Top Failed CIS Windows Server 2008 R2 Checks

CIS MS Windows Server
2008 R2 MS V2.1.0
November 3, 2014 at 1:47pm EST
[michaelwillison]
RESEARCH
Confidential: The following report contains confidential information. Do not distribute,
email, fax, or transfer via any electronic mechanism unless it has been approved by the
recipient company's security policy. All copies and backups of this document should be
saved on protected storage at all times. Do not share any of the information contained
within this report with anyone unless they are authorized to view the information. Violating
any of the previous instructions is grounds for termination.
Table of Contents
About This Report
................................................................................................................................................................................................
Chapter 1
............................................................................................................................................................................................................................
1.1 - Data CIS_MS_Windows_Server_2008_R2_MS_V2.1.0 .............................................................................................................................................. 2
1.2 - Data CIS_MS_Windows_Server_2008_R2_MS_V2.1.0 ...........................................................................................................................................48
Table of Contents
CIS MS Windows Server 2008 R2 MS V2.1.0
About This Report

This report is a template used for reporting on the results from CIS compliance scans with the
CIS_MS_Windows_Server_2008_R2_MS_V2.1.0 audit file. The Center for Internet Security is an organization
that works with end users, vendors, and auditors to develop a set of 'best practice' security standards for
configuring operating systems and applications. These 'best practices' are known as 'CIS Benchmarks'.
Tenable Network Security is a CIS member and has submitted several audit policies for certification against
specific benchmarks. The policies included in CIS_MS_Windows_Server_2008_R2_MS_V2.1.0 have been
approved and have been certified by CIS staff members. Tenable has submitted example positive and
negative test cases for each of the unique test criteria for CIS_MS_Windows_Server_2008_R2_MS_V2.1.0
benchmarks.
The CIS_MS_Windows_Server_2008_R2_MS_V2.1.0 CIS audit file contains a description of how to
perform the scan. When performing managed scans with SecurityCenter, some CIS audits require
additional patch audits and vulnerability checks. Any additional requirements for completing an audit with
CIS_MS_Windows_Server_2008_R2_MS_V2.1.0 are included with the audit file description text. In some
cases, multiple scans may be required to be performed.
When performing audit scans with SecurityCenter, the CIS_MS_Windows_Server_2008_R2_MS_V2.1.0
must first be uploaded to SecurityCenter. Next, the appropriate credentials must be added, after
which a scan policy can be created. Finally, a scan can be scheduled. As part of the post scan jobs,
the 'Auto-Run Reports' can be enabled automatically, running this report on the data collected for the
CIS_MS_Windows_Server_2008_R2_MS_V2.1.0.
If there are several audit scans and the auditor would like the data in a single report for
CIS_MS_Windows_Server_2008_R2_MS_V2.1.0, then editing the report template is required. When editing
the report template, first go to Reports and select the CIS_MS_Windows_Server_2008_R2_MS_V2.1.0 report,
then click on the 'Edit' button. Navigate to the definition, and select 'Find / Update' link in the top center of the
screen.
In the top search filter, select 'Audit File' and 'is not set', then click 'Save'. The filter will then move to just
below the 'Add Filter' link. Next, under 'Update Actions', select 'Audit File' and select 'is set to'. A new box will
appear with a drop-down list, select the CIS_MS_Windows_Server_2008_R2_MS_V2.1.0 and click 'Save'.
Note that the results will be displayed in the windows on the bottom. Click the 'Update' button just above the
results box. The screen will update with a specified number of filters updated. Now you can close the window
and submit the report. Next, launch the report. This report sometimes can take a while depending on the
length of the CIS_MS_Windows_Server_2008_R2_MS_V2.1.0 and the number of systems checked.
This .audit is designed to query the MS Windows Server 2008 R2 OS as defined by CIS in the
CIS_Microsoft_Windows_Server_2008_R2_Benchmark_v2.1.0.pdf https://benchmarks.cisecurity.org/tools2/
windows/CIS_Microsoft_Windows_Server_2008_R2_Benchmark_v2.1.0.pdf
About This Report
Chapter 1
1.1 - Data CIS_MS_Windows_Server_2008_R2_MS_V2.1.0
Section Matrix Summary

System Count
Passed
Manual
Failed
7 Days
22
26
16
14 Days
21 Days
28 Days
11
> 29 Days
16
119
38
15
Compliance By Subnet (Top 10)
Chapter 1
Failed Check Summary

Plugin Name
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Plugin Name
Severity
Total
1.12.8 Do not allow additional path delimiters (verify ALLOW_BACKSLASH is

set to false)
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
1.12.13 Increase the entropy in session identifiers

Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.12 Force SSL for all applications
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.9 Do not allow custom header status messages
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.8 Do not allow additional path delimiters (verify ALLOW_ENCODED_
SLASH is set to false)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11.3 Disable deploy on startup applications
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11.2 Disabling auto deployment of applications
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.7 Turn off session facade recycling
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.6 Enable strict servlet Compliance
Chapter 1
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.4 Force SSL when accessing the manager application
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11.1 Starting Tomcat with Security Manager
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.1.27 Default account passwords - 'Change the default password for 'XDB'
172.26.22.127
Plugin Name
1.1.26 Default account passwords - 'Change the default password for
'WMSYS'
172.26.22.127
Plugin Name
'WKSYS'
172.26.22.127
Plugin Name
1.1.23 Default account passwords - 'Change the default password for 'WK_
TEST'
172.26.22.127
Plugin Name
'SYSTEM'
172.26.22.127
Plugin Name
'SPATIAL_WFS_ADMIN_USR'
172.26.22.127
Chapter 1
Plugin Name
'SPATIAL_CSW_ADMIN_USR'
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High

172.26.22.127
Plugin Name
1.1.18 Default account passwords - 'Change the default password for 'SI_
INFORMTN_SCHEMA'
172.26.22.127
Plugin Name
'OWBSYS'
172.26.22.127
Plugin Name
'OWBSYS_AUDIT'
172.26.22.127
Plugin Name
'OUTLN'
172.26.22.127
Plugin Name
'ORDSYS'
172.26.22.127
Plugin Name
'ORDPLUGINS'
172.26.22.127
Plugin Name
'ORDDATA'
172.26.22.127
Chapter 1
Plugin Name
Severity
Total
High
Severity
Total
High
Plugin Name
Severity
Total
1.1.8 Default account passwords - 'Change the default password for MDSYS'
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High

'ORACLE_OCM'
172.26.22.127
Plugin Name
OLAPSYS'
172.26.22.127

172.26.22.127
Plugin Name
MDDATA'
172.26.22.127
Plugin Name
EXFSYS'
172.26.22.127
Plugin Name
1.1.5 Default account passwords - 'Change the default password for DIP'
172.26.22.127
Plugin Name
CTXSYS'
172.26.22.127
Plugin Name
APPQOSSYS'
172.26.22.127
Plugin Name
1.1.2.4 Require Timeout for Login Sessions - 'console timeout < 10'
Chapter 1

