CIS-Microsoft-Windows-Server-2012安全基线_微软安全基线怎么设置资源-CSDN文库

安全基线

5星 · 超过95%的资源需积分: 36 124 浏览量 2016-07-22 10:23:07 上传评论 9 收藏 116KB PDF 举报

资源推荐

资源详情

资源评论

Compliance Score : 99.12%

Summary

Rule Name Result

1.1.1 Set 'Enforce password history' to '24 or more password(s)' Pass: Rule passed : '24'.

1.1.2 Set 'Maximum password age' to 60 or fewer days, but not 0 Pass: Rule passed : '60' '60'.

1.1.3 Set 'Minimum password age' to '1 or more day(s)' Pass: Rule passed : '1'.

1.1.4 Set 'Minimum password length' to '14 or more character(s)' Pass: Rule passed : '14'.

1.1.5 Set 'Password must meet complexity requirements' to 'Enabled' Pass: Rule passed : '1'.

1.1.6 Set 'Store passwords using reversible encryption' to 'Disabled' Pass: Rule passed : '0'.

Rule Name Result

1.2.1 Set 'Account lockout duration' to '15 or more minute(s)' Pass: Rule passed : '15'.

1.2.2 Set 'Account lockout threshold' to 10 or fewer invalid logon

attempt(s), but not 0

Pass: Rule passed : '5' '5'.

1.2.3 Set 'Reset account lockout counter after' to '15 or more minute(s)' Pass: Rule passed : '15'.

Rule Name Result

2.2.1 Set 'Access Credential Manager as a trusted caller' to 'No One' Pass: Rule passed : local security policy ().

Account Policies Rules

Account Lockout Policy

User Rights Assignment

Local Policies

Local Policies Rules

This document provides prescriptive guidance for establishing a secure configuration posture for CIS Microsoft Windows Server 2012 R2 (Member Server). To obtain the

latest version of this guide, please contact support@nntws.com or visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to

improve this guide, please write us at support@nntws.com or feedback@cisecurity.org.

2 of 228 rules failed

226 of 228 rules passed

0 of 228 rules partially passed

Account Policies

Account Policies Rules

Password Policy

Page 1

2.2.2 Set 'Access this computer from the network'

Pass: Rule passed : local security policy (2 items: NT AUTHORITY\AUTHENTICATED USERS,

BUILTIN\ADMINISTRATORS).

2.2.3 Set 'Act as part of the operating system' to 'No One' Pass: Rule passed :.

2.2.5 Set 'Adjust memory quotas for a process' to 'Administrators,

LOCAL SERVICE, NETWORK SERVICE'

Pass: Rule passed : local security policy (3 items: NT AUTHORITY\LOCAL SERVICE, NT

AUTHORITY\NETWORK SERVICE, BUILTIN\ADMINISTRATORS).

2.2.6 Set 'Allow log on locally' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.7 Configure 'Allow log on through Remote Desktop Services' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.8 Set 'Back up files and directories' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.9 Set 'Change the system time' to 'Administrators, LOCAL SERVICE'

Pass: Rule passed : local security policy (2 items: NT AUTHORITY\LOCAL SERVICE,

BUILTIN\ADMINISTRATORS).

2.2.10 Set 'Change the time zone' to 'Administrators, LOCAL SERVICE'

Pass: Rule passed : local security policy (2 items: NT AUTHORITY\LOCAL SERVICE,

BUILTIN\ADMINISTRATORS).

2.2.11 Set 'Create a pagefile' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.12 Set 'Create a token object' to 'No One' Pass: Rule passed : local security policy ().

2.2.13 Set 'Create global objects' to 'Administrators, LOCAL SERVICE,

NETWORK SERVICE, SERVICE'

Pass: Rule passed : local security policy (4 items: NT AUTHORITY\LOCAL SERVICE, NT

AUTHORITY\NETWORK SERVICE, BUILTIN\ADMINISTRATORS, NT

AUTHORITY\SERVICE).

2.2.14 Set 'Create permanent shared objects' to 'No One' Pass: Rule passed : local security policy ().

2.2.15 Set 'Create symbolic links' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.16 Set 'Debug programs' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.17 Set 'Deny access to this computer from the network' Pass: Rule passed : local security policy (BUILTIN\GUESTS).

