Hardening Guideline for Microsoft Windows Server 2008 R2

CIS Rule ID         Description

Account Policies
NA                  Use of administrative accounts is restricted to administrative tasks only
1.1.1.5.2.4         Set 'Enforce password history' to '24' or greater
1.1.1.5.2.3         Set 'Maximum password age' to '60' or less
1.1.1.5.2.2         Set 'Minimum password length' to '14' or greater
1.1.1.5.2.6         Set 'Password must meet complexity requirements' to 'Enabled'
1.1.1.5.2.1         Set 'Store passwords using reversible encryption' to 'Disabled'
1.1.1.5.1.1         Set 'Account lockout duration' to '15' or greater
1.1.1.5.1.2         Set 'Account lockout threshold' to '6' or fewer

Local Policies
NA                  Restrict anonymous access to the registry
NA                  Disable inactive accounts
NA                  Disable administrator remote logon to ensure accountability
NA                  Remove ACL permissions for the 'Everyone' group on user-created file shares
1.1.1.2.1.9         Set 'Accounts: Guest account status' to 'Disabled'
1.1.1.2.1.56        Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
1.1.1.2.1.80        Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled'
1.1.1.2.1.75        Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'
1.1.1.2.1.40        Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90'
1.1.1.2.1.47        Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'
1.1.1.2.1.72        Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
1.1.1.2.1.110       Set 'Network access: Remotely accessible registry paths' to 'System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion'
1.1.1.2.1.62        Set 'Network access: Restrict anonymous access to Named Pipes and Shares' to 'Enabled'
1.1.1.2.1.114       Set 'Network access: Shares that can be accessed anonymously' to '' (empty)
1.1.1.2.1.34        Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
1.1.1.2.1.93        Set 'Interactive logon: Do not display last user name' to 'Enabled'
1.1.1.2.1.102       Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '0'
1.1.1.2.1.97        Set 'Interactive logon: Prompt user to change password before expiration' to '14'

Firewall Policies
1.1.1.4.1.1.1.7     Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)'
1.1.1.4.1.1.2.7     Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)'
1.1.1.4.1.1.3.7     Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)'

Advanced Audit Policy Configuration
1.1.1.3.1.8.3       Set 'Audit Policy: Account Logon: Credential Validation' to 'Success and Failure'
1.1.1.3.1.2.6       Set 'Audit Policy: Account Management: Other Account Management Events' to 'Success and Failure'
1.1.1.3.1.2.4       Set 'Audit Policy: Account Management: Security Group Management' to 'Success and Failure'
1.1.1.3.1.2.7       Set 'Audit Policy: Account Management: User Account Management' to 'Success and Failure'
1.1.1.3.1.5.2       Set 'Audit Policy: Policy Change: Audit Policy Change' to 'Success and Failure'
1.1.1.3.1.4.3       Set 'Audit Policy: Privilege Use: Sensitive Privilege Use' to 'Success and Failure'
1.1.1.3.1.6.4       Set 'Audit Policy: System: Other System Events' to 'No Auditing'

Services and Applications
NA                  Anti-virus software must be installed and virus signatures must be kept up to date
NA                  Security patches must be applied in a timely manner
NA                  Disable unused services
NA                  No P2P software applications


Hardening Guideline for Red Hat 6 / CentOS 6 and Ubuntu 12.04 LTS

CIS Rule ID
Ubuntu 12.04 LTS    CentOS / RHEL 6                   Description

Patching and Software Updates
1.1                 1.2.3 (CentOS), 1.2.5 (RHEL)      Install OS updates, patches and additional security software in a timely manner

OS Services
5.1.1               2.1.5, 2.1.6                      Ensure NIS client and server are not installed
5.1.2               2.1.3                             Ensure rsh server is not enabled
5.1.3               2.1.4                             Ensure rsh client is not installed
5.1.4               2.1.10                            Ensure talk server is not enabled
5.1.5               2.1.9                             Ensure talk client is not installed
5.1.6               2.1.1                             Ensure telnet server is not enabled
5.1.7               2.1.8                             Ensure tftp-server is not enabled
5.2                 2.1.12, 2.1.13                    Ensure chargen is not enabled
5.3                 2.1.14, 2.1.15                    Ensure daytime is not enabled
5.4                 2.1.16, 2.1.17                    Ensure echo is not enabled
5.5                 -                                 Ensure discard is not enabled
5.6                 -                                 Ensure time is not enabled
6.1                 3.2                               Ensure the X Window system is not installed
6.5                 3.6                               Ensure NTP service is running
6.9                 3.10                              Ensure FTP server is not enabled

Firewall
7.7                 4.7                               Ensure firewall is active

Logging and Auditing
8.1.2               5.2.2                             Install and enable the auditd service
8.1.3               5.2.3                             Enable auditing for processes that start prior to auditd
8.1.8               5.2.8                             Collect login and logout events
8.1.14              5.2.14                            Collect file deletion events by user

System Access, Authentication and Authorization
9.2.1               6.3.2                             Set strong password creation policies: password must be 14 characters or more and contain at least 1 digit, 1 uppercase character, 1 lowercase character and 1 special character
9.2.2               6.3.3                             Set lockout after 5 failed password attempts
9.2.3               6.3.4                             Prohibit reuse of the past 5 passwords
9.3.8               6.2.8                             Disable SSH root login
9.4                 6.4                               Restrict root login to the system console
10.1.1              7.1.1                             Set password expiration to 90 days
10.1.3              7.1.3                             Provide 7-day advance warning that a password will expire

User Settings
13.1                9.2.1                             Ensure password fields are not empty
13.5                9.2.5                             Verify no UID 0 accounts exist other than root

HKUST
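One way to verify the Windows Account Policies rows of this guideline on a host is to export the local security policy with `secedit /export /cfg <file>` and compare the `[System Access]` values against the thresholds above. The script below is an added example, not part of the HKUST guideline: it parses a constructed secedit-style export (a real export is written as UTF-16LE, so open it with that encoding) and reports each row as PASS or FAIL. The field names (`PasswordHistorySize`, `MaximumPasswordAge`, `MinimumPasswordLength`, `PasswordComplexity`, `ClearTextPassword`, `LockoutDuration`, `LockoutBadCount`) are secedit's own; treating `LockoutDuration = -1` ("until an administrator unlocks") as satisfying the 15-minute minimum is this example's assumption.

```python
"""Added example: evaluate the guideline's Account Policies rows against a
secedit export of the local security policy. Not part of the HKUST guideline."""
import configparser

# Constructed sample (not a real host's export). A real file comes from
# `secedit /export /cfg policy.inf` and is UTF-16LE encoded.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 6
LockoutDuration = 15
ResetLockoutCount = 15
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# (secedit field, predicate, guideline requirement). Thresholds are the guideline's.
# Edge cases: MaximumPasswordAge = -1 means "never expires" and LockoutBadCount = 0
# means "no lockout"; both must fail, hence the lower bounds. LockoutDuration = -1
# (locked until an administrator unlocks) is assumed here to satisfy the rule.
ACCOUNT_POLICY_RULES = [
    ("PasswordHistorySize",   lambda v: v >= 24,           "Enforce password history: 24 or greater"),
    ("MaximumPasswordAge",    lambda v: 0 < v <= 60,       "Maximum password age: 60 or less"),
    ("MinimumPasswordLength", lambda v: v >= 14,           "Minimum password length: 14 or greater"),
    ("PasswordComplexity",    lambda v: v == 1,            "Password must meet complexity requirements: Enabled"),
    ("ClearTextPassword",     lambda v: v == 0,            "Store passwords using reversible encryption: Disabled"),
    ("LockoutDuration",       lambda v: v >= 15 or v == -1, "Account lockout duration: 15 or greater"),
    ("LockoutBadCount",       lambda v: 0 < v <= 6,        "Account lockout threshold: 6 or fewer"),
]


def parse_secedit_export(text):
    """secedit output is INI-shaped; keys are matched case-insensitively by configparser."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def evaluate_account_policies(text):
    """Return {requirement: (passed, observed value)}; a missing field fails with None."""
    parser = parse_secedit_export(text)
    results = {}
    for field, ok, requirement in ACCOUNT_POLICY_RULES:
        raw = parser.get("System Access", field, fallback=None)
        if raw is None:
            results[requirement] = (False, None)
            continue
        value = int(raw)
        results[requirement] = (ok(value), value)
    return results


def failing_requirements(text):
    """Just the requirements that are not met, in guideline order."""
    return [req for req, (passed, _) in evaluate_account_policies(text).items() if not passed]


if __name__ == "__main__":
    for req, (passed, value) in evaluate_account_policies(SAMPLE_EXPORT).items():
        print(f"{'PASS' if passed else 'FAIL'}  {req}  (observed: {value})")
```

On the constructed sample the maximum password age (90) and minimum length (8) fail and the other five rows pass; pointing the parser at a real export makes the same comparison for the host.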
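Several of the Linux rows above (SSH root login 9.3.8 / 6.2.8, password expiry and warning days 10.1.1 / 7.1.1 and 10.1.3 / 7.1.3, empty password fields 13.1 / 9.2.1, and UID 0 accounts 13.5 / 9.2.5) can be verified from plain configuration files. The script below is an added example, not part of the HKUST guideline or of the CIS benchmarks: every check takes file contents as text, so it runs here on the constructed samples and on `/etc/ssh/sshd_config`, `/etc/login.defs`, `/etc/shadow` and `/etc/passwd` on a real host. It also covers two caveats a practitioner needs: a `PermitRootLogin` placed after a `Match` line in sshd_config only applies inside that block, and `PASS_MAX_DAYS` in login.defs only affects accounts created afterwards, so existing accounts are checked against field 5 of `/etc/shadow`. All sample account names and hashes are constructed.

```python
"""Added example: offline checks for some Linux rows of the HKUST guideline.
Not part of the guideline; sample files below are constructed."""

SAMPLE_SSHD_CONFIG = """# constructed sample: PermitRootLogin is only set inside a Match block
Port 22
#PermitRootLogin yes
Match User backup
    PermitRootLogin no
"""
SAMPLE_LOGIN_DEFS = """# constructed sample
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_WARN_AGE\t7
"""
SAMPLE_SHADOW = """root:$6$saltsalt$constructedhash:18000:0:99999:7:::
svc:!!:18000:0:99999:7:::
kiosk::18000:0:99999:7:::
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svcadmin:x:0:0::/home/svcadmin:/bin/bash
"""


def sshd_global_value(text, keyword):
    """Effective global value of an sshd_config keyword: sshd takes the first
    non-comment occurrence, and anything after the first 'Match' line applies
    only to that block, so parsing stops there. None when the keyword is unset."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None


def ssh_root_login_disabled(text):
    """9.3.8 / 6.2.8: PermitRootLogin must be explicitly 'no'. An unset value falls
    back to the compiled-in default, which allowed root login on OpenSSH of the
    RHEL 6 / Ubuntu 12.04 era, so 'unset' is reported as a failure."""
    return sshd_global_value(text, "PermitRootLogin") == "no"


def login_defs_value(text, key):
    """Value of a KEY VALUE line in login.defs; comments start with '#'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == key:
            return parts[1]
    return None


def password_max_days_ok(text, limit=90):
    """10.1.1 / 7.1.1: PASS_MAX_DAYS must be set and no more than `limit`."""
    v = login_defs_value(text, "PASS_MAX_DAYS")
    return v is not None and v.isdigit() and 0 < int(v) <= limit


def password_warn_age_ok(text, minimum=7):
    """10.1.3 / 7.1.3: PASS_WARN_AGE must be at least `minimum` days."""
    v = login_defs_value(text, "PASS_WARN_AGE")
    return v is not None and v.isdigit() and int(v) >= minimum


def empty_password_accounts(shadow_text):
    """13.1 / 9.2.1: accounts whose shadow password field is empty. Locked
    accounts ('!' or '*') are fine; only an empty field lets anyone log in."""
    out = []
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2 and f[1] == "":
            out.append(f[0])
    return out


def accounts_exceeding_max_days(shadow_text, limit=90):
    """Per-account maximum age is field 5 of /etc/shadow (empty = never expires);
    login.defs does not retroactively change it. Locked accounts are skipped."""
    out = []
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 5 or f[1].startswith(("!", "*")):
            continue
        if f[4] == "" or int(f[4]) > limit:
            out.append(f[0])
    return out


def uid0_accounts_other_than_root(passwd_text):
    """13.5 / 9.2.5: every account with UID 0 besides root."""
    return [f[0] for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]


if __name__ == "__main__":
    print("SSH root login disabled:", ssh_root_login_disabled(SAMPLE_SSHD_CONFIG))
    print("PASS_MAX_DAYS <= 90:", password_max_days_ok(SAMPLE_LOGIN_DEFS))
    print("PASS_WARN_AGE >= 7:", password_warn_age_ok(SAMPLE_LOGIN_DEFS))
    print("empty password fields:", empty_password_accounts(SAMPLE_SHADOW))
    print("accounts over 90-day max age:", accounts_exceeding_max_days(SAMPLE_SHADOW))
    print("extra UID 0 accounts:", uid0_accounts_other_than_root(SAMPLE_PASSWD))
```

On a real host, read the four files (shadow needs root) and pass their contents to the same functions; the lists returned name the accounts to fix with `passwd -l` or `chage -M 90`, and the boolean checks map one-to-one to the rows they are named after.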