10.31.254.254 - DNS Name: asa-inside.net.melcara.int
Plugin Name
Severity
Total
High
Severity
Total
High
Severity
Total
High
Plugin Name
Severity
Total
1.1.5.3 Require SNMP Trap Server When SNMP is Used - 'snmp-server host'
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
1.1.2.4 Require Timeout for Login Sessions - 'ssh timeout < 10'
Plugin Name
1.1.5.4 Require Authorized Read SNMP Community Strings and Access
Control - 'snmp-server host'
Plugin Name
1.1.5.4 Require Authorized Read SNMP Community Strings and Access
Control - 'snmp-server community'

Plugin Name
1.1.5.2 Forbid SNMP Traps
Plugin Name
1.1.5.1 Forbid SNMP Read Access
Plugin Name
1.1.3.4 Require ASDM Banner
Plugin Name
1.1.3.3 Require MOTD Banner
Plugin Name
1.1.3.2 Require Login Banner
Chapter 1

Plugin Name
1.1.3.1 Require EXEC Banner
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High

Plugin Name
1.1.2.5 Require SSH Access Control
Plugin Name
1.1.2.2 Require ASDM Management Access Control
Plugin Name
1.1.1.5 Require AAA Accounting (aaa accounting command privilege)
Plugin Name
1.1.1.4 Require AAA Command Authorization - 'aaa authorization command
tacacs+_server_group local'
Plugin Name
1.1.1.4 Require AAA Command Authorization - 'aaa authorization command
local'
Plugin Name
1.1.1.4 Require AAA Command Authorization - 'aaa authorization exec
authentication-server'
Plugin Name
1.1.1.3 Require Defined AAA Servers and Protocols - 'aaa-server timeout'
Plugin Name
1.1.1.3 Require Defined AAA Servers and Protocols - 'aaa-server host'
Chapter 1

Plugin Name
Severity
Total
High
Severity
Total
High
Severity
Total
High
Plugin Name
Severity
Total
1.1.5.11 Require AES128 or Better Encryption for SNMPv3 Access - 'All SNMP
users > AES 128 encryption'
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
1.1.1.2 Require AAA Authentication for Console and Other Interactive

Management Protocols - 'Secure-http-client'
Plugin Name
1.1.5.6 Require AES128 or better encryption for SNMPv3 Access
Plugin Name
1.1.5.5 Require Group for SNMPv3 Access

10.31.102.250 - MAC Address: a4:0c:c3:74:68:40 DNS Name: c2960.net.melcara.int
10.31.102.253 - MAC Address: a8:b1:d4:f4:8f:c0 DNS Name: vlan102-core.net.melcara.int
Plugin Name
1.1.3 Installing Apache
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.17 Logging. (/etc/logrotate.d/httpd)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.17 Logging. (CustomLog)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.17 Logging. (ErrorLog)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.17 Logging. (LogLevel)
Chapter 1

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Plugin Name
Severity
Total
1.16 Software Information Leakage Protection. (ErrorDocument 401 /custom4

01.html)
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
1.16 Software Information Leakage Protection. (ErrorDocument 500 /

custom500.html)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
custom405.html)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
custom404.html)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
custom403.html)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
custom400.html)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.16 Software Information Leakage Protection. (ServerSignature Off)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.16 Software Information Leakage Protection. (ServerTokens Prod)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Chapter 1
10
Plugin Name
1.15 Implementing Mod_SSL. (/usr/local/apache2/conf/httpd.conf 'SSLProt
ocol all -SSLv2')
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.14 Buffer Overflow Protection Tuning. (LimitRequestLine)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.14 Buffer Overflow Protection Tuning. (LimitRequestFieldSize)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.14 Buffer Overflow Protection Tuning. (LimitRequestFields)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.14 Buffer Overflow Protection Tuning. (LimitRequestBody)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.13 Denial of Service Prevention Tuning. (AcceptFilter https)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.13 Denial of Service Prevention Tuning. (AcceptFilter http)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.13 Denial of Service Prevention Tuning. (KeepAliveTimeout)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.13 Denial of Service Prevention Tuning. (KeepAlive)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Chapter 1
11
Plugin Name
1.13 Denial of Service Prevention Tuning. (Timeout)
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12 Restrict File Extensions.
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11 Restrict HTTP Protocol Version. (RewriteRUle)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11 Restrict HTTP Protocol Version. (RewriteCond)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11 Restrict HTTP Protocol Version. (RewriteEngine)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.1.1 Enforce password history (>=24)
172.26.23.13 - MAC Address: 00:50:56:bd:76:73 DNS Name: wsus.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\WSUS
172.26.23.27 - MAC Address: 00:50:56:bd:76:61 DNS Name: s11c.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\S11C
172.26.23.33 - MAC Address: 00:50:56:bd:76:3d DNS Name: s3d.lab.tenablesecurity.com NetBIOS Name: WORKGROUP\S3D
172.26.23.47 - DNS Name: winsevm.lab.tenablesecurity.com NetBIOS Name: UNKNOWN\WINSEVM
172.26.23.58 - MAC Address: 00:50:56:bd:61:43
172.26.23.73 - DNS Name: s7d.lab.tenablesecurity.com NetBIOS Name: UNKNOWN\S7D
172.26.23.107 - NetBIOS Name: UNKNOWN\WINSEVM
Plugin Name
1.1.3 Minimum password age (>=1)
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.1.4 Minimum password length (>=8)
Severity
Total
High
Chapter 1
12
172.26.23.58 - MAC Address: 00:50:56:bd:61:43
172.26.23.84 - MAC Address: 00:50:56:bd:46:04 DNS Name: winsevm.lab.tenable NetBIOS Name: FM\SQL08
Plugin Name
Severity
Total
1.1 Use the Latest OS Release - Check if Solaris 10 10/09 release is installed
High

172.26.48.98 - MAC Address: 00:50:56:bd:69:2c DNS Name: solaris9.target.tenablesecurity.com
Plugin Name
1.1 Establish firewall configuration standards (inetd_enable)
Severity
Total
High

172.26.48.94 - MAC Address: 00:50:56:bd:6a:81 DNS Name: wsus.adsitarget.tenablesecurity.com
172.26.48.96 - MAC Address: 00:50:56:bd:4f:12
Plugin Name
1.12.14 Require trusted path for credential entry = Enabled
Severity
Total
High

172.26.48.75 - MAC Address: 00:50:56:be:27:da DNS Name: win7x64.target.tenablesecurity.com NetBIOS Name: TARGET\WIN7X64
Plugin Name
1.12.13 Enumerate administrator accounts on elevation = Disabled
Severity
Total
High

Plugin Name
1.12.11 RPC Endpoint Mapper Client Authentication = Enabled
Severity
Total
High

