Control Compliance Suite


How to fix CIS Microsoft Windows Server 2012 R2 v2.2.0/v2.2.1 

Jan 08, 2018 11:29 AM

The predefined CCS technical standards "CIS Microsoft Windows Server 2012 R2 v2.2.0" and "CIS Microsoft Windows Server 2012 R2 v2.2.1" have issues with the following checks:

  • 1.2.3 Is the 'Reset account lockout counter after' parameter set to '15 or more minute(s)'?
    • The expression should use “Greater or equal to” instead of “Equal to”.
  • 18.4.13.1 (18.4.14.1) Is the 'Hardened UNC Paths' parameter set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'?
    • Check logic has trouble reading an unusual registry value name like "\\*\SYSVOL".
  • 18.9.22.3 (18.9.24.3) Is the 'Default Protections for Internet Explorer' parameter set to 'Enabled'?
    • Check logic has trouble reading an unusual registry value name like " *\Internet Explorer\iexplore.exe". On top of that, the original check does not verify whether the registry value data matches.
  • 18.9.22.4 (18.9.24.4) Is the 'Default Protections for Popular Software' parameter set to 'Enabled'?
    • Check logic has trouble reading an unusual registry value name like " *\7-Zip\7z.exe". On top of that, the original check does not verify whether the registry value data matches.
  • 18.9.22.5 (18.9.24.5) Is the 'Default Protections for Recommended Software' parameter set to 'Enabled'?
    • Check logic has trouble reading an unusual registry value name like " *\Adobe\*\Reader\AcroRd32.exe". On top of that, the original check does not verify whether the registry value data matches.
  • 18.9.24.4.2 (18.9.26.4.2) Is the 'System: Specify the maximum log file size (KB)' parameter set to 'Enabled: 32,768 or greater'?
    • A bug in the WMI registry check causes it not to recognize values properly.
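To cross-check the Hardened UNC Paths result on a host independently of CCS, the value names can be read literally and the data compared as well. This is an added example, not part of the original post or of the CCS standard; the registry key path and the `RequireMutualAuthentication=1, RequireIntegrity=1` data format are assumptions taken from the documented Windows policy location, and the function name `Test-HardenedPathData` is hypothetical.

```powershell
# Added example (not CCS code): verify check 18.4.13.1 (18.4.14.1) locally.
# Assumption: the policy is stored under the documented HardenedPaths key.
$key           = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$requiredNames = '\\*\NETLOGON', '\\*\SYSVOL'
$requiredFlags = 'RequireMutualAuthentication', 'RequireIntegrity'

function Test-HardenedPathData {
    param([string]$Data)
    # Parse data such as "RequireMutualAuthentication=1, RequireIntegrity=1"
    # into name/value pairs, then require every flag to be set to 1.
    $settings = @{}
    foreach ($pair in ($Data -split ',')) {
        $k, $v = $pair -split '=', 2
        if ($null -ne $v) { $settings[$k.Trim()] = $v.Trim() }
    }
    foreach ($flag in $requiredFlags) {
        if ($settings[$flag] -ne '1') { return $false }
    }
    return $true
}

# -LiteralPath keeps the provider from expanding wildcards in the key path.
$regKey = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue

foreach ($name in $requiredNames) {
    # RegistryKey.GetValue takes the value name literally, so '*' and '\'
    # in names like "\\*\SYSVOL" are not treated as wildcard or path characters.
    $data = $null
    if ($regKey) { $data = $regKey.GetValue($name, $null) }

    if ($null -eq $data) { $status = 'MISSING' }
    elseif (Test-HardenedPathData -Data ([string]$data)) { $status = 'PASS' }
    else { $status = 'FAIL' }

    [pscustomobject]@{ ValueName = $name; Data = $data; Status = $status }
}
```

A `MISSING` status means the value name is not present under the key; `FAIL` means the name exists but its data does not set both flags to 1.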

I have provided more details about the issues and a few ways to fix them in the attached Word document. Due to the considerable amount of screenshots and table data from evidence, it was easier for me to put that into a Word document than to create all that content here.

You will also find the attached standard with fixed checks in the download section: https://www.symantec.com/connect/downloads/fixed-checks-cis-microsoft-windows-server-2012-r2-v220v221

The issues were confirmed by the Symantec CCS support personnel, and they are working on fixes that will probably be included in the next SCU.

DISCLAIMER: Information here is provided AS IS without warranty of any kind; do not use it in a production environment without proper testing.

 

 

 

Attachment(s)
docx file
How to fix CIS Microsoft Windows Server 2012 R2 v2.2.0_v2....docx   151 KB   1 version
Uploaded - Feb 25, 2020
