
Bug #

Scan Server 20 NDA+-PPEProd Srvrs

Rule Id Result Rule Title General.COMPU Failed Accounts are not shared TER among administrators MANAGER.300 (FAILED)

24 NDA+-PPEProd Srvrs 33 NDA+-PPEProd Srvrs

General.COMPU Failed TER MANAGER.1250 General.COMPU Failed TER MANAGER.1150

Remote Registry service is set to manual (FAILED) Service "NDAPlus PDF Conversion Service" is not running administrator privileges (FAILED)

Rule Description It is a standards violation to have more than one local administrator account on a server. Domain user accounts or security groups should be used to manage administrators. Local accounts are more difficult to ensure timely provisioning and deprovisioning. Ensure that the Remote Registry service is not set to automatic.

Services should run with least privileges required to run. If the service account gets compromised it limits the damage done.

34 NDA+-PPEProd Srvrs

General.COMPU Failed TER MANAGER.1150

Service "NDAPlus E-Sign Service" is not running administrator privileges (FAILED)

Services should run with least privileges required to run. If the service account gets compromised it limits the damage done.

38 NDA+-PPEProd Srvrs

General.COMPU Failed TER MANAGER.1050 General.COMPU Failed TER MANAGER.1350

Administrator account is renamed (FAILED)

42 NDA+-PPEProd Srvrs

Event viewer Application log has an appropriate maximum log size (FAILED)

The administrator account name is the most popular account to try to compromise. The account name should be changed in order to offer obfuscation from more common exploits / automated attacks. Event viewer logs must have an appropriate size

43 NDA+-PPEProd Srvrs

General.COMPU Failed TER MANAGER.1351

Event viewer Security log Event viewer logs must has an appropriate size has an appropriate maximum log size (FAILED)

44 NDA+-PPEProd Srvrs

General.COMPU Failed TER MANAGER.1352

Event viewer System log has Event viewer logs must have an appropriate size an appropriate maximum log size (FAILED)

47 NDA+-PPEProd Srvrs

General.EXPLORE Failed R.1800

Unnecessary files and directories are removed (FAILED)

Having unnecessary files and directories increase the attack surface.

54 NDA+-PPEProd Srvrs

General.EXPLORE Failed R.1750

56 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.3800

Administrator and System accounts only have access to the applicationHost.config file (FAILED) Audit Policy Setting "Account Lockout" does not meet Policy Requirements (FAILED)

Only the Administrator and System accounts should have privileges on metabase.xml (IIS6/7) or applicationHost.config (IIS7). Otherwise it might be possible for a malicious user to tamper with it to conceal their activities. Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Account Lockout events Success and Failure

57 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.3850

Audit Policy Setting "Special Logon" does not meet Policy Requirements (FAILED)

Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Special Logon events Success and Failure

58 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.3900

Audit Policy Setting "Other Logon/Logoff Events" does not meet Policy Requirements (FAILED)

Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Other Logon/Logoff Events events Success and Failure

59 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.3950

Audit Policy Setting "User Event logs are useless without data in them. Each server must Account Management" does log and store a standard list of events. As in the previous section not meet Policy regarding Event Logs, the set settings must be set equal or Requirements (FAILED) greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit User Account Management events Success and Failure

60 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.4000

Audit Policy Setting "Computer Account Management" does not meet Policy Requirements (FAILED)

Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Computer Account Management events Success and Failure

61 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.4050

Audit Policy Setting "Security Group Management" does not meet Policy Requirements (FAILED)

Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Security Group Management events Success and Failure

62 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.4100

Audit Policy Setting "Distribution Group Management" does not meet Policy Requirements (FAILED)

Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Distribution Group Management events Success and Failure

63 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.4150

Audit Policy Setting "Application Group Management" does not meet Policy Requirements (FAILED)

Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Application Group Management events Success and Failure

64 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.4200

Audit Policy Setting "Other Account Management Events" does not meet Policy Requirements (FAILED)

Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Other Account Management Events events Success and Failure

65 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.4250

Audit Policy Setting "Kerberos Service Ticket Operations" does not meet Policy Requirements (FAILED)

Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Kerberos Service Ticket Operations events Success and Failure

66 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.4300

Audit Policy Setting "Other Account Logon Events" does not meet Policy Requirements (FAILED)

Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Other Account Logon Events events Success and Failure

67 NDA+-PPEProd Srvrs

General.SECPOL. Failed MSC.4350

Audit Policy Setting "Kerberos Authentication Service" does not meet Policy Requirements (FAILED)

Event logs are useless without data in them. Each server must log and store a standard list of events. As in the previous section regarding Event Logs, the set settings must be set equal or greater than the Windows Server 2003 Security Guide details the following settings for auditing: Audit Kerberos Authentication Service events Success and Failure

80 NDA+-PPEProd Srvrs

DEBUG_IS_SET_T Failed O_TRUE

In <compilation> element debug attribute is set to false (FAILED)

In the configuration file setting <configuration><system.web><compilation debug="true"> causes extra information in the binary which is not required for normal execution of the program.

84 NDA+-PPEProd Srvrs

FORMS_AUTH_N Failed OT_SET_TO_REQ UIRE_SSL

85 NDA+-PPEProd Srvrs

FORMS_AUTH_N Failed OT_SET_TO_REQ UIRE_SSL

89 NDA+-PPEProd Srvrs

VALIDATION_KEY Failed _AND_DECRYPTI ON_KEY_SAME

In <forms> element The requireSSL attribute value set in the configuration file for an requireSSL attribute is set to ASP.NET application determines whether SSL (Secure Sockets true (FAILED) Layer) is required to return the forms-authentication cookie. For more information on this attribute please check http://msdn.microsoft.com/enus/library/system.web.security.formsauthentication.requiressl.a spx. In <forms> element The requireSSL attribute value set in the configuration file for an requireSSL attribute is set to ASP.NET application determines whether SSL (Secure Sockets true (FAILED) Layer) is required to return the forms-authentication cookie. For more information on this attribute please check http://msdn.microsoft.com/enus/library/system.web.security.formsauthentication.requiressl.a spx. In <machineKey> element The decryption attribute of machineKey element specifies the validationKey attribute is key used to validate encrypted data. validationKey is used when set to enableViewStateMAC is true in order to create a message AutoGenerate,IsolateApps authentication code (MAC) to ensure that view state has not (FAILED) been tampered with. validationKey is also used to generate outof-process, application-specific session IDs to ensure that session state variables are isolated between sessions. More information can be found at http://msdn.microsoft.com/enus/library/w8h3skw9.aspx.

90 NDA+-PPEProd Srvrs

VALIDATION_KEY Failed _AND_DECRYPTI ON_KEY_SAME

In <machineKey> element validationKey attribute is set to AutoGenerate,IsolateApps (FAILED)

The decryption attribute of machineKey element specifies the key used to validate encrypted data. validationKey is used when enableViewStateMAC is true in order to create a message authentication code (MAC) to ensure that view state has not been tampered with. validationKey is also used to generate outof-process, application-specific session IDs to ensure that session state variables are isolated between sessions. More information can be found at http://msdn.microsoft.com/enus/library/w8h3skw9.aspx.

147 NDA+-PPEProd Srvrs

serviceMetadata Failed _httpGetEnabled

In <serviceMetadata> element httpGetEnabled attribute is set to false (FAILED) In <serviceDebug> element includeExceptionDetailInFa ults attribute is set to false (FAILED)

The httpGetEnabled attribute of serviceMetadata element allows the binding to be used in HTTPS GET scenarios to be specified by name. More information can be found at http://msdn.microsoft.com/en-us/library/ms731317.aspx. The includeExceptionDetailInFaults attribute of serviceDebug element specifies whether to include managed exception information in the detail of SOAP faults returned to the client for debugging purposes. More information can be found at http://msdn.microsoft.com/en-us/library/ms788993.aspx.

149 NDA+-PPEProd Srvrs

serviceMetadata Failed _includeExceptio nDetailInFaults

165 NDA+-PPEProd Srvrs 170 NDA+-PPEProd Srvrs 171 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.1950 IIS.IIS Failed MANAGER.2550 IIS.IIS Failed MANAGER.2050

Standard http ports are being used (FAILED) Default web site has been removed (FAILED)

Where possible, use standard port 80.