Plugin Name
Severity
Total
1.12.10 Restrictions for Unauthenticated RPC Clients = Enabled and Authent

icated
High

Plugin Name
1.12.9 Solicited Remote Assistance = Disabled
Severity
Total
High

Plugin Name
1.12.8 Offer Remote Assistance = Disabled
Severity
Total
High

Chapter 1
13
Plugin Name
1.12.6 Do not process the run once list = Enabled
Severity
Total
High

Plugin Name
1.12.5 Do not process the legacy run list = Enabled
Severity
Total
High

Plugin Name
1.12.4 Turn off Data Execution Prevention for Explorer = Disabled
Severity
Total
High

Plugin Name
1.12.3 Allow Remote Shell Access = Disabled
Severity
Total
High

Plugin Name
Severity
Total
1.12.2 Require a Password When a Computer Wakes (Plugged In) = Enabled
High

Plugin Name
Severity
Total
1.12.1 Require a Password When a Computer Wakes (On Battery) = Enabled
High

Plugin Name
1.11.7 Turn off Windows Update device driver searching = Enabled
Severity
Total
High

Plugin Name
1.10.3 Do not allow drive redirection = Enabled
Severity
Total
High

Plugin Name
1.10.2 Set client connection encryption level = Enabled to High Level
Severity
Total
High

Plugin Name
1.10.1 Always prompt client for password upon connection = Enabled
Severity
Total
High
Chapter 1
14

Plugin Name
1.1.3 Minimum Password Age: Minimum of 1 day
Severity
Total
High

Plugin Name
1.1.1 Enforce Password History: minimum of 24 passwords
Severity
Total
High

Plugin Name
1.12.14 Require trusted path for credential entry: Enabled
Severity
Total
High

Plugin Name
1.12.13 Enumerate administrator accounts on elevation: Disabled
Severity
Total
High

Plugin Name
1.12.11 RPC Endpoint Mapper Client Authentication: Enabled
Severity
Total
High

Plugin Name
1.12.10 Restrictions for Unauthenticated RPC Clients: Enabled and Authent
icated
Severity
Total
High

Plugin Name
1.12.9 Solicited Remote Assistance: Disabled
Severity
Total
High

Plugin Name
1.12.8 Offer Remote Assistance: Disabled
Severity
Total
High

Plugin Name
1.12.6 Do not process the run once list: Enabled
Severity
Total
High
Chapter 1
15
Plugin Name
1.12.5 Do not process the legacy run list: Enabled
Severity
Total
High

Plugin Name
1.12.3 Allow Remote Shell Access: Disabled
Severity
Total
High

Plugin Name
1.11.7 Turn off Windows Update device driver searching: Enabled
Severity
Total
High

Plugin Name
1.10.3 Do not allow drive redirection: Enabled
Severity
Total
High

Plugin Name
1.1.4 Minimum Password Length: Minimum of 12 characters
Severity
Total
High

Plugin Name
1.1.4 Minimum Password Length: at least 8 characters
Severity
Total
High

Plugin Name
1.1.3 Minimum Password Age: at least 1 day
Severity
Total
High

Plugin Name
1.1.1 Enforce Password History: at least 24 passwords remembered
Severity
Total
High

Plugin Name
1.12.7 Registry policy processing
Severity
Total
High

Chapter 1
16
Plugin Name
1.13.9 Screen Saver timeout = at most 900 seconds
Severity
Total
High

Plugin Name
1.13.8 Force specific screen saver = scrnsave.scr
Severity
Total
High

Plugin Name
1.13.7 Password protect the screen saver = Enabled
Severity
Total
High

Plugin Name
1.1.5 Password Must Meet Complexity Requirements: Enabled
Severity
Total
High

Plugin Name
1.1.4 Minimum Password Length: 8 characters
Severity
Total
High

Plugin Name
1.1.3 Minimum Password Age: 1 day
Severity
Total
High

Plugin Name
1.1.1 Enforce Password History: 24 passwords
Severity
Total
High

Plugin Name
1.12.11 Disable remote Desktop Sharing
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.12.10 Require trusted path for credential entry
Severity
Total
High
Chapter 1
17

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.12.8 Turn off Autoplay
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.12.7 RPC Endpoint Mapper Client Authentication
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.12.6 Restrictions for Unauthenticated RPC clients
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.12.5 Solicited Remote Assistance
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Chapter 1
18
Plugin Name
1.12.4 Offer Remote Assistance
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.12.2 Do not process the run once list
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.12.1 Do not process the legacy run list
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.11.7 Turn off Windows Update device driver searching
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
Severity
Total
1.11.6 Turn off the Windows Messenger Customer Experience Improvement

Program
High

Chapter 1
19
172.26.23.58 - MAC Address: 00:50:56:bd:61:43

Plugin Name
1.11.5 Turn off Search Companion content file updates
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.11.4 Turn off printing over HTTP
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.11.3 Turn off Internet download for Web publishing and online ordering
wizards
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.11.2 Turn off the 'Publish to Web' task for files and folders
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.11.1 Turn off downloading of print drivers over HTTP
Severity
Total
High
Chapter 1
20
172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.10.4 Do not allow passwords to be saved
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.10.2 Set client connection encryption level
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.10.1 Always prompt client for password upon connection
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.12.3 Registry policy processing (NoBackgroundPolicy)
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Chapter 1
21
Plugin Name
1.12.3 Registry policy processing (NoGPOListChanges)
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.1.5 Password must meet complexity requirements
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.1.24 Disable Mounting of udf Filesystems - '/etc/modprobe.d/CIS - install
udf /bin/true'
Severity
Total
High

172.26.48.45 - MAC Address: 00:50:56:be:27:e0 DNS Name: rhel3.target.tenablesecurity.com
172.26.48.47 - MAC Address: 00:50:56:be:27:d8 DNS Name: lce.target.tenablesecurity.com
172.26.48.48 - MAC Address: 00:50:56:be:27:d5 DNS Name: pvs.target.tenablesecurity.com
172.26.48.49 - MAC Address: 00:50:56:be:27:d9 DNS Name: securitycenter.target.tenablesecurity.com
172.26.48.50 - MAC Address: 00:50:56:be:27:f4 DNS Name: rhel5x86.target.tenablesecurity.com
172.26.48.51 - MAC Address: 00:50:56:be:27:ee DNS Name: rhel5x64.target.tenablesecurity.com
172.26.48.52 - MAC Address: 00:50:56:be:27:e5 DNS Name: rhel6x86.target.tenablesecurity.com
172.26.48.53 - DNS Name: rhel6x64.target.tenablesecurity.com
Plugin Name
1.1.23 Disable Mounting of squashfs Filesystems - '/etc/modprobe.d/CIS install squashfs /bin/true'
Severity
Total
High

Plugin Name
1.1.22 Disable Mounting of hfsplus Filesystems - '/etc/modprobe.d/CIS install hfsplus /bin/true'
Severity
Total
High
Chapter 1
22

