Purpose
This document serves as reference for tracking approved compliance deviations for Windows Server 2022 AMI in QNET Cloud.
Audit Policy
Policy Name | DISA Microsoft Windows Server 2022 v1r4 |
---|---|
STIG Version | v1r4 |
URL | https://www.tenable.com/audits/DISA_STIG_Microsoft_Windows_Server_2022_v1r4 |
Last Compliance Reviewed Date | |
Last Updated in Tenable | |
Table
Plug-In / Finding ID | Risk/Severity Level | Systems Impacted (All instances, web instances only, etc.) | CIS or DISA Title | Overview of the Risk (From Tenable Scan) | Operational/Business Impact (Describe the impact to the business if the check is not turned off.) | Technical Issues (Describe the technical issues that are caused by this control being in place) | Mitigating/Compensating Controls
(Describe what additional steps, processes or features that have been put in place to provide the same security level) | ISSO Approval & Date |
1011213 | High | All Member Server Instances | WN22-SO-000130 - Windows Server 2022 required legal notice must be configured to display before console logon | Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088 Solution Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive Logon: Message title for users attempting to log on to 'DoD Notice and Consent Banner', 'US Department of Defense Warning Statement', or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN22-SO-000150. | Failure to display any logon banner prior to a logon attempt will negatively impact legal proceedings that could result from unauthorized access to system resources. | No technical issues should prevent us from changing this. The verbiage provided by CMS seems to satisfy all legal requirements, though. Nessus expects a banner as per DoD Environment | The legal notice being displayed has been previously approved. The notice contains verbiage provided by CMS. | Brandon Tennessee Jun 5, 2024 |
1011214 | High | All Member Server Instances | WN22-SO-000140 - Windows Server 2022 title for legal banner dialog box must be configured with the appropriate text. | Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088 SolutionConfigure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive Logon: Message title for users attempting to log on to 'DoD Notice and Consent Banner', 'US Department of Defense Warning Statement', or an organization-defined equivalent.If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN22-SO-000150. | Failure to display any logon banner prior to a logon attempt will negatively impact legal proceedings that could result from unauthorized access to system resources. | No technical issues should prevent us from changing this. The verbiage provided by CMS seems to satisfy all legal requirements, though. Nessus expects a banner as per DoD Environment | The legal notice being displayed has been previously approved. The notice contains verbiage provided by CMS. | Brandon Tennessee Jun 5, 2024 |
1011277 | High | All Member Server Instances | WN22-00-000260 - Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process | If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented. If protection methods have not been implemented, this is a finding. Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | Without TLS, encrypted VPNs, or IPsec, data transferred between systems or over networks is vulnerable to interception, eavesdropping, or tampering by malicious actors. This increases the risk of data breaches, unauthorized access, and theft of sensitive information. | Encrypting data for transmission using TLS, encrypted VPNs, or IPsec may introduce performance overhead, particularly on network-intensive applications or systems with high bandwidth requirements. | All traffic required by the CMS to be encrypted is done. Additionally, our organization uses Zscaler, a zero trust platform approved by the CMS for use and considered a more secure option than a traditional VPN. Policies in place prevent the use of weak ciphers and obsolete tls/ssl mechanisms. The environment is regularily scanned for compliance to the security standards. | Brandon Tennessee Jun 5, 2024 |
1013095 | Medium | All Member Server Instances | WN22-00-000050 - Windows Server 2022 manually managed application account passwords must be at least 15 characters in length | Information: Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts
that are manually managed must have passwords at least 15 characters in length. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Result: WARNING Actual Value: Policy Value: WARNING | Enforcing a minimum password length of 15 characters for manually managed application accounts may impact application, especially if applications have hardcoded password length limitations or compatibility issues with longer passwords. However ADOs are advised to use minimum password length as per ARS. | Nessus expects manual review of the configuration. | We follow the minimum password policy as recommended in ARS and scanned periodically to review requirements are met. | Brandon Tennessee Jun 5, 2024 |
1011240 | High | All Member Server Instances | WN22-SO-000400 - Windows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop. | Information UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges. Solution Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to 'Prompt for consent on the secure desktop'. The more secure option for this setting, 'Prompt for credentials on the secure desktop', would also be acceptable.\" | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges. | We have had numerous issues when updating, patching, installing and repairing ADFS and related services with the UAC settings turned on similar to this article: https://social.technet.microsoft.com/Forums/windows/en-US/6c76b2a3-ec91-4a22-813a-e74db0f713c1/adfs-proxy-config-wizard-crashes?forum=ADFS | Only administrator have access to the servers. AD group are included in GPO for each ADO, the Group Policy overides the existing adminsitrator local group members on the server with the approved AD group members, user accounts specified in the GPO. For example GPO Name: ADOName_restricted_access_control | Brandon Tennessee Jun 12, 2024 |
1013099 | High | All Member Server Instances | WN22-CC-000110 - Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | \"Information Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU). Solution Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> Turn On Virtualization Based Security to 'Enabled' with 'Secure Boot' or 'Secure Boot and DMA Protection' selected. A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard\" | \"Policy is configured via GPO however only few Nitro TPM instances types support credential Guard at this time. https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/credential-guard.html\" | Credential Guard requires TPM, Secure Boot. AMI is configured to support TPM and Secure Boot and policy is enforced via GPO, however Credential Guard supported on following Nitro EC2 Instance Types. Instance Types: C5, C5d, C5n, C6i, C6id, C6in, M5, M5d, M5dn, M5n, M5zn, M6i, M6id, M6idn, M6in, R5, R5b, R5d, R5dn, R5n, R6i, R6id, R6idn, R6in. This policy is unsupported on servers running other Instance Types. 
Status on other Instance Types: Virtualization-based security : Enabled but not running Virtualization-based security Required Security Properties: Base Virtualization Support, Secure Boot Virtualization-based security Available Security Properties: Secure Boot, UEFI Code Readonly Virtualization-based security Services Configured: Credential Guard, Hypervisor enforced Code Integrity\" | GPO policy for future cross-matching.Upated 6/10 with CCOM Response: The GPO Policy Name is: Z-Global-Server-Win2022-hardening. | Brandon Tennessee Jun 12, 2024 |
1011243 | High | All Member Server Instances | WN22-SO-000430 - Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations. | Information
UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\System32 folders, to run with elevated privileges. Solution Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Only elevate UIAccess applications that are installed in secure locations to 'Enabled'. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. | We've had numerous issues when updating, patching, installing and repairing ADFS and related services with the UAC settings turned on similar to this article: https://social.technet.microsoft.com/Forums/windows/en-US/6c76b2a3-ec91-4a22-813a-e74db0f713c1/adfs-proxy-config-wizard-crashes?forum=ADFS | Only administrator have access to the servers. AD group are included in GPO for each ADO, the Group Policy overides the existing adminsitrator local group members on the server with the approved AD group members, user accounts specified in the GPO. For example GPO Name: ADOName_restricted_access_control | Brandon Tennessee Jun 12, 2024 |
1011193 | High | All Member Server Instances | WN22-MS-000140 - Windows Server 2022 must be running Credential Guard on domain-joined member servers. | Information
Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software. Solution Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> Turn On Virtualization Based Security to 'Enabled' with 'Enabled with UEFI lock' selected for 'Credential Guard Configuration'. A Microsoft article on Credential Guard system requirement can be found at the following link: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection provided to the affected servers that are not capable of complying with the Credential Guard requirement. Items that must be reviewed/considered for compliance or mitigation for non-Credential Guard compliance are: The use of Microsoft Local Administrator Password Solution (LAPS) or similar products to control different local administrative passwords for all affected servers. This is to include a strict password change requirement (60 days or less). .... Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions must be supplied. .... Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected servers. .... Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers. .... Windows Defender rule block credential stealing from LSASS.exe is applied. This rule can only be applied if Windows Defender is in use. .... 
The overall number of vulnerabilities that are unmitigated on the network/servers. | Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software. | Credential Guard required TPM, Secure Boot.
TPM require the TPM chip on hardware. Secure boot required to have UEFI however Credential Guard supported on following Nitro EC2 Instance Types. Instance Types: C5, C5d, C5n, C6i, C6id, C6in, M5, M5d, M5dn, M5n, M5zn, M6i, M6id, M6idn, M6in, R5, R5b, R5d, R5dn, R5n, R6i, R6id, R6idn, R6in. This policy is unsupported on servers running other Instance Types. | None at this time. This policy is not supported on widely used instance types in the Organization. | Brandon Tennessee Jun 5, 2024 |
1011236 | High | All Member Server Instances | WN22-SO-000360 - Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | Information
This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. Government and must be the algorithms used for all OS encryption functions. Solution Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing to 'Enabled'. | This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. Government and must be the algorithms used for all OS encryption functions.
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000478-GPOS-00223 | If the following registry value does not exist or is not configured as specified, this is a finding.
Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value Type: REG_DWORD Value: 0x00000001 (1) Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the Client and Server must be configured to use TLS; otherwise and will not be able to establish a secure connection. | Any issues that could arise from relaxing this setting will be found by utilize tenable compliance and vulnerability scans to identify any weaker encryption algorithms or hash functions supported or configured on the server. Updated on 06/10: Group Policy name 'Z-Global-Servers-Win2022-FIPS' configured in AD to enable FIPS. This finding is no longer reported in Scans | Brandon Tennessee Jun 12, 2024 |
1011188 | High | All Member Server Instances | WN22-MS-000090 - Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Information: Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The 'Deny log on as a batch job' user right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. The Guests group must be assigned to prevent unauthenticated access. Solution: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny log on as a batch job to include the following: Domain Systems Only: - Enterprise Admins Group - Domain Admins Group All Systems: - Guests Group | If this control check is not turned off, it will continue to be a finding even though all the users who have rights are appropriate. | Guest account is denied. However, domain administrators and enterprise administrators should be able to logon as a batch job user. If we deny these groups access to the hosts, we will not be able to run some of our automated processes, like those that help audit and clean up our Active Directory accounts. | Ensure that only authorized users are part of Enterprise Administrator and Domain Administrator accounts. This is done through regular auditing. | Brandon Tennessee Jun 5, 2024 |
1011189 | High | All Member Server Instances | WN22-MS-000110 - Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Information: Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The 'Deny log on locally' user right defines accounts that are prevented from logging on interactively. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. The Guests group must be assigned this right to prevent unauthenticated access. Solution: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny log on locally to include the following: Domain Systems Only: - Enterprise Admins Group - Domain Admins Group All Systems: - Guests Group | If this control check is not turned off, it will continue to be a finding even though all the users who have rights are appropriate. | Guest account is denied. However, domain administrators and enterprise administrators should be able to logon on locally. If we deny these groups access to the hosts, we will not be able to log on to hosts to be able to troubleshoot issues or install software and updates | Ensure that only authorized users are part of Enterprise Administrator and Domain administrator accounts. This is done through regular auditing. | Brandon Tennessee Jun 5, 2024 |
1011190 | High | All Member Server Instances | WN22-MS-000120 - Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems. | Information: Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The 'Deny log on through Remote Desktop Services' user right defines the accounts that are prevented from logging on using Remote Desktop Services. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. Local accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. The Guests group must be assigned this right to prevent unauthenticated access. Solution: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny log on through Remote Desktop Services to include the following: Domain Systems Only: - Enterprise Admins group - Domain Admins group - Local account (see Note below) All Systems: - Guests group Note: 'Local account' is referring to the Windows built-in security group. | If this control check is not turned off, it will continue to be a finding even though all the users who have rights are appropriate. | Guest account is denied. However, domain administrators and enterprise administrators should be able to access computers though Remote Desktop Services. If we deny these groups access to the hosts, we will not be able to administer them in the virtual environment. 
| Ensure that only authorized users are part of Enterprise Administrator and Domain administrator accounts. This is done through regular auditing. | Brandon Tennessee Jun 5, 2024 |
1011191 | High | All Member Server Instances | WN22-MS-000100 - Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right. | Information: Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The 'Deny log on as a service' user right defines accounts that are denied logon as a service. In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. Incorrect configurations could prevent services from starting and result in a denial of service. Solution: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny log on as a service to include the following: Domain systems: - Enterprise Admins Group - Domain Admins Group | If this control check is not turned off, it will continue to be a finding even though all the users who have rights are appropriate. | Guest account is denied. However, domain administrators and enterprise administrators should have access to log-on as a service on server. If we add these groups in deny logon as service, accounts which required administrator privileges to run on the server will not run. | Ensure that only authorized users are part of Enterprise Administrator and Domain Administrator accounts. This is done through regular auditing. | Brandon Tennessee Jun 5, 2024 |
1011187 | High | All Member Server Instances | WN22-MS-000080 - Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems. | This applies to member servers and standalone or nondomain-joined systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. Run \"gpedit.msc\". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If the following accounts or groups are not defined for the \"Deny access to this computer from the network\" user right, this is a finding: Domain Systems Only: - Enterprise Admins group - Domain Admins group - \"Local account and member of Administrators group\" or \"Local account\" (see Note below) All Systems: - Guests group For server core installations, run the following command: Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt Review the text file. If the following SIDs are not defined for the \"SeDenyNetworkLogonRight\" user right, this is a finding. Domain Systems Only: S-1-5-root domain-519 (Enterprise Admins) S-1-5-domain-512 (Domain Admins) S-1-5-114 (\"Local account and member of Administrators group\") or S-1-5-113 (\"Local account\") All Systems: S-1-5-32-546 (Guests) Note: These are built-in security groups. \"Local account\" is more restrictive but may cause issues on servers such as systems that provide failover clustering. 
Fix Text (F-57871r849120_fix) Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny access to this computer from the network to include the following: Domain Systems Only: - Enterprise Admins group - Domain Admins group - \"Local account and member of Administrators group\" or \"Local account\" (see Note below) All Systems: - Guests group Note: These are built-in security groups. \"Local account\" is more restrictive but may cause issues on servers such as systems that provide failover clustering. | If this control check is not turned off, it will continue to be a finding even though all the users who have rights are appropriate. | Guest account is denied. However, domain administrators and enterprise administrators should be able to access computers on the network. If we deny these groups access to the hosts, we will not be able to administer them in the virtual environment. | Ensure that only authorized users are part of Enterprise Administrator and Domain Administrator accounts. This is done through regular auditing. | Brandon Tennessee Jun 12, 2024 |
1011229 | High | All Member Server Instances | WN22-SO-000290 - Windows Server 2022 Kerberos
encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Information: Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos
encryption. Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting 'The other domain supports Kerberos AES Encryption' on domain trusts, may be required to allow client communication across the trust relationship. Result: FAILED Actual Value: NULL Policy Value: 2147483640 | Disabling RC4 has proven to break existing applications and require changes in the active directory for user and computer objects. | Applications need to be configured to support disabling RC4 encryption. Its enabled to limit interoperability issues and connection errors while authentication | Any issues that could arise from relaxing this setting will be found by scans and event logs. Updated 6/10 with CCOM Response: Group Policy name 'Z-Global-Servers-Win2022-FIPS' configured in AD to prevent DES and RC4 for Kerberos encryption, this finding is no longer reported in scans. | Brandon Tennessee Jun 12, 2024 |
1011148 | High | All Member Server Instances | WN22-CC-000530 - Windows Server 2022 must have PowerShell Transcription enabled. | Information Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Enabling PowerShell Transcription will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system. Solution Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> 'Turn on PowerShell Transcription' to 'Enabled'. Specify the Transcript output directory to point to a Central Log Server or another secure location to prevent user access. | We have configured to use Splunk Client to capture the Windows event and specific agents logs.However, the Powershell transcription logs are not saved to the Windows events logs and need to be pointed to central log server or saved locally. The transcripts have to exist locally on each system and the settings available do not rotate the logs via GPO. Overtime system drive consumption will be a concern, Splunk Client will need to be researched to be configured to send logs through Splunk from the local files. This will require a project for Splunk for the configuration of the both the forwarder as well as the index would make the logs require the very amount of storage. Below added on 6/10: There are no provisions in Splunk or OS to forward powershell transcript records. 
Only option, to enable, is to configure transcription to save locally on the server and then configure Splunk App to forward this log to the deployment servers. If this is supported, we do not need to request a exception. Discuss further with Hagen. | Not applicable. | In the past, the organization was given the direction to move away from a file server with automated logs getting exported into and we forwarding supported logs to Splunk. | Brandon Tennessee Jun 12, 2024 |
1011050 | High | All Member Server Instances | WN22-AC-000020 - Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Information The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack while allowing for honest errors made during normal user logon. Solution Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> Account lockout threshold to '3' or fewer invalid logon attempts (excluding '0', which is unacceptable). | Changing from 5 to 3 invalid logins could cause the need for more manual intervention to unlock accidentally locked accounts. | Changing from 5 to 3 invalid logins could cause the need for more manual intervention to unlock accidentally locked accounts. | We are following the ARS recommendation for moderate systems. The ARS control calls for an account to be locked out after 5 invalid logon attempts during a 120-minute time window. The lockout will last for at least one hour. | Brandon Tennessee Jun 12, 2024 |
1011215 | High | All Member Server Instances | WN22-SO-000150 - Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Information Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended. Solution Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive logon: Smart card removal behavior to 'Lock Workstation' or 'Force Logoff'. | Smart cards are not used in our environment. Enabling this setting would cause the service it depends on to be activated automatically, which means more services running on the server, more resource usage, more logging, and more overhead in general. | If enabled, it would add unnecessary logging and overhead. | Nearly all hosts are virtual and hosted in AWS. Smart cards are only useful on physical machines. No additional controls are needed; however, this deviation will be reviewed at a minimum annually, and revisited if smart cards begin to be used. | Brandon Tennessee Jun 12, 2024 |
1011008 | High | All Member Server Instances | WN22-00-000020 - Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days. | Information The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure. Windows LAPS must be used to change the built-in Administrator account password. Steps to Remediate Change the enabled local Administrator account password at least every 60 days. Windows LAPS must be used to change the built-in Administrator account password. Domain-joined systems can configure this to occur more frequently. LAPS will change the password every 30 days by default. | Legacy LAPS is used to rotate the built-in Administrator account password every 60 days. The LAPS agent is installed on the AMI and the GPO is configured in Active Directory. | Nessus expects the newer Windows LAPS and its corresponding GPO policy. Windows LAPS will be implemented across the organization in the future by ESS. | The required settings are already configured for the legacy LAPS version, which is supported on Windows Server 2022. | Brandon Tennessee Jun 12, 2024 |
1011281 | Medium | All Member Server Instances | WN22-00-000420 - Windows Server 2022 FTP servers must be configured to prevent anonymous logons. | Information The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. Using accounts that have administrator privileges to log on to FTP risks that the userid and password will be captured on the network and give administrator access to an unauthorized user. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Solution Configure the FTP service to prevent anonymous logons. Open 'Internet Information Services (IIS) Manager'. Select the server. Double-click 'FTP Authentication'. Select 'Anonymous Authentication'. Select 'Disabled' under 'Actions'. | The security team scans hosts to verify that no FTP servers permit anonymous logons. | Not applicable. FTP services are not installed on the Gold AMI. Instance owners are responsible for managing FTP services if installed for their projects. | The security team scans for insecure hosts separately. | Brandon Tennessee Jun 12, 2024 |
1011282 | Medium | All Member Server Instances | WN22-00-000430 - Windows Server 2022 FTP servers must be configured to prevent access to the system drive. | Information The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, especially if the user can gain access to the root directory of the boot drive. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Solution Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system. | The security team scans hosts for insecure FTP configurations. | Not applicable. FTP services are not installed on the Gold AMI. Instance owners are responsible for managing FTP services if installed for their projects. | The security team scans for insecure hosts separately. | Brandon Tennessee Jun 12, 2024 |
1011273 | Medium | All Member Server Instances | WN22-00-000120 - Windows Server 2022 must have a host-based intrusion detection or prevention system. | Information A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical servers. With proper configuration and logging enabled, such a system can stop and/or alert for many attempts to gain unauthorized access to resources. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Solution Install a HIDS or HIPS on each server. | We deploy the CrowdStrike Falcon agent to the OS when building an AMI, and it is used to monitor and alert on activity on the system. | CrowdStrike Falcon is a cloud-delivered endpoint protection platform: this software-only solution delivers and unifies IT hygiene, next-generation antivirus, endpoint detection and response (EDR), managed threat hunting and threat intelligence. It is considered a HIPS. | No mitigation is necessary, as the CrowdStrike Falcon agent monitors the OS. | Brandon Tennessee Jun 12, 2024 |
1011275 | Medium | All Member Server Instances | WN22-00-000220 - Windows Server 2022 system files must be monitored for unauthorized changes. | Information Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Solution Monitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools. | We deploy the CrowdStrike Falcon agent to the OS when building an AMI, and it is used to monitor and alert on activity on the system. | This is related to the intrusion detection requirement (HIDS/HIPS) and is covered by the CrowdStrike Falcon cloud-delivered endpoint protection platform: this software-only solution delivers and unifies IT hygiene, next-generation antivirus, endpoint detection and response (EDR), managed threat hunting and threat intelligence. | No mitigation is necessary, as the CrowdStrike Falcon agent monitors the OS. | Brandon Tennessee Jun 12, 2024 |
1011279 | Medium | All Member Server Instances | WN22-00-000290 - Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Information Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other tools. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Solution Install a DoD-approved ESS software and ensure it is operating continuously. | We deploy the CrowdStrike Falcon agent as the Endpoint Security Solution (ESS) in the OS when building an AMI, and it is used to monitor and alert on activity on the system. | Not applicable. | The CrowdStrike Falcon agent is used to monitor and alert on activity on the system. | Brandon Tennessee Jun 12, 2024 |
1011276 | Medium | All Member Server Instances | WN22-00-000250 - Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest | Information: This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184 NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Result: WARNING. Actual Value: (blank). Policy Value: WARNING | No changes necessary. | To protect data at rest on EC2 instances, Amazon EBS encryption is enforced when creating volumes. Nessus expects a manual review of the configuration. | At the account level, automatic encryption is enabled so that new EBS volumes are encrypted with a KMS key. | Brandon Tennessee Jun 12, 2024 |
1011270 | Medium | All Member Server Instances | WN22-00-000010 - Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks | Information: Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Result: WARNING. Actual Value: (blank). Policy Value: WARNING | AD groups have been configured and Restricted Groups are enforced via GPO to ensure that only authorized users are granted access to domain-joined systems. | Nessus expects a manual review of this configuration. | Restricted AD groups have been configured to grant access to domain-joined systems and are reviewed periodically. Access is provisioned when access requests are approved by the ADO SPOC in ServiceNow based on business requirements. | Brandon Tennessee Jun 12, 2024 |
1011271 | Medium | All Member Server Instances | WN22-00-000030 - Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email | Information: Using applications that access the internet or have potential internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. Since administrative accounts may generally change or work around technical restrictions for running a web browser or other applications, it is essential that policy require administrative accounts to not access the internet or use applications such as email. The policy must define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Whitelisting can be used to enforce the policy to ensure compliance. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000205-GPOS-00083 NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Result: WARNING. Actual Value: (blank). Policy Value: WARNING | AD groups have been configured and Restricted Groups are enforced via GPO to ensure that only authorized users are granted access to domain-joined systems. | Some applications, including management tools or software updates, may require internet access to function properly. Restricting administrative accounts from accessing the internet may impact the functionality of these applications, requiring the organization to evaluate alternative solutions or workarounds. Nessus expects a manual review of this configuration. | Restricted AD groups have been configured to grant access to domain-joined systems and are reviewed periodically. Access is provisioned when access requests are approved by the ADO SPOC in ServiceNow based on business requirements. | Brandon Tennessee Jun 12, 2024 |
1011180 | Medium | All Member Server Instances | WN22-MS-000010 - Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system | Information: An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. System administrators must log on to systems using only accounts with the minimum level of authority necessary. For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group (see V-243468 in the Active Directory Domain STIG). Restricting highly privileged accounts from the local Administrators group helps mitigate the risk of privilege escalation resulting from credential theft attacks. Standard user accounts must not be members of the built-in Administrators group. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. Result: WARNING. Actual Value: 'ADMINISTRATORS: Administrator Domain Admins HIDS-AWS-INFRA-NONPROD-CSDO Admin DL-HCQIS Engineers'. Policy Value: 'MANUAL REVIEW' | AD groups have been configured and Restricted Groups are enforced via GPO to ensure that only authorized users are granted access to domain-joined systems. | Nessus expects a manual review of this configuration. | Restricted AD groups have been configured to grant access to domain-joined systems and are reviewed periodically. Access is provisioned when access requests are approved by the ADO SPOC in ServiceNow based on business requirements. | Brandon Tennessee Jun 12, 2024 |
1011283 | Medium | All Member Server Instances | WN22-AU-000010 - Windows Server 2022 audit records must be backed up to a different system or media than the system be | Information: Protection of log data includes ensuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. | Protection of log data includes ensuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration. | The required settings have already been configured. Nessus expects a manual review of the configuration. | No mitigation is necessary, as the log rotation values have already been configured. Log data and Windows events are offloaded to Splunk across the organization. | Brandon Tennessee Jun 12, 2024 |
1011284 | Medium | All Member Server Instances | WN22-AU-000020 - Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly | Steps to Remediate Configure the system to, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. Information: Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. | Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration. | The required settings have already been configured. Nessus expects a manual review of the configuration. | No mitigation is necessary, as the log rotation values have already been configured. Log data and Windows events are offloaded to Splunk across the organization. | Brandon Tennessee Jun 12, 2024 |
1011016 | Medium | All Member Server Instances | WN22-00-000110 - Windows Server 2022 must use an antivirus program. | Information Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. Solution If no antivirus software is in use, install Microsoft Defender or third-party antivirus. Open 'PowerShell'. Enter 'Install-WindowsFeature -Name Windows-Defender'. For third-party antivirus, install per antivirus instructions and disable Windows Defender. Open 'PowerShell'. Enter 'Uninstall-WindowsFeature -Name Windows-Defender'. | No changes necessary. | Nessus expects a manual review of this check. The required settings have already been configured. | No mitigation is necessary, as we use Trend Micro and CrowdStrike for anti-malware and anti-spyware protection. | Brandon Tennessee Jun 12, 2024 |
1011212 | Medium | All Member Server Instances | WN22-SO-000120 - Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Information Unattended systems are susceptible to unauthorized use and must be locked when unattended. The screen saver must be set at a maximum of 15 minutes and be password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer. Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 Solution Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive logon: Machine inactivity limit to '900' seconds or less, excluding '0' which is effectively disabled. | Our current Windows 2019 GPO is deliberately set not to enforce an inactivity limit of the kind this finding describes; the related setting in use is 'Set time limit for active but idle Remote Desktop Services sessions'. | If this setting were enabled, it may interrupt users' workflow and productivity. | No mitigation is necessary. Individual instances are managed by the responsible instance owner, and user rights that carry a security requirement for the organization are governed by the group policies already in place. | Brandon Tennessee Jun 12, 2024 |
1011029 | Medium | All Member Server Instances | WN22-00-000240 - Windows Server 2022 must have software certificate installation files removed. | Information Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. Solution Remove any certificate installation files (*.p12 and *.pfx) found on a system. Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. | No changes necessary. | There is no configuration change; the Nessus scan expects a manual review of the configuration. | No mitigation is necessary, as this is a manual review and we do not install any software-based certificates when building the Gold AMI. | Brandon Tennessee Jun 12, 2024 |
1011009 | Medium | All Member Server Instances | WN22-00-000040 - Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Information Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. Members of the Backup Operators group must have separate logon accounts for performing backup duties. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. Solution Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions. | No changes necessary. | The required settings have already been configured; Nessus expects a manual review of the configuration. | No mitigation is necessary, as this is a manual review. GPOs are configured to allow approved users access to the server using a standard account. Individual instances are managed by the responsible instance owner, and user rights that carry a security requirement for the organization are governed by the group policies already in place. | Brandon Tennessee Jun 12, 2024 |
1011011 | Medium | All Member Server Instances | WN22-00-000070 - Windows Server 2022 shared user accounts must not be permitted. | Information Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. Solution Remove unapproved shared accounts from the system. Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. | No changes necessary. | The required settings have already been configured; Nessus expects a manual review of the configuration. | No mitigation is necessary, as we do not create accounts or grant access with the intention of accounts being shared. | Brandon Tennessee Jun 12, 2024 |
1011012 | Medium | All Member Server Instances | WN22-00-000080 - Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Information Using an allowlist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allowlisting. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. Solution Configure an application allowlisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Configuration of allowlisting applications will vary by the program. AppLocker is an allowlisting application built in to Windows Server. If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. Implementation guidance for AppLocker is available at the following link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide | No changes necessary. | In our organization, software is not authorized via GPO; we use the Software Approval process (TDB, SIAs, etc.), as it can be problematic in a developer community to formulate a hard list that is universally applied. | No mitigation is necessary, as we do not authorize software through GPO settings. | Brandon Tennessee Jun 12, 2024 |
1011034 | Medium | All Member Server Instances | WN22-00-000300 - Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. | Information If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. Solution Configure temporary user accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under 'Account' properties. Local accounts can be configured to expire with the command 'Net user [username] /expires:[mm/dd/yyyy]', where [username] is the name of the temporary user account. Delete any temporary user accounts that are no longer necessary. | No changes necessary. | There is no configuration change; the Nessus scan expects a manual review of the configuration. | We do not employ temporary accounts in the organization. | Brandon Tennessee Jun 12, 2024 |
1011046 | Medium | All Member Server Instances | WN22-00-000450 - Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights. | Information Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there is a potential they may still have rights no longer intended. Valid domain accounts or groups may also show up as unresolved SIDs if a connection to the domain cannot be established. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. Solution Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy. | The description indicates a manual review on each individual server rather than a GPO setting. | The Nessus scan indicates a manual review. | No mitigation is necessary, as this is a manual review. The organization has automated account management in place via AD Manage Engine, following guidance from the ARS and CMS security, to ensure old accounts are removed from the directory service. Individual instances are managed by the responsible instance owner, and user rights that carry a security requirement for the organization are governed by the group policies already in place. | Brandon Tennessee Jun 12, 2024 |
1011274 | Medium | All Member Server Instances | WN22-00-000180 - Windows Server 2022 nonadministrative accounts or groups must only have print permissions on printer shares. | Information Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration can permit access to devices and data beyond a user's need. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Solution Configure the permissions on shared printers to restrict standard users to only have Print permissions. | The description indicates a manual review. Ours is a 100% virtual environment, so printer shares are irrelevant. | This is a manual review process. Shared printers are not implemented in the environment, and the environment is regularly scanned as part of compliance. | No mitigation is required, as we do not have shared printers. | Brandon Tennessee Jun 12, 2024 |
1011280 | Medium | All Member Server Instances | WN22-00-000310 - Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Information Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account must be established for privileged users who need long-term maintenance accounts. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance. Solution Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under 'Account' properties. Local accounts can be configured to expire with the command 'Net user [username] /expires:[mm/dd/yyyy]', where [username] is the name of the temporary user account. | No changes necessary. | Nessus has not performed this check. We do not create temporary accounts in the organization. | No mitigation is necessary, as we do not employ temporary accounts in the organization. | Brandon Tennessee Jun 12, 2024 |
1011030 | Medium | All Member Server Instances | WN22-00-000270 - Windows Server 2022 must have the roles and features required by the system documented. | Information Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (previously called Server Core) further reduces this when selected at installation. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. Steps to Remediate Document the roles and features required for the system to operate. Uninstall any that are not required. | The description indicates a manual review on each individual server rather than a GPO setting. | This is a manual review process. The environment is regularly scanned; known features and roles that have a security interest are maintained as needed by the responsible system owner, and unnecessary roles are removed (for example, Telnet) as part of compliance. Other applications in the environment are controlled by the TDB approval process and documented in Confluence as necessary. | None at this time. | Brandon Tennessee Jun 12, 2024 |
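The 1011148 / WN22-CC-000530 row above records that the GPO setting writes transcripts to a local directory with no rotation, so system drive consumption becomes a concern. The following PowerShell script is an added example, not part of the original page or the organization's tooling: it reads the policy values that 'Turn on PowerShell Transcription' delivers to the registry, reports the finding state, and, when transcripts are written to a local path, prunes files older than a retention window. The 30-day retention is an assumption for illustration; run it from a scheduled task to supply the rotation that the GPO setting itself does not provide.

```powershell
# Added example, not from the original page: report the GPO-delivered PowerShell
# Transcription settings for WN22-CC-000530 and, when transcripts are written to a
# local directory, prune files older than a retention window. The 30-day retention
# is an assumption for illustration.

param([int]$RetentionDays = 30)   # assumed retention window

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'

function Get-TranscriptionPolicy {
    # Returns the policy values written by 'Turn on PowerShell Transcription',
    # or $null when the policy key is absent (setting Not Configured).
    if (-not (Test-Path $policyKey)) { return $null }
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        Enabled          = [bool]$p.EnableTranscripting
        InvocationHeader = [bool]$p.EnableInvocationHeader
        OutputDirectory  = [string]$p.OutputDirectory
    }
}

function Remove-AgedTranscripts {
    param([string]$Directory, [int]$Days)
    # Transcripts land in one yyyyMMdd subfolder per day under OutputDirectory as
    # PowerShell_transcript.<host>.<id>.<timestamp>.txt; remove the aged files and
    # then any dated folders left empty.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Directory -Recurse -File -Filter 'PowerShell_transcript.*.txt' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Remove-Item -Force
    Get-ChildItem -Path $Directory -Directory -ErrorAction SilentlyContinue |
        Where-Object { -not (Get-ChildItem -LiteralPath $_.FullName -Recurse -File) } |
        Remove-Item -Force -Recurse
}

$policy = Get-TranscriptionPolicy
if (-not $policy -or -not $policy.Enabled) {
    Write-Output 'WN22-CC-000530: PowerShell Transcription is NOT enabled (finding is open).'
    return
}
if (-not $policy.OutputDirectory) {
    # With no OutputDirectory, each user's transcripts go to that user's Documents
    # folder, which is neither central nor protected from the user.
    Write-Warning 'WN22-CC-000530: Transcription is enabled but OutputDirectory is unset.'
    return
}

Write-Output "WN22-CC-000530: Transcription enabled; OutputDirectory = $($policy.OutputDirectory)"
if ($policy.OutputDirectory -notmatch '^\\\\') {
    # Local path: the STIG wants a central or otherwise protected location, and
    # local files need the rotation that the GPO does not provide.
    Write-Warning "Transcripts are stored locally; pruning files older than $RetentionDays days."
    Remove-AgedTranscripts -Directory $policy.OutputDirectory -Days $RetentionDays
}
```

A UNC OutputDirectory (the central log server the STIG asks for) is reported but left alone, since retention there belongs to the log server. Pruning by LastWriteTime rather than by folder name keeps a transcript that is still being appended to on the day boundary.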
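The 1011180 / WN22-MS-000010 row above shows the Nessus output for the local Administrators group and leaves the comparison against the Restricted Groups membership as a manual review. The following PowerShell script is an added example, not part of the original page or the organization's tooling: it enumerates the local Administrators group and reports members that are not on an approved list, as well as approved principals that are missing. The approved names are placeholders (assumptions); substitute the membership the Restricted Groups GPO enforces. ADSI is used rather than Get-LocalGroupMember because the latter fails outright when the group contains a member whose SID no longer resolves.

```powershell
# Added example, not from the original page: compare the local Administrators group
# against an approved membership list for WN22-MS-000010. The approved names are
# assumptions for illustration; substitute the Restricted Groups membership the GPO
# enforces.

$approved = @(
    "$env:COMPUTERNAME\Administrator",   # assumed: built-in local Administrator
    'CONTOSO\Domain Admins'              # assumed: placeholder domain group
)

function Get-LocalAdministratorsMembers {
    # Enumerates the local Administrators group via ADSI, resolving each member's SID
    # to DOMAIN\Name and flagging members that cannot be resolved instead of failing.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($member in $group.psbase.Invoke('Members')) {
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name = "<unresolved $($sid.Value)>"   # orphaned member; see WN22-00-000450
        }
        [pscustomobject]@{ Name = $name; Sid = $sid.Value }
    }
}

$members    = @(Get-LocalAdministratorsMembers)
$unexpected = @($members | Where-Object { $approved -notcontains $_.Name })
$missing    = @($approved | Where-Object { $members.Name -notcontains $_ })

if ($unexpected.Count -gt 0) {
    Write-Output 'WN22-MS-000010: members NOT on the approved list (review or remove):'
    $unexpected | Format-Table -AutoSize
}
if ($missing.Count -gt 0) {
    Write-Output 'WN22-MS-000010: approved principals missing from Administrators:'
    $missing
}
if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) {
    Write-Output 'WN22-MS-000010: Administrators membership matches the approved list.'
}
```

Because the comparison is by resolved DOMAIN\Name, a domain that is unreachable at scan time shows up as an unresolved SID rather than a false match; rerun with domain connectivity before treating such an entry as orphaned.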
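The 1011046 / WN22-00-000450 row above notes that orphaned SIDs in User Rights Assignments are a per-server manual review. The following PowerShell script is an added example, not part of the original page or the organization's tooling: it exports the local security policy with secedit, parses the [Privilege Rights] section, and lists every privilege that references a SID which no longer resolves to an account or group. Run it elevated. The scratch file path is an assumption for illustration.

```powershell
# Added example, not from the original page: list User Rights Assignments that
# reference SIDs which no longer resolve to an account or group (WN22-00-000450).
# Run elevated. The export path is an assumption for illustration.

$exportPath = Join-Path $env:TEMP 'secpol-user-rights.inf'   # assumed scratch path

# secedit writes the [Privilege Rights] section as lines of the form
#   SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
# with each principal as *SID.
$null = secedit.exe /export /cfg $exportPath /areas USER_RIGHTS /quiet
if (-not (Test-Path $exportPath)) { throw 'secedit export failed' }

function Resolve-Sid {
    param([string]$Sid)
    # Returns the NTAccount name, or $null when the SID is unresolvable (orphaned, or
    # the domain is unreachable, which the STIG text says must be ruled out first).
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $null
    }
}

$inSection = $false
$orphans = foreach ($line in Get-Content -LiteralPath $exportPath) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $privilege = $Matches[1]
    foreach ($entry in ($Matches[2] -split ',')) {
        $entry = $entry.Trim()
        if ($entry -notmatch '^\*(S-1-[\d-]+)$') { continue }   # already a resolved name
        $sid = $Matches[1]
        if (-not (Resolve-Sid $sid)) {
            [pscustomobject]@{ Privilege = $privilege; UnresolvedSid = $sid }
        }
    }
}

Remove-Item -LiteralPath $exportPath -Force -ErrorAction SilentlyContinue

if ($orphans) {
    Write-Output 'WN22-00-000450: unresolved SIDs found in User Rights Assignments:'
    $orphans | Format-Table -AutoSize
} else {
    Write-Output 'WN22-00-000450: no unresolved SIDs in User Rights Assignments.'
}
```

Remediation, per the STIG text in the row, is to remove the account or group from the group policy that grants the right, not to edit the local policy on the server, since the next GPO refresh would reapply it.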
Revisions
Date | Version | Change Description |
---|---|---|
| 1.0 | Initial Release |