The recommendation is to remove the default Web Site on IIS servers. The site SHOULD be removed and new site created instead IIS Log files are not located Logging provides the ability gain detailed information on the on the system drive for activity of your web server. If disabled or not properly "Default Web Site" (FAILED) configured, malicious activity may not be traceable / recognized.

Ensure logging is performed to: 1. Non-System Drive 2. Different Drive from the web files 3. NTFS formatted drive. In addition, review the ACL's on the log file directories ensuring the following: Administrators Full Control System Full Control Domain Users RWC

173 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2100

IIS Logging configuration contains recommended fields (FAILED)

Logging provides the ability to get detailed information on the activity of your web server. If disabled or not properly configured, malicious activity may not be traceable / recognized.

179 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.1852

Write permissions in handler mappings is disabled on "/ESignNotificationListener" for website "Default Web Site" (FAILED)

Failure to lock down IIS Settings can result in a compromised web site. Details/Policy: Enabling Script Source Access allows users access source files. When enabled, if Write is selected, then source can be written to. Script Source Access includes the source code for scripts. This option is not available if neither Read nor Write is selected. When you select Script source access, users might be able to view sensitive information, such as a user name and password. They might also be able to change source code that runs on your server, and thereby significantly affect your server's configuration and performance. Enabling Write give users to write / upload to the directories in this web site. For security reasons you should only enable execution of scripts and not applications directly. For more information on this as a policy requirement, see: http://technet2.microsoft.com/windowsserver/en/library/a08eb d6f-c2cb-468c-85e7-afa48b0943521033.mspx?mfr=true Note: that some of these settings no longer directly apply in Win2008.

188 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2700

In IIS 7.5 extended protection for website "Default Web Site" is enabled (FAILED)

Extended Protection for Authentication (EP) is a new set of features in Windows that enhance security by binding your Windows login to the underlying protocols. It was announced and released concurrently with the release of Windows 7. See the following security advisory http://www.microsoft.com/technet/security/advisory/973811.m spx for in-depth technical and background information. Extended Protection is needed to protect against some attacks where a malicious man-in-the-middle relays Windows credentials to another system in order gain unauthorized access. All these attacks can be initiated by simply luring a user to do any operation that would cause your system to connect to a compromised machine with Windows authentication. This could be as simple as clicking a link, opening a document, and in some cases reading an email in Outlook. This small act could allow a malicious user to relay the authentication credentials to get access to any other system that you have access to. Using Windows 7 and Internet Explorer will help. They are already patched and configured to use Extended Protection for client connections to Web sites and file shares. Unfortunately, servers and previous OS versions are NOT set up for Extended Protection by default. These systems will be required to install

189 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2700

In IIS 7.5 extended protection for website "Default Web Site" is enabled (FAILED)

Extended Protection for Authentication (EP) is a new set of features in Windows that enhance security by binding your Windows login to the underlying protocols. It was announced and released concurrently with the release of Windows 7. See the following security advisory http://www.microsoft.com/technet/security/advisory/973811.m spx for in-depth technical and background information. Extended Protection is needed to protect against some attacks where a malicious man-in-the-middle relays Windows credentials to another system in order gain unauthorized access. All these attacks can be initiated by simply luring a user to do any operation that would cause your system to connect to a compromised machine with Windows authentication. This could be as simple as clicking a link, opening a document, and in some cases reading an email in Outlook. This small act could allow a malicious user to relay the authentication credentials to get access to any other system that you have access to.

