Nuclear Regulatory Commission Computer Security Office
Computer Security Standard
Office Instruction: CSO-STD-1109
Office Instruction Title: Microsoft Windows Server 2008 R2 Configuration Standard
Revision Number: 1.0
Effective Date: December 1, 2013
Primary Contacts: Kathy Lyons-Burke, SITSO
Responsible Organization: CSO/PST
Summary of Changes: CSO-STD-1109, “Microsoft Windows Server 2008 R2 Configuration Standard,” provides the minimum requirements that must be applied to NRC servers running the Microsoft Windows Server® 2008 R2 operating system.
Training: As requested
ADAMS Accession No.: ML12340A419
Approvals
Primary Office Owner
Policies, Standards, and Training
Signature Date
Standards Working Group Chair
Bill Dabbs /RA/ 5/15/2013
Responsible SITSO Kathy Lyons-Burke /RA 5/15/2013
DAA for Non-major IT Investments
CSO Tom Rich /RA/ 5/16/2013
Director, OIS Jim Flanagan /RA/ 5/21/2013
CSO Standard CSO-STD-1109 Page i
TABLE OF CONTENTS
1 PURPOSE .......... 1
2 GENERAL REQUIREMENTS .......... 1
2.1 APPLICATION HARDENING .......... 2
2.2 PATCH APPLICATION .......... 3
3 SPECIFIC REQUIREMENTS .......... 3
3.1 WINDOWS 2008 R2 SERVER ROLES .......... 3
3.2 WINDOWS 2008 R2 STIGS .......... 4
3.3 REQUIREMENTS IN ADDITION TO THE DISA STIGS .......... 4
3.4 NRC MODIFICATIONS TO STIG REQUIREMENTS .......... 5
3.4.1 Windows Server 2008 R2 Member Server and Domain Controller STIGs .......... 7
3.4.2 Windows Server 2008 R2 Domain Controller STIG .......... 17
3.4.3 Windows Server 2008 R2 Active Directory Domain STIG .......... 21
3.4.4 Windows Server 2008 R2 Active Directory Forest STIG .......... 25
4 DEFINITIONS .......... 27
5 ACRONYMS .......... 29
Computer Security Standard CSO-STD-1109
NRC Microsoft Windows Server 2008 R2 Configuration Standard
1 PURPOSE
CSO-STD-1109, Nuclear Regulatory Commission (NRC) Windows® Server® 2008 R2 Configuration Standard, provides configuration settings for NRC servers running the Microsoft (MS) Windows Server 2008 R2 operating system (referred to throughout this standard as “Windows 2008 R2 servers”).1 These settings serve to minimize the probability of NRC sensitive information compromise. This standard applies to systems used to process Sensitive Unclassified Non-Safeguards Information (SUNSI), Safeguards Information (SGI), or classified information. This configuration standard is intended to be used by system administrators and information system security officers (ISSOs) who have the required knowledge, skills, and abilities to apply configuration settings to an MS Windows server. In addition to the requirements specified in this standard, NRC servers must meet all applicable federally mandated and NRC-defined security requirements.
2 GENERAL REQUIREMENTS All NRC servers running the MS Windows Server 2008 R2 operating system that are owned, managed, and/or operated by the NRC or by other parties on behalf of the NRC must comply with this standard as a minimum set of controls. Additional controls may be required after a system risk analysis is completed.
There may be circumstances where a specific configuration requirement cannot be met. Implementations that do not meet this minimum configuration standard must go through the agency deviation request process outlined in CSO-PROS-1324, “Deviation Request Process” prior to obtaining an approval to operate and being placed into operation or into the operational environment.
Windows 2008 R2 servers must comply with the Defense Information Systems Agency (DISA) Windows Server 2008 R2 Security Technical Implementation Guide (STIG) listed as effective on the CSO Standards web page, as modified by this document. The Windows 2008 R2 STIG is comprised of four individual STIGs, listed below:
• Windows 2008 R2 Member Server STIG
• Windows 2008 R2 Domain Controller STIG
• Active Directory® Domain STIG2
• Active Directory Forest STIG
1 ® Microsoft and Windows Server are registered trademarks of Microsoft Corporation in the United States and other countries.
2 ® Active Directory is a registered trademark of Microsoft Corporation in the United States and other countries.
Not all four STIGs are required when configuring a server; each of the four STIGs above provides guidance for configuring servers for specific roles. Depending on a server’s role, one (or more) of the STIGs apply. For example, if the server’s role is that of just a member server, the server must be configured to comply with the Windows 2008 R2 Member Server STIG; the server does not need to be configured to comply with the Domain Controller or Active Directory STIGs. Table 3.2-1 in Section 3.2 of this standard lists the applicable Windows 2008 R2 STIGs for each server role.
Whenever possible, automated mechanisms must be used to implement this standard to minimize errors typical in manual configurations. This standard does not address physical security or the following areas of server configuration as they are beyond the scope of the document:
• Virtual or physical hardware configurations, including firmware, Basic Input/Output System (BIOS), and storage configuration
• Network Interface Card (NIC) configuration
• IP address and routing configuration
• Name resolution (e.g., Domain Name System (DNS) and Windows Internet Name Service (WINS)) configuration
• Page file/virtual memory configuration (This document assumes a default page file configuration on the main system drive. The required size, number, and location of system page files are not addressed in this document.)
2.1 Application Hardening
Applications in the Operating System (OS) must be hardened in accordance with the requirements stated in the applicable, effective standard listed on the CSO Standards web page. Applications must be secured using the principle of least privilege with respect to access and unneeded services. When hardening applications, the following principles apply:
• Installation paths: The default installation path for many applications is easy to determine, and often resides on the same file system as the core operating system. Use of the default path is risky, because malicious users can potentially use the path to access and compromise application files, and possibly, the entire system. To mitigate this risk, modify the installation process as follows:
– If it is possible to install an application in a different file system than the core operating system, you must do so. If the application or file system does not allow you to change the default installation path, installing the application in a different file system is not required.
– File systems that store a large volume of data or dynamic files (e.g., database files, web content, temporary files, data queues, and logs) must also be isolated from the operating system and from the relatively static components of the application itself (e.g., executables, scripts, and configuration files). If it is possible to install these file systems in a different file system than the core operating system and the relatively static components, you must do so. If the application or file system does not allow you to change the default installation path, installing the application in a different file system is not required.
• File and registry permissions: Many application installation routines leave directories or registry keys that contain sensitive data (e.g., private keys or application credentials) accessible to all users; therefore, system administrators and ISSOs must ensure that permissions for application paths and files are configured in accordance with the principle of least privilege.
• Service accounts: Many third-party applications install service components set to run as the LOCAL SYSTEM account. Configuring applications to run using service accounts other than the LOCAL SYSTEM account will help employ the principle of least privilege, and gives applications only the privileges required to perform their function. This reduces the risk of an attacker obtaining higher privileges should the application become compromised.
– If it is possible to configure the service to run under a service account other than the default service account, you must do so. You must also evaluate permissions following the principle of least privilege, and then grant only those permissions required.
– Service accounts must be managed in the same manner as any other account on the system (e.g., conduct periodic reviews of the accounts, ensuring that passwords comply with CSO password complexity requirements, etc.).
– If the service does not allow you to create and use a different service account, use of a different account is not required; however, if it is possible to grant fewer account privileges, you must do so.
2.2 Patch Application
All available patches and security updates must be applied to Windows 2008 R2 servers before the servers are placed into an NRC computing environment (e.g., development, test, production). Patches must be applied on an ongoing basis per the requirements specified in CSO-STD-0020, “Organization Defined Values for System Security Controls.” This ensures that known vulnerabilities are remediated on a regular schedule.
3 SPECIFIC REQUIREMENTS
This section provides requirements that differ from or are required in addition to those published in the four individual DISA Windows 2008 R2 STIGs listed in Table 3.2-1.
3.1 Windows 2008 R2 Server Roles
The three possible server roles are described below:
• Member Server – A member server is a computer that runs a Windows Server operating system, belongs to a domain, and is not a domain controller.
• Workgroup Server – A workgroup server is a computer that runs a Windows Server operating system, does not belong to a domain, and is not a domain controller.
• Domain Controller – A domain controller is the centerpiece of the Windows Active Directory service. It authenticates users, stores user account information, and enforces security policy for a Windows domain.
3.2 Windows 2008 R2 STIGs
NRC servers must comply with the Windows 2008 R2 STIGs that apply to the server’s role. Table 3.2-1 lists the applicable Windows 2008 R2 STIGs for each role.
Table 3.2-1: Windows 2008 R2 STIGs by Server Role
• Member Server: Windows 2008 R2 Member Server STIG
• Workgroup Server: Windows 2008 R2 Member Server STIG
• Domain Controller: Windows 2008 R2 Domain Controller STIG, Active Directory Domain STIG, and Active Directory Forest STIG
3.3 Requirements in Addition to the DISA STIGs
The following requirements regarding Active Directory domain and local account security are in addition to the required DISA STIG:
• Local administrator accounts, such as the built-in administrator account, on each Windows 2008 R2 server must be protected by implementing the following requirements:
– For Windows 2008 R2 servers in a Demilitarized Zone (DMZ), each local administrator account must be assigned a unique password. Passwords set for these local accounts must be unique for the server and unique when compared with other Windows servers. For example, if the same privileged account exists on multiple servers, the account must have a different password for each server.
– For intranet Windows 2008 R2 servers, network access to local administrator accounts is prohibited. Assign each account the “SeDenyNetworkLogonRight” (also known as “Deny access to this computer from the network”) and the “SeDenyRemoteInteractiveLogonRight” (also known as “Deny log on through Remote Desktop Services”) rights.
Note: Alternatively, it is permissible to assign unique passwords to local administrator accounts in the same manner specified for servers located in a DMZ (rather than disabling network access for the accounts).
• Service and application accounts must not be able to log on interactively, either locally or remotely. This can be configured by assigning these accounts the “SeDenyInteractiveLogonRight” (also known as “Deny log on locally”) and the “SeDenyRemoteInteractiveLogonRight” (also known as “Deny log on through Remote Desktop Services”) rights.
• All privileged Active Directory domain accounts must have the "Account is sensitive and cannot be delegated" account option set (this is an account property on the user object, not a user right) to prevent applications and network services from assuming the identity of the privileged account and initiating a new connection to another computer as that account.
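The two user-rights bullets and the delegation bullet above can be applied and verified from the command line. The following PowerShell script is an added example; it is not part of CSO-STD-1109 or of any NRC tooling. The local account names (Administrator, nrc-localadmin), the service account names (svc-backup, CORP\svc-app) and the list of privileged groups are assumptions. It uses secedit to merge the SeDeny* rights into local policy (merging rather than overwriting, so deny entries already present survive), then uses the ActiveDirectory module to find privileged accounts that lack the "cannot be delegated" option and set it.

```powershell
# Added example (not part of CSO-STD-1109 or NRC tooling): apply the Section 3.3
# logon restrictions on a Windows Server 2008 R2 intranet server, then audit
# privileged AD accounts for "Account is sensitive and cannot be delegated".
# Run in an elevated PowerShell session. Names below are assumptions.

$LocalAdminAccounts = @('Administrator', 'nrc-localadmin')   # assumption
$ServiceAccounts    = @('svc-backup', 'CORP\svc-app')         # assumption

function Get-AccountSid {
    param([Parameter(Mandatory=$true)][string]$Name)
    # secedit INF files list principals as *S-1-5-..., so entries survive renames.
    $acct = New-Object System.Security.Principal.NTAccount($Name)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Add-DenyRight {
    param(
        [Parameter(Mandatory=$true)][string]$Privilege,   # e.g. SeDenyNetworkLogonRight
        [Parameter(Mandatory=$true)][string[]]$Accounts
    )
    $inf = Join-Path $env:TEMP 'userrights.inf'
    $db  = Join-Path $env:TEMP 'userrights.sdb'
    # Export only the USER_RIGHTS area so no other local policy setting is touched.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = @(Get-Content -Path $inf)
    $sids  = @($Accounts | ForEach-Object { '*' + (Get-AccountSid -Name $_) })

    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -like "$Privilege *") { $idx = $i; break }
    }
    if ($idx -ge 0) {
        # Right already assigned to someone: merge, never replace.
        $existing = @(($lines[$idx] -split '=', 2)[1].Trim() -split ',')
        $merged   = @($existing + $sids | Where-Object { $_ } | Select-Object -Unique)
        $lines[$idx] = "$Privilege = " + ($merged -join ',')
    } else {
        # Right not assigned yet: add it directly under [Privilege Rights].
        $sect = [array]::IndexOf($lines, '[Privilege Rights]')
        if ($sect -lt 0) { throw "No [Privilege Rights] section in $inf" }
        $tail = @()
        if ($sect -lt $lines.Count - 1) { $tail = $lines[($sect + 1)..($lines.Count - 1)] }
        $lines = @($lines[0..$sect]) + @("$Privilege = " + ($sids -join ',')) + @($tail)
    }
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
}

# Intranet servers: local administrator accounts get no network or RDS logon.
Add-DenyRight -Privilege 'SeDenyNetworkLogonRight'           -Accounts $LocalAdminAccounts
Add-DenyRight -Privilege 'SeDenyRemoteInteractiveLogonRight' -Accounts $LocalAdminAccounts
# Service and application accounts: no interactive logon, local or remote.
Add-DenyRight -Privilege 'SeDenyInteractiveLogonRight'       -Accounts $ServiceAccounts
Add-DenyRight -Privilege 'SeDenyRemoteInteractiveLogonRight' -Accounts $ServiceAccounts

# Privileged AD accounts must carry "Account is sensitive and cannot be
# delegated" (userAccountControl NOT_DELEGATED). Requires the ActiveDirectory
# module (RSAT) on a domain-joined host; the group list is an assumption.
Import-Module ActiveDirectory
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$delegatable = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated }
}
foreach ($user in ($delegatable | Sort-Object -Property DistinguishedName -Unique)) {
    Write-Warning "$($user.SamAccountName) is privileged but delegatable; setting the option"
    Set-ADUser -Identity $user -AccountNotDelegated $true
}
```

Apply the Remote Desktop deny right to local administrators only after confirming that a domain administrative group can still reach the server; otherwise the step removes the only remote path to the box. On a DMZ server governed by the unique-password alternative in the first bullet, skip the two local-administrator calls. Running the script twice is safe because the INF entry is merged and duplicates are removed.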
3.4 NRC Modifications to STIG Requirements
NRC servers running the Windows Server 2008 R2 operating system must be configured to conform to DISA STIGs as modified by the settings provided in this standard. The following sections provide the configuration settings that differ from those specified in each of the DISA STIGs.
When reading supporting STIGs, substitute the NRC terms supplied in Table 3.4-1 for the equivalent terms and requirements used throughout the STIGs.
Table 3.4-1: STIG and NRC Terms and Requirements (STIG term, followed by the NRC equivalent)
• DOD (Department of Defense): NRC
• Information Assurance Manager (IAM), Information Assurance Officer (IAO), Network Security Officer (NSO), and Site Representative: ISSO
• Mission Assurance Category (MAC-1): Systems with a Federal Information Processing Standard (FIPS)-199 High Sensitivity Level
• Mission Assurance Category (MAC-2): Systems with a FIPS-199 Moderate Sensitivity Level
• Mission Assurance Category (MAC-3): Systems with a FIPS-199 Low Sensitivity Level
• NIPRNet: Unclassified Network or System
• SIPRNet: Refer to the note below regarding how the requirements associated with the term SIPRNet apply to NRC information systems.
For example, if a DISA STIG setting indicates that the title of a warning banner must be set to “DoD Warning Banner,” the NRC equivalent would be to set the title to “NRC Warning Banner.” Any guidance in this document and the supporting STIGs that references SIPRNet shall apply to NRC information systems that store or process classified information at the GENSER Secret level and below as well as SGI. If the information system stores or processes Restricted Data or information above the GENSER Secret level, then the ISSO must contact the Policy, Standards and Training (PST) Senior Information Technology Security Officer (SITSO) for direction.
CS
O S
tand
ard
CS
O-S
TD
-110
9
Pag
e 7
3.4.
1 W
ind
ow
s S
erve
r 20
08 R
2 M
emb
er S
erve
r an
d D
om
ain
Co
ntr
olle
r S
TIG
s
Tab
le 3
.4-2
bel
ow li
sts
the
requ
ired
NR
C c
onfig
urat
ion
setti
ngs
that
diff
er fr
om th
e co
mm
on s
ettin
gs s
peci
fied
in b
oth
the
MS
W
indo
ws
Ser
ver
2008
R2
Mem
ber
Ser
ver
and
Dom
ain
Con
trol
ler
ST
IGs.
Tab
le 3
.4-3
on
page
17
of th
is s
tand
ard
lists
exc
eptio
ns to
se
tting
s sp
ecifi
ed o
nly
in th
e M
S W
indo
ws
Ser
ver
2008
R2
Dom
ain
Con
trol
ler
ST
IG.
Tab
le 3
.4-2
: R
equ
irem
ents
th
at D
iffe
r fr
om
th
e W
ind
ow
s S
erve
r 20
08 R
2 M
emb
er S
erve
r an
d D
om
ain
Co
ntr
olle
r S
TIG
s
Ste
p
ST
IG ID
S
etti
ng
Nam
e D
ISA
Set
tin
g
NR
C R
equ
irem
ent
Rat
ion
ale
for
Dif
feri
ng
fro
m t
he
DIS
A S
TIG
s
1.
1.
032
Arc
hivi
ng A
udit
Logs
A
udit
logs
will
be
reta
ined
for
at le
ast 1
ye
ar.
Con
figur
e au
dit l
og
rete
ntio
n pe
r th
e re
quire
men
ts in
C
SO
-ST
D-0
020.
The
NR
C r
equi
rem
ent f
or a
udit
log
rete
ntio
n is
sp
ecifi
ed fo
r th
e A
U-1
1 co
ntro
l in
CS
O-S
TD
-00
20, “
Org
aniz
atio
n D
efin
ed V
alue
s fo
r S
yste
m S
ecur
ity C
ontr
ols.
”
2.
2.
009
Str
ong
Pas
swor
d F
ilter
ing
Inst
all p
assw
ord
com
plex
ity s
oftw
are
and
conf
igur
e it
to
enfo
rce
the
requ
ired
Dep
artm
ent o
f D
efen
se (
DO
D)
stan
dard
s of
a c
ase
sens
itive
cha
ract
er
mix
of u
pper
cas
e le
tters
, low
er c
ase
lette
rs, n
umbe
rs, a
nd
spec
ial c
hara
cter
s,
incl
udin
g at
leas
t one
of
eac
h.
Con
figur
e pa
ssw
ords
per
the
requ
irem
ents
in
CS
O-S
TD
-000
1.
The
NR
C r
equi
rem
ent f
or p
assw
ord
com
plex
ity is
spe
cifie
d in
CS
O-S
TD
-000
1,
“Str
ong
Pas
swor
d S
tand
ard.
”
3.
3.
011
Lega
l Not
ice
Dis
play
T
he r
equi
red
lega
l no
tice
will
be
conf
igur
ed to
dis
play
be
fore
con
sole
logo
n.
Con
figur
e th
e N
RC
le
gal n
otic
e to
di
spla
y be
fore
co
nsol
e lo
gon.
The
NR
C r
equi
rem
ent t
o di
spla
y th
e le
gal
notic
e is
spe
cifie
d in
CS
O-G
UID
-110
2, “
NR
C
Pas
swor
d an
d W
arni
ng B
anne
r G
uida
nce.
”
CS
O S
tand
ard
CS
O-S
TD
-110
9
Pag
e 8
Ste
p
ST
IG ID
S
etti
ng
Nam
e D
ISA
Set
tin
g
NR
C R
equ
irem
ent
Rat
ion
ale
for
Dif
feri
ng
fro
m t
he
DIS
A S
TIG
s
4.
3.
047
Sm
art C
ard
Rem
oval
Opt
ion
The
Sm
art C
ard
Rem
oval
opt
ion
will
be
con
figur
ed to
F
orce
Log
off o
r Lo
ck
Wor
ksta
tion
For
ser
vers
loca
ted
with
in a
utho
rized
da
ta c
ente
rs in
NR
C
faci
litie
s, o
r in
oth
er
auth
oriz
ed d
ata
cent
ers
with
se
para
te p
rote
cted
ar
eas
for
NR
C
asse
ts (
e.g.
, re
stric
ted
data
ce
nter
roo
ms
or
cage
s), t
he r
emov
al
optio
n do
es n
ot
need
to b
e co
nfig
ured
to fo
rce
a lo
goff
or lo
ck th
e w
orks
tatio
n.
For
all
othe
r ci
rcum
stan
ces,
the
ST
IG r
equi
rem
ent t
o co
nfig
ure
the
Sm
art
Car
d R
emov
al
optio
n to
forc
e a
logo
ff or
lock
the
wor
ksta
tion
appl
ies.
To
faci
litat
e an
adm
inis
trat
ors
abili
ty to
wor
k us
ing
the
cons
oles
of m
ultip
le s
erve
rs
sim
ulta
neou
sly
(e.g
., fo
r tr
oubl
esho
otin
g pu
rpos
es),
NR
C d
oes
not r
equi
re a
forc
ed
scre
en lo
ck o
r us
er lo
gout
upo
n re
mov
al o
f a
smar
t car
d if
the
serv
er is
loca
ted
with
in
auth
oriz
ed d
ata
cent
ers
in N
RC
faci
litie
s, o
r in
ot
her
auth
oriz
ed d
ata
cent
ers
with
sep
arat
e pr
otec
ted
area
s fo
r N
RC
ass
ets.
5.
3.
084
Win
dow
s T
ime
Ser
vice
–
Con
figur
e N
TP
C
lient
Con
figur
e tim
e se
rvic
e to
use
an
auth
oriz
ed ti
me
serv
er.
Con
figur
e th
e tim
e se
rver
per
the
requ
irem
ents
sta
ted
in C
SO
-ST
D-2
005.
The
NR
C ti
me
serv
er r
equi
rem
ents
are
sp
ecifi
ed in
CS
O-S
TD
-200
5, “
Sys
tem
M
onito
ring
Sta
ndar
d.”
CS
O S
tand
ard
CS
O-S
TD
-110
9
Pag
e 9
Ste
p
ST
IG ID
S
etti
ng
Nam
e D
ISA
Set
tin
g
NR
C R
equ
irem
ent
Rat
ion
ale
for
Dif
feri
ng
fro
m t
he
DIS
A S
TIG
s
6.
3.
092
Aud
it Lo
g W
arni
ng
Leve
l T
he s
yste
m w
ill
gene
rate
an
audi
t ev
ent w
hen
the
audi
t lo
g re
ache
s a
perc
ent f
ull t
hres
hold
.
Con
figur
e th
e A
udit
Log
War
ning
Lev
el
per
the
requ
irem
ents
st
ated
in C
SO
-ST
D-
0020
.
The
NR
C r
equi
rem
ent i
s sp
ecifi
ed fo
r th
e A
U-
5 co
ntro
l in
CS
O-S
TD
-002
0, “
Org
aniz
atio
n D
efin
ed V
alue
s fo
r S
yste
m S
ecur
ity C
ontr
ols.
”
7.
3.
122
Adm
inis
trat
or
Acc
ount
P
assw
ord
Cha
nges
Adm
inis
trat
or
pass
wor
ds w
ill b
e ch
ange
d as
req
uire
d
Con
figur
e ad
min
istr
ator
pa
ssw
ords
per
the
requ
irem
ents
sta
ted
in C
SO
-ST
D-0
001.
The
NR
C a
dmin
istr
ator
pas
swor
d re
quire
men
ts a
re s
peci
fied
in C
SO
-ST
D-0
001,
“S
tron
g P
assw
ord
Sta
ndar
d.”
8.
3.
130
UA
C –
Adm
in
Ele
vatio
n P
rom
pt
Use
r A
ccou
nt C
ontr
ol
will
at m
inim
um,
prom
pt
adm
inis
trat
ors
for
cons
ent.
Con
figur
e U
AC
to
“Pro
mpt
for
Con
sent
on
the
Sec
ure
Des
ktop
,” o
r th
e m
ore
secu
re o
ptio
n,
“Pro
mpt
for
Cre
dent
ials
on
the
Sec
ure
Des
ktop
.”
The
NR
C r
equi
rem
ent i
s co
nsis
tent
with
the
valu
e fo
r S
TIG
ID 3
.135
, whi
ch r
equi
res
that
U
AC
sw
itch
to th
e S
ecur
e D
eskt
op w
hen
prom
ptin
g fo
r el
evat
ion.
9.
3.
154
Ker
bero
s E
ncry
ptio
n T
ypes
K
erbe
ros
encr
yptio
n ty
pes
will
be
conf
igur
ed to
pre
vent
th
e us
e of
DE
S
encr
yptio
n su
ites.
Con
figur
e th
e K
erbe
ros
encr
yptio
n ty
pes
per
the
requ
irem
ents
sta
ted
in C
SO
-ST
D-2
009.
NR
C e
ncry
ptio
n re
quire
men
ts a
re s
peci
fied
in
CS
O-S
TD
-200
9, “
Cry
ptog
raph
ic C
ontr
ol
Sta
ndar
d.”
CS
O S
tand
ard
CS
O-S
TD
-110
9
Pag
e 10
Ste
p
ST
IG ID
S
etti
ng
Nam
e D
ISA
Set
tin
g
NR
C R
equ
irem
ent
Rat
ion
ale
for
Dif
feri
ng
fro
m t
he
DIS
A S
TIG
s
10.
4.
002
Bad
Log
on
Atte
mpt
s C
onfig
ure
the
syst
em
to lo
ck o
ut a
n ac
coun
t afte
r th
ree
inva
lid lo
gon
atte
mpt
s.
Con
figur
e th
e B
ad
Logo
n A
ttem
pts
setti
ng p
er th
e re
quire
men
t sta
ted
in C
SO
-ST
D-0
020.
The
NR
C r
equi
rem
ent i
s sp
ecifi
ed fo
r th
e A
C-
7 co
ntro
l in
CS
O-S
TD
-002
0, “
Org
aniz
atio
n D
efin
ed V
alue
s fo
r S
yste
m S
ecur
ity C
ontr
ols.
”
11.
4.
003
Bad
Log
on
Cou
nter
Res
et
Con
figur
e th
e sy
stem
to
hav
e th
e lo
ckou
t co
unte
r re
set i
tsel
f af
ter
a m
inim
um o
f 60
min
utes
.
Con
figur
e th
e B
ad
Logo
n C
ount
er
Res
et s
ettin
g pe
r th
e re
quire
men
t sta
ted
in C
SO
-ST
D-0
020.
The
NR
C r
equi
rem
ent i
s sp
ecifi
ed fo
r th
e A
C-
7 co
ntro
l in
CS
O-S
TD
-002
0, “
Org
aniz
atio
n D
efin
ed V
alue
s fo
r S
yste
m S
ecur
ity C
ontr
ols.
”
12.
4.
004
Lock
out D
urat
ion
The
lock
out d
urat
ion
will
mee
t min
imum
re
quire
men
ts.
Con
figur
e th
e Lo
ckou
t Dur
atio
n se
tting
per
the
requ
irem
ent s
tate
d in
CS
O-S
TD
-002
0.
The
NR
C r
equi
rem
ent i
s sp
ecifi
ed fo
r th
e A
C-
7 co
ntro
l in
CS
O-S
TD
-002
0, “
Org
aniz
atio
n D
efin
ed V
alue
s fo
r S
yste
m S
ecur
ity C
ontr
ols.
”
13.
4.
011
Max
imum
P
assw
ord
Age
60
day
s C
onfig
ure
the
max
imum
pas
swor
d ag
e pe
r th
e re
quire
men
ts s
tate
d in
CS
O-S
TD
-000
1.
The
NR
C r
equi
rem
ent f
or m
axim
um p
assw
ord
age
is s
peci
fied
in C
SO
-ST
D-0
001,
“S
tron
g P
assw
ord
Sta
ndar
d.”
14.
4.
012
Min
imum
P
assw
ord
Age
1
day
Con
figur
e th
e m
inim
um p
assw
ord
age
per
the
requ
irem
ents
sta
ted
in C
SO
-ST
D-0
001.
The
NR
C r
equi
rem
ent f
or th
e m
inim
um
pass
wor
d ag
e is
spe
cifie
d in
CS
O-S
TD
-000
1,
“Str
ong
Pas
swor
d S
tand
ard.
”
CS
O S
tand
ard
CS
O-S
TD
-110
9
Pag
e 11
Ste
p
ST
IG ID
S
etti
ng
Nam
e D
ISA
Set
tin
g
NR
C R
equ
irem
ent
Rat
ion
ale
for
Dif
feri
ng
fro
m t
he
DIS
A S
TIG
s
15.
4.
013
Min
imum
P
assw
ord
Leng
th
Pas
swor
ds m
ust b
e at
a m
inim
um 1
4 ch
arac
ters
Con
figur
e th
e m
inim
um p
assw
ord
leng
th p
er th
e re
quire
men
ts s
tate
d in
CS
O-S
TD
-000
1.
The
NR
C m
inim
um p
assw
ord
leng
th
requ
irem
ent i
s sp
ecifi
ed in
CS
O-S
TD
-000
1,
“Str
ong
Pas
swor
d S
tand
ard.
”
16.
4.
014
Pas
swor
d U
niqu
enes
s E
nfor
ce a
pas
swor
d hi
stor
y of
24
used
pa
ssw
ords
.
Con
figur
e pa
ssw
ord
uniq
uene
ss p
er th
e re
quire
men
ts s
tate
d in
CS
O-S
TD
-000
1.
The
NR
C r
equi
rem
ent f
or p
assw
ord
uniq
uene
ss is
spe
cifie
d in
CS
O-S
TD
-000
1,
“Str
ong
Pas
swor
d S
tand
ard.
”
17.
4.
018
App
licat
ion
Acc
ount
P
assw
ords
App
licat
ion
acco
unt
pass
wor
ds w
ill m
eet
DO
D r
equi
rem
ents
fo
r le
ngth
, com
plex
ity
and
chan
ges
Con
figur
e ap
plic
atio
n ac
coun
t pa
ssw
ords
per
the
requ
irem
ents
in
CS
O-S
TD
-000
1.
The
NR
C a
pplic
atio
n ac
coun
t pas
swor
d re
quire
men
ts a
re s
peci
fied
in C
SO
-ST
D-0
001,
“S
tron
g P
assw
ord
Sta
ndar
d.”
18.
5.
003
Boo
ting
into
M
ultip
le O
pera
ting
Sys
tem
s
Boo
ting
into
alte
rnat
e no
n-S
TIG
com
plai
nt
oper
atin
g sy
stem
s w
ill n
ot b
e pe
rmitt
ed.
Alte
rnat
e op
erat
ing
syst
ems
mus
t be
hard
ened
in
acco
rdan
ce w
ith
effe
ctiv
e C
SO
st
anda
rds
and
be
appr
oved
by
the
NR
C.
The
NR
C T
echn
ical
Ref
eren
ce M
odel
(T
RM
) id
entif
ies
all a
genc
y ap
prov
ed o
pera
ting
syst
ems,
and
app
rove
d op
erat
ing
syst
ems
mus
t be
hard
ened
per
effe
ctiv
e C
SO
st
anda
rds.
CS
O S
tand
ard
CS
O-S
TD
-110
9
Pag
e 12
Ste
p
ST
IG ID
S
etti
ng
Nam
e D
ISA
Set
tin
g
NR
C R
equ
irem
ent
Rat
ion
ale
for
Dif
feri
ng
fro
m t
he
DIS
A S
TIG
s
19.
5.
038
Ter
min
al S
ervi
ces/
R
emot
e D
eskt
op
Ser
vice
s (T
S/R
DS
) -
Ses
sion
Lim
it
Rem
ote
Des
ktop
S
ervi
ces
will
lim
it us
ers
to o
ne r
emot
e se
ssio
n.
Con
figur
e re
mot
e de
skto
p se
rvic
es p
er
the
requ
irem
ents
in
CS
O-S
TD
-002
0.
The
NR
C r
equi
rem
ents
for
rem
ote
desk
top
serv
ices
are
spe
cifie
d fo
r th
e A
C-1
0 co
ntro
l in
CS
O-S
TD
-002
0, “
Org
aniz
atio
n D
efin
ed
Val
ues
for
Sys
tem
Sec
urity
Con
trol
s.”
20.
5.
043
TS
/RD
S -
Set
E
ncry
ptio
n Le
vel
Rem
ote
Des
ktop
S
ervi
ces
will
be
conf
igur
ed w
ith th
e cl
ient
con
nect
ion
encr
yptio
n se
t to
the
requ
ired
leve
l.
Con
figur
e th
e cl
ient
co
nnec
tion
encr
yptio
n le
vel p
er
the
requ
irem
ents
st
ated
in C
SO
-ST
D-
2009
.
NR
C e
ncry
ptio
n re
quire
men
ts a
re s
peci
fied
in
CS
O-S
TD
-200
9, “
Cry
ptog
raph
ic C
ontr
ol
Sta
ndar
d.”
21.
5.
046
TS
/RD
S -
Tim
e Li
mit
for
Dis
conn
ecte
d S
essi
on
Rem
ote
Des
ktop
S
ervi
ces
will
be
conf
igur
ed to
set
a
time
limit
for
disc
onne
cted
se
ssio
ns.
Con
figur
e th
e tim
e lim
it to
no
mor
e th
an
the
max
imum
tim
e lim
it st
ated
for
inac
tive
sess
ions
in
in C
SO
-ST
D-0
020.
The
NR
C r
equi
rem
ent t
o di
scon
nect
inac
tive
sess
ions
afte
r a
max
imum
tim
e lim
it is
sp
ecifi
ed fo
r th
e S
C-1
0 co
ntro
l in
CS
O-S
TD
-00
20, “
Org
aniz
atio
n D
efin
ed V
alue
s fo
r S
yste
m S
ecur
ity C
ontr
ols.
”
22.
5.
073
TS
/RD
S -
C
lipbo
ard
Red
irect
ions
The
sys
tem
will
be
conf
igur
ed to
pre
vent
us
ers
from
sha
ring
clip
boar
d co
nten
t on
thei
r cl
ient
com
pute
rs
with
Rem
ote
Des
ktop
S
essi
on H
ost t
hat
they
acc
ess.
Dis
able
the
"Do
not
allo
w c
lipbo
ard
redi
rect
ion"
gro
up
polic
y se
tting
.
The
NR
C p
erm
its c
lipbo
ard
redi
rect
ion
to
faci
litat
e co
mm
on c
ut-a
nd-p
aste
ope
ratio
ns
betw
een
the
adm
inis
trat
ive
wor
ksta
tion
and
the
rem
ote
host
.
CS
O S
tand
ard
CS
O-S
TD
-110
9
Pag
e 13
Ste
p
ST
IG ID
S
etti
ng
Nam
e D
ISA
Set
tin
g
NR
C R
equ
irem
ent
Rat
ion
ale
for
Dif
feri
ng
fro
m t
he
DIS
A S
TIG
s
23.
5.
140
HB
SS
McA
fee
Age
nt
The
HB
SS
McA
fee
Age
nt w
ill b
e in
stal
led
An
NR
C-a
ppro
ved
endp
oint
pro
tect
ion
solu
tion
mus
t be
impl
emen
ted.
The
NR
C T
echn
ical
Ref
eren
ce M
odel
(T
RM
) id
entif
ies
all a
genc
y ap
prov
ed e
ndpo
int
prot
ectio
n so
lutio
ns.
NR
C e
ndpo
int p
rote
ctio
n re
quire
men
ts a
re
spec
ified
on
the
CS
O S
tand
ards
web
pag
e.
24.
W
INA
U-
0006
04
Aud
it -
File
S
yste
m -
Fai
lure
T
he s
yste
m w
ill b
e co
nfig
ured
to b
e ab
le
to a
udit
"Obj
ect
Acc
ess
-> F
ile
Sys
tem
" fa
ilure
s.
The
sys
tem
will
be
conf
igur
ed to
be
able
to a
udit
"Obj
ect
Acc
ess
-> F
ile
Sys
tem
" su
cces
ses
and
failu
res.
The
DIS
A S
TIG
onl
y re
quire
s th
at th
e sy
stem
be
con
figur
ed to
be
able
to a
udit
faile
d fil
e sy
stem
acc
ess
atte
mpt
s.
The
NR
C r
equi
res
the
syst
em b
e co
nfig
ured
to
be a
ble
to a
udit
succ
essf
ul a
ttem
pts
in
addi
tion
to fa
iled
atte
mpt
s. T
his
setti
ng d
oes
not t
urn
on th
e au
ditin
g, b
ut r
athe
r pe
rmits
tu
rnin
g on
the
audi
ting,
allo
win
g ad
min
istr
ator
s to
con
trol
aud
iting
usi
ng S
yste
m A
cces
s C
ontr
ol L
ists
(S
AC
Ls)
on in
divi
dual
file
sys
tem
ob
ject
s.
NO
TE
: S
AC
Ls m
ust b
e co
nfig
ured
on
indi
vidu
al fi
le s
yste
m o
bjec
ts fo
r au
dit l
ogs
to
reco
rd fi
le s
yste
m o
bjec
t acc
ess
for
spec
ific
obje
cts.
SA
CLs
are
set
on
file
syst
em o
bjec
ts
usin
g th
e S
ecur
ity ta
b in
that
obj
ect's
P
rope
rtie
s di
alog
box
.
CS
O S
tand
ard
CS
O-S
TD
-110
9
Pag
e 14
Ste
p
ST
IG ID
S
etti
ng
Nam
e D
ISA
Set
tin
g
NR
C R
equ
irem
ent
Rat
ion
ale
for
Dif
feri
ng
fro
m t
he
DIS
A S
TIG
s
25.
W
INA
U-
0006
10
Aud
it -
Reg
istr
y -
Fai
lure
T
he s
yste
m w
ill b
e co
nfig
ured
to b
e ab
le
to a
udit
"Obj
ect
Acc
ess
-> R
egis
try"
fa
ilure
s.
The
sys
tem
will
be
conf
igur
ed to
be
able
to a
udit
"Obj
ect
Acc
ess
-> R
egis
try"
su
cce
sses
and
fa
ilure
s.
The
DIS
A S
TIG
onl
y re
quire
s th
at th
e sy
stem
be
con
figur
ed to
be
able
to a
udit
faile
d re
gist
ry
acce
ss a
ttem
pts.
The
NR
C r
equi
res
the
syst
em b
e co
nfig
ured
to
be a
ble
to a
udit
succ
essf
ul a
ttem
pts
in
addi
tion
to fa
iled
atte
mpt
s. T
his
setti
ng d
oes
not t
urn
on th
e au
ditin
g, b
ut r
athe
r pe
rmits
tu
rnin
g on
the
audi
ting,
allo
win
g ad
min
istr
ator
s to
con
trol
aud
iting
usi
ng S
yste
m A
cces
s C
ontr
ol L
ists
(S
AC
Ls)
on in
divi
dual
reg
istr
y ob
ject
s.
NO
TE
: S
AC
Ls m
ust b
e co
nfig
ured
on
indi
vidu
al r
egis
try
obje
cts
for
audi
t log
s to
re
cord
reg
istr
y ob
ject
acc
ess
for
spec
ific
obje
cts.
SA
CLs
are
set
on
regi
stry
obj
ects
us
ing
the
Sec
urity
tab
in th
at o
bjec
t's
Pro
pert
ies
dial
og b
ox.
26.
W
INP
K-0
0000
1 W
INP
K-0
0000
1-
DO
D R
oot
Cer
tific
ate
The
DO
D R
oot
Cer
tific
ate
mus
t be
inst
alle
d.
Dig
ital c
ertif
icat
es
that
are
issu
ed a
nd
sign
ed b
y an
NR
C-
appr
oved
C
ertif
icat
ion
Aut
horit
y (C
A)
mus
t be
use
d.
The
NR
C M
anag
ed P
ublic
Key
Infr
astr
uctu
re
(PK
I) m
ust b
e us
ed.
27.
W
INP
K-0
0000
2 W
INP
K-0
0000
2 E
xter
nal
Cer
tific
ate
Aut
horit
y (C
A)
Roo
t Cer
tific
ate
The
Ext
erna
l CA
R
oot C
ertif
icat
e m
ust
be in
stal
led.
Dig
ital c
ertif
icat
es
that
are
issu
ed a
nd
sign
ed b
y an
NR
C-
appr
oved
CA
mus
t be
use
d.
The
NR
C M
anag
ed P
KI m
ust b
e us
ed.
CSO Standard CSO-STD-1109 Page 15

Columns: Step; STIG ID; Setting Name; DISA Setting; NRC Requirement; Rationale for Differing from the DISA STIGs

28. WINPK-000003, DOD Interoperability Root CA to DOD Root CA 2 cross certificate
    DISA Setting: The DOD Interoperability Root CA to DOD Root CA 2 cross certificate must be installed.
    NRC Requirement: Digital certificates that are issued and signed by an NRC-approved CA must be used.
    Rationale: The NRC Managed PKI must be used.

29. WINUR-000007, Back up files and directories
    DISA Setting: No accounts or groups other than the Administrators group will have the "Backup files and directories" user right.
    NRC Requirement: In addition to the Administrators group, accounts and groups approved by the system ISSO and documented in the System Security Plan may be granted the "Backup files and directories" user right.
    Rationale: Permitting a designated account or group for backup operations facilitates the use of a less privileged account for routine/periodic operations in accordance with the principle of least privilege.

30. WINUR-000019, Deny log on as a service
    DISA Setting: No accounts should be granted the "Deny Log on as a Service" right.
    NRC Requirement: Assign the "Deny Log on as a Service" right to the Guests group.
    Rationale: Granting the "Deny Log on as a Service" right to the Guests group account restricts the use of guest accounts. This aligns with numerous STIG settings, which also require that the Guests group be assigned rights for the purpose of restricting the use of guest accounts. Examples include WINUR-000017 (Deny Access from the Network), WINUR-000018 (Deny log on as a batch job), and WINUR-000020 (Deny log on locally).
3.4.2 Windows Server 2008 R2 Domain Controller STIG

Table 3.4-3 lists the required NRC configuration settings that differ from settings that are only specified in the Domain Controller STIG; these settings are not applicable or specified in the Member Server STIG.

Table 3.4-3: Requirements that Differ from the Windows Server 2008 R2 Domain Controller STIG

Columns: Step; STIG ID; Setting Name; DISA Setting; NRC-Specific Requirement; Rationale for Differing from the DISA STIG

1. AD.1033_2008_R2, PKI Authentication Requirement
    DISA Setting: "Smart card is required for interactive logon" must be checked for each account.
    NRC-Specific Requirement: This setting is not required. Smart cards must be used for interactive logon when technically feasible; however, enforcing the use of smart cards in all circumstances is not required due to legacy systems and applications that specifically require the use of the username and password.
    Rationale: Because of certain NRC applications, which require the use of AD usernames and passwords, this configuration setting is not required. CSO will continue to research how to make this setting mandatory.

2. DS00.1190_2008_R2, Directory Server Data File Locations
    DISA Setting: The directory server data files must be located on a different logical partition from the data files owned by users.
    NRC-Specific Requirement: Domain controllers are not permitted to have partitions with data files owned by users.
    Rationale: In accordance with the principle of least functionality, partitions on domain controllers must not contain user-owned data files. Thus, domain controllers must not have user volumes or user file shares.

3. DS00.2140_2008_R2, Directory PKI Certificate Source - Server
    DISA Setting: PKI certificates (server and clients) must be issued by the DOD PKI or an approved External CA.
    NRC-Specific Requirement: Digital certificates that are issued and signed by an NRC-approved certification authority (CA) must be used.
    Rationale: The NRC Managed PKI must be used.

4. DS00.2141_2008_R2, Directory PKI Certificate Source - Users
    DISA Setting: PKI certificates (user certificates) must be issued by the DOD PKI or an approved External CA.
    NRC-Specific Requirement: Digital certificates that are issued and signed by an NRC-approved CA must be used.
    Rationale: The NRC Managed PKI must be used.

5. DS00.3131_2008_R2, Anonymous Access to Non-Public Root DSE Data
    DISA Setting: Anonymous access to the root Directory Server Entries (DSE) of a non-public directory must be disabled.
    NRC-Specific Requirement: Not required.
    Rationale: This requirement cannot currently be met because of the method used to access the root DSE on Microsoft Windows Server Domain Controllers. Information found in the root DSE is described in the following Microsoft article: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684291(v=vs.85).aspx

6. DS00.3281_2008_R2, Replication Encryption - Classification Factor
    DISA Setting: Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
    NRC-Specific Requirement: Configure encryption per the requirements stated in CSO-STD-2009.
    Rationale: NRC encryption requirements are specified in CSO-STD-2009, "Cryptographic Control Standard."

7. DS00.3370_2008_R2, Inactive Server Connections
    DISA Setting: The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
    NRC-Specific Requirement: Configure all network connection termination (including LDAP) per the requirements stated in CSO-STD-0020.
    Rationale: The NRC requirement for network connection termination after a period of inactivity is specified for the SC-10 control in CSO-STD-0020, "Organization Defined Values for System Security Controls."

8. WINUR-000006, Allow log on through Remote Desktop Services
    DISA Setting: Unauthorized accounts will not have the "Allow log on through Remote Desktop Services" user right. If the server is providing Remote Desktop services to users, access will be managed through the Remote Desktop Users group or another restricted group and documented.
    NRC-Specific Requirement: The "Allow log on through Remote Desktop Services" user right must not be assigned to any users other than authorized Administrators for the purpose of server administration.
    Rationale: Domain controllers must not provide Remote Desktop services to users. Use of Remote Desktop services on domain controllers is only permitted for authorized Administrators performing server administration.
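The three user-rights deviations in this standard (WINUR-000007 and WINUR-000019 in Table 3.4-2, WINUR-000006 in Table 3.4-3) can be verified on a server by exporting the local security policy and comparing the holders of each right with what the standard allows. The following script is an added example, not part of CSO-STD-1109 or the DISA STIGs. It assumes an elevated prompt (secedit needs it) and a list of ISSO-approved backup accounts taken from the System Security Plan; the account name NRC\svc-backup used in the usage lines is a constructed placeholder.

```powershell
<#
Added example, not from CSO-STD-1109 or the DISA STIGs. Exports the local
security policy with secedit and checks the holders of SeBackupPrivilege
(WINUR-000007), SeDenyServiceLogonRight (WINUR-000019) and
SeRemoteInteractiveLogonRight (WINUR-000006) against the NRC requirement.
Run elevated. $ApprovedBackupAccounts stands in for the SSP-documented list.
#>

function Get-UserRightsAssignment {
    # Returns a hashtable: privilege constant -> array of account names holding it.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($raw in Get-Content -Path $inf) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $principals = foreach ($p in ($Matches[2] -split ',')) {
            $p = $p.Trim()
            if ($p -eq '') { continue }
            if ($p.StartsWith('*')) {
                # secedit writes SIDs prefixed with '*'; translate to DOMAIN\name when possible.
                try { (New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $p.Substring(1) }
            } else { $p }
        }
        $rights[$name] = @($principals)
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-NrcUserRights {
    param(
        [string[]]$ApprovedBackupAccounts = @('BUILTIN\Administrators'),
        [switch]$IsDomainController
    )
    $rights = Get-UserRightsAssignment
    $findings = @()
    function Get-Holders([string]$Right) { if ($rights.ContainsKey($Right)) { $rights[$Right] } else { @() } }

    # WINUR-000007: only Administrators plus ISSO-approved, SSP-documented accounts may hold the backup right.
    # Note that a default install also grants it to Backup Operators, which this check will flag.
    $extra = @(Get-Holders 'SeBackupPrivilege' | Where-Object { $ApprovedBackupAccounts -notcontains $_ })
    if ($extra.Count -gt 0) { $findings += "WINUR-000007: unapproved holders of 'Backup files and directories': $($extra -join ', ')" }

    # WINUR-000019: NRC requires 'Deny log on as a service' to be assigned to Guests.
    if (@(Get-Holders 'SeDenyServiceLogonRight') -notcontains 'BUILTIN\Guests') {
        $findings += "WINUR-000019: BUILTIN\Guests is not assigned 'Deny log on as a service'"
    }

    # WINUR-000006: on a domain controller, only Administrators may log on through Remote Desktop Services.
    if ($IsDomainController) {
        $rdp = @(Get-Holders 'SeRemoteInteractiveLogonRight' | Where-Object { $_ -ne 'BUILTIN\Administrators' })
        if ($rdp.Count -gt 0) { $findings += "WINUR-000006: non-Administrator RDS logon holders on a DC: $($rdp -join ', ')" }
    }
    return $findings
}

# Usage (NRC\svc-backup is a placeholder for an SSP-documented backup account):
$findings = Test-NrcUserRights -ApprovedBackupAccounts @('BUILTIN\Administrators', 'NRC\svc-backup') -IsDomainController
if ($findings.Count -eq 0) { 'No user-rights deviations found.' } else { $findings }
```

The check reads the effective local policy, so on a domain-joined server it reflects whatever Group Policy has applied; run it after a gpupdate when validating a GPO change rather than reading the GPO itself.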
3.4.3 Windows Server 2008 R2 Active Directory Domain STIG

The Active Directory Domain STIG and Active Directory Forest STIG provide security requirements for Active Directory (AD) on Domain Controllers for Windows Servers. Table 3.4-4 lists the required NRC configuration settings that differ from settings that are specified in the Active Directory Domain STIG.

Table 3.4-4: Requirements that Differ from the Windows Server 2008 R2 Active Directory Domain STIG

Columns: Step; STIG ID; Setting Name; DISA Setting; NRC-Specific Requirement; Rationale for Differing from the DISA STIG

1. AD.0151, The Directory Service Restore Mode (DSRM) password must be changed at least annually.
    DISA Setting: Create or implement a local site policy to change the DSRM password at least yearly.
    NRC-Specific Requirement: This DISA requirement takes precedence over the administrator account maximum password age requirement specified in CSO-STD-0001, "Strong Password Standard." The NRC requirement does not differ from the DISA STIG requirement.
    Rationale: Due to the operational impact associated with changing the DSRM password, the maximum password age for the DSRM password is one year rather than the age specified in CSO-STD-0001, and DSRM passwords must be changed at least yearly.

2. AD.0180, Interconnections between DOD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
    DISA Setting: Delete the trust relationship that is defined between entities with resources at different DOD classification levels.
    NRC-Specific Requirement: The NRC does not authorize any cross-domain solutions.
    Rationale: The NRC does not authorize any cross-domain solutions.

3. AD.0240, The number of member accounts in privileged groups must not be excessive.
    DISA Setting: The number of Domain Admins should be between one (1) and ten (10).
    NRC-Specific Requirement: The number of members in the Domain Admins group must not exceed fifteen (15).
    Rationale: The DISA requirement to have a total number of Domain Admins between one (1) and ten (10) is too restrictive for NRC. Although the NRC requirement permits up to fifteen (15) Domain Admins, membership in the Domain Admins group must be granted according to the principle of least privilege.

4. AD.0270, Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
    DISA Setting: Ensure compliance with VPN and IPSec requirements in the Network Infrastructure STIG.
    NRC-Specific Requirement: Encapsulate traffic between the Domain Controller and the RODC.
    Rationale: NRC requirements for traffic encapsulation are stated (either implicitly or explicitly) on the CSO Standards web page. For example, if a VPN tunnel is used, then the CSO standard requirements for VPNs (as stated on the standards web page) will apply.

5. AD.9100, Review of Hosting Domain and Forest
    DISA Setting: Security assessments of the domain and/or forest in which the domain controller resides must be conducted at least annually.
    NRC-Specific Requirement: The frequency and timing of Active Directory domain and/or forest security assessments must align with and coincide with the configuration (hardening) checks of the resident domain controller.
    Rationale: Active Directory domains and forests will be assessed in accordance with NRC assessment requirements.

6. DS00.0160_AD, Directory Data Backup
    DISA Setting: Directory data must be backed up at least daily for MAC I or II systems and at least weekly for MAC III systems.
    NRC-Specific Requirement: Perform backups of directory data in accordance with the requirements stated in CSO-STD-2002.
    Rationale: NRC system back-up requirements are specified in CSO-STD-2002, "System Back-up Standard."

7. DS00.1120_AD, Cross-Directory Authentication Documentation
    DISA Setting: Each cross-directory authentication configuration must be documented.
    NRC-Specific Requirement: Each cross-directory authentication configuration must be documented. Trust relationships must be documented and reviewed semi-annually to ensure that they are still required for the system to function.
    Rationale: DISA considers this a CAT III requirement; NRC has increased the severity of this requirement to CAT II. NOTE: The only change to this requirement is the NRC severity level.

8. DS00.1140_AD, Directory Service Inter-Enclave VPN Usage
    DISA Setting: A VPN must be used to protect directory network traffic for directory service implementations spanning enclave boundaries.
    NRC-Specific Requirement: Protect directory services communication over external, non-NRC networks using a VPN.
    Rationale: The NRC equivalent to directory service communication occurring across DoD enclave boundaries is directory service communication occurring over external, non-NRC networks. NRC VPN security requirements are specified on the CSO Standards web page.

9. DS00.6120_AD, Directory Service Architecture DR Documentation
    DISA Setting: AD implementation information must be added to the site's disaster recovery plans, including AD forest, tree, and domain structure.
    NRC-Specific Requirement: NRC requires this information to be added to disaster recovery plans for all systems categorized with Low, Moderate, or High AD domains.
    Rationale: NRC requires AD implementation information to be included in the Disaster Recovery (DR) plan to ensure a successful and timely recovery irrespective of the impact level of the AD domain.

10. DS00.7100_AD, Cross-Directory Authentication INFOCON Procedures
    DISA Setting: Evaluate cross-directory configurations (such as trusts and pass-through authentication) and provide documentation that indicates: 1. That an evaluation was performed. 2. The specific AD trust configurations, if any, that should be disabled during changes in INFOCON status because they could represent increased risk.
    NRC-Specific Requirement: Document and maintain a list of manual AD trusts (cross-directory configurations) within the System Security Plan. If a validated security incident occurs, the ISSO must ensure that the following two steps are completed: 1. The ISSO, or designee, shall review the list of manual AD trusts and determine whether it is necessary to disable manual AD trusts. 2. Disable manual AD trusts if deemed necessary in step one.
    Rationale: The INFOCON levels referenced in the DISA STIG are written for DoD and are not applicable to NRC information systems. NOTE: This requirement only applies to information systems with manual AD trusts (cross-directory configurations). This includes external, forest, or realm trust relationship types.
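Several of the rows above are posture checks rather than registry or policy settings: the Domain Admins ceiling (AD.0240), the per-account smart card flag that Table 3.4-3 leaves optional for legacy applications (AD.1033_2008_R2), and the manual-trust inventory the ISSO must keep in the System Security Plan and review after an incident (DS00.1120_AD and DS00.7100_AD). The script below is an added example, not part of CSO-STD-1109 or the DISA STIGs, showing how to pull each of those facts from the domain in read-only fashion. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain account with read access; the documented-exception account name svc-legacyapp is a constructed placeholder for what the SSP would record.

```powershell
<#
Added example, not from CSO-STD-1109 or the DISA STIGs. Read-only checks for
AD.0240 (at most 15 Domain Admins), AD.1033_2008_R2 (accounts without
"Smart card is required for interactive logon" must be documented exceptions)
and DS00.1120_AD / DS00.7100_AD (inventory of manual trusts for the SSP).
Needs the ActiveDirectory module and domain read access. 'svc-legacyapp' is a
placeholder for an SSP-documented exception.
#>
Import-Module ActiveDirectory

function Test-DomainAdminsCount {
    # AD.0240: NRC permits up to 15 Domain Admins (DISA's own ceiling is 10).
    # Nested groups are expanded so indirect members are counted as well.
    param([int]$Maximum = 15)
    $members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Sort-Object -Property distinguishedName -Unique)
    [pscustomobject]@{
        Count     = $members.Count
        Limit     = $Maximum
        Compliant = ($members.Count -le $Maximum)
        Members   = @($members | ForEach-Object { $_.SamAccountName })
    }
}

function Get-SmartcardExceptions {
    # AD.1033: enabled accounts that can still log on interactively with a
    # password. Anything not in $Documented needs either the flag set or an
    # entry in the SSP as a legacy-application exception.
    param([string[]]$Documented = @())
    Get-ADUser -Filter 'Enabled -eq $true' -Properties SmartcardLogonRequired, PasswordLastSet |
        Where-Object { (-not $_.SmartcardLogonRequired) -and ($Documented -notcontains $_.SamAccountName) } |
        Select-Object SamAccountName, DistinguishedName, PasswordLastSet
}

function Get-ManualTrustInventory {
    # DS00.7100_AD scopes "manual AD trusts" to external, forest and realm
    # trusts. Parent/child and tree-root trusts inside the forest are created
    # automatically, so they are excluded. This is the list the ISSO reviews.
    Get-ADTrust -Filter * |
        Where-Object { -not $_.IntraForest } |
        Select-Object Name, Direction, TrustType, ForestTransitive,
                      SelectiveAuthentication, SIDFilteringQuarantined
}

# Usage:
$da = Test-DomainAdminsCount
"Domain Admins: $($da.Count) of $($da.Limit) permitted; compliant: $($da.Compliant)"
Get-SmartcardExceptions -Documented @('svc-legacyapp') | Format-Table -AutoSize
Get-ManualTrustInventory | Format-Table -AutoSize
```

The trust inventory also surfaces SelectiveAuthentication and SIDFilteringQuarantined, which are worth recording in the SSP alongside each trust: a trust without SID filtering or selective authentication is the kind the ISSO would most likely want to disable first under step 1 of DS00.7100_AD.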
3.4.4 Windows Server 2008 R2 Active Directory Forest STIG

Table 3.4-5 lists the required NRC configuration settings that differ from settings that are specified in the Active Directory Forest STIG.

Table 3.4-5: Requirements that Differ from the Windows Server 2008 R2 Active Directory Forest STIG

Columns: Step; STIG ID; Setting Name; DISA Setting; NRC-Specific Requirement; Rationale for Differing from the DISA STIG

1. AD.0295, Time Synchronization - Forest Authoritative Source
    DISA Setting: The Windows Time Service on the forest root Primary Domain Controller (PDC) Emulator must be configured to acquire its time from an external time source.
    NRC-Specific Requirement: Configure Windows Time Service per the requirements in CSO-STD-2005.
    Rationale: NRC time synchronization requirements are specified in CSO-STD-2005, "System Monitoring Standard."
4 DEFINITIONS

Active Directory Microsoft's directory service that comes with Windows servers and is used for managing permissions and user access to network resources.
BIOS A set of computer instructions in firmware that control input and output operations.
Cleartext Data that is transmitted or stored unencrypted.
Critical Updates This includes fixes for security defects in operating systems and applications as well as current anti-virus definitions and other intrusion detection and prevention information.
Domain Controller
A domain controller is the centerpiece of the Windows Active Directory service. It authenticates users, stores user account information, and enforces security policy for a Windows domain.
Firmware Computer programming instructions that are stored in a read-only memory unit rather than being implemented through software.
Member Server A computer that runs a Windows Server operating system, belongs to a domain, and is not a domain controller.
Pagefile A reserved portion of a hard disk that is used as an extension of random access memory (RAM) for data in RAM that has not been used recently.
Registry The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems.
Remote Desktop Services
In Windows Server 2008 R2, Terminal Services was renamed Remote Desktop Services.
Root Certificate Either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority.
Root DSE The root of the directory data tree on a directory server. The root DSE provides data about the server, such as its capabilities, the LDAP version it supports, and the naming contexts it uses.
Terminal Services
Microsoft's implementation of thin-client terminal server computing, where Windows applications, or even the entire desktop of the computer running Terminal Services, are made accessible to a remote client machine.
Type 1 Cryptography
A device or system certified by the National Security Agency (NSA) for use in cryptographically securing classified U.S. Government information.
Virtual Memory Storage space on your computer’s hard disk that Windows uses in conjunction with random access memory (RAM).
Work Group Server A computer that runs a Windows Server operating system, does not belong to a domain, and is not a domain controller.
5 ACRONYMS

AD Active Directory
BIOS Basic Input/Output System
CA Certificate Authority
CSO Computer Security Office
DC Domain Controller
DCE Distributed Computing Environment
DISA Defense Information Systems Agency
DMZ Demilitarized Zone
DNS Domain Name System
DOD Department of Defense
DR Disaster Recovery
DSE Directory Server Entries
FIPS Federal Information Processing Standard
HBSS Host-Based System Security
HTTP Hypertext Transfer Protocol
IAM Information Assurance Manager
IAO Information Assurance Officer
IP Internet Protocol
ISSO Information System Security Officer
MS Microsoft, Member Server
NIC Network interface Card
NIPRNet Non-classified IP Router Network
NIST National Institute of Standards and Technology
NRC Nuclear Regulatory Commission
NSA National Security Agency
NSO Network Security Officer
OIS Office of Information Services
OS Operating System
PDC Primary Domain Controller
PIV Personal Identity Verification
PKI Public Key Infrastructure
PST Policy, Standards and Training
RDS Remote Desktop Services
RPC Remote Procedure Call
SACL System Access Control List
SGI Safeguards Information
SIPRNet Secret Internet Protocol Router Network
SITSO Senior Information Technology Security Officer
SSL Secure Socket Layer
STIG Security Technical implementation Guide
SUNSI Sensitive Unclassified Non-Safeguards Information
TLS Transport Layer Security
TRM Technical Reference Model
TS Terminal Services
WINS Windows Internet Name Service
CSO-STD-1109 Change History

Date: 15-May-13
Version: 1.0
Description of Changes: Initial Release
Method Used to Announce & Distribute: CSO web page and notification of ISSO forum
Training: Upon request