Plugin Name
1.1.21 Disable Mounting of hfs Filesystems - '/etc/modprobe.d/CIS - install
hfs /bin/true'
Severity
Total
High

Plugin Name
1.1.20 Disable Mounting of jffs2 Filesystems - '/etc/modprobe.d/CIS - install
jffs2 /bin/true'
Severity
Total
High

Plugin Name
1.1.19 Disable Mounting of freevxfs Filesystems - '/etc/modprobe.d/CIS install freevxfs /bin/true'
Severity
Total
High

Plugin Name
Severity
Total
1.1.18 Disable Mounting of cramfs Filesystems - '/etc/modprobe.d/CIS - install

cramfs /bin/true'
High
Chapter 1
23

Plugin Name
1.1.23 Disable Mounting of squashfs Filesystems '/etc/modprobe.d/CIS install squashfs /bin/true'
Severity
Total
High

Plugin Name
Severity
Total
1.1.22 Disable Mounting of hfsplus Filesystems '/etc/modprobe.d/CIS - install

hfsplus /bin/true'
High

Plugin Name
Severity
Total
1.1.21 Disable Mounting of hfs Filesystems '/etc/modprobe.d/CIS - install hfs /

bin/true'
High

Plugin Name
1.1.20 Disable Mounting of jffs2 Filesystems '/etc/modprobe.d/CIS - install
jffs2 /bin/true'
Severity
Total
High

Plugin Name
Severity
Total
1.1.19 Disable Mounting of freevxfs Filesystems '/etc/modprobe.d/CIS - install

freevxfs /bin/true'
High

Plugin Name
Severity
Total
1.1.18 Disable Mounting of cramfs Filesystems '/etc/modprobe.d/CIS - install

cramfs /bin/true'
High

Chapter 1
24
Plugin Name
1.1.24 Disable Mounting of udf Filesystems - '/etc/modprobe.d/CIS.conf install udf /bin/true'
Severity
Total
High

172.26.48.34 - MAC Address: 00:50:56:be:27:eb DNS Name: fedora10.target.tenablesecurity.com
172.26.48.35 - MAC Address: 00:50:56:be:27:ff DNS Name: fedora11.target.tenablesecurity.com
172.26.48.37 - MAC Address: 00:50:56:be:28:15 DNS Name: fedora15.target.tenablesecurity.com
Plugin Name
Severity
Total
1.1.23 Disable Mounting of squashfs Filesystems - '/etc/modprobe.d/CIS.conf

- install squashfs /bin/true'
High

Plugin Name
Severity
Total
1.1.22 Disable Mounting of hfsplus Filesystems - '/etc/modprobe.d/CIS.conf install hfsplus /bin/true'
High

Plugin Name
1.1.21 Disable Mounting of hfs Filesystems - '/etc/modprobe.d/CIS.conf install hfs /bin/true'
Severity
Total
High

Plugin Name
1.1.20 Disable Mounting of jffs2 Filesystems - '/etc/modprobe.d/CIS.conf install jffs2 /bin/true'
Severity
Total
High

Plugin Name
Severity
Total
1.1.19 Disable Mounting of freevxfs Filesystems - '/etc/modprobe.d/CIS.conf install freevxfs /bin/true'
High
Chapter 1
25

Plugin Name
1.1.18 Disable Mounting of cramfs Filesystems - '/etc/modprobe.d/CIS.conf install cramfs /bin/true'
Severity
Total
High

Plugin Name
1.1.24 Disable Mounting of udf Filesystems
Severity
Total
High

172.26.48.24 - DNS Name: centos6.target.tenablesecurity.com
172.26.48.25 - DNS Name: centos6x64.target.tenablesecurity.com
172.26.48.78
172.26.48.79 - MAC Address: 00:50:56:bd:28:3e DNS Name: webapp1.target.tenablesecurity.com
Plugin Name
1.1.23 Disable Mounting of squashfs Filesystems
Severity
Total
High

172.26.48.78
Plugin Name
1.1.22 Disable Mounting of hfsplus Filesystems
Severity
Total
High

172.26.48.78
Plugin Name
1.1.21 Disable Mounting of hfs Filesystems
Severity
Total
High

172.26.48.78
Plugin Name
1.1.20 Disable Mounting of jffs2 Filesystems
Severity
Total
High

172.26.48.78
Chapter 1
26
Plugin Name
1.1.19 Disable Mounting of freevxfs Filesystems
Severity
Total
High

172.26.48.78
Plugin Name
1.1.18 Disable Mounting of cramfs Filesystems
Severity
Total
High

172.26.48.78
Plugin Name
1.1.17 Set Sticky Bit on All World-Writable Directories
Severity
Total
High

172.26.48.78
Plugin Name
1.1.16 Add noexec Option to /dev/shm Partition
Severity
Total
High
13

172.26.48.78
Plugin Name
1.1.15 Add nosuid Option to /dev/shm Partition
Severity
Total
High
13

Chapter 1
27
172.26.48.78
Plugin Name
Severity
Total
High
13
1.1.14 Add nodev Option to /dev/shm Partition


172.26.48.78
Plugin Name
Severity
Total
High
1.1.13 Add nosuid Option to Removable Media Partitions


Plugin Name
Severity
Total
High
1.1.12 Add noexec Option to Removable Media Partitions


Plugin Name
Severity
Total
High
1.1.11 Add nodev Option to Removable Media Partitions


Plugin Name
Severity
Total
High
13
1.1.10 Add nodev Option to /home

Chapter 1
28

172.26.48.78
Plugin Name
1.1.9 Create Separate Partition for /home
Severity
Total
High
13

172.26.48.78
Plugin Name
1.1.8 Create Separate Partition for /var/log/audit
Severity
Total
High
13

172.26.48.78
Plugin Name
1.1.7 Create Separate Partition for /var/log
Severity
Total
High
13

172.26.48.78
Chapter 1
29
Plugin Name
Severity
Total
High
13
1.1.6 Bind Mount the /var/tmp directory to /tmp


172.26.48.78
Plugin Name
Severity
Total
High
13
1.1.5 Create Separate Partition for /var


172.26.48.78
Plugin Name
Severity
Total
High
13
1.1.4 Set noexec option for /tmp Partition


172.26.48.78
Plugin Name
Severity
Total
High
13
1.1.3 Set nosuid option for /tmp Partition

Chapter 1
30

172.26.48.78
Plugin Name
1.1.2 Set nodev option for /tmp Partition
Severity
Total
High
13

172.26.48.78
Plugin Name
1.1.1 - Create Separate Partition for /tmp
Severity
Total
High
13

172.26.48.78
Manual Check Required Summary

Plugin Name
1.1 Require Current Software - 'show version'
Severity
Total
Medium
Severity
Total
Medium
Hosts in Repository 'net_172.26.0':