191 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2150

Using Windows 7 and Internet Explorer will help. They are already patched and configured to use Extended Protection for client connections to Web sites and file shares. Unfortunately, servers and previous OS versions are NOT set up for Extended Protection by default. These systems will be required to install Virtual path "/" for website Locating the web site on the system drive may lead to potential "Default Web Site" is not on denial of service attacks in the event that a malicious user can System Drive (FAILED) gain control of the web site distribution. Virtual path "/" for website Locating the web site on the system drive may lead to potential "Default Web Site" is not on denial of service attacks in the event that a malicious user can System Drive (FAILED) gain control of the web site distribution. Log files are not located on web application drive for virtual path "/" under website "Default Web Site" (FAILED) Logging provides the ability to get detailed information on the activity of your web server. If disabled or not properly configured, malicious activity may not be traceable / recognized. Ensure logging is performed to a: 1. Non- System Drive, 2. in a different Drive of the web files 3. NTFS formatted drive. In addition, review the ACL's on the log file directories and ensure the following: Administrators Full Control System Full Control Domain Users RWC Log files are not located on Logging provides the ability to get detailed information on the web application drive for activity of your web server. If disabled or not properly virtual path "/" under configured, malicious activity may not be traceable / recognized. website "Default Web Site" Ensure logging is performed to a: (FAILED) 1. Non- System Drive, 2. in a different Drive of the web files 3. NTFS formatted drive. 
In addition, review the ACL's on the log file directories and ensure the following: Administrators Full Control System Full Control Domain Users RWC Virtual directory Web site directories need to explicitly verify a deny write ACL for "C:\inetpub\wwwroot" for anonymous internet accounts. website "Default Web Site" has deny write permission for anonymous internet account (FAILED) Virtual directory Web site directories need to explicitly verify a deny write ACL for "C:\inetpub\wwwroot\ESig anonymous internet accounts. nNotificationListener" for website "Default Web Site" has deny write permission for anonymous internet account (FAILED)

192 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2150

193 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2051

194 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2051

195 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2201

196 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2201

197 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2200

Virtual directory Web site directories need to explicitly verify a deny write ACL for "C:\inetpub\wwwroot" for anonymous internet accounts. website "Default Web Site" has deny write permission for IIS_USRS group (FAILED) Virtual directory Web site directories need to explicitly verify a deny write ACL for "C:\inetpub\wwwroot\ESig anonymous internet accounts. nNotificationListener" for website "Default Web Site" has deny write permission for IIS_USRS group (FAILED) IIS6 Metabase Compatibility Metabase Compatibility feature allows IIS 7 is typically feature is not installed unnecessary and should be removed unless explicitly required. (FAILED) It allows for backward compatibility for features that have been enhanced and the metabase.xml file is not directly used by IIS unless this feature is explicitly installed. More information can be found on http://learn.iis.net/page.aspx/125/metabase-compatibility-withiis-7/

198 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.2200

200 NDA+-PPEProd Srvrs

IIS.IIS Failed MANAGER.1900

Rule Resolution Remove all local accounts but the built-in system administrator account from the administrators group. Use Domain user account or security groups to manage administrators who must have access to the server.

Action ITSVC0 is the renamed admin acct name

1. Start | run | compmgmt.msc /s 2. Navigate to the Computer Management / Services and Applications / Services node in the tree 3. Verify that the Remote Registry Service is set to manual. Set services to run as a non-administrator Domain account, Local Service, or Network Service account. SQL Server does not need to be running as administrator. Nor should SQL Server be running as Network Service. Often times running SQL Server under Network Service results in additional rights being added, which elevates privileges for other services inappropriately. Occasionally the SQLAgent service may need to run as administrator, but only if the following are true. 1. if you create CmdExec. 2. ActiveScript jobs that belong to someone other than a SQL Server administrator. 3. If you use the AutoRestart feature. 4. SQL server is in a clustered configuration. Otherwise SQL Agent needs to run under a non-admin account. Members of Power Users can, in some conditions, elevate themselves to Administrator. This should not be used. See: http://support.microsoft.com/default.aspx?scid=kb;en-us;825069 Set services to run as a non-administrator Domain account, Local Service, or Network Service account. SQL Server does not need to be running as administrator. Nor should SQL Server be running as Network Service. Often times running SQL Server under Network Service results in additional rights being added, which elevates privileges for other services inappropriately. Occasionally the SQLAgent service may need to run as administrator, but only if the following are true. 1. if you create CmdExec. 2. ActiveScript jobs that belong to someone other than a SQL Server administrator. 3. If you use the AutoRestart feature. 4. SQL server is in a clustered configuration. Otherwise SQL Agent needs to run under a non-admin account. Members of Power Users can, in some conditions, elevate themselves to Administrator. This should not be used. 
See: http://support.microsoft.com/default.aspx?scid=kb;en-us;825069 Rename the administrator account to something other than 'administrator.'

