Benchmark - Deploy Security Measures Using Group Policy

The document outlines the implementation of security measures for Windows Servers based on the CIS Microsoft Windows Server 2022 Benchmark. It details specific security policies for three types of servers, emphasizing the importance of password management, account lockout settings, and auditing for security monitoring. Additionally, it highlights the necessity of compliance audits and the integration of frameworks like NIST and CIS to enhance organizational security beyond legal requirements.

Benchmark - Deploy Security Measures Using Group Policy

By Ononay Das
Professor Timothy Montgomery
ITT-430-O500-Security Driven Systems Administration
GRAND CANYON UNIVERSITY
23 September 2024

Part 1: CIS Benchmark Settings for Windows Servers

Following the review of the CIS Microsoft Windows Server 2022 Benchmark document, I chose 10 specific security policies for each Windows Server. These settings were chosen in order to adhere to best practices and to strengthen the security posture of the servers in our lab. A description of each setting and its significance follows.

Setting | Description

Server 1 (Domain Controller)

1.1.1 Enforce password history (24 or more passwords) | Ensures users cannot reuse the same password for 24 iterations.
1.2.1 Account lockout duration (15 minutes or more) | Locks accounts for 15 minutes after failed logon attempts to prevent brute-force attacks.
17.1.1 Audit credential validation (Success and Failure) | Tracks both successful and failed logon activities for security monitoring.
2.2.1 Access credential manager as a trusted caller (No One) | Prevents unauthorized access to the credential manager, reducing credential theft risk.
9.1.1 Windows Firewall (On - Recommended) | Ensures the firewall is enabled by default, blocking unauthorized network traffic.
17.5.4 Audit Logon (Success and Failure) | Captures both successful and failed logon attempts for monitoring suspicious activity.
2.2.12 Change system time (Administrators, LOCAL SERVICE) | Restricts time changes to prevent timestamp manipulation attacks.
2.3.9.4 Microsoft Network Server: Disconnect clients when logon hours expire | Disconnects clients when logon hours expire to prevent unauthorized access.
18.4.4 Network Security: LAN Manager Authentication Level | This policy helps mitigate the risk of pass-the-hash attacks.
18.9.6 Interactive Logon: Do not require CTRL+ALT+DEL | Disabling this option requires users to press CTRL+ALT+DEL before logging in, which prevents certain types of malware from capturing login credentials.

Server 2 (Member Server)

1.1.5 Password must meet complexity requirements (Enabled) | Requires passwords to have uppercase, lowercase, numbers, and symbols for better security.
1.2.2 Account lockout threshold (5 or fewer invalid logon attempts) | Locks accounts after 5 failed logon attempts to prevent brute-force attacks.
17.2.6 Audit User Account Management (Success and Failure) | Audits changes to user accounts to monitor for unauthorized modifications.
2.2.8 Allow log on locally (Administrators) | Restricts local logon to administrators to minimize the attack surface.
18.4.3 Configure SMBv1 client driver (Disabled) | Disables the SMBv1 client to remove vulnerabilities associated with outdated protocols.
17.5.1 Audit account lockout (Failure) | Records account lockout events to identify targeted brute-force attacks.
2.3.7.3 Interactive logon: Machine inactivity limit (900 seconds or fewer) | Locks inactive sessions after 15 minutes to reduce unauthorized access.
2.3.5.3 Domain controller: LDAP server signing requirements (Require signing) | Enforces LDAP signing to prevent man-in-the-middle attacks during communication.
18.9.7 Prevent device metadata retrieval from the internet (Enabled) | Prevents device information from being exposed online, reducing exploitation risk.
18.10.7.2 Turn off Autoplay for all drives (Enabled) | Disables Autoplay to prevent automatic execution of malware from external drives.

Server 3 (File Server)

1.1.4 Minimum password length (14 or more characters) | Enforces a 14-character password minimum to strengthen password security.
17.1.3 Audit Kerberos Service Ticket Operations (Success and Failure) | Audits Kerberos service tickets to track authentication and ticket-related issues.
2.2.10 Allow log on through Remote Desktop Services (Administrators, Remote Desktop Users) | Restricts Remote Desktop access to administrators and authorized users.
18.9.25.4 Password settings: Password Complexity (Enabled) | Ensures strong passwords across the server by enforcing complexity requirements.
18.9.49.1 Turn off the advertising ID (Enabled) | Disables the advertising ID to protect privacy and reduce the attack surface.
18.9.24.1 Enumeration policy for devices incompatible with Kernel DMA protection (Enabled: Block All) | Blocks external devices that are incompatible with DMA protection.
17.3.2 Audit Process Creation (Success) | Logs all process creation events to identify unauthorized processes.
2.3.10.12 Network Access: Sharing and security model for local accounts (Classic) | Ensures local users are authenticated with their own credentials for share access.
18.9.17 NTFS Filesystem: Enable NTFS File System Enrichment (Enabled) | Adds an additional layer of security for file handling on the server.
2.2.13 Change time zone (Administrators, LOCAL SERVICE) | Restricts time zone changes to prevent time manipulation attacks.

1. Enforce Password History (8 or more passwords)

Path: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy

- Double-click Enforce password history.
- Set the value to 8.
- Click OK.

2. Account Lockout Duration

Path: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

- Double-click Account lockout duration.
- Set the value to 30 minutes.
- Click OK.

3. Audit Credential Validation (Success and Failure)

Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff

- Double-click Audit credential validation.
- Select Configure the following audit events.
- Check Success and Failure.
- Click OK.

4. Access Credential Manager as a Trusted Caller

Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

- Double-click Access credential manager as a trusted caller.
- Remove all entries so that No One is allowed to access it.
- Click OK.

5. Windows Firewall

Path: > Security Settings > Windows Firewall with Advanced Security > Domain Profile

- Double-click Windows Firewall: Protect all network connections.
- Ensure it is set to On.
- Click OK.

6. Audit Logon (Success and Failure)

Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff

- Double-click Audit logon.
- Select Configure the following audit events.
- Check Success and Failure.
- Click OK.

7. Change System Time (Administrators, LOCAL SERVICE)

Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

- Double-click Change the system time.
- Ensure only Administrators and LOCAL SERVICE are listed.
- Click OK.

8. Microsoft Network Server: Disconnect Clients When Logon Hours Expire

Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

- Double-click Microsoft Network Server: Disconnect clients when logon hours expire.
- Set to Enabled.
- Click OK.

9. Network Security: LAN Manager Authentication Level

Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

1. Double-click Network Security: LAN Manager Authentication Level.
2. Set it to Send NTLMv2 response only. Refuse LM & NTLM.
3. Click OK.

10. Interactive Logon: Do not require CTRL+ALT+DEL (Disabled)

Path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

1. Click Do not require CTRL+ALT+DEL.
2. Set it to Disabled.
3. Click OK.
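Once the policies above have been applied, an administrator needs a repeatable way to confirm that the effective settings on a server match the chosen values. The following PowerShell script is an added example, not part of the paper: it reads account policies from a secedit export, audit subcategories from auditpol, and the registry values Windows uses for the Security Options, then compares each against the values in the table. The temporary file name and the set of controls checked are assumptions; the registry paths and value names are the ones Windows uses for these policies.

```powershell
# Added example, not part of the paper: checks a server's effective settings against
# the CIS values chosen in Part 1 and prints PASS/FAIL per control. Run elevated.

# Account policies: export the local security database with secedit (UTF-16 INF)
# and parse its "Name = Value" lines.
$inf = Join-Path $env:TEMP 'secpol-check.inf'   # assumed scratch file name
secedit /export /cfg $inf /quiet | Out-Null
$pol = @{}
foreach ($line in Get-Content $inf -Encoding Unicode) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $pol[$matches[1]] = $matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Advanced audit policy: "auditpol /get ... /r" reports the effective setting as CSV.
function Get-AuditSetting([string]$Subcategory) {
    $csv = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

# Security Options and Administrative Templates are registry-backed; $null means not set.
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One entry per control: the observed value and the condition that counts as compliant.
$checks = @(
    @{ Control = '1.1.1 Enforce password history (>= 24)';       Actual = [int]$pol.PasswordHistorySize;   Pass = { $args[0] -ge 24 } }
    @{ Control = '1.1.4 Minimum password length (>= 14)';       Actual = [int]$pol.MinimumPasswordLength; Pass = { $args[0] -ge 14 } }
    @{ Control = '1.1.5 Password complexity (Enabled)';         Actual = [int]$pol.PasswordComplexity;    Pass = { $args[0] -eq 1 } }
    @{ Control = '1.2.1 Account lockout duration (>= 15 min)';  Actual = [int]$pol.LockoutDuration;       Pass = { $args[0] -ge 15 -or $args[0] -eq -1 } }
    @{ Control = '1.2.2 Account lockout threshold (1 to 5)';    Actual = [int]$pol.LockoutBadCount;       Pass = { $args[0] -ge 1 -and $args[0] -le 5 } }
    @{ Control = '17.1.1 Audit Credential Validation';          Actual = Get-AuditSetting 'Credential Validation'; Pass = { $args[0] -eq 'Success and Failure' } }
    @{ Control = '17.5.4 Audit Logon';                          Actual = Get-AuditSetting 'Logon';        Pass = { $args[0] -eq 'Success and Failure' } }
    @{ Control = 'LAN Manager auth level (NTLMv2 only, refuse LM and NTLM)'; Actual = Get-RegValue $lsa 'LmCompatibilityLevel'; Pass = { $args[0] -eq 5 } }
    @{ Control = 'Do not require CTRL+ALT+DEL (Disabled)';      Actual = Get-RegValue $sys 'DisableCAD';            Pass = { $args[0] -eq 0 } }
    @{ Control = '2.3.7.3 Machine inactivity limit (<= 900 s)'; Actual = Get-RegValue $sys 'InactivityTimeoutSecs'; Pass = { $args[0] -ge 1 -and $args[0] -le 900 } }
)

# Evaluate every check; an unset registry value is reported rather than silently passing.
$checks | ForEach-Object {
    $ok = & $_.Pass $_.Actual
    [pscustomobject]@{
        Control = $_.Control
        Actual  = $(if ($null -eq $_.Actual) { '(not set)' } else { $_.Actual })
        Result  = $(if ($ok) { 'PASS' } else { 'FAIL' })
    }
} | Format-Table -AutoSize
```

A domain-joined member server receives these values from Group Policy, so a FAIL here usually points at a GPO that has not been linked or has not yet refreshed rather than at a local misconfiguration.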

Summary

NIST and CIS serve as effective frameworks for the protection of assets by prescribing tight security measures such as protocols. These frameworks define fundamental safeguards, like passwords and controls on access to restricted data, for organisations and their employees. Implementing these best practices does not replace legal obligations, but it enriches the organisation's security.

The enforcement of sound security policies is a necessity if an organisation wants its data to be safe. Security measures such as password implementation, firewall configuration, and logging all minimise both outside and inside threats. By implementing these controls, organisations achieve a safe environment where only authorised parties get access and unlawful acts are discouraged.

Frameworks like CIS also help the organisation maintain constant compliance. Legal mandates are prescribed by law, whereas framework requirements are voluntary norms. In this way both strategies complement each other, responding to legal requirements while at the same time achieving a high level of security.

Last but not least, compliance auditing is crucial in confirming compliance. There are applications which allow the administrator to examine the logs and make sure that the policies are being complied with as required. Standard compliance checks and assessments serve as a means to ensure the constant health of the system, with particular attention to the security policies and measures, and to ensure that compliance is maintained through proper enforcement and evaluation in the long run.

CIS and NIST assist in protecting IP through the imposition of strict security measures. These frameworks set the fundamentals of specific protections like passwords and access to classified information. Implementing these best practices goes well over and above the basic legal compliance standards and greatly improves security.

Having robust security policies and procedures is essential for the defense of an organization's information. Security policies that include password management, firewall administration, and logging decrease the chances of internal and outsider security threats. Such controls help establish organizational security that restricts users from accessing specific areas and prevents unfavorable occurrences.

Others, such as CIS, also support continuing compliance. While legal requirements deal with regulatory standards, frameworks deal with standards of good practice. By integrating both management types, organizations are able to fulfil legal requirements while at the same time accomplishing high security.

Last but not least, audits have to be conducted in order to check compliance. Utilities such as Event Viewer assist the administrator in rereading the logs and guarantee that the policies are being practiced as well. Audits conducted on a regular basis help to maintain the integrity of the system in terms of its security characteristics, checking the effectiveness of the measures adopted at verification time.
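The log review described above can be scripted instead of clicked through in Event Viewer. This PowerShell script is an added example, not from the paper: it pulls the Security log events that the audit policies chosen in Part 1 generate (4625 from Audit Logon, 4740 from Audit User Account Management, 4776 from Audit Credential Validation) and summarises them. The 24-hour window and the threshold of 5 (the lockout threshold chosen for Server 2) are assumptions that can be changed with the parameters.

```powershell
# Added example, not part of the paper: reviews the Security log entries produced by
# the Part 1 audit policies as a scripted stand-in for Event Viewer. Run elevated.
param(
    [int]$Hours = 24,      # assumed lookback window
    [int]$Threshold = 5    # matches the 1.2.2 lockout threshold chosen above
)

# Flatten an event's EventData into a name -> value object so fields can be read by name
# instead of by positional index.
function Get-EventData($Event) {
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]$data
}

$since = (Get-Date).AddHours(-$Hours)
# 4625: failed logon (17.5.4 Audit Logon, Failure)
# 4740: account locked out (17.2.6 Audit User Account Management)
# 4776: NTLM credential validation (17.1.1 Audit Credential Validation)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740, 4776; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Failed logons grouped by target account and source address; repeated failures against
# one account from one source are exactly the pattern the lockout threshold is meant to stop.
"Accounts with $Threshold or more failed logons since $since"
$events | Where-Object Id -eq 4625 | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Account = $d.TargetUserName; Source = $d.IpAddress; Status = $d.Status }
} | Group-Object Account, Source | Where-Object Count -ge $Threshold |
    Select-Object @{ n = 'Account, Source'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Lockouts: which account was locked and from which machine the bad attempts came
# (for 4740 the caller computer name is carried in TargetDomainName).
"Account lockouts"
$events | Where-Object Id -eq 4740 | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
} | Format-Table -AutoSize

# Failed NTLM credential validations by status code
# (0xC000006A = wrong password, 0xC0000234 = account locked out, 0xC0000064 = unknown user).
"Failed credential validations"
$events | Where-Object Id -eq 4776 | ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.Status -ne '0x0' } |
    Group-Object Status, TargetUserName | Select-Object Name, Count | Format-Table -AutoSize
```

Event 4776 is written on the computer that validated the credential, so for domain accounts this section is only meaningful when the script runs on a domain controller.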
