Blade ZipKit - Component Template with Remediation - Windows 2008 R2 Standard Configuration Example

Version 5
    Blade ZipKit Package Info
    Name: Component Template with Remediation - Windows 2008 R2 Standard Configuration Example
    Type:Component Template (version Neutral)
    BSA Compatible Version: 8.3, 8.5, 8.6, 8.7
    Version: 1.1
    More Info:https://docs.bmc.com/docs/display/public/bsa85/Working+with+components+and+component+templates

    Created by: Akbar Aziz

    Tested on version: 8.3.03.82, 8.5.00.416, 8.6.00.215, 8.7.00.239
    Tested against host running on: Windows 2008 R2

     

    This Component Template performs the following actions:

    • Creates a Component Template called Windows 2008 R2 Standard Configuration
    • Imports multiple depot objects for auto-remediation
    • Checks if the Guest Account is disabled (auto-remediation enabled)
    • Checks if the Administrator Account has been renamed
    • Checks the RSCD agent version installed is 8.6.00.215 (auto-remediation enabled). For 8.3, it will check for version 8.3.03.82
    • Checks the BladeLogic Agent service is set to start automatically and running (auto-remediation enabled)
    • Checks the VMware Tools version installed is 9.0.10.29005 (auto-remediation enabled)
    • Checks the NotePad++ version installed is 6.7 (auto-remediation enabled)
    • Checks if Do not require CTRL+ALT+DEL security policy is disabled for Interactive Logon (auto-remediation enabled)
    • Checks if Do not display last user name security policy is enabled for Interactive Logon (auto-remediation enabled)
    • Checks if Message title for users attempting to log on security policy is enabled for Interactive Logon (auto-remediation enabled)
    • Checks if Message text for users attempting to log on security policy is enabled for Interactive Logon (auto-remediation enabled)
    • Checks if Minimum Password length security policy is set to 8 (auto-remediation enabled)
    • Checks if Remote Desktop is enabled (auto-remediation enabled)
    • Checks if Internet Explorer Enhanced Security Configuration is disabled for the Administrator user (auto-remediation enabled)


    Instructions for importing the package:

    1. Download the attached zip file
    2. From the BSA Console, select Component Templates , right-click and select Import (version-neutral)
    3. Browse to the location of the download file
    4. Check the box for "Automatically map or create export group"
    5. Click Next twice
    6. Select a location where to place this new package in BSA (default will keep structure of the package as it was exported)
    7. Click Finish

     

    Once the import has completed, browse to the location of the package in Component Templates to confirm the configuration and settings.

     

    There are Auto-Remediation tasks enabled so please un-check if not needed.


    Here is an example screen-shot from BMC Server Automation:

    2014-04-02_23-56-43.png


    Example results from the initial compliance job run:

    2014-04-02_23-58-31.png


    Emailed results from first run:

    Compliance Job Notification

     

    Job id: 3394

    Name: Compliance Windows 2008 R2 Standard Configuration

    Description:

    Job Group id: 2000419

    Job Run id: 6619

    Passed Checks: 3

    Failed Checks: 9

    Passed Servers: 0

    Failed Servers: 1

    Start Time: Wed Apr 02 18:31:03 CDT 2014

    End Time: Wed Apr 02 18:32:21 CDT 2014

     

    *************************   Compliance Results   ***************************

     

    Template: Windows 2008 R2 Standard Configuration

    Server: WIN2008-64

    Component: Windows 2008 R2 Standard Configuration (WIN2008-64)

    Rule: NotePad++ Version Installed is 6.5.5

    Rule Definition: "Windows Application:Notepad++" exists  AND

    "Windows Application:Notepad++"."Version (Windows)" equals "6.5.5"

    Result: Fail

    Documented Exception:

    Compliant: N

     

    Template: Windows 2008 R2 Standard Configuration

    Server: WIN2008-64

    Component: Windows 2008 R2 Standard Configuration (WIN2008-64)

    Rule: Windows Update Service is Running and set to Auto Start

    Rule Definition: "Windows Service:Windows Update"."State (Windows)" equals "RUNNING"  AND

    "Windows Service:Windows Update"."Start Type (Windows)" equals "AUTO_START"