no sql on this box

Project team to address

ITSVC0 is the renamed admin acct name

1. Start | run | compmgmt.msc /s 2. Navigate to the Computer Management / System Tools / Event Viewer/ Windows Logs node in the tree. 3. On Application node right click and select properties. 4. Verify the max log size is according to the recommended sizes at http://support.microsoft.com/kb/957662. 5. Set the log to overwrite events as needed. 1. Start | run | compmgmt.msc /s 2. Navigate to the Computer Management / System Tools / Event Viewer/ Windows Logs node in the tree. 3. On Security node right click and select properties. 4. Verify the max log size is according to the recommended sizes at http://support.microsoft.com/kb/957662. 5. Set the log to overwrite events as needed. 1. Start | run | compmgmt.msc /s 2. Navigate to the Computer Management / System Tools / Event Viewer/ Windows Logs node in the tree. 3. On System node right click and select properties. 4. Verify the max log size is according to the recommended sizes at http://support.microsoft.com/kb/957662. 5. Set the log to overwrite events as needed. In Windows Explorer, verify that none of the following exists. If any of them is found please delete it. c:\config.msi c:\inetpub\mailroot c:\inetpub\wwwroot\*.* c:\program files\online services c:\windows\help\iishelp\iis c:\windows\system32\inetsrv\iisadmpwd c:\windows\system32\inetsrv\metaback\*.*- System Admins should do this regularly as a means to backup the important IIS Meta info. However, these backup files should not be kept on the Web Server. IIS should not be using the system drive, so any inetpub directories are likely artifacts from the default configuration.

invalid kb even setting the log higher it will change it back automatically

invalid kb even setting the log higher it will change it back automatically

invalid kb even setting the log higher it will change it back automatically

none of them exist..

IIS6: Lock down the permissions of metabase.xml. IIS7: Lock down the permissions of applicationHost.config. The default (correct) permissions are for System and Administrator. Verify the need for any other permissions defined. 1. Start | run | cmd 2. run auditpol /get /subcategory:"Account Lockout" and verify the settings shown below. Otherwise file a bug. Policy Should BE -----------------------------------------------------Account Lockout Success and Failure

need to come back to this one

1. Start | run | amd 2. run auditpol /get /subcategory:"Special Logon" and verify the settings shown below. Otherwise file a bug. Policy Should BE -----------------------------------------------------Special Logon Success and Failure

1. Start | run | cmd 2. run auditpol /get /subcategory:"Other Logon/Logoff Events" and verify the settings shown below. Otherwise file a bug. Policy Should BE -----------------------------------------------------Other Logon/Logoff Events Success and Failure

C:\Windows\system32>aud itpol /get /subcategory:"Account Lockout" System audit policy Category/Subcategory Setting Logon/Logoff Account Lockout Success and Failure C:\Windows\system32>aud itpol /get /subcategory:"Special Logon" System audit policy Category/Subcategory Setting Logon/Logoff Special Logon Success and Failure C:\Windows\system32>aud itpol /get /subcategory:"Other Logon/Logoff Events" System audit policy Category/Subcategory Setting Logon/Logoff Other Logon/Logoff Events Success and Failure

1. Start | run | cmd 2. run auditpol /get /subcategory:"User Account Management" and verify the settings shown below. Otherwise file a bug. Policy Should BE -----------------------------------------------------User Account Management Success and Failure

C:\Windows\system32>aud itpol /get /subcategory:"User Account Management" System audit policy Category/Subcategory Setting Account Management User Account Management Success and Failure 1. Start | run | cmd C:\Windows\system32>aud 2. run auditpol /get /subcategory:"Computer Account Management" and verify the settings shown below. Otherwise file a itpol /get bug. /subcategory:"Security Policy Should BE Group Management" -----------------------------------------------------System audit policy Computer Account Management Success and Failure Category/Subcategory Setting Account Management Security Group Management Success and Failure 1. Start | run | cmd C:\Windows\system32>aud 2. run auditpol /get /subcategory:"Security Group Management" and verify the settings shown below. Otherwise file a bug. itpol /get Policy Should BE /subcategory:"Security -----------------------------------------------------Group Management" Security Group Management Success and Failure System audit policy Category/Subcategory Setting Account Management Security Group Management Success and Failure

1. Start | run | cmd 2. run auditpol /get /subcategory:"Distribution Group Management" and verify the settings shown below. Otherwise file a bug. Policy Should BE -----------------------------------------------------Distribution Group Management Success and Failure