172.26.0.17 - MAC Address: 00:24:dc:0e:3b:88
Plugin Name
1.1.1.4 Require AAA Command Authorization - 'List All Commands'
Chapter 1
31
Plugin Name
1.1 Use the Latest Package Updates
Severity
Total
Medium

172.26.48.99 - MAC Address: 0:50:56:bd:7a:18 DNS Name: solaris10.target.tenablesecurity.com
172.26.48.100 - MAC Address: 0:50:56:bd:23:c7 DNS Name: solaris11.target.tenablesecurity.com
Plugin Name
1.1.2 Do not connect to the Internet when setting up a Mac
Severity
Total
Medium

172.26.48.86 - MAC Address: 00:50:56:bd:74:b5 DNS Name: osx108.target.tenablesecurity.com NetBIOS Name: UNKNOWN\OSX108
Plugin Name
1.1.1 Securely erase the Mac OS X partition before installation
Severity
Total
Medium

Plugin Name
1.13.3 Notify antivirus programs when opening attachments = Enabled
Severity
Total
Medium

Plugin Name
1.13.2 Hide mechanisms to remove zone information = Enabled
Severity
Total
Medium

Plugin Name
1.12.15 Prevent the computer from joining a homegroup = Enabled
Severity
Total
Medium

Plugin Name
1.12.12 Turn off Autoplay = Enabled for all drives
Severity
Total
Medium

Plugin Name
Severity
Total

Program = Enabled
Medium

Plugin Name
1.11.5 Turn off Search Companion content file updates = Enabled
Severity
Total
Medium

Chapter 1
32
Plugin Name
1.11.4 Turn off printing over HTTP = Enabled
Severity
Total
Medium

Plugin Name
wizards = Enabled
Severity
Total
Medium

Plugin Name
1.11.2 Turn off the 'Publish to Web' task for files and folders = Enabled
Severity
Total
Medium

Plugin Name
1.11.1 Turn off downloading of print drivers over HTTP = Enabled
Severity
Total
Medium

Plugin Name
1.10.5 Do not allow passwords to be saved = Enabled
Severity
Total
Medium

Plugin Name
1.13.3 Notify antivirus programs when opening attachments: Enabled
Severity
Total
Medium

Plugin Name
1.13.2 Hide mechanisms to remove zone information: Enabled
Severity
Total
Medium

Plugin Name
1.12.15 Prevent the computer from joining a homegroup: Enabled
Severity
Total
Medium

Plugin Name
1.12.12 Turn off Autoplay: Enabled for all drives
Severity
Total
Medium

Chapter 1
33
Plugin Name
1.12.10 Restrictions for Unauthenticated RPC Clients: Enabled and Authent
icated.
Severity
Total
Medium

Plugin Name
1.12.4 Turn off Data Execution Prevention for Explorer: Disabled
Severity
Total
Medium

Plugin Name
1.12.2 Require a Password When a Computer Wakes (Plugged In): Enabled
Severity
Total
Medium

Plugin Name
1.12.1 Require a Password When a Computer Wakes (On Battery): Enabled
Severity
Total
Medium

Plugin Name
Severity
Total

Program: Enabled
Medium

Plugin Name
1.11.5 Turn off Search Companion content file updates: Enabled
Severity
Total
Medium

Plugin Name
1.11.4 Turn off printing over HTTP: Enabled
Severity
Total
Medium

Plugin Name
wizards: Enabled
Severity
Total
Medium

Plugin Name
1.11.2 Turn off the 'Publish to Web' task for files and folders: Enabled
Severity
Total
Medium

Chapter 1
34
Plugin Name
1.11.1 Turn off downloading of print drivers over HTTP: Enabled
Severity
Total
Medium

Plugin Name
1.10.5 Do not allow passwords to be saved: Enabled
Severity
Total
Medium

Plugin Name
1.10.2 Set client connection encryption level: Enabled to High Level
Severity
Total
Medium

Plugin Name
1.10.1 Always prompt client for password upon connection: Enabled
Severity
Total
Medium

Plugin Name
1.10.3 Do not allow drive redirection
Severity
Total
Medium

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Passed Checks
Plugin Name
Severity
Total
Info
Plugin Name
Severity
Total
1.12.17 Do not resolve hosts on logging valves (verify server.xml has resolve
Hosts set to false)
Info
Severity
Total
Info
1.1.1 Do not install Tomcat on a multi-use system

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.17 Do not resolve hosts on logging valves (verify context.xml has
resolveHosts set to false)
Chapter 1
35

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Plugin Name
Severity
Total
1.12.5 Rename the manager application (verify the default manager.xml has
been renamed)
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
1.12.11 Configure maxHttpHeaderSize

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.10 Configure connection Timeout
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.5 Rename the manager application (verify the default manager directo
ry has been removed/renamed)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.3 Restrict manager application
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.2 Restrict access to the web administration
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.1 Ensure Web content directory is on a separate partition from the
Tomcat system files (verify Web content directory)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.16 Do not allow cross context requests
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.15 Do not run applications as privileged
Chapter 1
36

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.12.14 Do not allow symbolic linking
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.10.1 Restrict runtime access to sensitive packages
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
'WKPROXY'
172.26.22.127
Plugin Name
1.1.21 Default account passwords - 'Change the default password for 'SYS'
172.26.22.127
Plugin Name
LBACSYS'
172.26.22.127
Plugin Name
DBSNMP'
172.26.22.127
Plugin Name
1.1.1 Default account passwords - 'Change the default password for APEX_
040000'
172.26.22.127
Plugin Name
1.1.5.3 Require SNMP Trap Server When SNMP is Used - 'snmp-server
enable traps snmp authentication'
Chapter 1
37
Plugin Name
1.1.4.2 Require Enable Password
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info

Plugin Name
1.1.4.1 Require Local User and Encrypted Password
Plugin Name
1.1.2.3 Require SSHv2 for Remote Management Access - 'ssh version = 2'
Plugin Name
1.1.2.3 Require SSHv2 for Remote Management Access - 'Telnet is not
enabled'
Plugin Name
1.1.2.1 Require Local Password
Plugin Name
1.1.1.5 Require AAA Accounting - 'aaa accounting enable console'
Plugin Name
1.1.1.5 Require AAA Accounting - 'aaa accounting ssh console'
Plugin Name
1.1.1.5 Require AAA Accounting - 'aaa accounting telnet console'
Plugin Name
1.1.1.5 Require AAA Accounting - 'aaa accounting serial console'
Chapter 1
38
Plugin Name
1.1.1.3 Require Defined AAA Servers and Protocols - 'aaa-server protocol'
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info

Plugin Name
Management Protocols - 'http'
Plugin Name
Management Protocols - 'SSH'
Plugin Name
Management Protocols - 'Telnet'
Plugin Name
Management Protocols - 'Serial'
Plugin Name
1.1.1.1 Require AAA Authentication for Enable Mode
Plugin Name
1.1.5.10 Require Group for SNMPv3 Access - 'snmp-server group is not
plaintext'
Plugin Name
1.1.2 Do not Install on a Multi-use System
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.1.1 Pre-installation Planning Checklist
Chapter 1
39

