KHIKA Standard Hardening Policies
Revision as of 07:47, 14 June 2019 by Dhanashree kulkarni
KHIKA Server Hardening for Windows Servers
The policies and rules in the default Server Hardening template that KHIKA provides for Windows Servers (2007 onwards) are listed below, together with the value each rule expects:
Policy Name | Rule Name and Description | Desired Value |
---|---|---|
Account & Password Policy | Password Age Minimum - Number of days for which a user must keep a password before it can be changed. | 1 Day |
 | Password Age Maximum - Number of days after which a password expires. | 45 Days |
 | Password Length Minimum - The least number of characters that can make up a password for a user account. | 8 Characters |
 | Password Complexity Level - Denotes whether password complexity requirements are enabled. | Enabled |
 | Password History Count - The number of unique new passwords that have to be associated with a user account before an old password can be reused. | 5 passwords |
 | Password Lockout Count - Number of failed logon attempts after which a user account MUST be locked out. | 5 attempts |
 | Administrator Name - Denotes the Administrator account name. | Administrator |
 | Password in Clear Text - Determines whether passwords are stored using reversible encryption. | Disabled |
 | Guest Account Enable/Disable - Denotes whether the Guest account is enabled or disabled. | Disabled |
Audit Policy | Audit System Events - Audit when a user restarts or shuts down the computer, or when an event occurs that affects either the system security or the security log. | Audit Success & Failure |
 | Audit Logon Events - Audit each instance of a user logging on to or logging off from a computer. | Audit Success & Failure |
 | Audit Object Access - Audit the event of a user accessing an object. | No Audit |
 | Audit Privilege Use - Audit each instance of a user exercising a user right. | Audit Success & Failure |
 | Audit Policy Change - Audit every incident of a change to user rights assignment policies, audit policies, or trust policies. | Audit Success & Failure |
 | Audit Account Management - Audit each event of account management on a computer. | Audit Success & Failure |
 | Audit Process Tracking - Audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. | No Audit |
 | Audit Directory Service Access - Audit each instance of a user attempting to access an Active Directory object. | No Audit |
 | Audit Account Logon - Audit each time this computer validates the credentials of an account. | Audit Success & Failure |
Event Log Policy | Maximum Application event log size. | 16384 KB |
 | Maximum System event log size. | 16384 KB |
 | Maximum Security event log size. | 16384 KB |
 | Application event log overflow action. | overwriteolder, overwriteasneeded |
 | System event log overflow action. | overwriteolder, overwriteasneeded |
 | Security event log overflow action. | overwriteolder, overwriteasneeded |
Security Policy | Digitally sign secure channel data (when possible). | Enabled |
 | Digitally encrypt secure channel data (when possible). | Enabled |
 | Everyone permissions apply to anonymous users. | Disabled |
 | Restrict anonymous access to Named Pipes and Shares. | Enabled |
 | Named pipes that can be accessed anonymously. | Should be empty |
 | Shares that can be accessed anonymously. | Should be empty |
 | Sharing and security model for local accounts must be Classic. | Enabled |
Additional Security Policy | Do not display last username. | Enabled |
 | LDAP server signing requirements. | Required |
 | Network client: Digitally sign communications (if server agrees). | Enabled |
 | Minimum session security for NTLM SSP based (including secure RPC) clients. | Require NTLMv2 Session Security & 128-bit encryption |
 | LAN Manager authentication level. | Send NTLMv2 response only. Refuse LM & NTLM |
 | Do not store LAN Manager hash value on next password change. | Enabled |
 | LDAP client signing requirements. | None |
 | Minimum session security for NTLM SSP based (including secure RPC) servers. | Require NTLMv2 Session Security & 128-bit encryption |
 | Optional subsystems. | None |
 | A password-protected screensaver with a 10 minute timeout must be set on the server. | Enabled |
 | Do not allow anonymous enumeration of SAM accounts and shares. | Enabled |
 | Do not allow storage of credentials or .NET passwords for network authentication. | Enabled |
Privilege Policy | Allow logon through RDP/Terminal Services. | Remote Desktop Users, Administrators, Domain Admins |
 | Shut down the system. | Administrator |
 | Deny access to this computer from the network. | Anonymous Logon |
Device Policy | CDROM Status - whether the CD-ROM drive is enabled or disabled. | Disabled |
 | USB Status - whether USB devices are enabled or disabled. | Disabled |
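One way to verify the Account & Password Policy and Audit Policy rows of this template on a host is to compare a local security policy export (`secedit /export /cfg <file>`) against the desired values. The script below is an added example, not KHIKA's or this page's own code; it assumes the standard `secedit` INF key names and encoding of the audit values (0 = No Audit, 3 = Success & Failure), and the sample export it reads is constructed here.

```python
"""Check a `secedit /export /cfg <file>` dump against the account, password and audit rows above (added example, not KHIKA's code)."""
import configparser
# Table values in secedit INF key names (assumed standard); audit: 0 = No Audit, 3 = Success & Failure.
DESIRED = {
    "System Access": {
        "MinimumPasswordAge": "1", "MaximumPasswordAge": "45", "MinimumPasswordLength": "8",
        "PasswordComplexity": "1", "PasswordHistorySize": "5", "LockoutBadCount": "5",
        "ClearTextPassword": "0", "EnableGuestAccount": "0",
    },
    "Event Audit": {
        "AuditSystemEvents": "3", "AuditLogonEvents": "3", "AuditObjectAccess": "0",
        "AuditPrivilegeUse": "3", "AuditPolicyChange": "3", "AuditAccountManage": "3",
        "AuditProcessTracking": "0", "AuditDSAccess": "0", "AuditAccountLogon": "3",
    },
}
def check(inf_text: str) -> list:
    """Return (section, key, desired, actual) per deviation; [] means compliant."""
    # Keep key case and disable interpolation: registry paths in the export contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(inf_text)
    findings = []
    for section, keys in DESIRED.items():
        for key, want in keys.items():
            have = cp.get(section, key, fallback=None)  # None: key absent from the export
            if have is None or have.strip() != want:
                findings.append((section, key, want, have))
    return findings
# Constructed sample export with two drifts (a real file is UTF-16 LE: open with encoding="utf-16").
SAMPLE = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 45
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 5
ClearTextPassword = 0
EnableGuestAccount = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 1
"""
```

Running `check(SAMPLE)` reports the minimum password age (0 instead of 1 day) and the account logon auditing (success only instead of success and failure); a key missing from the export is reported with an actual value of `None`.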