
Nuclear Regulatory Commission Computer Security Office

Computer Security Standard

Office Instruction: CSO-STD-1109

Office Instruction Title: Microsoft Windows Server 2008 R2 Configuration Standard

Revision Number: 1.0

Effective Date: December 1, 2013

Primary Contacts: Kathy Lyons-Burke, SITSO

Responsible Organization: CSO/PST

Summary of Changes: CSO-STD-1109, “Microsoft Windows Server 2008 R2 Configuration Standard,” provides the minimum requirements that must be applied to NRC servers running the Microsoft Windows Server® 2008 R2 operating system.

Training: As requested

ADAMS Accession No.: ML12340A419

Approvals

Primary Office Owner: Policies, Standards, and Training

Role | Name | Signature | Date
Standards Working Group Chair | Bill Dabbs | /RA/ | 5/15/2013
Responsible SITSO | Kathy Lyons-Burke | /RA/ | 5/15/2013
DAA for Non-major IT Investments, CSO | Tom Rich | /RA/ | 5/16/2013
Director, OIS | Jim Flanagan | /RA/ | 5/21/2013


CSO Standard CSO-STD-1109 Page i

TABLE OF CONTENTS

1 PURPOSE ........ 1

2 GENERAL REQUIREMENTS ........ 1

2.1 APPLICATION HARDENING ........ 2

2.2 PATCH APPLICATION ........ 3

3 SPECIFIC REQUIREMENTS ........ 3

3.1 WINDOWS 2008 R2 SERVER ROLES ........ 3

3.2 WINDOWS 2008 R2 STIGS ........ 4

3.3 REQUIREMENTS IN ADDITION TO THE DISA STIGS ........ 4

3.4 NRC MODIFICATIONS TO STIG REQUIREMENTS ........ 5

3.4.1 Windows Server 2008 R2 Member Server and Domain Controller STIGs ........ 7

3.4.2 Windows Server 2008 R2 Domain Controller STIG ........ 17

3.4.3 Windows Server 2008 R2 Active Directory Domain STIG ........ 21

3.4.4 Windows Server 2008 R2 Active Directory Forest STIG ........ 25

4 DEFINITIONS ........ 27

5 ACRONYMS ........ 29


Computer Security Standard CSO-STD-1109

NRC Microsoft Windows Server 2008 R2 Configuration Standard

1 PURPOSE

CSO-STD-1109, Nuclear Regulatory Commission (NRC) Windows® Server® 2008 R2 Configuration Standard, provides configuration settings for NRC servers running the Microsoft (MS) Windows Server 2008 R2 operating system (referred to throughout this standard as “Windows 2008 R2 servers”).1 These settings serve to minimize the probability of NRC sensitive information compromise. This standard applies to systems used to process Sensitive Unclassified Non-Safeguards Information (SUNSI), Safeguards Information (SGI), or classified information. This configuration standard is intended to be used by system administrators and information system security officers (ISSOs) who have the required knowledge, skills, and abilities to apply configuration settings to an MS Windows server. In addition to the requirements specified in this standard, NRC servers must meet all applicable federally mandated and NRC-defined security requirements.

2 GENERAL REQUIREMENTS

All NRC servers running the MS Windows Server 2008 R2 operating system that are owned, managed, and/or operated by the NRC or by other parties on behalf of the NRC must comply with this standard as a minimum set of controls. Additional controls may be required after a system risk analysis is completed.

There may be circumstances where a specific configuration requirement cannot be met. Implementations that do not meet this minimum configuration standard must go through the agency deviation request process outlined in CSO-PROS-1324, “Deviation Request Process” prior to obtaining an approval to operate and being placed into operation or into the operational environment.

Windows 2008 R2 servers must comply with the Defense Information Systems Agency (DISA) Windows Server 2008 R2 Security Technical Implementation Guide (STIG) listed as effective on the CSO Standards web page, as modified by this document. The Windows 2008 R2 STIG is comprised of four individual STIGs, listed below:

• Windows 2008 R2 Member Server STIG

• Windows 2008 R2 Domain Controller STIG

• Active Directory® Domain STIG2

• Active Directory Forest STIG

1 ® Microsoft and Windows Server are registered trademarks of Microsoft Corporation in the United States and other countries.

2 ® Active Directory is a registered trademark of Microsoft Corporation in the United States and other countries.


Not all four STIGs are required when configuring a server; each of the four STIGs above provides guidance for configuring servers for specific roles. Depending on a server’s role, one or more of the STIGs apply. For example, if the server’s role is only that of a member server, the server must be configured to comply with the Windows 2008 R2 Member Server STIG; it does not need to be configured to comply with the Domain Controller or Active Directory STIGs. Table 3.2-1 in Section 3.2 of this standard lists the applicable Windows 2008 R2 STIGs for each server role.

Whenever possible, automated mechanisms must be used to implement this standard to minimize errors typical in manual configurations. This standard does not address physical security or the following areas of server configuration as they are beyond the scope of the document:

• Virtual or physical hardware configurations, including firmware, Basic Input/Output System (BIOS), and storage configuration

• Network Interface Card (NIC) configuration

• IP address and routing configuration

• Name resolution (e.g., Domain Name System (DNS) and Windows Internet Name Service (WINS)) configuration

• Page file/virtual memory configuration (This document assumes a default page file configuration on the main system drive. The required size, number, and location of system page files are not addressed in this document.)

2.1 Application Hardening

Applications in the Operating System (OS) must be hardened in accordance with the requirements stated in the applicable, effective standard listed on the CSO Standards web page. Applications must be secured using the principle of least privilege with respect to access and unneeded services. When hardening applications, the following principles apply:

• Installation paths: The default installation path for many applications is easy to determine, and often resides on the same file system as the core operating system. Use of the default path is risky, because malicious users can potentially use the path to access and compromise application files, and possibly, the entire system. To mitigate this risk, modify the installation process as follows:

– If it is possible to install an application in a different file system than the core operating system, you must do so. If the application or file system does not allow you to change the default installation path, installing the application in a different file system is not required.

– File systems that store a large volume of data or dynamic files (e.g., database files, web content, temporary files, data queues, and logs) must also be isolated from the operating system and from the relatively static components of the application itself (e.g., executables, scripts, and configuration files). If it is possible to install these file systems in a different file system than the core operating system and the relatively static components, you must do so. If the application or file system does not allow you to change the default installation path, installing the application in a different file system is not required.


• File and registry permissions: Many application installation routines leave directories or registry keys that contain sensitive data accessible to all users (e.g., private keys or application credentials); therefore, system administrators and ISSOs must ensure that permissions for application paths and files are configured in accordance with the principles of least privilege.

• Service accounts: Many third-party applications install service components set to run as the LOCAL SYSTEM account. Configuring applications to run using service accounts other than the LOCAL SYSTEM account will help employ the principle of least privilege, and gives applications only the privileges required to perform their function. This reduces the risk of an attacker obtaining higher privileges should the application become compromised.

– If it is possible to configure the service to run under a service account other than the default service account, you must do so. You must also evaluate permissions following the principle of least privilege, and then grant only those permissions required.

– Service accounts must be managed in the same manner as any other account on the system (e.g., conduct periodic reviews of the accounts, ensuring that passwords comply with CSO password complexity requirements, etc.).

– If the service does not allow you to create and use a different service account, use of a different account is not required; however, if it is possible to grant fewer account privileges, you must do so.
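The installation-path and service-account principles above can be inventoried on a server before hardening. The following PowerShell script is an added review aid, not part of CSO-STD-1109; it lists non-OS services whose executable sits on the system drive or which run as LOCAL SYSTEM, treating each hit as a review candidate rather than a violation, since some products cannot be relocated or re-homed.

```powershell
# Added review script for the Section 2.1 installation-path and service-account
# principles (not part of CSO-STD-1109). Each reported service is a candidate for
# review: some products cannot be installed elsewhere or run as a different account.

$systemRoot  = $env:SystemRoot    # e.g. C:\Windows
$systemDrive = $env:SystemDrive   # e.g. C:

function Get-ServiceBinaryPath([string]$PathName) {
    # Win32_Service.PathName may be quoted or unquoted and may carry arguments.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }   # unquoted, possibly with spaces
    return ($PathName -split '\s+')[0]
}

function Get-ServiceHardeningReview {
    # Get-WmiObject is used because it is available on Windows Server 2008 R2.
    foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        # Binaries under %SystemRoot% are the operating system itself and are out of scope.
        if ($exe -like "$systemRoot\*") { continue }
        $onSystemDrive = ($exe -like "$systemDrive\*")
        $asLocalSystem = ($svc.StartName -eq 'LocalSystem')
        if ($onSystemDrive -or $asLocalSystem) {
            New-Object PSObject -Property @{
                Name          = $svc.Name
                RunsAs        = $svc.StartName
                Path          = $exe
                OnSystemDrive = $onSystemDrive   # Section 2.1: install off the OS file system where possible
                AsLocalSystem = $asLocalSystem   # Section 2.1: prefer a least-privilege service account
            }
        }
    }
}

Get-ServiceHardeningReview |
    Sort-Object AsLocalSystem, OnSystemDrive -Descending |
    Format-Table Name, RunsAs, Path, OnSystemDrive, AsLocalSystem -AutoSize
```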

2.2 Patch Application

All available patches and security updates must be applied to Windows 2008 R2 servers before the servers are placed into an NRC computing environment (e.g., development, test, production). Patches must be applied on an ongoing basis per the requirements specified in CSO-STD-0020, “Organization Defined Values for System Security Controls.” This ensures that known vulnerabilities are remediated on a regular schedule.

3 SPECIFIC REQUIREMENTS

This section provides requirements that differ from or are required in addition to those published in the four individual DISA Windows 2008 R2 STIGs listed in Table 3.2-1.

3.1 Windows 2008 R2 Server Roles

The three possible server roles are described below:

• Member Server – A member server is a computer that runs a Windows Server operating system, belongs to a domain, and is not a domain controller.

• Workgroup Server – A workgroup server is a computer that runs a Windows Server operating system, does not belong to a domain, and is not a domain controller.

• Domain Controller – A domain controller is the centerpiece of the Windows Active Directory service. It authenticates users, stores user account information, and enforces security policy for a Windows domain.


3.2 Windows 2008 R2 STIGs

NRC servers must comply with the Windows 2008 R2 STIGs that apply to the server’s role. Table 3.2-1 lists the applicable Windows 2008 R2 STIGs for each role.

Table 3.2-1: Windows 2008 R2 STIGs by Server Role

Role | Windows 2008 R2 STIG
Member Server | Windows 2008 R2 Member Server STIG
Workgroup Server | Windows 2008 R2 Member Server STIG
Domain Controller | Windows 2008 R2 Domain Controller STIG; Active Directory Domain STIG; Active Directory Forest STIG

3.3 Requirements in Addition to the DISA STIGs

The following requirements regarding Active Directory domain and local account security are in addition to the required DISA STIG:

• Local administrator accounts, such as the built-in administrator account, on each Windows 2008 R2 server must be protected by implementing the following requirements:

– For Windows 2008 R2 servers in a Demilitarized Zone (DMZ), each local administrator account must be assigned a unique password. Passwords set for these local accounts must be unique for the server and unique when compared with other Windows servers. For example, if the same privileged account exists on multiple servers, the account must have a different password for each server.

– For intranet Windows 2008 R2 servers, network access to local administrator accounts is prohibited. Assign each account the “SeDenyNetworkLogonRight” (also known as “Deny access to this computer from the network”) and the “SeDenyRemoteInteractiveLogonRight” (also known as “Deny log on through Remote Desktop Services”) rights.

Note: Alternatively, it is permissible to assign unique passwords to local administrator accounts in the same manner specified for servers located in a DMZ (rather than disabling network access for the accounts).

• Service and application accounts must not have the ability to log on interactively, either locally or remotely. This can be configured by assigning these accounts the “SeDenyInteractiveLogonRight” (also known as “Deny logon locally”) and the “SeDenyRemoteInteractiveLogonRight” (also known as “Deny logon through Remote Desktop Services”) rights.

• All privileged Active Directory domain accounts must have the "Account is sensitive and cannot be delegated" user right to prevent applications and network services from assuming the identity of the privileged account and initiating a new connection to another computer as that account.
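The three account requirements above can be verified on a server with the following PowerShell script. It is an added compliance check, not part of CSO-STD-1109: it exports the local security policy with secedit, confirms the deny-logon rights for the listed local administrator and service accounts, and, on a domain member with the ActiveDirectory module, confirms that Domain Admins members carry the “Account is sensitive and cannot be delegated” flag (AccountNotDelegated). The account names and the choice of Domain Admins as the privileged group are assumptions.

```powershell
# Added compliance check for Section 3.3 (not part of CSO-STD-1109). Run in an
# elevated PowerShell session on the server. The account names below are
# constructed placeholders; replace them with the server's real accounts.

$LocalAdminAccounts = @('Administrator')    # assumed: local administrator accounts on an intranet server
$ServiceAccounts    = @('svc_example')      # assumed: service/application accounts present on this server

# Export the effective local security policy; user-rights assignments live in [Privilege Rights].
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /quiet | Out-Null

# Parse "[Privilege Rights]" into right-name -> list of principals. secedit writes
# resolvable principals as *SID and the rest as plain names, so keep both forms.
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Resolve-Sid([string]$Account) {
    # Compare by SID where possible; fall back to the name if it cannot be resolved.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Account }
}

function Test-DenyRight([string]$Account, [string]$Right) {
    # True when the account (by SID or by name) is listed under the given deny right.
    if (-not $rights.ContainsKey($Right)) { return $false }
    $sid = Resolve-Sid $Account
    return ($rights[$Right] -contains $sid) -or ($rights[$Right] -contains $Account)
}

$findings = @()
# Intranet servers: local administrator accounts must be denied network and Remote Desktop logon.
foreach ($a in $LocalAdminAccounts) {
    foreach ($r in @('SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight')) {
        if (-not (Test-DenyRight $a $r)) { $findings += "Local administrator '$a' is not assigned $r" }
    }
}
# Service and application accounts must be denied interactive and Remote Desktop logon.
foreach ($a in $ServiceAccounts) {
    foreach ($r in @('SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight')) {
        if (-not (Test-DenyRight $a $r)) { $findings += "Service account '$a' is not assigned $r" }
    }
}

# Domain members only: privileged AD accounts must be marked "Account is sensitive and
# cannot be delegated". Assumes the ActiveDirectory module; Domain Admins stands in for
# the privileged accounts, so extend the group list to match the domain's privileged roles.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $delegatable = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated }
    foreach ($u in $delegatable) { $findings += "Privileged account '$($u.SamAccountName)' can be delegated" }
}

if ($findings.Count -eq 0) { Write-Output 'Section 3.3 account checks passed.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

For DMZ servers, where the unique-password rule applies instead of the deny rights, the deny-right loop for local administrators does not apply and should be skipped.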


3.4 NRC Modifications to STIG Requirements

NRC servers running the Windows Server 2008 R2 operating system must be configured to conform to DISA STIGs as modified by the settings provided in this standard. The following sections provide the configuration settings that differ from those specified in each of the DISA STIGs.

When reading supporting STIGs, substitute the NRC terms supplied in Table 3.4-1 for the equivalent terms and requirements used throughout the STIGs.

Table 3.4-1: STIG and NRC Terms and Requirements

STIG | NRC
DOD (Department Of Defense) | NRC
Information Assurance Manager (IAM), Information Assurance Officer (IAO), Network Security Officer (NSO), and Site Representative | ISSO
Mission Assurance Category (MAC-1) | Systems with a Federal Information Processing Standard (FIPS)-199 High Sensitivity Level
Mission Assurance Category (MAC-2) | Systems with a FIPS-199 Moderate Sensitivity Level
Mission Assurance Category (MAC-3) | Systems with a FIPS-199 Low Sensitivity Level
NIPRNet | Unclassified Network or System
SIPRNet | Refer to the note below regarding how the requirements associated with the term SIPRNet apply to NRC information systems.

For example, if a DISA STIG setting indicates that the title of a warning banner must be set to “DoD Warning Banner,” the NRC equivalent would be to set the title to “NRC Warning Banner.” Any guidance in this document and the supporting STIGs that references SIPRNet shall apply to NRC information systems that store or process classified information at the GENSER Secret level and below as well as SGI. If the information system stores or processes Restricted Data or information above the GENSER Secret level, then the ISSO must contact the Policy, Standards and Training (PST) Senior Information Technology Security Officer (SITSO) for direction.


CS

O S

tand

ard

CS

O-S

TD

-110

9

Pag

e 7

3.4.

1 W

ind

ow

s S

erve

r 20

08 R

2 M

emb

er S

erve

r an

d D

om

ain

Co

ntr

olle

r S

TIG

s

Tab

le 3

.4-2

bel

ow li

sts

the

requ

ired

NR

C c

onfig

urat

ion

setti

ngs

that

diff

er fr

om th

e co

mm

on s

ettin

gs s

peci

fied

in b

oth

the

MS

W

indo

ws

Ser

ver

2008

R2

Mem

ber

Ser

ver

and

Dom

ain

Con

trol

ler

ST

IGs.

Tab

le 3

.4-3

on

page

17

of th

is s

tand

ard

lists

exc

eptio

ns to

se

tting

s sp

ecifi

ed o

nly

in th

e M

S W

indo

ws

Ser

ver

2008

R2

Dom

ain

Con

trol

ler

ST

IG.

Tab

le 3

.4-2

: R

equ

irem

ents

th

at D

iffe

r fr

om

th

e W

ind

ow

s S

erve

r 20

08 R

2 M

emb

er S

erve

r an

d D

om

ain

Co

ntr

olle

r S

TIG

s

Ste

p

ST

IG ID

S

etti

ng

Nam

e D

ISA

Set

tin

g

NR

C R

equ

irem

ent

Rat

ion

ale

for

Dif

feri

ng

fro

m t

he

DIS

A S

TIG

s

1.

1.

032

Arc

hivi

ng A

udit

Logs

A

udit

logs

will

be

reta

ined

for

at le

ast 1

ye

ar.

Con

figur

e au

dit l

og

rete

ntio

n pe

r th

e re

quire

men

ts in

C

SO

-ST

D-0

020.

The

NR

C r

equi

rem

ent f

or a

udit

log

rete

ntio

n is

sp

ecifi

ed fo

r th

e A

U-1

1 co

ntro

l in

CS

O-S

TD

-00

20, “

Org

aniz

atio

n D

efin

ed V

alue

s fo

r S

yste

m S

ecur

ity C

ontr

ols.

2.

2.

009

Str

ong

Pas

swor

d F

ilter

ing

Inst

all p

assw

ord

com

plex

ity s

oftw

are

and

conf

igur

e it

to

enfo

rce

the

requ

ired

Dep

artm

ent o

f D

efen

se (

DO

D)

stan

dard

s of

a c

ase

sens

itive

cha

ract

er

mix

of u

pper

cas

e le

tters

, low

er c

ase

lette

rs, n

umbe

rs, a

nd

spec

ial c

hara

cter

s,

incl

udin

g at

leas

t one

of

eac

h.

Con

figur

e pa

ssw

ords

per

the

requ

irem

ents

in

CS

O-S

TD

-000

1.

The

NR

C r

equi

rem

ent f

or p

assw

ord

com

plex

ity is

spe

cifie

d in

CS

O-S

TD

-000

1,

“Str

ong

Pas

swor

d S

tand

ard.

3.

3.

011

Lega

l Not

ice

Dis

play

T

he r

equi

red

lega

l no

tice

will

be

conf

igur

ed to

dis

play

be

fore

con

sole

logo

n.

Con

figur

e th

e N

RC

le

gal n

otic

e to

di

spla

y be

fore

co

nsol

e lo

gon.

The

NR

C r

equi

rem

ent t

o di

spla

y th

e le

gal

notic

e is

spe

cifie

d in

CS

O-G

UID

-110

2, “

NR

C

Pas

swor

d an

d W

arni

ng B

anne

r G

uida

nce.

Page 10: Nuclear Regulatory Commission Computer Security Office ...Director, OIS Jim Flanagan /RA/ 5/21/2013 . CSO Standard CSO-STD-1109 Page i TABLE OF CONTENTS ... Many application installation

CS

O S

tand

ard

CS

O-S

TD

-110

9

Pag

e 8

Ste

p

ST

IG ID

S

etti

ng

Nam

e D

ISA

Set

tin

g

NR

C R

equ

irem

ent

Rat

ion

ale

for

Dif

feri

ng

fro

m t

he

DIS

A S

TIG

s

4.

3.

047

Sm

art C

ard

Rem

oval

Opt

ion

The

Sm

art C

ard

Rem

oval

opt

ion

will

be

con

figur

ed to

F

orce

Log

off o

r Lo

ck

Wor

ksta

tion

For

ser

vers

loca

ted

with

in a

utho

rized

da

ta c

ente

rs in

NR

C

faci

litie

s, o

r in

oth

er

auth

oriz

ed d

ata

cent

ers

with

se

para

te p

rote

cted

ar

eas

for

NR

C

asse

ts (

e.g.

, re

stric

ted

data

ce

nter

roo

ms

or

cage

s), t

he r

emov

al

optio

n do

es n

ot

need

to b

e co

nfig

ured

to fo

rce

a lo

goff

or lo

ck th

e w

orks

tatio

n.

For

all

othe

r ci

rcum

stan

ces,

the

ST

IG r

equi

rem

ent t

o co

nfig

ure

the

Sm

art

Car

d R

emov

al

optio

n to

forc

e a

logo

ff or

lock

the

wor

ksta

tion

appl

ies.

To

faci

litat

e an

adm

inis

trat

ors

abili

ty to

wor

k us

ing

the

cons

oles

of m

ultip

le s

erve

rs

sim

ulta

neou

sly

(e.g

., fo

r tr

oubl

esho

otin

g pu

rpos

es),

NR

C d

oes

not r

equi

re a

forc

ed

scre

en lo

ck o

r us

er lo

gout

upo

n re

mov

al o

f a

smar

t car

d if

the

serv

er is

loca

ted

with

in

auth

oriz

ed d

ata

cent

ers

in N

RC

faci

litie

s, o

r in

ot

her

auth

oriz

ed d

ata

cent

ers

with

sep

arat

e pr

otec

ted

area

s fo

r N

RC

ass

ets.

5.

3.

084

Win

dow

s T

ime

Ser

vice

Con

figur

e N

TP

C

lient

Con

figur

e tim

e se

rvic

e to

use

an

auth

oriz

ed ti

me

serv

er.

Con

figur

e th

e tim

e se

rver

per

the

requ

irem

ents

sta

ted

in C

SO

-ST

D-2

005.

The

NR

C ti

me

serv

er r

equi

rem

ents

are

sp

ecifi

ed in

CS

O-S

TD

-200

5, “

Sys

tem

M

onito

ring

Sta

ndar

d.”

Page 11: Nuclear Regulatory Commission Computer Security Office ...Director, OIS Jim Flanagan /RA/ 5/21/2013 . CSO Standard CSO-STD-1109 Page i TABLE OF CONTENTS ... Many application installation

CS

O S

tand

ard

CS

O-S

TD

-110

9

Pag

e 9

Ste

p

ST

IG ID

S

etti

ng

Nam

e D

ISA

Set

tin

g

NR

C R

equ

irem

ent

Rat

ion

ale

for

Dif

feri

ng

fro

m t

he

DIS

A S

TIG

s

6.

3.

092

Aud

it Lo

g W

arni

ng

Leve

l T

he s

yste

m w

ill

gene

rate

an

audi

t ev

ent w

hen

the

audi

t lo

g re

ache

s a

perc

ent f

ull t

hres

hold

.

Con

figur

e th

e A

udit

Log

War

ning

Lev

el

per

the

requ

irem

ents

st

ated

in C

SO

-ST

D-

0020

.

The

NR

C r

equi

rem

ent i

s sp

ecifi

ed fo

r th

e A

U-

5 co

ntro

l in

CS

O-S

TD

-002

0, “

Org

aniz

atio

n D

efin

ed V

alue

s fo

r S

yste

m S

ecur

ity C

ontr

ols.

7.

3.

122

Adm

inis

trat

or

Acc

ount

P

assw

ord

Cha

nges

Adm

inis

trat

or

pass

wor

ds w

ill b

e ch

ange

d as

req

uire

d

Con

figur

e ad

min

istr

ator

pa

ssw

ords

per

the

requ

irem

ents

sta

ted

in C

SO

-ST

D-0

001.

The

NR

C a

dmin

istr

ator

pas

swor

d re

quire

men

ts a

re s

peci

fied

in C

SO

-ST

D-0

001,

“S

tron

g P

assw

ord

Sta

ndar

d.”

8.

3.

130

UA

C –

Adm

in

Ele

vatio

n P

rom

pt

Use

r A

ccou

nt C

ontr

ol

will

at m

inim

um,

prom

pt

adm

inis

trat

ors

for

cons

ent.

Con

figur

e U

AC

to

“Pro

mpt

for

Con

sent

on

the

Sec

ure

Des

ktop

,” o

r th

e m

ore

secu

re o

ptio

n,

“Pro

mpt

for

Cre

dent

ials

on

the

Sec

ure

Des

ktop

.”

The

NR

C r

equi

rem

ent i

s co

nsis

tent

with

the

valu

e fo

r S

TIG

ID 3

.135

, whi

ch r

equi

res

that

U

AC

sw

itch

to th

e S

ecur

e D

eskt

op w

hen

prom

ptin

g fo

r el

evat

ion.

9.

3.

154

Ker

bero

s E

ncry

ptio

n T

ypes

K

erbe

ros

encr

yptio

n ty

pes

will

be

conf

igur

ed to

pre

vent

th

e us

e of

DE

S

encr

yptio

n su

ites.

Con

figur

e th

e K

erbe

ros

encr

yptio

n ty

pes

per

the

requ

irem

ents

sta

ted

in C

SO

-ST

D-2

009.

NR

C e

ncry

ptio

n re

quire

men

ts a

re s

peci

fied

in

CS

O-S

TD

-200

9, “

Cry

ptog

raph

ic C

ontr

ol

Sta

ndar

d.”

Page 12: Nuclear Regulatory Commission Computer Security Office ...Director, OIS Jim Flanagan /RA/ 5/21/2013 . CSO Standard CSO-STD-1109 Page i TABLE OF CONTENTS ... Many application installation

CS

O S

tand

ard

CS

O-S

TD

-110

9

Pag

e 10

Ste

p

ST

IG ID

S

etti

ng

Nam

e D

ISA

Set

tin

g

NR

C R

equ

irem

ent

Rat

ion

ale

for

Dif

feri

ng

fro

m t

he

DIS

A S

TIG

s

10.

4.

002

Bad

Log

on

Atte

mpt

s C

onfig

ure

the

syst

em

to lo

ck o

ut a

n ac

coun

t afte

r th

ree

inva

lid lo

gon

atte

mpt

s.

Con

figur

e th

e B

ad

Logo

n A

ttem

pts

setti

ng p

er th

e re

quire

men

t sta

ted

in C

SO

-ST

D-0

020.

The

NR

C r

equi

rem

ent i

s sp

ecifi

ed fo

r th

e A

C-

7 co

ntro

l in

CS

O-S

TD

-002

0, “

Org

aniz

atio

n D

efin

ed V

alue

s fo

r S

yste

m S

ecur

ity C

ontr

ols.

11.

4.

003

Bad

Log

on

Cou

nter

Res

et

Con

figur

e th

e sy

stem

to

hav

e th

e lo

ckou

t co

unte

r re

set i

tsel

f af

ter

a m

inim

um o

f 60

min

utes

.

Con

figur

e th

e B

ad

Logo

n C

ount

er

Res

et s

ettin

g pe

r th

e re

quire

men

t sta

ted

in C

SO

-ST

D-0

020.

The

NR

C r

equi

rem

ent i

s sp

ecifi

ed fo

r th

e A

C-

7 co

ntro

l in

CS

O-S

TD

-002

0, “

Org

aniz

atio

n D

efin

ed V

alue

s fo

r S

yste

m S

ecur

ity C

ontr

ols.

12.

4.

004

Lock

out D

urat

ion

The

lock

out d

urat

ion

will

mee

t min

imum

re

quire

men

ts.

Con

figur

e th

e Lo

ckou

t Dur

atio

n se

tting

per

the

requ

irem

ent s

tate

d in

CS

O-S

TD

-002

0.

The

NR

C r

equi

rem

ent i

s sp

ecifi

ed fo

r th

e A

C-

7 co

ntro

l in

CS

O-S

TD

-002

0, “

Org

aniz

atio

n D

efin

ed V

alue

s fo

r S

yste

m S

ecur

ity C

ontr

ols.

13.

4.

011

Max

imum

P

assw

ord

Age

60

day

s C

onfig

ure

the

max

imum

pas

swor

d ag

e pe

r th

e re

quire

men

ts s

tate

d in

CS

O-S

TD

-000

1.

The

NR

C r

equi

rem

ent f

or m

axim

um p

assw

ord

age

is s

peci

fied

in C

SO

-ST

D-0

001,

“S

tron

g P

assw

ord

Sta

ndar

d.”

14.

4.

012

Min

imum

P

assw

ord

Age

1

day

Con

figur

e th

e m

inim

um p

assw

ord

age

per

the

requ

irem

ents

sta

ted

in C

SO

-ST

D-0

001.

The

NR

C r

equi

rem

ent f

or th

e m

inim

um

pass

wor

d ag

e is

spe

cifie

d in

CS

O-S

TD

-000

1,

“Str

ong

Pas

swor

d S

tand

ard.

Page 13: Nuclear Regulatory Commission Computer Security Office ...Director, OIS Jim Flanagan /RA/ 5/21/2013 . CSO Standard CSO-STD-1109 Page i TABLE OF CONTENTS ... Many application installation

CS

O S

tand

ard

CS

O-S

TD

-110

9

Pag

e 11

Ste

p

ST

IG ID

S

etti

ng

Nam

e D

ISA

Set

tin

g

NR

C R

equ

irem

ent

Rat

ion

ale

for

Dif

feri

ng

fro

m t

he

DIS

A S

TIG

s

15.

4.

013

Min

imum

P

assw

ord

Leng

th

Pas

swor

ds m

ust b

e at

a m

inim

um 1

4 ch

arac

ters

Con

figur

e th

e m

inim

um p

assw

ord

leng

th p

er th

e re

quire

men

ts s

tate

d in

CS

O-S

TD

-000

1.

The

NR

C m

inim

um p

assw

ord

leng

th

requ

irem

ent i

s sp

ecifi

ed in

CS

O-S

TD

-000

1,

“Str

ong

Pas

swor

d S

tand

ard.

16.

4.

014

Pas

swor

d U

niqu

enes

s E

nfor

ce a

pas

swor

d hi

stor

y of

24

used

pa

ssw

ords

.

Con

figur

e pa

ssw

ord

uniq

uene

ss p

er th

e re

quire

men

ts s

tate

d in

CS

O-S

TD

-000

1.

The

NR

C r

equi

rem

ent f

or p

assw

ord

uniq

uene

ss is

spe

cifie

d in

CS

O-S

TD

-000

1,

“Str

ong

Pas

swor

d S

tand

ard.

17.

4.

018

App

licat

ion

Acc

ount

P

assw

ords

App

licat

ion

acco

unt

pass

wor

ds w

ill m

eet

DO

D r

equi

rem

ents

fo

r le

ngth

, com

plex

ity

and

chan

ges

Con

figur

e ap

plic

atio

n ac

coun

t pa

ssw

ords

per

the

requ

irem

ents

in

CS

O-S

TD

-000

1.

The

NR

C a

pplic

atio

n ac

coun

t pas

swor

d re

quire

men

ts a

re s

peci

fied

in C

SO

-ST

D-0

001,

“S

tron

g P

assw

ord

Sta

ndar

d.”

18.

5.

003

Boo

ting

into

M

ultip

le O

pera

ting

Sys

tem

s

Boo

ting

into

alte

rnat

e no

n-S

TIG

com

plai

nt

oper

atin

g sy

stem

s w

ill n

ot b

e pe

rmitt

ed.

Alte

rnat

e op

erat

ing

syst

ems

mus

t be

hard

ened

in

acco

rdan

ce w

ith

effe

ctiv

e C

SO

st

anda

rds

and

be

appr

oved

by

the

NR

C.

The

NR

C T

echn

ical

Ref

eren

ce M

odel

(T

RM

) id

entif

ies

all a

genc

y ap

prov

ed o

pera

ting

syst

ems,

and

app

rove

d op

erat

ing

syst

ems

mus

t be

hard

ened

per

effe

ctiv

e C

SO

st

anda

rds.

Step 19, STIG ID 5.038: Terminal Services/Remote Desktop Services (TS/RDS) - Session Limit
DISA Setting: Remote Desktop Services will limit users to one remote session.
NRC Requirement: Configure remote desktop services per the requirements in CSO-STD-0020.
Rationale for Differing from the DISA STIGs: The NRC requirements for remote desktop services are specified for the AC-10 control in CSO-STD-0020, "Organization Defined Values for System Security Controls."

Step 20, STIG ID 5.043: TS/RDS - Set Encryption Level
DISA Setting: Remote Desktop Services will be configured with the client connection encryption set to the required level.
NRC Requirement: Configure the client connection encryption level per the requirements stated in CSO-STD-2009.
Rationale for Differing from the DISA STIGs: NRC encryption requirements are specified in CSO-STD-2009, "Cryptographic Control Standard."

Step 21, STIG ID 5.046: TS/RDS - Time Limit for Disconnected Session
DISA Setting: Remote Desktop Services will be configured to set a time limit for disconnected sessions.
NRC Requirement: Configure the time limit to no more than the maximum time limit stated for inactive sessions in CSO-STD-0020.
Rationale for Differing from the DISA STIGs: The NRC requirement to disconnect inactive sessions after a maximum time limit is specified for the SC-10 control in CSO-STD-0020, "Organization Defined Values for System Security Controls."

Step 22, STIG ID 5.073: TS/RDS - Clipboard Redirections
DISA Setting: The system will be configured to prevent users from sharing clipboard content on their client computers with the Remote Desktop Session Host that they access.
NRC Requirement: Disable the "Do not allow clipboard redirection" group policy setting.
Rationale for Differing from the DISA STIGs: The NRC permits clipboard redirection to facilitate common cut-and-paste operations between the administrative workstation and the remote host.
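The four Remote Desktop Services settings in steps 19 through 22 are all backed by DWORD values under one Group Policy registry key, so they can be verified together. The script below is an added example and is not part of CSO-STD-1109 or any NRC tooling; it reads the values Windows Server 2008 R2 consults for these policies and compares them with a target profile. The encryption level and disconnect time limit in the profile are placeholders (marked ASSUMPTION) standing in for the organization-defined values in CSO-STD-2009 and CSO-STD-0020.

```powershell
# Added example, not part of CSO-STD-1109: report and optionally apply the four
# Remote Desktop Services policy values behind steps 19-22. The registry path
# and value names are the Group Policy-backed values that Windows Server 2008 R2
# reads for these settings. Numeric targets marked ASSUMPTION are placeholders;
# the real limits come from CSO-STD-0020 and the encryption level from
# CSO-STD-2009. Run elevated. Usage: .\Test-RdsPolicy.ps1 [-Apply]
param([switch]$Apply)

$rdsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Desired state, keyed by registry value name.
$expected = @{
    fSingleSessionPerUser = 1        # step 19: restrict each user to one session
    MinEncryptionLevel    = 3        # step 20: ASSUMPTION, 3 = High; take from CSO-STD-2009
    MaxDisconnectionTime  = 900000   # step 21: ASSUMPTION, 15 minutes in ms; take from CSO-STD-0020
    fDisableClip          = 0        # step 22: 0 leaves clipboard redirection enabled
}

function Get-RdsPolicyValue {
    param([string]$Name)
    # $null means the value is not set at all, so the product default applies
    # rather than the configured one; that is reported as non-compliant below.
    $item = Get-ItemProperty -Path $rdsPolicy -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RdsPolicy {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $actual = Get-RdsPolicyValue -Name $name
        New-Object PSObject -Property @{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $Expected[$name])
        }
    }
}

function Set-RdsPolicy {
    param([hashtable]$Expected)
    if (-not (Test-Path $rdsPolicy)) { New-Item -Path $rdsPolicy -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        # DWORD, matching what the Group Policy engine writes for these settings.
        Set-ItemProperty -Path $rdsPolicy -Name $name -Value $Expected[$name] -Type DWord
    }
}

Test-RdsPolicy -Expected $expected | Format-Table Setting, Expected, Actual, Compliant -AutoSize
if ($Apply) { Set-RdsPolicy -Expected $expected }
```

On a domain-joined server these values are delivered by Group Policy, so the script reports the effective result; a value written locally with -Apply is overwritten at the next policy refresh, which is why the durable fix belongs in the GPO. MaxDisconnectionTime is expressed in milliseconds, and an unset value is reported as a finding because the product default, not the standard's limit, then applies.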

Step 23, STIG ID 5.140: HBSS McAfee Agent
DISA Setting: The HBSS McAfee Agent will be installed.
NRC Requirement: An NRC-approved endpoint protection solution must be implemented. The NRC Technical Reference Model (TRM) identifies all agency approved endpoint protection solutions.
Rationale for Differing from the DISA STIGs: NRC endpoint protection requirements are specified on the CSO Standards web page.

Step 24, STIG ID WINAU-000604: Audit - File System - Failure
DISA Setting: The system will be configured to be able to audit "Object Access -> File System" failures.
NRC Requirement: The system will be configured to be able to audit "Object Access -> File System" successes and failures.
Rationale for Differing from the DISA STIGs: The DISA STIG only requires that the system be configured to be able to audit failed file system access attempts. The NRC requires the system be configured to be able to audit successful attempts in addition to failed attempts. This setting does not turn on the auditing, but rather permits turning on the auditing, allowing administrators to control auditing using System Access Control Lists (SACLs) on individual file system objects. NOTE: SACLs must be configured on individual file system objects for audit logs to record file system object access for specific objects. SACLs are set on file system objects using the Security tab in that object's Properties dialog box.

Step 25, STIG ID WINAU-000610: Audit - Registry - Failure
DISA Setting: The system will be configured to be able to audit "Object Access -> Registry" failures.
NRC Requirement: The system will be configured to be able to audit "Object Access -> Registry" successes and failures.
Rationale for Differing from the DISA STIGs: The DISA STIG only requires that the system be configured to be able to audit failed registry access attempts. The NRC requires the system be configured to be able to audit successful attempts in addition to failed attempts. This setting does not turn on the auditing, but rather permits turning on the auditing, allowing administrators to control auditing using System Access Control Lists (SACLs) on individual registry objects. NOTE: SACLs must be configured on individual registry objects for audit logs to record registry object access for specific objects. SACLs are set on registry objects using the Security tab in that object's Properties dialog box.

Step 26, STIG ID WINPK-000001: WINPK-000001 - DOD Root Certificate
DISA Setting: The DOD Root Certificate must be installed.
NRC Requirement: Digital certificates that are issued and signed by an NRC-approved Certification Authority (CA) must be used.
Rationale for Differing from the DISA STIGs: The NRC Managed Public Key Infrastructure (PKI) must be used.

Step 27, STIG ID WINPK-000002: WINPK-000002 External Certificate Authority (CA) Root Certificate
DISA Setting: The External CA Root Certificate must be installed.
NRC Requirement: Digital certificates that are issued and signed by an NRC-approved CA must be used.
Rationale for Differing from the DISA STIGs: The NRC Managed PKI must be used.
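Steps 24 and 25 make the same two-part point: the audit policy only permits object access auditing, and nothing is recorded until a SACL is placed on the object. The script below, an added example that is not part of CSO-STD-1109, shows both halves for the file system and registry subcategories: it reads the policy with auditpol, enables success and failure auditing, and attaches an audit rule to a folder and to a registry key. The folder and key paths are constructed placeholders.

```powershell
# Added example, not part of CSO-STD-1109: check the two Object Access audit
# subcategories from steps 24 and 25, enable success and failure auditing on
# both, and attach SACLs to a file system folder and a registry key so that
# access is actually recorded (per the NOTE: the policy only permits auditing;
# the SACL turns it on for a given object). Paths are constructed
# placeholders. Run elevated.

function Get-AuditSubcategorySetting {
    param([string]$Subcategory)
    # auditpol /r emits CSV; "Inclusion Setting" is one of "No Auditing",
    # "Success", "Failure" or "Success and Failure".
    $rows = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    return ($rows | Select-Object -First 1).'Inclusion Setting'
}

function Test-ObjectAccessAuditing {
    foreach ($sub in 'File System', 'Registry') {
        $setting = Get-AuditSubcategorySetting -Subcategory $sub
        New-Object PSObject -Property @{
            Subcategory = $sub
            Setting     = $setting
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

function Enable-ObjectAccessAuditing {
    foreach ($sub in 'File System', 'Registry') {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
}

function Add-FileSystemAuditRule {
    param([string]$Path, [string]$Identity = 'Everyone')
    # Record successful and failed writes and deletes by anyone; the
    # inheritance flags extend the rule to files and subfolders under $Path.
    $acl      = Get-Acl -Path $Path -Audit
    $ctorArgs = @($Identity, 'Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
    $rule     = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ctorArgs
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Add-RegistryAuditRule {
    param([string]$Path, [string]$Identity = 'Everyone')
    # Record value writes, subkey creation and deletion under the key.
    $acl      = Get-Acl -Path $Path -Audit
    $ctorArgs = @($Identity, 'SetValue, CreateSubKey, Delete', 'ContainerInherit', 'None', 'Success, Failure')
    $rule     = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList $ctorArgs
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Report first; the remaining calls change the system and use placeholder paths.
Test-ObjectAccessAuditing | Format-Table Subcategory, Setting, Compliant -AutoSize
Enable-ObjectAccessAuditing
Add-FileSystemAuditRule -Path 'C:\PLACEHOLDER\AppConfig'                # constructed path
Add-RegistryAuditRule   -Path 'HKLM:\SOFTWARE\PLACEHOLDER\AppSettings'  # constructed key
```

Reading or writing a SACL needs the "Manage auditing and security log" privilege, which is why the script must run elevated. Once both the policy and the SACL are in place, object access shows up in the Security log as Object Access events for the audited object; auditing "Everyone" for writes and deletes on configuration data, rather than for reads on everything, keeps the volume manageable.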

Step 28, STIG ID WINPK-000003: WINPK-000003 DOD Interoperability Root CA to DOD Root CA 2 cross certificate
DISA Setting: The DOD Interoperability Root CA to DOD Root CA 2 cross certificate must be installed.
NRC Requirement: Digital certificates that are issued and signed by an NRC-approved CA must be used.
Rationale for Differing from the DISA STIGs: The NRC Managed PKI must be used.

Step 29, STIG ID WINUR-000007: Back up files and directories
DISA Setting: No accounts or groups other than the Administrators group will have the "Backup files and directories" user right.
NRC Requirement: In addition to the Administrators group, accounts and groups approved by the system ISSO and documented in the System Security Plan may be granted the "Backup files and directories" user right.
Rationale for Differing from the DISA STIGs: Permitting a designated account or group for backup operations facilitates the use of a less privileged account for routine/periodic operations in accordance with the principle of least privilege.

Step 30, STIG ID WINUR-000019: Deny log on as a service
DISA Setting: No accounts should be granted the "Deny Log on as a Service" right.
NRC Requirement: Assign the "Deny Log on as a Service" right to the Guests group.
Rationale for Differing from the DISA STIGs: Granting the "Deny Log on as a Service" right to the Guests group account restricts the use of guest accounts. This aligns with numerous STIG settings, which also require that the Guests group be assigned rights for the purpose of restricting the use of guest accounts. Examples include WINUR-000017 (Deny Access from the Network), WINUR-000018 (Deny log on as a batch job), and WINUR-000020 (Deny log on locally).

3.4.2 Windows Server 2008 R2 Domain Controller STIG

Table 3.4-3 lists the required NRC configuration settings that differ from settings that are only specified in the Domain Controller STIG; these settings are not applicable or specified in the Member Server STIG.

Table 3.4-3: Requirements that Differ from the Windows Server 2008 R2 Domain Controller STIG

Step 1, STIG ID AD.1033_2008_R2: PKI Authentication Requirement
DISA Setting: "Smart card is required for interactive logon" must be checked for each account.
NRC-Specific Requirement: This setting is not required. Smart cards must be used for interactive logon when technically feasible; however, enforcing the use of smart cards in all circumstances is not required due to legacy systems and applications that specifically require the use of the username and password.
Rationale for Differing from the DISA STIG: Because of certain NRC applications, which require the use of AD usernames and passwords, this configuration setting is not required. CSO will continue to research how to make this setting mandatory.

Step 2, STIG ID DS00.1190_2008_R2: Directory Server Data File Locations
DISA Setting: The directory server data files must be located on a different logical partition from the data files owned by users.
NRC-Specific Requirement: Domain controllers are not permitted to have partitions with data files owned by users.
Rationale for Differing from the DISA STIG: In accordance with the principle of least functionality, partitions on domain controllers must not contain user-owned data files. Thus, domain controllers must not have user volumes or user file shares.

Step 3, STIG ID DS00.2140_2008_R2: Directory PKI Certificate Source - Server
DISA Setting: PKI certificates (server and clients) must be issued by the DOD PKI or an approved External CA.
NRC-Specific Requirement: Digital certificates that are issued and signed by an NRC-approved certification authority (CA) must be used.
Rationale for Differing from the DISA STIG: The NRC Managed PKI must be used.

Step 4, STIG ID DS00.2141_2008_R2: Directory PKI Certificate Source - Users
DISA Setting: PKI certificates (user certificates) must be issued by the DOD PKI or an approved External CA.
NRC-Specific Requirement: Digital certificates that are issued and signed by an NRC-approved CA must be used.
Rationale for Differing from the DISA STIG: The NRC Managed PKI must be used.

Step 5, STIG ID DS00.3131_2008_R2: Anonymous Access to Non-Public Root DSE Data
DISA Setting: Anonymous access to the root Directory Server Entries (DSE) of a non-public directory must be disabled.
NRC-Specific Requirement: This requirement is not required.
Rationale for Differing from the DISA STIG: This requirement is not currently possible based on the method used to access the root DSE in Microsoft Windows Server Domain Controllers. Information found in the root DSE can be found in the following Microsoft article: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684291(v=vs.85).aspx
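Steps 26 and 27 of the member server table require specific root certificates to be present, and steps 3 and 4 above require that certificates chain to an NRC-approved CA; both reduce to the contents of the machine's trusted root store. The script below is an added example and not part of CSO-STD-1109: it checks that store for the approved root(s), flags expired roots, and installs an approved root with certutil, which ships with Windows Server 2008 R2 (the Import-Certificate cmdlet does not). The thumbprint in the approved list is a constructed placeholder; the real values come from the NRC Managed PKI.

```powershell
# Added example, not part of CSO-STD-1109: verify that the trusted root store
# contains the approved root CA certificate(s), flag expired roots, and install
# an approved root with certutil. The thumbprint below is a constructed
# placeholder (ASSUMPTION); take real values from the NRC Managed PKI. Run
# elevated.

# Approved roots, keyed by SHA-1 thumbprint (uppercase hex, no spaces).
$approvedRoots = @{
    '0000000000000000000000000000000000000000' = 'PLACEHOLDER NRC Managed PKI Root CA'   # ASSUMPTION
}

function Get-RootStoreFindings {
    param([hashtable]$Approved)
    $store   = Get-ChildItem -Path Cert:\LocalMachine\Root
    $present = @{}
    foreach ($cert in $store) { $present[$cert.Thumbprint.ToUpper()] = $cert }

    # Missing approved roots: certificates chained to them will fail validation.
    foreach ($tp in $Approved.Keys) {
        if (-not $present.ContainsKey($tp.ToUpper())) {
            New-Object PSObject -Property @{ Finding = 'Approved root missing'; Thumbprint = $tp; Subject = $Approved[$tp] }
        }
    }
    # Expired roots still in the store are clutter at best and should be removed.
    foreach ($cert in $store) {
        if ($cert.NotAfter -lt (Get-Date)) {
            New-Object PSObject -Property @{ Finding = 'Expired root present'; Thumbprint = $cert.Thumbprint; Subject = $cert.Subject }
        }
    }
}

function Install-ApprovedRoot {
    param([string]$CerPath)
    # Refuse anything not on the approved list: a certificate in this store
    # makes every certificate chained to it trusted machine-wide.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    if (-not $approvedRoots.ContainsKey($cert.Thumbprint.ToUpper())) {
        throw "Refusing to install unapproved root '$($cert.Subject)' ($($cert.Thumbprint))"
    }
    # A root certificate is self-issued; anything else belongs in the CA store.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a root certificate (issuer differs from subject): $($cert.Subject)"
    }
    certutil -addstore -f Root $CerPath | Out-Null
}

Get-RootStoreFindings -Approved $approvedRoots | Format-Table Finding, Subject, Thumbprint -AutoSize
Install-ApprovedRoot -CerPath 'C:\PLACEHOLDER\nrc-root.cer'   # constructed path to the approved root file
```

Matching on thumbprint rather than subject name is deliberate: the subject string of a root is under the control of whoever issued it, while the thumbprint identifies one exact certificate. The cross certificate in step 28 is not self-issued and would be rejected by the self-signed check; it belongs in the intermediate (CA) store, not Root.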

Step 6, STIG ID DS00.3281_2008_R2: Replication Encryption - Classification Factor
DISA Setting: Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
NRC-Specific Requirement: Configure encryption per the requirements stated in CSO-STD-2009.
Rationale for Differing from the DISA STIG: NRC encryption requirements are specified in CSO-STD-2009, "Cryptographic Control Standard."

Step 7, STIG ID DS00.3370_2008_R2: Inactive Server Connections
DISA Setting: The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
NRC-Specific Requirement: Configure all network connection termination (including LDAP) per the requirements stated in CSO-STD-0020.
Rationale for Differing from the DISA STIG: The NRC requirement for network connection termination after a period of inactivity is specified for the SC-10 control in CSO-STD-0020, "Organization Defined Values for System Security Controls."
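Three rows of this table can be verified from the domain controller itself: the location of the directory data files and whether any user share sits on the same volume (step 2), what the root DSE discloses to an anonymous bind (step 5), and the LDAP idle-connection limit (step 7). The script below is an added example, not part of CSO-STD-1109; the 300-second limit it tests against is a placeholder for the SC-10 value defined in CSO-STD-0020, and it assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed on the domain controller.

```powershell
# Added example, not part of CSO-STD-1109: read-only checks on a Windows
# Server 2008 R2 domain controller for steps 2, 5 and 7 of this table, plus a
# setter for the step 7 limit. MaxConnIdleTime is in seconds; the 300-second
# limit is a constructed placeholder (ASSUMPTION) for the CSO-STD-0020 value.
# Requires the ActiveDirectory module (RSAT-AD-PowerShell); run on the DC.
Import-Module ActiveDirectory

function Get-DirectoryDataLocations {
    # Step 2: the database, its transaction logs and SYSVOL.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    New-Object PSObject -Property @{
        Database = $ntds.'DSA Database file'
        Logs     = $ntds.'Database log files path'
        Sysvol   = $nl.SysVol
    }
}

function Get-UserSharesOnDirectoryVolumes {
    # Step 2: an ordinary disk share (Win32_Share Type 0) other than
    # SYSVOL/NETLOGON on a volume holding directory data is a user data
    # location, which the NRC requirement forbids on a domain controller.
    $loc = Get-DirectoryDataLocations
    $dirVolumes = @($loc.Database, $loc.Logs, $loc.Sysvol) | Where-Object { $_ } |
        ForEach-Object { [System.IO.Path]::GetPathRoot($_).ToUpper() } | Sort-Object -Unique
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 0 -and $_.Path -and $_.Name -ne 'SYSVOL' -and $_.Name -ne 'NETLOGON' } |
        Where-Object { $dirVolumes -contains [System.IO.Path]::GetPathRoot($_.Path).ToUpper() } |
        Select-Object Name, Path
}

function Get-RootDseSummary {
    # Step 5: LDAP clients read the root DSE anonymously to discover the
    # server, which is why the DISA setting cannot be applied; this shows
    # a few of the attributes that are exposed.
    $rootDse = [ADSI]'LDAP://RootDSE'
    New-Object PSObject -Property @{
        DnsHostName          = $rootDse.dnsHostName.Value
        DefaultNamingContext = $rootDse.defaultNamingContext.Value
        SupportedLdapVersion = (($rootDse.supportedLDAPVersion | ForEach-Object { "$_" }) -join ',')
    }
}

function Get-DefaultQueryPolicyDn {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    return "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
}

function Get-LdapIdleTimeout {
    # Step 7: MaxConnIdleTime is one entry of the multi-valued lDAPAdminLimits attribute.
    $policy = Get-ADObject -Identity (Get-DefaultQueryPolicyDn) -Properties lDAPAdminLimits
    $entry  = $policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxConnIdleTime=*' }
    return [int]($entry -replace '^MaxConnIdleTime=', '')
}

function Set-LdapIdleTimeout {
    param([int]$Seconds)
    # The attribute is multi-valued, so swap out just the one entry.
    $dn  = Get-DefaultQueryPolicyDn
    $old = "MaxConnIdleTime=$(Get-LdapIdleTimeout)"
    Set-ADObject -Identity $dn -Remove @{ lDAPAdminLimits = $old } -Add @{ lDAPAdminLimits = "MaxConnIdleTime=$Seconds" }
}

function Test-LdapIdleTimeout {
    param([int]$LimitSeconds = 300)   # ASSUMPTION: organization-defined value from CSO-STD-0020
    $actual = Get-LdapIdleTimeout
    New-Object PSObject -Property @{ MaxConnIdleTime = $actual; Limit = $LimitSeconds; Compliant = ($actual -le $LimitSeconds) }
}

Get-DirectoryDataLocations
Get-UserSharesOnDirectoryVolumes
Get-RootDseSummary
Test-LdapIdleTimeout
```

The Default Query Policy is forest-wide, so a change made with Set-LdapIdleTimeout applies to every domain controller that does not have a policy of its own; the same value can be set interactively with ntdsutil's "LDAP policies" menu. The product default for MaxConnIdleTime is 900 seconds, which is why a domain controller that has never been touched will fail a five-minute test.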

Step 8, STIG ID WINUR-000006: Allow log on through Remote Desktop Services
DISA Setting: Unauthorized accounts will not have the "Allow log on through Remote Desktop Services" user right. If the server is providing Remote Desktop services to users, access will be managed through the Remote Desktop Users group or another restricted group and documented.
NRC-Specific Requirement: The "Allow log on through Remote Desktop Services" user right must not be assigned to any users other than authorized Administrators for the purpose of server administration.
Rationale for Differing from the DISA STIG: Domain controllers must not provide Remote Desktop services to users. Use of Remote Desktop services on domain controllers is only permitted for authorized Administrators performing server administration.
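The user-rights rows in this standard (steps 29 and 30 of the member server table, and step 8 above) all ask the same question: which principals hold a given right, and is that set exactly what the standard allows or requires? The script below is an added example, not part of CSO-STD-1109; it exports the effective user-rights assignment with secedit, parses the [Privilege Rights] section, and checks the three rights. The built-in group SIDs are the well-known values; the ISSO-approved backup group SID is a constructed placeholder.

```powershell
# Added example, not part of CSO-STD-1109: export the effective user-rights
# assignment with secedit and compare three rights against the expected
# principals: "Back up files and directories" (step 29, SeBackupPrivilege),
# "Deny log on as a service" (step 30, SeDenyServiceLogonRight) and "Allow log
# on through Remote Desktop Services" (step 8, SeRemoteInteractiveLogonRight).
# Built-in SIDs are well-known values; the backup group SID is a constructed
# placeholder (ASSUMPTION). Run elevated.

$Administrators = 'S-1-5-32-544'
$Guests         = 'S-1-5-32-546'

function Get-UserRightsAssignment {
    # The [Privilege Rights] section of the exported INF maps each privilege
    # constant to a comma-separated list of *SID (or account name) entries.
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights    = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-UserRight {
    param(
        [hashtable]$Rights,
        [string]$Privilege,
        [string[]]$Allowed  = $null,   # when given, any other holder is a finding
        [string[]]$Required = @()      # principals that must hold the right
    )
    # A privilege assigned to nobody is simply absent from the export.
    $actual  = @($Rights[$Privilege] | Where-Object { $_ })
    $extra   = @()
    if ($Allowed) { $extra = @($actual | Where-Object { $Allowed -notcontains $_ }) }
    $missing = @($Required | Where-Object { $actual -notcontains $_ })
    New-Object PSObject -Property @{
        Privilege  = $Privilege
        Holders    = ($actual -join ' ')
        Unexpected = ($extra -join ' ')
        Missing    = ($missing -join ' ')
        Compliant  = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$rights = Get-UserRightsAssignment
$checks = @()
# Step 29: Administrators plus the ISSO-approved groups documented in the SSP.
$approvedBackup = @($Administrators, 'S-1-5-21-PLACEHOLDER-1234')   # ASSUMPTION: SSP-documented backup group
$checks += Test-UserRight -Rights $rights -Privilege 'SeBackupPrivilege' -Allowed $approvedBackup
# Step 30: Guests must be denied service logon; other denied principals are not a finding.
$checks += Test-UserRight -Rights $rights -Privilege 'SeDenyServiceLogonRight' -Required @($Guests)
# Step 8: on a domain controller only authorized administrators may log on through RDS.
$checks += Test-UserRight -Rights $rights -Privilege 'SeRemoteInteractiveLogonRight' -Allowed @($Administrators)
$checks | Format-Table Privilege, Holders, Unexpected, Missing, Compliant -AutoSize
```

secedit reports the effective local assignment, which already includes whatever Group Policy delivered, so this is the right place to look for drift between the GPO and the server. Entries for well-known groups come back as SIDs; domain accounts or groups that cannot be resolved appear by SID as well, which is why the comparison is done on SIDs rather than names.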

3.4.3 Windows Server 2008 R2 Active Directory Domain STIG

The Active Directory Domain STIG and Active Directory Forest STIG provide security requirements for Active Directory (AD) on Domain Controllers for Windows Servers. Table 3.4-4 lists the required NRC configuration settings that differ from settings that are specified in the Active Directory Domain STIG.

Table 3.4-4: Requirements that Differ from the Windows Server 2008 R2 Active Directory Domain STIG

Step 1, STIG ID AD.0151: The Directory Service Restore Mode (DSRM) password must be changed at least annually.
DISA Setting: Create or implement a local site policy to change the DSRM password at least yearly.
NRC-Specific Requirement: This DISA requirement takes precedence over the administrator account maximum password age requirement specified in CSO-STD-0001, "Strong Password Standard."
Rationale for Differing from the DISA STIG: The NRC requirement does not differ from the DISA STIG requirement. Due to the operational impact associated with changing the DSRM password, the maximum password age for the DSRM password is one year rather than the age specified in CSO-STD-0001, and DSRM passwords must be changed at least yearly.

Step 2, STIG ID AD.0180: Interconnections between DOD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
DISA Setting: Delete the trust relationship that is defined between entities with resources at different DOD classification levels.
NRC-Specific Requirement: The NRC does not authorize any cross-domain solutions.
Rationale for Differing from the DISA STIG: The NRC does not authorize any cross-domain solutions.

Step 3, STIG ID AD.0240: The number of member accounts in privileged groups must not be excessive.
DISA Setting: The number of Domain Admins should be between one (1) and ten (10).
NRC-Specific Requirement: The number of members of the Domain Admins group must not exceed fifteen (15).
Rationale for Differing from the DISA STIG: The DISA requirement to have a total number of Domain Admins between one (1) and ten (10) is too restrictive for NRC. Although the NRC requirement permits up to fifteen (15) Domain Admins, membership in the Domain Admins group must be granted according to the principle of least privilege.

Step 4, STIG ID AD.0270: Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
DISA Setting: Ensure compliance with VPN and IPSec requirements in the Network Infrastructure STIG. Encapsulate traffic between the Domain Controller and the RODC.
NRC-Specific Requirement: NRC requirements for traffic encapsulation are stated (either implicitly or explicitly) on the CSO Standards web page.
Rationale for Differing from the DISA STIG: For example, if a VPN tunnel is used, then the CSO standard requirements for VPNs (as stated on the standards web page) will apply.

Step 5, STIG ID AD.9100: Review of Hosting Domain and Forest
DISA Setting: Security assessments of the domain and/or forest in which the domain controller resides must be conducted at least annually.
NRC-Specific Requirement: The frequency and timing of Active Directory domain and/or forest security assessments must align with and coincide with the configuration (hardening) checks of the resident domain controller.
Rationale for Differing from the DISA STIG: Active Directory domains and forests will be assessed in accordance with NRC assessment requirements.

Step 6, STIG ID DS00.0160_AD: Directory Data Backup
DISA Setting: Directory data must be backed up at least daily for MAC I or II systems and at least weekly for MAC III systems.
NRC-Specific Requirement: Perform backups of directory data in accordance with the requirements stated in CSO-STD-2002.
Rationale for Differing from the DISA STIG: NRC system back-up requirements are specified in CSO-STD-2002, "System Back-up Standard."

Step 7, STIG ID DS00.1120_AD: Cross-Directory Authentication Documentation
DISA Setting: Each cross-directory authentication configuration must be documented.
NRC-Specific Requirement: Each cross-directory authentication configuration must be documented. Trust relationships must be documented and reviewed semi-annually to ensure that they are still required for the system to function.
Rationale for Differing from the DISA STIG: DISA considers this a CAT III requirement; NRC has increased the severity of this requirement to CAT-II. NOTE: The only change to this requirement is the NRC severity level.

Step 8, STIG ID DS00.1140_AD: Directory Service Inter-Enclave VPN Usage
DISA Setting: A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries.
NRC-Specific Requirement: Protect directory services communication over external, non-NRC networks using a VPN.
Rationale for Differing from the DISA STIG: The NRC equivalent to directory service communication occurring across DoD enclave boundaries is directory service communication occurring over external, non-NRC networks. NRC VPN security requirements are specified on the CSO Standards web page.

Step 9, STIG ID DS00.6120_AD: Directory Service Architecture DR Documentation
DISA Setting: AD implementation information must be added to the site's disaster recovery plans, including AD forest, tree, and domain structure.
NRC-Specific Requirement: NRC requires this information to be added to disaster recovery plans for all systems categorized with Low, Moderate, or High AD domains.
Rationale for Differing from the DISA STIG: NRC requires AD implementation information to be included in the Disaster Recovery (DR) plan to ensure a successful and timely recovery irrespective of the impact level of the AD domain.

Step 10, STIG ID DS00.7100_AD: Cross-Directory Authentication INFOCON Procedures
DISA Setting: Evaluate cross-directory configurations (such as trusts and pass-through authentication) and provide documentation that indicates: 1. That an evaluation was performed. 2. The specific AD trust configurations, if any, that should be disabled during changes in INFOCON status because they could represent increased risk.
NRC-Specific Requirement: Document and maintain a list of manual AD trusts (cross-directory configurations) within the System Security Plan. If a validated security incident occurs, the ISSO must ensure that the following two steps are completed: 1. The ISSO, or designee, shall review the list of manual AD trusts and determine whether it is necessary to disable manual AD trusts. 2. Disable manual AD trusts if deemed necessary in step one.
Rationale for Differing from the DISA STIG: The INFOCON levels referenced in the DISA STIG are written for DoD and are not applicable to NRC information systems. NOTE: This requirement only applies to information systems with manual AD trusts (cross-directory configurations). This includes external, forest, or realm trust relationship types.
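Two of the requirements in this table can be checked from the directory itself: the Domain Admins ceiling in step 3 (AD.0240), and the trust inventory that steps 7 and 10 (DS00.1120_AD, DS00.7100_AD) require to be documented in the System Security Plan and reviewed. The script below is an added example, not part of CSO-STD-1109. It counts Domain Admins with nested group membership expanded, lists every trust of the current domain, and flags manually created trusts (external, forest or realm, matching the NOTE in step 10) that are missing from the documented list, which is a constructed placeholder here. It assumes the ActiveDirectory module is available.

```powershell
# Added example, not part of CSO-STD-1109: checks for step 3 (AD.0240) and for
# steps 7 and 10 (DS00.1120_AD, DS00.7100_AD) of the Active Directory Domain
# table. The documented trust list is a constructed placeholder (ASSUMPTION).
# Requires the ActiveDirectory module (RSAT-AD-PowerShell).
Import-Module ActiveDirectory

function Get-DomainAdminMembership {
    param([int]$Limit = 15)
    # -Recursive expands nested groups: a group placed inside Domain Admins
    # does not reduce the number of people who actually hold the privilege.
    $users = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property SamAccountName -Unique)
    New-Object PSObject -Property @{
        Count     = $users.Count
        Limit     = $Limit
        Compliant = ($users.Count -ge 1 -and $users.Count -le $Limit)
        Members   = (($users | ForEach-Object { $_.SamAccountName }) -join ', ')
    }
}

function Get-TrustInventory {
    # External, Forest and Kerberos (realm) trusts are created by an
    # administrator and are the "manual AD trusts" the NOTE in step 10 names;
    # ParentChild and TreeRoot trusts are created by AD itself.
    $manualTypes = @('External', 'Forest', 'Kerberos')
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($t in $domain.GetAllTrustRelationships()) {
        New-Object PSObject -Property @{
            Source    = $t.SourceName
            Target    = $t.TargetName
            Type      = [string]$t.TrustType
            Direction = [string]$t.TrustDirection
            Manual    = ($manualTypes -contains [string]$t.TrustType)
        }
    }
}

function Compare-TrustsToSsp {
    param([string[]]$DocumentedTargets)
    # An undocumented manual trust is the finding for step 7; the full
    # inventory is the input to the step 10 review after a validated incident.
    Get-TrustInventory | Where-Object { $_.Manual -and ($DocumentedTargets -notcontains $_.Target) } |
        Select-Object Target, Type, Direction
}

$documentedTrusts = @('partner.placeholder.example')   # ASSUMPTION: trust targets listed in the SSP

Get-DomainAdminMembership | Format-List Count, Limit, Compliant, Members
Get-TrustInventory | Format-Table Source, Target, Type, Direction, Manual -AutoSize
Compare-TrustsToSsp -DocumentedTargets $documentedTrusts
```

Counting only objects of class user after recursive expansion avoids two common miscounts: nested groups are not counted as members in their own right, and a user reachable through two nested paths is counted once. The semi-annual review in step 7 becomes a comparison of this inventory against the SSP list in both directions: trusts that exist but are undocumented, and documented trusts that no longer exist.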

3.4.4 Windows Server 2008 R2 Active Directory Forest STIG

Table 3.4-5 lists the required NRC configuration settings that differ from settings that are specified in the Active Directory Forest STIG.

Table 3.4-5: Requirements that Differ from the Windows Server 2008 R2 Active Directory Forest STIG

Step 1, STIG ID AD.0295: Time Synchronization - Forest Authoritative Source
DISA Setting: The Windows Time Service on the forest root Primary Domain Controller (PDC) Emulator must be configured to acquire its time from an external time source.
NRC-Specific Requirement: Configure Windows Time Service per the requirements in CSO-STD-2005.
Rationale for Differing from the DISA STIG: NRC time synchronization requirements are specified in CSO-STD-2005, "System Monitoring Standard."
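The forest root PDC Emulator is the top of the Windows time hierarchy: every other domain controller and member ultimately follows it, so if it follows only its own hardware clock or the domain hierarchy (which points back at itself) the whole forest drifts together, and log timestamps across systems stop being comparable. The script below is an added example, not part of CSO-STD-1109; it confirms that the host is the forest root PDC Emulator, reports where w32time takes its time from, and can point it at an external NTP source. The peer list is a constructed placeholder for the source defined in CSO-STD-2005, and the script assumes the ActiveDirectory module is installed.

```powershell
# Added example, not part of CSO-STD-1109: confirm that this host is the forest
# root PDC Emulator and that the Windows Time Service uses an external NTP
# source rather than the domain hierarchy or the local clock; optionally set
# one. The peer list is a constructed placeholder (ASSUMPTION); CSO-STD-2005
# defines the required source. Requires the ActiveDirectory module; run
# elevated on the PDC Emulator. Usage: .\Test-PdcTimeSource.ps1 [-Apply]
param([switch]$Apply)
Import-Module ActiveDirectory

# 0x8 flags the peer as a client-mode association (see w32tm /config documentation).
$externalPeers = 'ntp1.placeholder.example,0x8 ntp2.placeholder.example,0x8'   # ASSUMPTION

function Test-IsForestRootPdc {
    $rootDomain = (Get-ADForest).RootDomain
    $pdc        = (Get-ADDomain -Identity $rootDomain).PDCEmulator
    $self       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    return ($pdc -ieq $self)
}

function Get-TimeSourceStatus {
    # "w32tm /query /source" names the peer in use; "Local CMOS Clock",
    # "Free-running System Clock" or a hypervisor provider mean no external
    # source. "Type" in the configuration is NTP (manual peer list) or NT5DS
    # (domain hierarchy); the forest root PDC must not be NT5DS.
    $source   = (w32tm /query /source | Out-String).Trim()
    $config   = (w32tm /query /configuration | Out-String)
    $type     = if ($config -match 'Type:\s*(\S+)') { $matches[1] } else { 'unknown' }
    $external = ($type -eq 'NTP') -and ($source -notmatch 'CMOS|Free-running|VM IC')
    New-Object PSObject -Property @{
        IsForestRootPdc = (Test-IsForestRootPdc)
        Source          = $source
        Type            = $type
        Compliant       = $external
    }
}

function Set-ExternalTimeSource {
    param([string]$Peers)
    # Manual peer list, advertise this DC as a reliable time source for the
    # forest, reload the configuration and trigger a resync.
    w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update | Out-Null
    w32tm /resync /nowait | Out-Null
}

$status = Get-TimeSourceStatus
$status | Format-List IsForestRootPdc, Source, Type, Compliant
if ($Apply -and $status.IsForestRootPdc) { Set-ExternalTimeSource -Peers $externalPeers }
```

Only the forest root PDC Emulator should be configured this way; other domain controllers keep the default NT5DS hierarchy and follow it. If the PDC Emulator role is later transferred, the new holder inherits the obligation, which is why the check re-derives the role holder from the directory rather than trusting a hostname list.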



4 DEFINITIONS

Active Directory Microsoft's directory service that comes with Windows servers and is used for managing permissions and user access to network resources.

BIOS A set of computer instructions in firmware that control input and output operations.

Cleartext Data that is transmitted or stored unencrypted.

Critical Updates This includes fixes for security defects in operating systems and applications as well as current anti-virus definitions and other intrusion detection and prevention information.

Domain Controller A domain controller is the centerpiece of the Windows Active Directory service. It authenticates users, stores user account information, and enforces security policy for a Windows domain.

Firmware Computer programming instructions that are stored in a read-only memory unit rather than being implemented through software.

Member Server A computer that runs a Windows Server operating system, belongs to a domain, and is not a domain controller.

Pagefile A reserved portion of a hard disk that is used as an extension of random access memory (RAM) for data in RAM that has not been used recently.

Registry The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems.

Remote Desktop Services In Windows Server 2008 R2, Terminal Services was renamed Remote Desktop Services.

Root Certificate Either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority.

Root DSE The root of the directory data tree on a directory server. The root DSE provides data about the server, such as its capabilities, the LDAP version it supports, and the naming contexts it uses.

Terminal Services Microsoft's implementation of thin-client terminal server computing, where Windows applications, or even the entire desktop of the computer running Terminal Services, are made accessible to a remote client machine.

Type 1 Cryptography A device or system certified by the National Security Agency (NSA) for use in cryptographically securing classified U.S. Government information.

Virtual Memory Storage space on your computer’s hard disk that Windows uses in conjunction with random access memory (RAM).

Work Group Server A computer that runs a Windows Server operating system, does not belong to a domain, and is not a domain controller.

5 ACRONYMS

AD Active Directory

BIOS Basic Input/Output System

CA Certificate Authority

CSO Computer Security Office

DC Domain Controller

DCE Distributed Computing Environment

DISA Defense Information Systems Agency

DMZ Demilitarized Zone

DNS Domain Name System

DOD Department of Defense

DR Disaster Recovery

DSE Directory Server Entries

FIPS Federal Information Processing Standard

HBSS Host-Based System Security

HTTP Hypertext Transfer Protocol

IAM Information Assurance Manager

IAO Information Assurance Officer

IP Internet Protocol

ISSO Information System Security Officer

MS Microsoft, Member Server

NIC Network Interface Card

NIPRNet Non-classified IP Router Network

NIST National Institute of Standards and Technology

NRC Nuclear Regulatory Commission

NSA National Security Agency


NSO Network Security Officer

OIS Office of Information Services

OS Operating System

PDC Primary Domain Controller

PIV Personal Identity Verification

PKI Public Key Infrastructure

PST Policy, Standards and Training

RDS Remote Desktop Services

RPC Remote Procedure Call

SACL System Access Control List

SGI Safeguards Information

SIPRNet Secret Internet Protocol Router Network

SITSO Senior Information Technology Security Officer

SSL Secure Socket Layer

STIG Security Technical Implementation Guide

SUNSI Sensitive Unclassified Non-Safeguards Information

TLS Transport Layer Security

TRM Technical Reference Model

TS Terminal Services

WINS Windows Internet Name Service


CSO-STD-1109 Change History

Date: 15-May-13
Version: 1.0
Description of Changes: Initial Release
Method Used to Announce & Distribute: CSO web page and notification of ISSO forum
Training: Upon request