1. Start | run | cmd 2. run auditpol /get /subcategory:"Application Group Management" and verify the settings shown below. Otherwise file a bug. Policy Should BE -----------------------------------------------------Application Group Management Success and Failure

C:\Windows\system32>aud itpol /get /subcategory:"Distribution Group Management" System audit policy Category/Subcategory Setting Account Management Distribution Group Management Success and Failure C:\Windows\system32>aud itpol /get /subcategory:"Application Group Management" System audit policy Category/Subcategory Setting Account Management Application Group Management Success and Failure C:\Windows\system32>aud itpol /get /subcategory:"Other Account Management Events

1. Start | run | cmd 2. run auditpol /get /subcategory:"Other Account Management Events" and verify the settings shown below. Otherwise file a bug. Policy Should BE -----------------------------------------------------Other Account Management Events Success and Failure

System audit policy Category/Subcategory Setting Account Management Other Account Management Events Success and Failure 1. Start | run | cmd C:\Windows\system32>aud 2. run auditpol /get /subcategory:"Kerberos Service Ticket Operations" and verify the settings shown below. Otherwise file a itpol /get bug. /subcategory:"Kerberos Policy Should BE Service Ticket Operatio -----------------------------------------------------ns" Kerberos Service Ticket Operations Success and Failure System audit policy Category/Subcategory Setting Account Logon Kerberos Service Ticket Operations Success and Failure 1. Start | run | cmd C:\Windows\system32>aud 2. run auditpol /get /subcategory:"Other Account Logon Events" and verify the settings shown below. Otherwise file a bug. itpol /get Policy Should BE /subcategory:"Other -----------------------------------------------------Account Logon Events" Other Account Logon Events Success and Failure System audit policy Category/Subcategory Setting Account Logon Other Account Logon Events Success and Failure 1. Start | run | cmd C:\Windows\system32>aud 2. run auditpol /get /subcategory:"Kerberos Authentication Service" and verify the settings shown below. Otherwise file a itpol /get bug. /subcategory:"Kerberos Policy Should BE Authentication Service -----------------------------------------------------Kerberos Authentication Service Success and Failure System audit policy Category/Subcategory Setting Account Logon Kerberos Authentication Service Success and Failure

Set debug attribute to false in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.config file. Ex: Project team to address <configuration><system.web><compilation debug="false" /></system.web></configuration>. If debugging is required then supress this warning using SupressMessageAttribute: [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity", "CA11002:CompilationDebugEnabledRule")] Set requireSSL attribute to true in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.config file. Ex: Project team to address <configuration><system.web><authentication><forms requireSSL="true" /></authentication></system.web></configuration>. If SSL cannot be used supress this warning using SupressMessageAttribute then place this in [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity","CA11003:FormsAuthenticationRe quireSSLRule")] your code.

Set requireSSL attribute to true in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.Release.config Project team to address file. Ex: <configuration><system.web><authentication><forms requireSSL="true" /></authentication></system.web></configuration>. If SSL cannot be used supress this warning using SupressMessageAttribute then place this in [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.WebConfigurationSecurity","CA11003:FormsAuthenticationRe quireSSLRule")] your code. Set validationKey attribute to AutoGenerate,IsolateApps in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.config file. Ex: <configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" /></system.web></configuration>. Project team to address

Set validationKey attribute to AutoGenerate,IsolateApps in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.Release.config file. Ex: <configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" /></system.web></configuration>.

Project team to address

Set httpGetEnabled attribute to false in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.config file. Ex: <configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceMetadata httpGetEnabled="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>.

Project team to address

Set includeExceptionDetailInFaults attribute to false in the \\tk5lcapweb11\C$\inetpub\wwwroot\ESignNotificationListener\Web.config file. Ex: <configuration><system.serviceModel><behaviors><serviceBehaviors><behavior><serviceDebug includeExceptionDetailInFaults="false" /></behavior></serviceBehaviors></behaviors></system.serviceModel></configuration>.