    Result: Fail

    Documented Exception:

    Compliant: N

     

    Template: Windows 2008 R2 Standard Configuration

    Server: WIN2008-64

    Component: Windows 2008 R2 Standard Configuration (WIN2008-64)

    Rule: Administrator Account is Renamed

    Rule Definition: "Windows User:Administrator".Name does not equal "Administrator"

    Result: Fail

    Documented Exception:

    Compliant: N

     

    Template: Windows 2008 R2 Standard Configuration

    Server: WIN2008-64

    Component: Windows 2008 R2 Standard Configuration (WIN2008-64)

    Rule: Set Mininum Password Length to 8 characters

    Rule Definition: "Security Setting:Security Settings\Account Policies\Password Policy\Minimum password length"."Local setting as String Value (Windows)" equals "8"

    Result: Fail

    Documented Exception:

    Compliant: N

     

    Template: Windows 2008 R2 Standard Configuration

    Server: WIN2008-64

    Component: Windows 2008 R2 Standard Configuration (WIN2008-64)

    Rule: Enable Remote Desktop

    Rule Definition: "Registry Value:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"."String Value (Windows)" equals "0x00000000"

    Result: Fail

    Documented Exception:

    Compliant: N

     

    Template: Windows 2008 R2 Standard Configuration

    Server: WIN2008-64

    Component: Windows 2008 R2 Standard Configuration (WIN2008-64)

    Rule: Disable Internet Explorer Enhanced Security Configuration for Administrators

    Rule Definition: "Registry Value:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled"."Integer Value (Windows)" equals 0

    Result: Fail

    Documented Exception:

    Compliant: N

     

    Template: Windows 2008 R2 Standard Configuration

    Server: WIN2008-64

    Component: Windows 2008 R2 Standard Configuration (WIN2008-64)

    Rule: Enable "CTRL+ALT+DEL required to login" Security Policy

    Rule Definition: "Security Setting:Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL"."Effective setting as String Value (Windows)" equals "0"

    Result: Fail

    Documented Exception:

    Compliant: N

     

    Template: Windows 2008 R2 Standard Configuration

    Server: WIN2008-64

    Component: Windows 2008 R2 Standard Configuration (WIN2008-64)

    Rule: Enable "Do Not Display Last User Name" Security Policy

    Rule Definition: "Security Setting:Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name"."Effective setting as String Value (Windows)" equals "1"

    Result: Fail

    Documented Exception:

    Compliant: N

     

    Template: Windows 2008 R2 Standard Configuration

    Server: WIN2008-64

    Component: Windows 2008 R2 Standard Configuration (WIN2008-64)

    Rule: Enable Login Banner

    Rule Definition: "Security Setting:Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on"."Local setting as String Value (Windows)" equals "Company Name"  AND

    "Security Setting:Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on"."Local setting as String Value (Windows)" equals "By accessing and using this system you are consenting to system monitoring for law enforcement and other purposes. Unauthorized use of this computer system may subject you to criminal prosecution and penalties."

    Result: Fail

    Documented Exception:

    Compliant: N

    ***********************************************************************

     

    Second compliance job results with Auto-Remediation enabled - the only item that is not remediated was the Administrator account name:

     

    2014-04-03_00-01-19.png

     

    Email results from second run showing only 1 non-compliant item that needs manual remediation:

    Compliance Job Notification

     

    Job id: 3394

    Name: Compliance Windows 2008 R2 Standard Configuration

    Description:

    Job Group id: 2000419

    Job Run id: 6626

    Passed Checks: 11

    Failed Checks: 1

    Passed Servers: 0

    Failed Servers: 1

    Start Time: Wed Apr 02 18:33:28 CDT 2014

    End Time: Wed Apr 02 18:33:31 CDT 2014

     

    *************************   Compliance Results   ***************************

     

    Template: Windows 2008 R2 Standard Configuration

    Server: WIN2008-64

    Component: Windows 2008 R2 Standard Configuration (WIN2008-64)

    Rule: Administrator Account is Renamed

    Rule Definition: "Windows User:Administrator".Name does not equal "Administrator"

    Result: Fail

    Documented Exception:

    Compliant: N

    ***********************************************************************

     

    Community.jpg

    *Note: This is a community supported package.