Hardening Guideline for Microsoft Windows
Server 2008R2
CIS Rule ID
Description
Account Policies
NA
Restricted use of administrative accounts is solely for administrative task purpose
1.1.1.5.2.4
Set 'Enforce password history' to '24' or greater
1.1.1.5.2.3
Set 'Maximum password age' to '60' or less
1.1.1.5.2.2
Set 'Minimum password length' to '14' or greater
1.1.1.5.2.6
Set 'Password must meet complexity requirements' to 'Enabled'
1.1.1.5.2.1
Set 'Store passwords using reversible encryption' to 'Disabled'
1.1.1.5.1.1
Set 'Account lockout duration' to '15' or greater
1.1.1.5.1.2
Set 'Account lockout threshold' to '6' or fewer
Local Policies
NA
Restrict anonymous access to the registry
NA
Disable inactive account
NA
Disable administrator remote logon to ensure accountability
NA
Remove ACL permission from "Everyone group" on user created file share
1.1.1.2.1.9
Set 'Accounts: Guest account status' to 'Disabled'
1.1.1.2.1.56
Set 'Accounts: Limit local account use of blank passwords to console logon only' to
'Enabled'
1.1.1.2.1.80
Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to
'Disabled'
1.1.1.2.1.75
Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace
period expires (0 recommended)' to '0'
1.1.1.2.1.40
Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the
system will generate a warning' to '90'
1.1.1.2.1.47
Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'
1.1.1.2.1.72
Set 'Network access: Do not allow anonymous enumeration of SAM accounts and
shares' to 'Enabled'
1.1.1.2.1.11
Set 'Network access: Remotely accessible registry paths' to
0
'System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion'
1.1.1.2.1.62
Set 'Network access: Restrict anonymous access to Named Pipes and Shares' to
'Enabled' and Shares' to 'Enabled'
1
1.1.1.2.1.11
Set 'Network access: Shares that can be accessed anonymously' to ''
4
1.1.1.2.1.34
Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
1.1.1.2.1.93
Set 'Interactive logon: Do not display last user name' to 'Enabled'
1.1.1.2.1.10
Set 'Interactive logon: Number of previous logons to cache (in case domain controller is
2
not available)' to '0'
1.1.1.2.1.97
Set 'Interactive logon: Prompt user to change password before expiration' to '14'
Firewall Policies
1.1.1.4.1.1.
Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)'
1.7
1.1.1.4.1.1.
Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)'
2.7
1.1.1.4.1.1.
Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)'
3.7
Advanced Audit Policy Configuration
1.1.1.3.1.8.
Set 'Audit Policy: Account Logon: Credential Validation' to 'Success and Failure'
3
1.1.1.3.1.2.
Set 'Audit Policy: Account Management: Other Account Management Events' to
6
'Success and Failure'
1.1.1.3.1.2.
Set 'Audit Policy: Account Management: Security Group Management' to 'Success and
4
Failure'
1.1.1.3.1.2.
Set 'Audit Policy: Account Management: User Account Management' to 'Success and
7
Failure'
1.1.1.3.1.5.
Set 'Audit Policy: Policy Change: Audit Policy Change' to 'Success and Failure'
2
1.1.1.3.1.4.
Set 'Audit Policy: Privilege Use: Sensitive Privilege Use' to 'Success and Failure'
3
1.1.1.3.1.6.
Set 'Audit Policy: System: Other System Events' to 'No Auditing'
4
Services and Applications
NA
Anti virus software must be installed and virus signature must be up-to-date
NA
Security patches must be applied on a timely manner
NA
Disable unused services
NA
No P2P software application
2
Hardening Guideline for Redhat 6 / CentOS
6 and Ubuntu 12.04 LTS
CIS Rule ID
Description
Ubuntu
CentOS /
12.04 LTS
RHEL 6
Patching and Software Updates
1.2.3 (CentOS) Install OS updates, patches and additional security
1.1
1.2.5 (RHEL)
software in a timely manner
OS Services
5.1.1
2.1.5
Ensure NIS client and server are not installed
2.1.6
5.1.2
2.1.3
Ensure rsh server is not enabled
5.1.3
2.1.4
Ensure rsh client is not installed
5.1.4
2.1.10
Ensure talk server is not enabled
5.1.5
2.1.9
Ensure talk client is not installed
5.1.6
2.1.1
Ensure telnet server is not enabled
5.1.7
2.1.8
Ensure tftp-server is not enabled
5.2
2.1.12
Ensure chargen is not enabled
2.1.13
5.3
2.1.14
Ensure daytime is not enabled
2.1.15
5.4
2.1.16
Ensure echo is not enabled
2.1.17
5.5
Ensure discard is not enabled
5.6
Ensure time is not enabled
6.1
3.2
Ensure the X Window system is not installed
6.5
3.6
Ensure NTP service is running
6.9
3.10
Ensure FTP Server is not enabled
Firewall
7.7
4.7
Ensure firewall is active
Logging and Auditing
8.1.2
5.2.2
Install and Enable auditd Service
8.1.3
5.2.3
Enable auditing for processes that start prior to auditd
8.1.8
5.2.8
Collect login and logout events
8.1.14
5.2.14
Collect file deletion events by user
System Access, Authentication and Authorization
9.2.1
6.3.2
Set strong password creation policies
 password must be 14 characters or more
 provide at least 1 digit
3
9.2.2
6.3.3
9.2.3
6.3.4
9.3.8
6.2.8
9.4
6.4
10.1.1
7.1.1
10.1.3
7.1.3
User Settings
13.1
9.2.1
13.5
9.2.5
 provide at least 1 uppercase character
 provide at least 1 special character
 provide at least 1 lowercase character
Set lockout for 5 failed password attempts
Prohibit reuse past 5 passwords
Disable SSH root login
Restrict root login to system console
Set password expiration days to 90 days
Provide 7-day advance warning that a password will expire
Ensure password fields are not empty
Verify No UID 0 Accounts Exist Other Than root
Related Links

HKUST
4