Project team to address

Where possible, use standard port 80. The default web site should be stopped/deleted and a new web site created.

not using SSL

Project team to address

Ensure logging is performed to:
1. Non-System Drive
2. Different Drive from the web files
3. NTFS formatted drive.
In addition, review the ACLs on the log file directories ensuring the following:
o Administrators: Full Control
o System: Full Control
o Domain Users: RWC

Project team to address

Ensure adequate information is included in the log. Specifically ensure the following W3C Logging Fields are selected:
o Client IP Address
o User Name
o Method
o URI Stem
o HTTP Status (if available as an option)
o Win32 Status
o User Agent
o Server IP Address
o Server Port

Lock down the settings for the web site / virtual directories on the server to conform with the following:
1. Start | run | %SystemRoot%\system32\inetsrv\iis.msc
2. Navigate to the (local computer) \ Web sites node.
o Script Source Access is unchecked
o Write is unchecked
o Directory Browsing is unchecked
o Log Visits is checked
o Execute Permissions = Scripts only

Project team to address

Configuring Channel Binding from the IIS 7.5 Console:
To enable Channel Binding for a TLS/SSL site hosted in Windows 7 or Windows Server 2008 R2:
1. Open the IIS 7.0/7.5 management console.
2. Click on the node where you want to apply channel binding. This may be the entire server, the default web site or any other site you are hosting. The site should have TLS/SSL enabled.
3. Click on the Authentication icon.
4. If Windows Authentication is enabled, select the Windows Authentication entry in the list.
5. Click the Advanced Settings action.
6. In the Extended Protection dropdown, select Accept (partial hardening). If you need to enable strict hardening, select Require. Strict hardening should be used on high-security servers where it is known that all clients have been properly updated with the Extended Protection features enabled.

Configuring Channel Binding from the Command Line:
To perform the same steps from the command line, you can run the following.
Enable partial hardening:
%windir%\system32\inetsrv\appcmd.exe set config "your site name/your app name" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:Allow /commit:apphost
Enable full or strict hardening:
%windir%\system32\inetsrv\appcmd.exe set config "your site name/your app name" -section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:Require /commit:apphost

not using SSL

Configuring Channel Binding from the IIS 7.5 Console / from the Command Line: same remediation as the preceding Channel Binding item.

Move Web site files / directories to a non system drive.

not using SSL

Project team to address

Move Web site files / directories to a non system drive.

Project team to address

Ensure logging is performed to a:
1. Non-System Drive,
2. Different Drive from the web files,
3. NTFS formatted drive.

Project team to address

Ensure logging is performed to a:
1. Non-System Drive,
2. Different Drive from the web files,
3. NTFS formatted drive.

Project team to address

If any of the following accounts / groups have permissions on the root directory (and corresponding sub-directories) of your website, then they must explicitly have a deny for the write attribute on that directory hierarchy:
o IIS_machine name
o IIS_IUSRS
o IIS_WPG

Project team to address

If any of the following accounts / groups have permissions on the root directory (and corresponding sub-directories) of your website, then they must explicitly have a deny for the write attribute on that directory hierarchy:
o IIS_machine name
o IIS_IUSRS
o IIS_WPG

Project team to address

If any of the following accounts / groups have permissions on the root directory (and corresponding sub-directories) of your website, then they must explicitly have a deny for the write attribute on that directory hierarchy:
o IIS_machine name
o IIS_IUSRS
o IIS_WPG

Project team to address

Project team to address

This component is not installed by default. IIS 7 uses a new configuration system with new interfaces. The legacy interfaces have limitations and are not ideal for working with distributed configuration files. It is recommended to port legacy scripts and applications over to the new system interfaces. Once ported, uninstall the Metabase compatibility feature.

Project team to address


Fixed

Configuration is changed

We have used http because the Microsoft Enterprise eSign Platform recommends this via their eSign onboarding documentation examples.

We have used http because the Microsoft Enterprise eSign Platform recommends this via their eSign onboarding documentation examples.

Necessary changes are made by dev team

Necessary changes are made by dev team

Necessary changes are made by dev team

Necessary changes are made by dev team

Necessary changes are made by dev team

Necessary changes are made by dev team

Web site files are moved to D drive

Necessary changes are made by dev team

Necessary changes are made by dev team

Necessary changes are made by dev team

Necessary changes are made by dev team

Necessary changes are made by dev team

Necessary changes are made by dev team

Necessary changes are made by dev team
