/
Windows Server 2012 R2 Hardening Checklist

Windows Server 2012 R2 Hardening Checklist

Sep 08, 2015

The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.

How to use the checklist

Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.

How to read the checklist

Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
Check (√) - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective system
CIS - Reference number in the Center for Internet Security Windows Server 2012 R2 Benchmark v1.1.0. The CIS document outlines in much greater detail how to complete each step.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category-I data , required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data , all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.

Server Information

MAC Address

                                                                                                                               

IP Address

 

Machine Name

 

Asset Tag

 

Administrator Name

 

Date

 

Step

To Do

CIS

UT Note

Cat I

Cat II Cat III

Min Std

 

 

Preparation and Installation

 

 

 

 

 

1

 

If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened.

 

§

!

 !

5.1

2

 

Consider using the Security Configuration Wizard to assist in hardening the host.

 

§

 

 

 

 

 

Service Packs and Hotfixes

 

 

 

 

 

3

 

Install the latest service packs and hotfixes from Microsoft.

 

§

!

!

5.2

4

 

Enable automatic notification of patch availability.

 

§

!

!

5.3

 

 

User Account Policies

 

 

 

 

 

5

 

Set minimum password length.

1.1.4

§

!

!

 

6

 

Enable password complexity requirements.

1.1.5

§

!

 

 

7

 

Do not store passwords using reversible encryption. (Default)

1.1.6

§

!

!

 

8

 

Configure account lockout policy.

1.2

§

!

!

 

 

 

User Rights Assignment

 

 

 

 

 

9

 

Restrict the ability to access this computer from the network to Administrators and Authenticated Users.

2.2.2

 

 

 

 

10

 

Do not grant any users the 'act as part of the operating system' right. (Default)

2.2.3

 

!

!

 

11

 

Restrict local logon access to Administrators.

2.2.6

§

 

 

 

12

 

Deny guest accounts the ability to logon as a service, a batch job, locally, or via RDP.

2.2.18-21

 

!

 

 

 

 

Security Settings

 

 

 

 

 

13

 

Place the University warning banner in the Message Text for users attempting to log on.

2.3.7.4

§

!

!

5.10

14

 

Disallow users from creating and logging in with Microsoft accounts.

2.3.1.1

§

!

!

 

15

 

Disable the guest account. (Default)

2.3.1.2

 

!

!

 

16

 

Require Ctrl+Alt+Del for interactive logins. (Default)

2.3.7.2

 

!

!

 

17

 

Configure machine inactivity limit to protect idle interactive sessions.

2.3.7.3

 

!

!

 

18

 

Configure Microsoft Network Client to always digitally sign communications.

2.3.8.1

 

!

 

 

19

 

Configure Microsoft Network Client to digitally sign communications if server agrees. (Default)

2.3.8.2

 

!

!

 

20

 

Disable the sending of unencrypted passwords to third party SMB servers.

2.3.8.3

 

!

!

5.6

21

 

Configure Microsoft Network Server to always digitally sign communications.

2.3.9.2

 

!

 

 

22

 

Configure Microsoft Network Server to digitally sign communications if client agrees.

2.3.9.3

 

!

 

 

 

 

Network Access Controls

 

 

 

 

 

23

 

Disable anonymous SID/Name translation. (Default)

2.3.11.1

 

!

!

 

24

 

Do not allow anonymous enumeration of SAM accounts. (Default)

2.3.11.2

 

!

!

5.5

25

 

Do not allow anonymous enumeration of SAM accounts and shares.

2.3.11.3

 

!

 

5.5

26

 

Do not allow Everyone permissions to apply to anonymous users. (Default)

2.3.11.4

 

!

!

5.12

27

 

Do not allow any named pipes to be accessed anonymously.

2.3.11.5

 

!

 

5.12

28

 

Restrict anonymous access to named pipes and shares. (Default)

2.3.11.8

 

!

!

5.12

29

 

Do not allow any shares to be accessed anonymously.

2.3.11.9

 

!