SEDENYINTERACTIVELOGONRIGHT | V-254438 | "user1" | Set to BladeLogicRSCD (MS) or BladeLogicRSCDDC (DC). Use comma-separated usernames if needed. |

Acceptable values and descriptions for DOWNLOADMODE (V-254357):

| Hex value | Decimal value | Description |
|---|---|---|
| 0x00000000 | 0 | No peering (HTTP Only) |
| 0x00000001 | 1 | Peers on same NAT only (LAN) |
| 0x00000002 | 2 | Local Network / Private group peering (Group) |
| 0x00000063 | 99 | Simple download mode, no peering (Simple) |

Note: Use the following values based on your network configuration:
- 0 for HTTP only
- 1 for LAN
- 2 for Group
- 99 for Simple

- The audit script auto-detects Domain Controller vs Member Server; there is no need to manually set the DOMAIN property.
Make sure the following files are copied to all target servers; they are necessary for proper remediation.
- .admx: C:\Windows\PolicyDefinitions
- .adml: C:\Windows\PolicyDefinitions\en-US

| Rule ID | ADMX File | ADML File |
|---|---|---|
| V-254276 | SecGuide.admx | SecGuide.adml |
| V-254277 | SecGuide.admx | SecGuide.adml |
| V-254334 | SecGuide.admx | SecGuide.adml |
| V-254335 | MSS-Legacy.admx | MSS-Legacy.adml |
| V-254336 | MSS-Legacy.admx | MSS-Legacy.adml |
| V-254337 | MSS-Legacy.admx | MSS-Legacy.adml |
| V-254338 | MSS-Legacy.admx | MSS-Legacy.adml |
| V-254429 | SecGuide.admx | SecGuide.adml |

Download these files from the Microsoft Download Center if they are not already present.
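
The following PowerShell check is an added example, not part of the BMC package: run on a target server, it tests for each ADMX/ADML file at the paths given above and reports which rule IDs are affected when a file is missing. The variable names are chosen here for illustration.

```powershell
# Added example: confirm the ADMX/ADML templates required for remediation
# are present on this server, and list the rule IDs affected if they are not.
$policyRoot = 'C:\Windows\PolicyDefinitions'          # .admx location from this page
$langRoot   = 'C:\Windows\PolicyDefinitions\en-US'    # .adml location from this page

# Rule-to-template mapping copied from the table on this page.
$ruleTemplates = [ordered]@{
    'V-254276' = 'SecGuide'
    'V-254277' = 'SecGuide'
    'V-254334' = 'SecGuide'
    'V-254335' = 'MSS-Legacy'
    'V-254336' = 'MSS-Legacy'
    'V-254337' = 'MSS-Legacy'
    'V-254338' = 'MSS-Legacy'
    'V-254429' = 'SecGuide'
}

$report = foreach ($rule in $ruleTemplates.Keys) {
    $base = $ruleTemplates[$rule]
    [pscustomobject]@{
        RuleId      = $rule
        Template    = $base
        AdmxPresent = Test-Path -LiteralPath (Join-Path $policyRoot "$base.admx") -PathType Leaf
        AdmlPresent = Test-Path -LiteralPath (Join-Path $langRoot   "$base.adml") -PathType Leaf
    }
}

$report | Format-Table -AutoSize

# Both files are needed per rule; flag any rule where either one is absent.
$missing = @($report | Where-Object { -not ($_.AdmxPresent -and $_.AdmlPresent) })
if ($missing.Count -gt 0) {
    Write-Warning ("Templates missing for rules: " + ($missing.RuleId -join ', '))
} else {
    Write-Output 'All required ADMX/ADML templates are present.'
}
```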
Step 1: Download and install the files
- Download the DISA - Windows Server 2022 package from the EPD location by following these steps:
- Log in to the BMC EPD Website.
- In View by category, navigate to Additional Products and select Server Automation.
- Go to:
- TrueSight Server Automation > TrueSight Server Automation 25.2.00, or
- True Sight Server Automation Compliance Module > True Sight Server Automation Compliance Module 25.2.00.
- Download the TSSA 25.2.00 DISA updates for Windows 2022, which includes the following:
- DISA-Windows Server 2022.zip
- U_MS_Windows_Server_2022_V2R4_STIG.zip
- RELEASE_NOTES_FOR_HOTFIX_OF_DISA_WINDOWS_2022_V2R4.docx
- ExtendedObjects.zip
- Verify the downloaded content by using the following checksums:

| File name | MD5 checksum |
|---|---|
| DISA - Windows Server 2022.zip | 3489aa3a35ea9f17281a4c7b214bf095 |
| ExtendedObjects.zip | a008e80e513dd5ab6a0101b31917d49e |

- Extract ExtendedObjects.zip.
- Back up existing objects from <Appserver_Install_Path>/share/sensors/disa/win2022.
- Replace only the updated objects on all app servers.
- Move the DISA - Windows Server 2022 package to your RCP client server.
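
The checksum verification in the steps above can be scripted before anything is extracted or imported. This PowerShell snippet is an added example, not part of the BMC package; the download folder is an assumption, and the file names and MD5 values are the ones published on this page.

```powershell
# Added example: verify the downloaded archives against the MD5 values
# published on this page before extracting or importing them.
# $DownloadDir is an assumed location; point it at the folder holding the files.
param(
    [string]$DownloadDir = "$env:USERPROFILE\Downloads"
)

# File names and MD5 checksums exactly as listed in the checksum table.
$expected = [ordered]@{
    'DISA - Windows Server 2022.zip' = '3489aa3a35ea9f17281a4c7b214bf095'
    'ExtendedObjects.zip'            = 'a008e80e513dd5ab6a0101b31917d49e'
}

$results = foreach ($name in $expected.Keys) {
    $path = Join-Path -Path $DownloadDir -ChildPath $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        [pscustomobject]@{ File = $name; Status = 'Missing'; Actual = $null }
        continue
    }
    $actual = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
    # Get-FileHash returns uppercase hex; string -eq is case-insensitive in PowerShell.
    $status = if ($actual -eq $expected[$name]) { 'OK' } else { 'Mismatch' }
    [pscustomobject]@{ File = $name; Status = $status; Actual = $actual.ToLower() }
}

$results | Format-Table -AutoSize

# Stop here if any archive is missing or does not match the published value.
if ($results | Where-Object { $_.Status -ne 'OK' }) {
    throw 'Checksum verification failed; download the package again before importing it.'
}
```

On a host where the FIPS algorithm policy is enforced, Get-FileHash can refuse to compute MD5; run the check on the workstation used for the download instead.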
Step 2: Import the compliance content
- Log in to the TrueSight Server Automation Console.
- Right-click Component Templates and select Import.

- Select the Import (Version-neutral) option and click OK.

- Select the DISA - Windows Server 2022.zip package from the temporary location and click Next. The DISA template for DISA - Windows Server 2022 is available in this package.

- Make sure that you select the Update objects according to the imported package and Preserve template group path options. Click Next.

- Click Finish.

- Click OK.

The templates will appear under: DISA Compliance Content > DISA STIG Revised.
Rules within the template
The following are the details of the 276 rules provided in the zip package. The package contains the following types of rules:
- Rules that check for compliance (audit) and provide remediation: 191
- Rules that check for compliance (audit) but do not provide remediation: 36
- Rules that do not check for compliance and do not provide remediation: 46
The following are the details of the rules that are divided into parts:
- Rules not divided into parts: 274
- Rules divided into two parts: 1 rule, counted as (1 × 2) = 2
The current rule count, according to the DISA Windows 2022 template, after running the compliance job, is 276 (274+2).