2.2.18 Set 'Deny log on as a batch job' to include 'Guests' Pass: Rule passed : local security policy (BUILTIN\GUESTS).

2.2.19 Set 'Deny log on as a service' to include 'Guests' Pass: Rule passed : local security policy (BUILTIN\GUESTS).

2.2.20 Set 'Deny log on locally' to include 'Guests' Pass: Rule passed : local security policy (BUILTIN\GUESTS).

2.2.21 Set 'Deny log on through Remote Desktop Services' to include

'Guests, Local account'

Pass: Rule passed : local security policy (2 items: NT AUTHORITY\LOCAL ACCOUNT,

BUILTIN\GUESTS).

2.2.22 Set 'Enable computer and user accounts to be trusted for

delegation'

Pass: Rule passed : local security policy ().

2.2.23 Set 'Force shutdown from a remote system' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.24 Set 'Generate security audits' to 'LOCAL SERVICE, NETWORK

SERVICE'

Pass: Rule passed : local security policy (2 items: NT AUTHORITY\LOCAL SERVICE, NT

AUTHORITY\NETWORK SERVICE).

2.2.25 Set 'Impersonate a client after authentication' to 'Administrators,

LOCAL SERVICE, NETWORK SERVICE, SERVICE'

Pass: Rule passed : local security policy (4 items: NT AUTHORITY\LOCAL SERVICE, NT

AUTHORITY\NETWORK SERVICE, BUILTIN\ADMINISTRATORS, NT

AUTHORITY\SERVICE).

2.2.26 Set 'Increase scheduling priority' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.27 Set 'Load and unload device drivers' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.28 Set 'Lock pages in memory' to 'No One' Pass: Rule passed : local security policy ().

2.2.29 Set 'Manage auditing and security log' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.30 Set 'Modify an object label' to 'No One' Pass: Rule passed : local security policy ().

2.2.31 Set 'Modify firmware environment values' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.32 Set 'Perform volume maintenance tasks' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.33 Set 'Profile single process' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

Page 2

2.2.34 Set 'Profile system performance' to 'Administrators, NT

SERVICE\WdiServiceHost'

Pass: Rule passed : local security policy (2 items: BUILTIN\ADMINISTRATORS, NT

SERVICE\WDISERVICEHOST).

2.2.35 Set 'Replace a process level token' to 'LOCAL SERVICE,

NETWORK SERVICE'

Pass: Rule passed : local security policy (2 items: NT AUTHORITY\LOCAL SERVICE, NT

AUTHORITY\NETWORK SERVICE).

2.2.36 Set 'Restore files and directories' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.37 Set 'Shut down the system' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

2.2.39 Set 'Take ownership of files or other objects' to 'Administrators' Pass: Rule passed : local security policy (BUILTIN\ADMINISTRATORS).

Rule Name Result

2.3.1.1 Set 'Accounts: Block Microsoft accounts' to 'Users can't add or

log on with Microsoft accounts'

Pass: Rule passed : '3'.

2.3.1.2 Set 'Accounts: Guest account status' to 'Disabled'

Pass: Rule passed : local security policy

(0)'[{oval:org.cisecurity.benchmarks.microsoft_windows_8.1:obj:1051}]'.

2.3.1.3 Set 'Accounts: Limit local account use of blank passwords to

console logon only' to 'Enabled'

Pass: Rule passed : '1'.

2.3.1.4 Configure 'Accounts: Rename administrator account' Pass: Rule passed : local security policy ("NNTAdministrator").

2.3.1.5 Configure 'Accounts: Rename guest account' Pass: Rule passed : local security policy ("6ue$t").

Rule Name Result

2.3.2.1 Set 'Audit: Force audit policy subcategory settings (Windows

Vista or later) to override audit policy category settings' to 'Enabled'

Pass: Rule passed : '1'.

2.3.2.2 Set 'Audit: Shut down system immediately if unable to log

security audits' to 'Disabled'

Pass: Rule passed : '0'.

Rule Name Result

2.3.4.1 Set 'Devices: Allowed to format and eject removable media' to

'Administrators'

Pass: Rule passed : '0'.

2.3.4.2 Set 'Devices: Prevent users from installing printer drivers' to

'Enabled'

Pass: Rule passed : '1'.

Rule Name Result

2.3.6.1 Set 'Domain member: Digitally encrypt or sign secure channel

data (always)' to 'Enabled'

Pass: Rule passed : '1'.

2.3.6.2 Set 'Domain member: Digitally encrypt secure channel data

(when possible)' to 'Enabled'

Pass: Rule passed : '1'.

Accounts Rules

Security Options

Audit Rules

Devices Rules

Domain member Rules

Page 3

2.3.6.3 Set 'Domain member: Digitally sign secure channel data (when

possible)' to 'Enabled'

Pass: Rule passed : '1'.

