VCU Desktop Operating System Configuration Checklist: Windows XP Professional
The configuration checklist is for hardening the operating system and is based on the Center for Internet Security (CIS) comprehensive benchmark checklists. The VCU Security Team has distilled the CIS lists down to the most critical steps for your systems with a focus on the configuration issues specific to the computing environment at VCU.
How to Use the Checklist
Print the checklist and check off each item as you complete it to ensure that you cover the critical steps for securing your system. The checklist has numerical references to the Summary Checklist contained in the Center for Internet Security Windows XP Benchmark Version 2.01. That document defines several Security Levels on Page 10; use these definitions to identify which level classifies your system.
If you need to make an exception to any of the steps, fill in the Exceptions box provided at the bottom of the checklist. Depending on the criticality of the system and of the step, you will need approval from the Chief Information Officer. See the VCU Note items for the steps that are critical and cannot be altered without approval.
Explanation of the Checklist
Step - The step number in the procedure. If there is a VCU Note for this step, the note number corresponds to the step number.
Check (√) - The installer checks this off when he or she completes the step.
To Do - Basic instructions on what to do to harden the respective system.
CIS - Reference number in the Center for Internet Security Windows XP Benchmark Version 2.01. The CIS document outlines in much greater detail how to complete each step.
VCU Note - The VCU Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category I Data, required steps are denoted with the ! symbol. All steps are required.
Cat II/III - For systems that include Category II or III Data, all steps are recommended, and some are required (denoted by the !).
| Field | Value |
| --- | --- |
| MAC Address | |
| IP Address | |
| Machine Name | |
| Asset Tag | |
| System Owner Name | |
| Department | |
| Location of Computer | |
| Support Technician Name | |
| Date | |
| Step | √ | To Do | CIS | VCU Note | Cat I | Cat II/III |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | | If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | | § | ! | |
| 2 | | When the operating system has been installed with patches and security settings configured, or when the operating system is being checked, use the CIS Next Generation Scoring Tool to assess the system's security state. | | § | | |
| 3 | | Install the latest service packs and hotfixes from Microsoft. | 1.1.1 | § | ! | ! |
| 4 | | Install security updates and enable automatic notification of patch availability, or use a desktop management system that is configured to deliver patch updates. | 1.2.1 | § | ! | ! |
| 5 | | Configure Audit policy as described. | 2.2.1 | § | ! | |
| 6 | | Set minimum password length. | 2.2.2.3 | | ! | |
| 7 | | Enable Password Complexity. | 2.2.2.4 | | ! | |
| 8 | | Sensitive systems must change passwords after a predetermined period of time defined by the System Owner. | | § | ! | ! |
| 9 | | Password history files must be maintained. | | § | ! | |
| 10 | | Group accounts and shared passwords are not allowed. | | § | ! | ! |
| 11 | | Configure Event Log settings. | 2.2.4 | | ! | |
| 12 | | Disable anonymous SID/Name translation. | 3.1.1 | | ! | |
| 13 | | Do not allow Anonymous Enumeration of SAM Accounts. | 3.1.2 | | ! | |
| 14 | | Do not allow Anonymous Enumeration of SAM Accounts and Shares. | 3.1.3 | | ! | |
| 15 | | Disable the Guest account. | 3.2.1.2 | | ! | |
| 16 | | Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always). | 3.2.1.20 | | ! | |
| 17 | | Domain Member: Digitally Encrypt Secure Channel Data (When Possible). | 3.2.1.21 | | ! | |
| 18 | | Domain Member: Digitally Sign Secure Channel Data (When Possible). | 3.2.1.22 | | ! | |
| 19 | | Interactive Logon: Do Not Display Last User Name. | 3.2.1.26 | | ! | |
| 20 | | Microsoft Network Client: Digitally sign communications (if server agrees). | 3.2.1.35 | | ! | ! |
| 21 | | Do not allow storage of credentials or .NET Passports for network authentication. | 3.2.1.41 | | ! | |
| 22 | | Network Access: Let Everyone permissions apply to anonymous users. | 3.2.1.42 | | ! | ! |
| 23 | | Network Access: Remotely accessible registry paths. | 3.2.1.44 | | ! | |
| 24 | | Network Access: Shares that can be accessed anonymously. | 3.2.1.45 | | ! | |
| 25 | | Choose "Classic" as the sharing and security model for local accounts. | 3.2.1.46 | | ! | |
| 26 | | Do not store LM password hash value on next password change. | 3.2.1.47 | | ! | |
| 27 | | LAN Manager Authentication Level. | 3.2.1.49 | | ! | ! |
| 28 | | Minimum session security for NTLM SSP based (including secure RPC) clients. | 3.2.1.51 | | ! | |
| 29 | | Disable or uninstall unused services. | 4.1 | § | ! | |
| 30 | | Disable or delete unused users. | | | ! | ! |
| 31 | | Configure User Rights to be as secure as possible. | 4.2 | § | ! | ! |
| 32 | | Ensure all volumes are using the NTFS file system. | 4.3.1 | § | ! | ! |
| 33 | | Enable the Windows Personal Firewall or a University-approved third-party host-based firewall. | 4.3.3 | § | ! | ! |
| 34 | | Configure file system permissions. | 4.4.1 | § | ! | |
| 35 | | Firewall Settings. | 5.2 | § | ! | ! |
| 36 | | Turn on | 5.3.1.1 | § | ! | ! |
| 37 | | Install and enable anti-virus software. | | § | ! | ! |
| 38 | | Install and enable anti-spyware software. | | § | ! | ! |
| 39 | | Anti-virus software should be configured to update daily at a minimum. | | § | ! | ! |
| 40 | | Configure anti-spyware software to update daily. | | | | |
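The local security policy items in steps 5 through 28 are the settings that a security template applies and audits through secedit. The template below is an added, constructed example (not a CIS or VCU file); its file names and every numeric value (password length, age and history, audit categories, LAN Manager and NTLM levels) are assumptions to be replaced with the values from the CIS benchmark section cited beside each step, and step 23 is omitted because its path list comes from the benchmark.

```ini
; vcu-xp-hardening.inf: constructed example, not a CIS or VCU template
; Apply: secedit /configure /db vcu-xp.sdb /cfg vcu-xp-hardening.inf /log vcu-xp.log
; Audit: secedit /analyze /db vcu-xp.sdb /cfg vcu-xp-hardening.inf /log vcu-xp.log
[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Steps 6, 7, 9: minimum length, complexity, history (numbers assumed)
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
; Step 8: maximum password age in days, as defined by the System Owner (assumed)
MaximumPasswordAge = 90
; Step 12: anonymous SID/Name translation off
LSAAnonymousNameLookup = 0
; Step 15: Guest account disabled
EnableGuestAccount = 0

[Event Audit]
; Step 5: 0=none, 1=success, 2=failure, 3=success and failure (categories assumed)
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3

[Registry Values]
; Format is path=type,value with type 4 = REG_DWORD and 7 = REG_MULTI_SZ
; Steps 13, 14: no anonymous enumeration of SAM accounts / SAM accounts and shares
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
; Steps 16, 17, 18: secure channel always signed or encrypted, plus when possible
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
; Step 19: last user name hidden at logon
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
; Step 20: SMB client signs when the server agrees
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
; Step 21: no stored credentials or .NET Passports; step 22: anonymous users not in Everyone
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
; Step 24: empty anonymous share list; step 25: Classic model; step 26: no LM hash
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
; Steps 27, 28: NTLMv2 responses only (level 3); NTLMv2 session security + 128-bit (assumed)
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
```

The /analyze run writes mismatches between the template and the live system to the log, which gives the installer a record to keep with the completed checklist.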