12 Replies Latest reply on Feb 19, 2016 2:16 PM by Bill Robinson

    Parts missing in the CIS compliance template of Windows 2008

    Elizabeth T

      Hi team,

      The “Administrative Templates” parts are missing in the BBSA CIS compliance template for Windows 2008. Can these be configured separately, and how do we do that?

      Please let us know on this.

      Regards,

      Elizabeth.T

        • 1. Re: Parts missing in the CIS compliance template of Windows 2008
          Niranjay Bharati

          What is the rule number? Which BSA version are you on?

          • 2. Re: Parts missing in the CIS compliance template of Windows 2008
            Elizabeth T

            Hello Niranjay,

            Bladelogic / Version / Patch: 8.6.

            There is no rule number; I want to configure new rules in the CIS compliance template and I cannot do that.

            Please advise me on this.



            Regards,

            Elizabeth.T

            • 3. Re: Parts missing in the CIS compliance template of Windows 2008
              Chetan Gupta

              You can create the rules manually. In the component template:

              1) Go to the Parts, add the registry key to validate (you can find the complete path from the CIS benchmark document) by browsing any Windows 2008 box or from GPO

              2) Save the CT

              3) Go to the Compliance tab and create a rule by selecting the parts you added (you can find them under "Configuration Objects")

              • 4. Re: Parts missing in the CIS compliance template of Windows 2008
                Niranjay Bharati

                I would not suggest working with the OOTB compliance content templates to add new rules. If you want to do that then you have to manage the entire template with the rules you want to add. Create a separate component template and add new rules as you want.

                • 5. Re: Parts missing in the CIS compliance template of Windows 2008
                  Elizabeth T

                  Hello Niranjay,

                  Thanks for the update. But here we need PARTS to be configured with a Windows LOCAL POLICY object like Administrative Template\Windows Components\AutoPlay Policy\Turn off AutoPlay

                  Please suggest on this.

                  Regards,

                  Elizabeth.T

                  • 6. Re: Parts missing in the CIS compliance template of Windows 2008
                    Niranjay Bharati

                    Hi, if you can see the policy in the server's live browse "security settings" server object then try using it inside the component template. If it's not listed there then you might have to use an extended object.

                    • 7. Re: Parts missing in the CIS compliance template of Windows 2008
                      Bill Robinson

                      Are those part of the CIS checklist? If so, what section?

                      • 8. Re: Parts missing in the CIS compliance template of Windows 2008
                        Elizabeth T

                        Hello Team,

                        Below are the Administrative Templates settings which we need to configure in the CIS 2003 template. Please provide us the steps to update the parameters below in the CIS template using an Extended Object.

                        Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt client for password upon connection

                        Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level

                        Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection - (For Windows 2008/2012 Settings)
                        Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection\Do not allow drive redirection - (For Windows 2003 Settings)

                        Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved  - (For Windows 2008/2012 Settings)
                        Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client\Do not allow passwords to be saved  - (For Windows 2003 Settings)

                        Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP

                        Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders

                        Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards

                        Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP

                        Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates

                        Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program

                        Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching

                        Computer Configuration\Administrative Templates\System\Logon\Do not process the legacy run list

                        Computer Configuration\Administrative Templates\System\Logon\Do not process the run once list

                        Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing
                        Computer Configuration\Administrative Templates\System\Group Policy\Configure registry policy processing (For Windows 2012 settings)

                        Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay - (For Windows 2008/2012 Settings)
                        Computer Configuration\Administrative Templates\System\Turn off Autoplay - (For Windows 2003 Settings)

                        Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation

                        Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Require trusted path for credential entry

                        Computer Configuration\Administrative Templates\Windows Components\NetMeeting\Disable remote Desktop Sharing

                        Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Specify the maximum log file size (KB)

                        Computer Configuration\Administrative Templates\Windows Components\App runtime\Allow Microsoft accounts to be optional

                        Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance

                        Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance

                        Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients

                        Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication

                        • 9. Re: Parts missing in the CIS compliance template of Windows 2008
                          Bill Robinson

                          Which version of the content is this from? And is this for 2003 or 2008?

                          • 10. Re: Parts missing in the CIS compliance template of Windows 2008
                            Elizabeth T

                            Hi Bill,

                            This is from BBSA 8.6 SP1 and it is for Windows 2003.

                            Please help us on this.

                            • 11. Re: Parts missing in the CIS compliance template of Windows 2008
                              Elizabeth T

                              This issue is for both versions, 2003 and 2008. A few parameters are not available in the 2003 template while a few are missing in 2008.

                              For example:

                              Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service

                              This parameter is missing from both versions.

                              Also, the parameters listed above for Administrative Templates are missing from the 2003 version of the CIS template.

                              For example:

                              Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP

                              Can you please guide us on how to use this with the help of extended objects?

                              • 12. Re: Parts missing in the CIS compliance template of Windows 2008
                                Bill Robinson

                                If the parameter is missing in the template and it’s specifically called out in the CIS document, that would seem to be a defect in the template. Have you opened a support ticket about this?

                                If you don’t see these nodes under live browse you’ll need to create an extended object to dump this info, which means figuring out the command line tool to dump the info and format it.
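
The "dump the info and format it" step from the last reply, as an added example that is not part of the thread and not BMC-supplied code: a shell function that turns `reg query` output into `name=value` lines and reports expected values that are absent, which is how a Not Configured Administrative Templates policy shows up. Assumptions: the extended object's script can call `reg.exe` and pipe it through `awk`; the key path and value names in the constructed sample are the commonly documented registry backing for the Remote Desktop settings listed in reply 8 and should be confirmed against the CIS benchmark document.

```shell
#!/bin/sh
# Added example. Normalises `reg query` output into name=value lines that a
# compliance rule can compare as plain strings.
# On a target (assumption: reg.exe is callable from the script):
#   reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" \
#     | format_reg_query fPromptForPassword MinEncryptionLevel fDisableCdm

format_reg_query() {
    # Arguments: value names the rules expect to find under the queried key.
    # A name missing from the dump is reported explicitly, so "Not Configured"
    # is a visible result rather than a silently absent line.
    tr -d '\r' | awk -v want="$*" '
        /^!/ || /^[ \t]*$/ || /^HKEY_/ { next }   # banner, blank lines, key path
        {
            sub(/^[ \t]+/, "")                    # drop the leading indent
            # Columns are separated by a tab (older reg.exe) or runs of spaces.
            n = split($0, f, /[ \t][ \t]+|\t/)
            if (n < 2 || f[2] !~ /^REG_/) next    # not a "name type data" row
            data = (n >= 3) ? f[3] : ""
            for (i = 4; i <= n; i++) data = data " " f[i]
            seen[f[1]] = 1
            print f[1] "=" data
        }
        END {
            m = split(want, w, " ")
            for (i = 1; i <= m; i++)
                if (!(w[i] in seen)) print w[i] "=NOT_CONFIGURED"
        }'
}

# Constructed sample dump (not captured from a real server): CRLF line ends,
# a version banner, one tab-separated row and one space-separated row.
sample_dump() {
    printf '\r\n! REG.EXE VERSION 3.0\r\n\r\n'
    printf '%s\r\n' 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    printf '    fPromptForPassword\tREG_DWORD\t0x1\r\n'
    printf '    MinEncryptionLevel    REG_DWORD    0x3\r\n'
}

sample_dump | format_reg_query fPromptForPassword MinEncryptionLevel fDisableCdm
```

DWORD data is left in the `0x…` form that `reg query` prints, so rules written against this output should compare against that form.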