Educause Security Discussion mailing list archives

Re: Server 2008 GPOs for isolated PCI environment


From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Wed, 28 Nov 2012 09:33:42 -0600

I used the Microsoft "SSLF" (Specialized Security – Limited
Functionality) standards as the starting point for my GPOs. Keep in mind
that the SSLF standard disables Remote Desktop in about 3 or 4 different
ways, so if you are using a Remote Desktop server with thin clients like I
am, you need to change some of the settings.

Generally I found the settings work well, but they are harsh in a few
spots and some applications need a specific setting reverted, which I do
on a server-by-server basis with a second group policy object that is
only applied to that server. There are a lot of "security" settings that
aren't set in these policies, because in reality those settings don't
prevent users from doing things, they just hide things. But you still
will need to go through and enable additional settings that make sense
for your environment.

The CIS standards are very similar, but the advantage of the Microsoft
standards is in the use of the Security Compliance Manager application.
It lets you export the standards as a Group Policy backup, among other
options, that can easily be imported into Group Policy or SCCM.
Regardless, I'd still read through the CIS standards to make sure you're
doing everything you should, though our QSAs were fine with the SSLF
standards from Microsoft.

http://technet.microsoft.com/en-us/library/gg236605.aspx

When documenting, I say I use the SSLF standard:

"Server 2008 x86, Server 2008 x64, and Server 2008 R2 shall be
configured according to the manufacturer’s documentation titled “Windows
Server® 2008 Security Guide Version 3.0,” published in February 2009 as
part of the “Security Compliance Management Toolkit Series.”  Newer
versions of the same security standard shall be acceptable.  The
“Windows Server® 2008 Security Guide Version 3.0” provides two security
standards; the “Specialized Security – Limited Functionality (SSLF)”
standard shall be used."

I then go and list the exceptions that are made, like for remote desktop
and settings on individual machines. I document the other, non-security
settings separately as they are not part of the "hardening" of the system.

-Eric


-------- Original Message --------
Subject: [SECURITY] Server 2008 GPOs for isolated PCI environment
From: Nick Recchia <nprecchia () USFCA EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 11/27/2012 6:58 PM

We are implementing a new 2008 server to assist in fulfilling PCI SAQ D
requirements (our vendor is Moneris).
Does anyone have PCI 2008 GPOs we may leverage?

Thanks in advance.

-Nick

-- 
Nicholas Recchia, Ed.D.
/Security Administrator/
ITS - Security Services
infosec.usfca.edu <http://infosec.usfca.edu>



-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/

If you see an attachment called smime.p7s, you may disregard it. It is
an S/MIME digital signature file to validate the authenticity of this
email message.
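The layering Eric describes (an SCM-exported SSLF baseline GPO plus a second, server-specific GPO that reverts individual settings such as the Remote Desktop lockdown) can be scripted with the GroupPolicy RSAT module. This is an added example, not code from the thread or from Microsoft; the backup path, GPO names, backup display name and OU distinguished name are assumptions you would replace with your own.

```powershell
# Added example (not from the list thread): import an SCM-exported SSLF GPO
# backup as the baseline, then layer a per-server exception GPO with higher
# precedence. Requires the GroupPolicy module (RSAT) on a domain-joined admin
# host. All names and paths below are assumptions.
Import-Module GroupPolicy

$BackupPath    = 'C:\SCM\Exports\WS2008-SSLF'           # folder from SCM "Export > GPO Backup"
$BackupGpoName = 'WS2008 SSLF Member Server'             # assumed display name stored in the backup
$BaselineName  = 'PCI - WS2008 SSLF Baseline'            # assumed GPO name for the baseline
$ServerOU      = 'OU=PCI-RDS,OU=PCI,DC=example,DC=edu'   # assumed OU containing only the RDS host
$ExceptionName = 'PCI - RDS01 Exceptions'                # assumed per-server exception GPO

# 1. Baseline: import the SCM backup into a GPO (created if missing) and link it to the OU.
Import-GPO -BackupGpoName $BackupGpoName -Path $BackupPath `
           -TargetName $BaselineName -CreateIfNeeded | Out-Null
New-GPLink -Name $BaselineName -Target $ServerOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 2. Exception GPO, linked to the same OU at link order 1 so that, where the two
#    GPOs set the same policy, the exception wins over the SSLF baseline.
$exc = Get-GPO -Name $ExceptionName -ErrorAction SilentlyContinue
if (-not $exc) {
    $exc = New-GPO -Name $ExceptionName -Comment 'Documented SSLF exceptions for RDS01 (see hardening doc)'
}
New-GPLink -Name $ExceptionName -Target $ServerOU -LinkEnabled Yes -Order 1 -ErrorAction SilentlyContinue

# 3. Revert one of the SSLF Remote Desktop lockdowns: the administrative template
#    "Allow users to connect remotely by using Remote Desktop Services" is stored as
#    fDenyTSConnections under the Terminal Services policy key (0 = allow).
#    The other SSLF RDP restrictions (the "Allow log on through Remote Desktop
#    Services" user right, firewall rules, service startup) are security-template
#    settings and are edited in GPMC rather than with Set-GPRegistryValue.
Set-GPRegistryValue -Name $ExceptionName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null

# 4. Verify precedence on the OU: the exception GPO must appear at Order 1,
#    with the SSLF baseline below it. Keep this output with the exception list
#    you hand to the QSA.
(Get-GPInheritance -Target $ServerOU).GpoLinks |
    Select-Object Order, DisplayName, Enabled | Format-Table -AutoSize
```

Run `gpupdate /force` on the server afterwards and confirm the winning GPO for the Terminal Services setting with `gpresult /h` before treating the exception as in effect.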