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.19 Updating Ownership and Permissions. (/usr/local/apache2/logs)
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.19 Updating Ownership and Permissions. (/usr/local/apache2/conf)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.19 Updating Ownership and Permissions. (/usr/local/apache2/*)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.19 Updating Ownership and Permissions. (/usr/local/apache2)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.18 Remove Default Content. (/usr/local/src/httpd-2*)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.18 Remove Default Content. (/usr/local/apache2/manual)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.18 Remove Default Content. (/usr/local/apache2/cgi-bin/*)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.18 Remove Default Content. (/usr/local/apache2/htdocs/*)
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.11 Restrict HTTP Protocol Version. (valid_protocol)
Chapter 1
40
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.10 Limiting HTTP Request Methods.
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.1 Installation
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.1.1 Enforce password history (>=24)
Plugin Name
1.1.3 Minimum password age (>=1)
Severity
Total
Info

Plugin Name
Severity
Total
1.1 Use the Latest OS Release - Check if Solaris 10 10/09 release is installed
Info

Plugin Name
1.1 Establish firewall configuration standards (/etc/hosts.allow)
Severity
Total
Info

172.26.48.96 - MAC Address: 00:50:56:bd:4f:12
Plugin Name
1.1.10 Update system software using verified packages
Severity
Total
Info

Plugin Name
1.13.6 Prevent access to registry editing tools = Enabled
Severity
Total
Info

Plugin Name
1.13.5 Remove Security tab = Enabled
Severity
Total
Info

Chapter 1
41
Plugin Name
1.13.4 Remove CD Burning features = Enabled
Severity
Total
Info

Plugin Name
1.13.1 Do not preserve zone information in file attachments = Disabled
Severity
Total
Info

Plugin Name
1.10.4 Allow users to connect remotely using Remote Desktop Services =
Disabled
Severity
Total
Info

Plugin Name
1.1.9 Reset Account Lockout Counter After: Minimum of 15 minutes
Severity
Total
Info

Plugin Name
1.1.8 Account Lockout Threshold: Maximum of 10 attempts
Severity
Total
Info

Plugin Name
1.1.7 Account Lockout Duration: Minimum of 15 minutes
Severity
Total
Info

Plugin Name
1.1.2 Maximum Password Age: Maximum of 90 days
Severity
Total
Info

Plugin Name
1.13.6 Prevent access to registry editing tools: Enabled
Severity
Total
Info

Plugin Name
1.13.5 Remove Security tab: Enabled
Severity
Total
Info

Chapter 1
42
Plugin Name
1.13.4 Remove CD Burning features: Enabled
Severity
Total
Info

Plugin Name
1.10.4 Allow users to connect remotely using Remote Desktop Services:
Disabled
Severity
Total
Info

Plugin Name
1.1.9 Reset Account Lockout Counter After: minimum of 15 minutes
Severity
Total
Info

Plugin Name
1.1.8 Account Lockout Threshold: maximum of 10 attempts
Severity
Total
Info

Plugin Name
1.1.7 Account Lockout Duration: 15 minutes
Severity
Total
Info

Plugin Name
1.1.2 Maximum Password Age
Severity
Total
Info

Plugin Name
1.1.9 Reset Account Lockout Counter After: at least 15 minutes
Severity
Total
Info

Plugin Name
1.1.8 Account Lockout Threshold: 50 attempts
Severity
Total
Info

Plugin Name
1.1.7 Account Lockout Duration: at least 15 minutes
Severity
Total
Info

Chapter 1
43
Plugin Name
1.1.2 Maximum Password Age: at the most 90 days
Severity
Total
Info

Plugin Name
1.13.10 Enable screen saver = Enabled
Severity
Total
Info

Plugin Name
1.13.1 Do not preserve zone information in file attachments: Disabled
Severity
Total
Info

Plugin Name
1.1.9 Reset Account Lockout Counter After: 15 minutes (minimum)
Severity
Total
Info

Plugin Name
1.1.8 Account Lockout Threshold: maximum of 50 attempts
Severity
Total
Info

Plugin Name
1.1.7 Account Lockout Duration: 15 minutes (minimum)
Severity
Total
Info

Plugin Name
1.1.6 Store Passwords Using Reversible Encryption: Disabled
Severity
Total
Info

Plugin Name
1.1.2 Maximum Password Age: 90 minutes
Severity
Total
Info

Plugin Name
1.1.9 Reset account lockout counter after
Severity
Total
Info

Chapter 1
44
172.26.23.58 - MAC Address: 00:50:56:bd:61:43

Plugin Name
1.1.8 Account lockout threshold
Severity
Total
Info

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.1.7 Account lockout duration
Severity
Total
Info

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.1.6 Store passwords using reversible encryption
Severity
Total
Info

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.1.5 Password must meet complexity requirements
Severity
Total
Info

Plugin Name
1.1.2 Maximum password age (Max of 90 days or less)
Severity
Total
Info

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Chapter 1
45
Plugin Name
1.1 Subscribe to Debian Security Lists
Severity
Total
Info

172.26.48.26 - MAC Address: 00:50:56:be:28:06 DNS Name: debian5.target.tenablesecurity.com
Plugin Name
1.1.17 Set Sticky Bit on All World-Writable Directories
Severity
Total
Info
10

Plugin Name
1.1.13 Add nosuid Option to Removable Media Partitions
Severity
Total
Info

172.26.48.78
Plugin Name
1.1.12 Add noexec Option to Removable Media Partitions
Severity
Total
Info

172.26.48.78
Plugin Name
1.1.11 Add nodev Option to Removable Media Partitions
Severity
Total
Info

172.26.48.78
Chapter 1
46
Chapter 1
47
1.2 - Data CIS_MS_Windows_Server_2008_R2_MS_V2.1.0
Section Matrix Summary

System Count
Passed
7 Days
Manual
Failed
23
14 Days
27
16
21 Days
28 Days
> 29 Days
15
27
14
Compliance By Subnet (Top 10)
Chapter 1
48
Failed Check Summary

Plugin Name
1.2.7 Remove Oracle Sample Users - 'Remove the sample user SH'
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High

172.26.22.127
Plugin Name
1.2.6 Remove Oracle Sample Users - 'Remove the sample user SCOTT'
172.26.22.127
Plugin Name
1.2.5 Remove Oracle Sample Users - 'Remove the sample user PM'
172.26.22.127
Plugin Name
1.2.4 Remove Oracle Sample Users - 'Remove the sample user OE'
172.26.22.127
Plugin Name
1.2.3 Remove Oracle Sample Users - 'Remove the sample user IX'
172.26.22.127
Plugin Name
1.2.2 Remove Oracle Sample Users - 'Remove the sample user HR'
172.26.22.127
Plugin Name
1.2.1 Remove Oracle Sample Users - 'Remove the sample user BI'
172.26.22.127
Plugin Name
1.2.2.1.4 Configure the SSH Timeout - 'ssh timeout < 5'
Plugin Name
1.2.2.1.5 Limit the number of SSH Authentication Tries - 'aaa local authent
ication attempts max-fail < 5'
Chapter 1
49
Plugin Name
1.2.4.2 Require NTP Authentication (ntp server)
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High