2.3.6.4 Set 'Domain member: Disable machine account password

changes' to 'Disabled'

Pass: Rule passed : '0'.

2.3.6.5 Set 'Domain member: Maximum machine account password age'

to 30 or fewer days, but not 0

Pass: Rule passed : '30' '30'.

2.3.6.6 Set 'Domain member: Require strong (Windows 2000 or later)

session key' to 'Enabled'

Pass: Rule passed : '1'.

Rule Name Result

2.3.7.1 Set 'Interactive logon: Do not display last user name' to 'Enabled' Pass: Rule passed : '1'.

2.3.7.2 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to

'Disabled'

Pass: Rule passed : '0'.

2.3.7.3 Set 'Interactive logon: Machine inactivity limit' to 900 or fewer

second(s), but not 0

Pass: Rule passed : '900' '900'.

2.3.7.4 Configure 'Interactive logon: Message text for users attempting to

log on'

Fail: Configure 'Interactive logon: Message text for users attempting to log on' : .'THIS IS A

PRIVATE COMPUTER SYSTEM. It is for authorized use only.Users (authorized or

unauthorized) have no explicit or implicitexpectation of privacy.Any or all uses of this system

and all files on this system maybe intercepted, monitored, recorded, copied, audited,

inspected,and disclosed to authorized site and law enforcement personnel,as well as authorized

officials of other agencies, both domesticand foreign. By using this system, the user consents

to suchinterception, monitoring, recording, copying, auditing, inspection,and disclosure at the

discretion of authorized site personnel.Unauthorized or improper use of this system may result

inadministrative disciplinary action and civil and criminal penalties.By continuing to use this

system you indicate your awareness of andconsent to these terms and conditions of use. LOG

OFF IMMEDIATELYif you do not agree to the conditions stated in this warning.

2.3.7.5 Configure 'Interactive logon: Message title for users attempting to

log on'

Pass: Rule passed : 'NOTICE TO USERS'.

2.3.7.6 Set 'Interactive logon: Number of previous logons to cache (in

case domain controller is not available)' to '4 or fewer logon(s)'

Pass: Rule passed : '4'.

2.3.7.7 Set 'Interactive logon: Prompt user to change password before

expiration' to 'between 5 and 14 days'

Pass: Rule passed : '5' '5'.

2.3.7.8 Set 'Interactive logon: Smart card removal behavior' to 'Lock

Workstation'

Pass: Rule passed : '1'.

Interactive logon Rules

Page 4

剩余15页未读，继续阅读

评论收藏

内容反馈

陈宝强

2018-09-17

内容不错，还可以
流星影shin

2017-06-26

感谢分享。这应该是一个扫描结果，不过可以作为参考。
m0_37713701

2018-08-16

谢谢,留着备用.
liyoung2008

2018-03-26

参考了，参考了
大坚果之龙

2017-06-21

内容很不错，解决了问题

前往

页

lse19871231

粉丝: 2
资源: 5

CIS-Microsoft-Windows-Server-2012安全基线

CIS 系统基线

Windows 2012系统安全配置基线标准.docx

安全配置基线

CIS docker 安全标准

Windows安全基线加固

CIS Security加固手册Red Hat Linux 8

系统安全配置技术规范-windows（基线加固）

安全加固基线大全

等保主机安全基线合规-配置指导windows系统.pdf

CIS-基线检查-all.7z

CIS_Microsoft_SQL_Server_2012_Benchmark_v1.4.0

CIS-Microsoft-Windows-Server-2022-Benchmark-v2.0.0

CIS_Microsoft_Windows_Server_2016_RTM_Release 1607_Benchmark_v1.0.0.pdf

CIS_Microsoft_Windows_Server_2008_R2_Benchmark_v3.0.1.pdf

基于python+springboot实现的针对Windows Server 2008 R2的基线安全检测系统.zip

cis-cat漏扫工具

CIS-基线检查-sqlserver&oracle;&apache;&mongo;.zip

微软Windows Server 2012中文版

CIS-基线检查-redhat&Centos;&win;.zip

cis-benchmark-on-the-aws-cloud

Windows操作系统安全配置基线V1.1.doc

shell实现对Windows服务器的安全基线检查

server2012r2

windows server 服务器主机安全加固设置

windows基线配置脚本-可供参考学习使用

Windows基线检查模板

CISredhat linux 7 安全基线

各大主流交换机的安全基线检测脚本或命令

cis_baseline_csv:将具有所有控件和标题的CIS安全基线PDF文档转换为CSV文件

最新资源