Solved

CIS scripts to check hardening for RHEL 5+6, Solaris 10 x86, Windows 2008 R2, Suse Linux

Posted on 2014-11-18
Last Modified: 2014-12-28
Q1:
Can anyone point me to where I can download the scripts that I need to run to verify that CIS
hardenings are in place?

I may tweak the shell & Windows scripts (ideally .bat, .cmd or VB instead of PowerShell).

I recall CIS has a scanning tool but we don't want to install the tool.

Need to review the outputs.

Q2:
Is there any VA scan (via network so that it's less intrusive) that could tell if the OS CIS
hardenings are in place?  I guess it's only partial, right?  We'll need a scanner to be
running right inside the servers to get a complete coverage of what's been hardened, right?
Question by:sunhux
19 Comments
 
Expert Comment

by:madunix
Don't go into securing an OS thinking. Red Hat does provide a high level of security in the OS and packages that they distribute. As security issues are discovered in various applications, Red Hat provides updated packages in a way which keeps potential risk to a minimum. I would prefer using the standard things to secure the system such as Monitoring/Logging/Firewall/iptables/SELinux/mod_security, etc.

Author Comment

by:sunhux
That makes sense but auditors don't care: they wanted proof that we've
actually done the hardenings.

So I'll still need the scripts: used to see them somewhere but I've
lost track of those CIS scripts

Expert Comment

by:gheist
Auditors should acquire tools of trade themselves.
CIS checking scripts are for subscribers/members. The general public can get standard guides which have some rudimentary scripts for checking Level 1 scored recommendations. (If you are multiple admins, just make the others review your work like a checklist; auditors like internal control procedures.)

Assisted Solution

by:btan
There are various plugins per se in Nessus
https://support.tenable.com/support-center/nessus_compliance_checks.pdf
And for the benchmark @ http://benchmarks.cisecurity.org/membership/certified/tenable/
there is no "open" script to do those to align to CIS, and since you are focusing on CIS then do consider its tool instead.

Assisted Solution

by:gheist
From CIS website:
Availability
The CIS-CAT Assessment Tool is available only to CIS Security Benchmarks Members. Members can download CIS-CAT from the CIS Members Web site.
CIS does offer a 30 day trial of the tool for enterprises considering CIS Security Benchmarks membership.  Please contact us if you are interested.
To learn about becoming a Member, click here.

Author Comment

by:sunhux
Correct me:
understand Tenable is a scanner that scans from outside/network, so would
it be possible to detect all possible OS hardenings?  Ports that are shut down
are no issue but what about certain registry keys & UNIX patch level?

I used to have the old tool (looks like scripts to me) for Linux & Solaris from CIS:
I'll update from there

Assisted Solution

by:btan
Nessus can do as part of compliance -- do check out the pdf shared in last posting
https://support.tenable.com/support-center/nessus_compliance_checks.pdf
Nessus can be used to log into Unix and Windows servers, Cisco devices, SCADA systems, IBM iSeries servers, and databases to determine if they have been configured in accordance to the local site security policy. Nessus can also search the entire hard drive of Windows and Unix systems, for unauthorized content.
Nessus can perform vulnerability scans of network services as well as log into servers to discover any missing patches. However, a lack of vulnerabilities does not mean the servers are configured correctly or are “compliant” with a particular standard.
The advantage of using Nessus to perform vulnerability scans and compliance audits is that all of this data can be obtained at one time. Knowing how a server is configured, how it is patched and what vulnerabilities are present can help determine measures to mitigate risk.

At a higher level, if this information is aggregated for an entire network or asset class (as with Tenable’s SecurityCenter), security and risk can be analyzed globally. This allows auditors and network managers to spot trends in non-compliant systems and adjust controls to fix these on a larger scale.

Assisted Solution

by:madunix
IMHO Nessus is a good all-around vulnerability scanner; also check NeXpose, OpenVAS, Retina, Metasploit and Rapid7.

Accepted Solution

by:btan
Microsoft based - MBSA and MS Security Compliance Mgr would still be good though it is not directly using CIS check
http://technet.microsoft.com/en-us/security/cc184923
http://www.windowsecurity.com/articles-tutorials/misc_network_security/Security-Compliance-Microsoft-SCM.html

CIS Shell Scripts to Update Configuration of RHEL 4 or 5
http://www.sysxperts.com/audit-compliance-scripting/cis-shell-scripts-to-update-configuration-of-rhel-4-or-5

UNIX Assessment Tools (CIS include Solaris but may not  reflect the latest CIS Benchmark guidance)
http://benchmarks.cisecurity.org/downloads/browse/?category=tools.unix

Assisted Solution

by:gheist
CIS-CAT does not check Solaris.
External scan cannot detect (most of) CIS omissions.

Assisted Solution

by:btan
What I meant is this - CIS Solaris 2.5.1-9 Scoring Tool for the 1.3.0 Benchmark v1.0.0 below
http://benchmarks.cisecurity.org/downloads/show-single/?file=solaristool

Expert Comment

by:gheist
It would yield 20% of false positives and 20 percent of false negatives, as it is designed for very old Solaris OS, checking against very old security guide. It may cover the hole, but say Apache 1.2 benchmarking in the world of Apache 2.4 would be quite useless...

Expert Comment

by:btan
Very old indeed. As always, compliance is a catch-up routine and benchmarking is as of that moment of check; threats also change, and it should be in accordance with the target system build where possible. Thanks.

Assisted Solution

by:madunix
I would recommend building your own Operating System Security Policy, it should include that (example what we use in our policy):
- All system components installation and configuration must follow well-known security configuration benchmarks and standards. Sources of industry-accepted system hardening standards may include:
  • Centre for Internet Security (CIS)
  • International Organization for Standardization (ISO)
  • SysAdmin Audit Network Security (SANS) Institute
  • National Institute of Standards and Technology (NIST)

- These configuration standards must be continuously updated by ISO as new vulnerability issues are identified; and these standards shall be applied when new systems are configured.

- Only one primary function per server should be implemented to prevent functions that require different security level from co-existing on the same server. (For example: web servers, database servers, and Exchange should be implemented on separate servers.) If virtualized technologies are used; only one primary function should be implemented per virtual machine component or device.

- All system components must have only secure services, protocols, daemons, etc. enabled as required for the function of the system.

- Common security parameters settings must be enabled in the system configuration standards.

- All unnecessary functionality must be disabled such as scripts, drivers, features, file systems and unnecessary web servers.


- All default administrative accounts should be renamed and passwords and/or encryption keys are to be put under dual control and split knowledge.

- Accounts used to run as services or to run system routines must avoid the need to run with privileges. For example, account used to run as a service must run as normal local/or domain account, and should not run as local/or domain administrator.

- All non-console administrative access should be encrypted using strong cryptography. Technologies such as SSH, IPsec VPN, or SSL/TLS should be used for web based management and other non-console administrative access.

- System settings and vendor documentations must be examined to ensure that access control systems are in place for all system components. The access must be configured to enforce privileges assigned to individuals based on job classification and function.

- The use of utility programs that might be capable of changing system and application settings should be restricted and highly controlled. These utilities should not be made available to normal users accessing the application and it should be used only by authorized personnel.

...etc

Expert Comment

by:btan
Just to add -

Most of the baseline should go by the principle of removing/disabling all unnecessary services, interfaces and accounts. See below as a general coverage to guide the assessment. This largely includes infra-systems, application, and network services.

Service - local/shared/remote app & network & OS
Interface - wired & wireless, attached & removable storage
Account - system admin, privileged user/admin, operational user, 3rd parties

Probably the principle hardening guidelines will be a good baseline to start off for further tightening. The challenge is to manage multiple versions of the hardening listing or checklist, but slowly, as it builds up, it will stabilise as a regime baseline.

Author Comment

by:sunhux
I'll need to be able to issue commands at the Windows command line to find out the values
for the following:

Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Network access: Let Everyone permissions apply to anonymous users
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)
MSS: Enable the computer to stop generating 8.3 style filenames
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Accounts: Administrator account status
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions
DCOM: Machine Launch Restrictions
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager hash value on next password change
MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)
MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)
MSS: (AFD MaximumDynamicBacklog) Maximum number of "quasi-free" connections for Winsock applications
MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
MSS: (TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)
MSS: Disable Autorun for all drives
MSS: Enable Safe DLL search mode (recommended)
MSS: Enable the computer to stop generating 8.3 style filenames
MSS: How often keep-alive packets are sent in milliseconds
Percentage threshold for the security event log at which the system will generate a warning
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Access Credential Manager as a Trusted Caller
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Terminal Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a page file
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or objects
Accounts: Administrator account status
Accounts: Guest account status
Accounts : Limit local account use of blank passwords to console logon only
Accounts: Rename Administrator account
Accounts: Rename Guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Network security: Do not store LAN Manager hash value on next password change
Network Security : Force logoff when logon hours expire
Network Security: LAN Manager Authentication Level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Restrict NTLM: Audit incoming NTLM traffic
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic links)
System settings: Optional subsystems
System settings: User Certificate Rules on Windows Executables for Software Restriction Policies
User Account Control: Admin Approval mode for the Built-in Administrator Account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
(System) : Security System Extension
(System) : System Integrity
(System) : IPsec Driver
(System) : Other System Events
(System) : Security State Change
(Logon/Logoff) : Logon
(Logon/Logoff) : Logoff
(Logon/Logoff) : Account Lockout
(Logon/Logoff) : IPsec Main Mode
(Logon/Logoff) : IPsec Quick Mode
(Logon/Logoff) : IPsec Extended Mode
(Logon/Logoff) : Special Logon
(Logon/Logoff) : Other Logon/Logoff Events
(Logon/Logoff) : Network Policy Server
(Object Access) : File System
(Object Access) : Registry
(Object Access) : Kernel Object
(Object Access) : SAM
(Object Access) : Certification Services
(Object Access) : Application Generated
(Object Access) : Handle Manipulation
(Object Access) : File Share
(Object Access) : Filtering Platform Packet Drop
(Object Access) : Filtering Platform Connection
(Object Access) : Other Object Access Events
(Object Access) : Detailed File Share
(Privilege Use) : Sensitive Privilege Use
(Privilege Use) : Non Sensitive Privilege Use
(Privilege Use) : Other Privilege Use Events
(Detailed Tracking) : Process Termination
(Detailed Tracking) : DPAPI Activity
(Detailed Tracking) : RPC Events
(Detailed Tracking) : Process Creation
(Policy Change) : Audit Policy Change
(Policy Change) : Authentication Policy Change
(Policy Change) : Authorization Policy Change
(Policy Change) : MPSSVC Rule-Level Policy Change
(Policy Change) : Filtering Platform Policy Change
(Policy Change) : Other Policy Change Events
(Account Management) : User Account Management
(Account Management) : Computer Account Management
(Account Management) : Security Group Management
(Account Management) : Distribution Group Management
(Account Management) : Application Group Management
(Account Management) : Other Account Management Events
(DS Access) : Directory Service Changes
(DS Access) : Directory Service Replication
(DS Access) : Detailed Directory Service Replication
(DS Access) : Directory Service Access
(Account Logon) : Kerberos Service Ticket Operations
(Account Logon) : Other Account Logon Events
(Account Logon) : Kerberos Authentication Service
(Account Logon) : Credential Validation
(Windows Components/Remote Desktop Services/Remote Desktop Connection Clients) :
Do not allow passwords to be saved
(Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security) :
Always prompt for password upon connection
(Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security) :
Set client connection encryption level
(System/Internet Communication Management/Internet Communication settings) :
Turn off downloading of print drivers over HTTP
(System/Internet Communication Management/Internet Communication settings) :
Turn off Internet download for Web publishing and online ordering wizards
(System/Internet Communication Management/Internet Communication settings) :
Turn off printing over HTTP
(System/Internet Communication Management/Internet Communication settings) :
Turn off Search Companion content file updates
(System/Internet Communication Management/Internet Communication settings) :
Turn off the "Publish to Web" task for files and folders
(System/Internet Communication Management/Internet Communication settings) :
Turn off the Windows Messenger Customer Experience Improvement Program
(Windows Components/AutoPlay Policies) : Turn off Autoplay
(Windows Components/Credential User Interface) : Require trusted path for credential entry
(Windows Components/NetMeeting) : Disable remote Desktop Sharing
(Windows Components/Event Log Service/Application) : Maximum Log Size (KB)
(Windows Components/Event Log Service/Application) : Retain old events
(Windows Components/Event Log Service/Security) : Maximum Log Size (KB)
(Windows Components/Event Log Service/Security) : Retain old events
(Windows Components/Event Log Service/System) : Maximum Log Size (KB)
(Windows Components/Event Log Service/System) : Retain old events
(Windows Components/Credential User Interface) : Require trusted path for credential entry
(Windows Components/NetMeeting) : Disable remote Desktop Sharing
(Windows Components/Windows Update) : Configure Automatic Updates
(System/Group Policy/Policy): Registry policy processing
(System/Group Policy/Policy/Registry policy processing: Enabled) :
Do not apply during periodic background processing
(System/Group Policy/Policy/Registry policy processing: Enabled) :
Process even if the Group Policy objects have not changed
Always prompt client for password upon connection
Set client connection encryption level
Do not allow passwords to be saved
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Interactive logon: Do not display last user name
Interactive logon: Require Domain Controller authentication to unlock workstation
System cryptography: Force strong key protection for user keys stored on the computer
Use Certificate Rules on Windows Executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
MSS: Enable the computer to stop generating 8.3 style filenames
MSS: How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
Devices: Restrict floppy access to locally logged-on user only

Expert Comment

by:gheist
Open the "resulting group policy" management console, connect to remote computer, generate resulting policy and compare the values.

Assisted Solution

by:btan
May just use gpresult, which can display the Resultant Set of Policy (RSoP) information for a target user and computer.
..and believe it is available in SCCM for Client Settings -> Resultant Client Settings (which only works for custom/default client settings though). Also, if you want to just look at a server, the GPMC can shed light on what got applied and from where (and generate reports).
http://blog.thesysadmins.co.uk/group-policy-gpresult-examples.html
http://deployhappiness.com/gpresult-or-rsop/
0
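
The approach from the last two answers, as an added example that is not part of the thread and is not CIS or Microsoft code: a read-only .cmd file that saves `secedit`, `auditpol` and `gpresult` output as evidence and spot-checks a few settings from the list in the question. The output folder and the expected values are assumptions; replace them with the values of the benchmark you are audited against.

```bat
@echo off
rem Added example. Read-only: it queries settings and changes none.
rem Run from an elevated command prompt on the server being checked.
setlocal EnableExtensions EnableDelayedExpansion

rem Output folder is an assumption; point it wherever evidence is collected.
set "OUT=%TEMP%\hardening-evidence"
if not exist "%OUT%" mkdir "%OUT%"
set "REPORT=%OUT%\summary.txt"
> "%REPORT%" echo Host %COMPUTERNAME% checked %DATE% %TIME%

rem --- Raw evidence for the reviewer -------------------------------------
rem Account policies, security options and user rights from the system
rem security database, as an INF file.
secedit /export /cfg "%OUT%\secpol.inf" /areas SECURITYPOLICY USER_RIGHTS >nul
rem Audit subcategories such as "(Logon/Logoff) : Logon", as CSV.
auditpol /get /category:* /r > "%OUT%\auditpol.csv"
rem Resultant Set of Policy for the computer, including the winning GPO.
gpresult /scope computer /v > "%OUT%\gpresult.txt"

rem --- Spot checks --------------------------------------------------------
rem Last argument is the expected value (assumed baseline, not taken from
rem CIS). An empty value means "report only, reviewer decides".
call :inf "Minimum password length" MinimumPasswordLength ""
call :inf "Password must meet complexity requirements" PasswordComplexity 1
call :inf "Store passwords using reversible encryption" ClearTextPassword 0
call :inf "Accounts: Guest account status" EnableGuestAccount 0
call :reg "Network security: Do not store LAN Manager hash value" "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" NoLMHash 0x1
call :reg "MSS: (EnableICMPRedirect)" "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" EnableICMPRedirect 0x0
call :reg "MSS: (SafeDllSearchMode)" "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" SafeDllSearchMode 0x1
call :reg "MSS: (NtfsDisable8dot3NameCreation)" "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" NtfsDisable8dot3NameCreation ""

type "%REPORT%"
endlocal
exit /b 0

:inf
rem %1 label, %2 key in the [System Access] section, %3 expected value.
rem secpol.inf is UTF-16; piping it through "type" lets findstr read it.
set "VAL=not set"
for /f "tokens=1,* delims== " %%A in ('type "%OUT%\secpol.inf" ^| findstr /b /i /c:"%~2"') do set "VAL=%%B"
call :report "%~1" "%~3"
goto :eof

:reg
rem %1 label, %2 registry key, %3 value name, %4 expected value.
rem A missing value is reported as "not set": the OS default applies.
set "VAL=not set"
for /f "tokens=2,*" %%A in ('reg query "%~2" /v %~3 2^>nul ^| findstr /c:"REG_"') do set "VAL=%%B"
call :report "%~1" "%~4"
goto :eof

:report
rem %1 label, %2 expected value; VAL holds the value that was found.
set "RES=FAIL"
if /i "!VAL!"=="%~2" set "RES=PASS"
if "%~2"=="" set "RES=REVIEW"
>> "%REPORT%" echo [!RES!] %~1 = !VAL!
goto :eof
```

`reg query` prints DWORD values in hex, so expected values for the `:reg` checks are written as `0x0` or `0x1`; settings not covered by a spot check are read from the three raw files in the output folder.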