Plugin Name
1.2.4.2.3 Define the NTP Trusted Key
Plugin Name
1.2.4.2.2 Define NTP Key Ring and Encryption Key
Plugin Name
1.2.4.2.1 Enable NTP Authentication
Plugin Name
1.2.4.1 Require Primary NTP Server
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging (service-policy)
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging (flow-export event-type)
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging (class)
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging (policy-map)
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging (match access-list)
Chapter 1
50

Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging - 'class-map'
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High

Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging - 'access-list'
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging - 'flow-export delay flowcreate'
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging - 'flow-export template
timeout-rate'
Plugin Name
1.2.3.9 Require NetFlow Secure Event Logging - 'flow-export destination'
Plugin Name
1.2.3.5 Require Logging to Syslog Server
Plugin Name
1.2.3.2 Require Console Logging Severity Level if required by policy 'logging console = critical'
Plugin Name
1.2.3.1 Forbid Console Logging
Plugin Name
1.2.2.3 Forbid ASDM Service If Not Used - 'http server is not enabled'
Chapter 1
51

Plugin Name
1.2.2.2 Forbid DHCP Server Service - 'dhcpd is not enabled'
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High
Severity
Total
High

Plugin Name
1.2.1.3.2 Set Daylight Savings Dates
Plugin Name
1.2.1.2 Forbid Daylight Savings Time Clock Adjustments
Plugin Name
1.2.1.1 Require Clock Timezone - 'Device clock is set to UTC'
Plugin Name
1.2.4.2.4 Bind the NTP Key Ring to each NTP server - 'ntp server is configu
red to use a key ring'
Plugin Name
1.2.4.2.3 Define the NTP Trusted Key - 'ntp trusted-key is defined'
Plugin Name
1.2.4.2.2 Define NTP Key Ring and Encryption Key - 'ntp authentication-key
is defined'
Plugin Name
1.2.4.2.1 Enable NTP Authentication - 'ntp authentication is enabled'
Chapter 1
52
Plugin Name
1.2 ModSecurity Overview.
Severity
Total
High
Severity
Total
High

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2 Use the Latest OS Release - '/etc/redhat-release > 6.1'

Plugin Name
Severity
Total
1.2 Install TCP Wrappers - Check if permissions for /etc/default/inetd are OK.
High

Plugin Name
1.2 Install TCP Wrappers - Ensure 'ENABLE_TCPWRAPPERS' is set to 'YES'
in /etc/default/inetd
Severity
Total
High

Plugin Name
1.2 Install TCP Wrappers - Deny access to this server from all networks
Severity
Total
High

Plugin Name
1.2 Install TCP Wrappers - Allow localhost. Note: Replace 172.16.100.0/255.
255.255.0 with a network block in use at your organization.
Severity
Total
High

Plugin Name
Severity
Total
1.2 Build a firewall configuration that denies all traffic from 'untrusted'
networks and hosts, except for protocols necessary for the cardholder data
environment. (ipfw_load)
High
Chapter 1
53

172.26.48.96 - MAC Address: 00:50:56:bd:4f:12
Plugin Name
Severity
Total
1.2 Build a firewall configuration that denies all traffic from 'untrusted'
networks and hosts, except for protocols necessary for the cardholder data
environment. (firewall_enable)
High

172.26.48.96 - MAC Address: 00:50:56:bd:4f:12
Plugin Name
1.2. Enable SSH (/etc/ssh/sshd_config)
Severity
Total
High

172.26.48.96 - MAC Address: 00:50:56:bd:4f:12
Plugin Name
1.2. Enable SSH (Protocol 2)
Severity
Total
High

172.26.48.96 - MAC Address: 00:50:56:bd:4f:12
Plugin Name
1.2.9 Disable Core Dumps
Severity
Total
High

Plugin Name
1.2.7 Reduce the sudo timeout period
Severity
Total
High

Plugin Name
1.2.3 Create an access warning for the command line
Severity
Total
High

Plugin Name
1.2.1 Use an EFI password
Severity
Total
High

Plugin Name
1.2.11 Audit: Force Audit Policy Subcategory Settings (Windows Vista or
Later) to Override Audit Policy Category Settings: Enabled
Severity
Total
High

Chapter 1
54
Plugin Name
Severity
Total
1.2.11 Audit: Force audit policy subcategory settings (Windows Vista or later)
to override audit policy category settings
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.2.9 Audit system events
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.2.8 Audit process tracking
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.2.7 Audit privilege use
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.2.6 Audit policy change
Severity
Total
High

Chapter 1
55
172.26.23.58 - MAC Address: 00:50:56:bd:61:43

Plugin Name
1.2.5 Audit object access
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.2.4 Audit logon events
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.2.3 Audit directory service access
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.2.2 Audit account management
Severity
Total
High

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.2.1 Audit account logon events
Severity
Total
High
Chapter 1
56
172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
Severity
Total
1.2 Validate Your System Before Making Changes, should pass /var/log/* do
not contain any files with error, warning or critical messages.
High

Plugin Name
1.2.5 Disable yum-updatesd
Severity
Total
High

Plugin Name
1.2 Validate Your System Before Making Changes, should pass if /var/log/*
do not contain any files with error, warning or critical messages.
Severity
Total
High

172.26.48.43 - MAC Address: 00:50:56:be:27:f3 DNS Name: opensuse10.target.tenablesecurity.com
Plugin Name
1.2 Validate Your System Before Making Changes, should if pass /var/log/*
do not contain any files with error, warning or critical messages.
Severity
Total
High

172.26.48.43 - MAC Address: 00:50:56:be:27:f3 DNS Name: opensuse10.target.tenablesecurity.com
Plugin Name
1.2.4 Disable the rhnsd Daemon
Severity
Total
High

Plugin Name
1.2.6 Verify Package Integrity Using RPM
Severity
Total
High

172.26.48.78
Chapter 1
57
Plugin Name
1.2.2 Verify Red Hat GPG Key is Installed
Severity
Total
High

172.26.48.78
Manual Check Required Summary

Plugin Name
Severity
Total
Medium
Plugin Name
Severity
Total
1.2.3.9 Require NetFlow Secure Event Logging (logging flow-export-syslogs)
Medium
Severity
Total
Medium
Severity
Total
Medium
Severity
Total
Medium
1.2 Require Physical Security

Hosts in Repository 'net_172.26.0':
172.26.0.17 - MAC Address: 00:24:dc:0e:3b:88

Plugin Name
1.2.3.3 Require Logging Facility
Plugin Name
1.2.2.1.1 Generate the RSA Key Pair
Plugin Name
1.2.8 Remove unneeded QuickTime components
Plugin Name
1.2.5 Obtain Software Package Updates with yum
Severity
Total
Medium

172.26.48.78
Plugin Name
1.2.1 Configure Connection to the RHN RPM Repositories
Severity
Total
Medium
Chapter 1
58

172.26.48.78
Passed Checks
Plugin Name
Severity
Total
Info
Severity
Total
Info
Plugin Name
Severity
Total
1.2.3.6 Require Logging Trap Severity Level - 'logging trap = informational or

debugging'
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
1.2.3.8 Require Timestamps in Log Messages

Plugin Name
1.2.3.7 Require System Logging

Plugin Name
1.2.3.4 Require Logging History Level - 'logging history = notifications or
informational'
Plugin Name
1.2.2.1.6 Require SSH version 2 - 'ssh version = 2'
Plugin Name
1.2.2.1.3 Configure a local user account
Plugin Name
1.2.2.1.2 Configure AAA authentication local
Plugin Name
1.2.1.3 Require Summer Time Clock When Using Local Time Zone - 'clock
summer-time recurring'
Chapter 1
59
Plugin Name
1.2.1.3.1 Set Local Time Zone
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info
Severity
Total
Info

Plugin Name
1.2.8 Disable Info module - 'info_module is not loaded'
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.7 Disable User Directories Modules - 'userdir_* is not loaded'
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.6 Disable Proxy Modules - 'proxy_* is not loaded'
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.5 Disable Autoindex module - 'autoindex_module is not loaded'
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.4 Disable Status module - 'status_module is not loaded'
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.3 Disable WebDAV modules - 'dav_*module is not loaded'
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.2 Enable the Log Config Module - 'log_config_module is loaded'
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
1.2.1 Enable only necessary Authentication and Authorization Modules 'Loaded ldap* modules'
Chapter 1
60
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b
Plugin Name
Severity
Total
Info
Plugin Name
Severity
Total
1.2 Install TCP Wrappers - Check if permissions for /etc/default/inetd are OK.
Info
1.2.1 Enable only necessary Authentication and Authorization Modules 'Loaded auth._* modules'
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b

Plugin Name
Severity
Total
1.2 Install Solaris 10 Encryption Kit - Check if Package SUNWcryr is installed
Info

Plugin Name
1.2 Install Solaris 10 Encryption Kit - Check if Package SUNWcry is installed
Severity
Total
Info

Plugin Name
Severity
Total
1.2 Install Solaris 10 Encryption Kit - Check if Package SUNWcrman is install

ed
Info

Plugin Name
1.2. Enable SSH (sshd_enable)
Severity
Total
Info

172.26.48.96 - MAC Address: 00:50:56:bd:4f:12
Plugin Name
1.2. Enable SSH (Banner)
Severity
Total
Info

172.26.48.96 - MAC Address: 00:50:56:bd:4f:12
Plugin Name
1.2. Enable SSH (PermitRootLogin)
Severity
Total
Info
Chapter 1
61

172.26.48.96 - MAC Address: 00:50:56:bd:4f:12
Plugin Name
1.2.6 Disable the iSight camera
Severity
Total
Info

Plugin Name
1.2.5 Disable Bluetooth
Severity
Total
Info

Plugin Name
1.2.10 Audit: Shut Down System Immediately if Unable to Log Security
Audits: Disabled
Severity
Total
Info

Plugin Name
1.2.10 Audit: Shut down system immediately if unable to log security audits
Severity
Total
Info

172.26.23.58 - MAC Address: 00:50:56:bd:61:43
Plugin Name
1.2 Establish a BIOS Password
Severity
Total
Info

Plugin Name
1.2.4 Disable the rhnsd Daemon
Severity
Total
Info

172.26.48.78
Plugin Name
1.2.3 Verify that gpgcheck is Globally Activated
Severity
Total
Info
Chapter 1
62

172.26.48.78
Chapter 1
63

Top Failed CIS Windows Server 2008 R2 Checks

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Top Failed CIS Windows Server 2008 R2 Checks

Diunggah oleh

Hak Cipta:

Format Tersedia

CIS MS Windows Server

CIS MS Windows Server 2008 R2 MS V2.1.0

About This Report

About This Report

CIS MS Windows Server 2008 R2 MS V2.1.0

Section Matrix Summary

Compliance By Subnet (Top 10)

CIS MS Windows Server 2008 R2 MS V2.1.0

Failed Check Summary

1.12.8 Do not allow additional path delimiters (verify ALLOW_BACKSLASH is

1.12.13 Increase the entropy in session identifiers

Hosts in Repository 'net_10_31_112':

CIS MS Windows Server 2008 R2 MS V2.1.0

10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b

Hosts in Repository 'net_10_31_112':

CIS MS Windows Server 2008 R2 MS V2.1.0

Hosts in Repository 'net_172_26_22':

CIS MS Windows Server 2008 R2 MS V2.1.0

1.1.11 Default account passwords - 'Change the default password for

Hosts in Repository 'net_172_26_22':

CIS MS Windows Server 2008 R2 MS V2.1.0

Hosts in Repository 'net_10_31_254':

Hosts in Repository 'net_10_31_254':

CIS MS Windows Server 2008 R2 MS V2.1.0

Hosts in Repository 'net_10_31_254':

Hosts in Repository 'net_10_31_254':

CIS MS Windows Server 2008 R2 MS V2.1.0

Hosts in Repository 'net_10_31_254':

1.1.1.2 Require AAA Authentication for Console and Other Interactive

Hosts in Repository 'net_10_31_102':

CIS MS Windows Server 2008 R2 MS V2.1.0

Hosts in Repository 'net_10_31_112':

1.16 Software Information Leakage Protection. (ErrorDocument 401 /custom4

1.16 Software Information Leakage Protection. (ErrorDocument 500 /

Hosts in Repository 'net_10_31_112':

CIS MS Windows Server 2008 R2 MS V2.1.0

Hosts in Repository 'net_10_31_112':

CIS MS Windows Server 2008 R2 MS V2.1.0

Hosts in Repository 'net_10_31_112':

Hosts in Repository 'net_172_26_23':

Hosts in Repository 'net_172_26_23':

CIS MS Windows Server 2008 R2 MS V2.1.0

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

1.12.10 Restrictions for Unauthenticated RPC Clients = Enabled and Authent

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

CIS MS Windows Server 2008 R2 MS V2.1.0

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

1.12.2 Require a Password When a Computer Wakes (Plugged In) = Enabled

Hosts in Repository 'net_172_26_48':

1.12.1 Require a Password When a Computer Wakes (On Battery) = Enabled

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':

Hosts in Repository 'net_172_26_48':