Updated On: 06.01.2014(Version 1.

0) INTERNAL USE

BASELINE CHECKLIST

No. Baseline Setting Value Comply Remarks

(Y/N) (if not comply)
1. FILE SYSTEM
1.1. Use of secure File System NTFS

2. ACCOUNT POLICIES
2.1. Account lockout threshold 3 invalid logon attempts
2.2. Account lockout duration 0 minutes
2.3. Reset account lockout counter after 60 minutes
2.4. Enforce password history 6 passwords remembered
2.5. Maximum password age 90 days
2.6. Minimum password age 1 day
2.7. Minimum password length 8 characters
2.8. Password must meet complexity requirements Enabled
2.9. Store password using reversible encryption for all users in the domain Disabled

3. USER RIGHTS ASSIGNMENT

3.1. Force shutdown from a remote system Administrators
Act as part of the operating system
3.2. No One
*This rules doesn’t applicable to domain controller & cluster servers
Add workstations to domain
3.3. *This control will not applicable to standalone server, as there isn’t any domain available or Domain Administrators, DCS
the server not design to work with domain controller.
Allow log on locally
3.4. *This rules doesn’t applicable to Citrix servers, where the architecture consist level 2 Administrators
authentication, user access control and Citrix system access requirement
3.5. Change the System Time LOCAL SERVICE, Administrators
3.6. Deny log on as a batch job Guests
3.7. Deny log on through Terminal Services Guests

4. AUDIT POLICIES
4.1. Account Logon: Credential Validation Success and Failure
4.2. Account Management: Computer Account Management Success and Failure
4.3. Account Management Other Account Management Events Success and Failure
4.4. Account Management: Security Group Management Success and Failure
4.5. Account Management: User Account Management Success and Failure

PETRONAS Windows Server 2012 Security Baseline Page 1 of 6

Updated On: 06.01.2014(Version 1.0) INTERNAL USE

No. Baseline Setting Value Comply Remarks

(Y/N) (if not comply)
4.6. Logon-Logoff: Logoff Success
4.7. Logon-Logoff: Logon Success and Failure
4.8. Logon-Logoff: Special Logon Success and Failure
4.9. Logon-Logoff: Other Logon/Logoff Events Success and Failure
4.10. Policy Change: Audit Policy Change Success and Failure
4.11. Policy Change: Authentication Policy Change Success
4.12. Policy Change: Authorization Policy Change Success
4.13. System: IPsec Driver Success and Failure
4.14. System: Security State Change Success and Failure
4.15. System: Security System Extension Success and Failure
4.16. System: System Integrity Success and Failure
4.17. Privilege Use: Sensitive Privilege Use Success and Failure

5. SECURITY OPTIONS
5.1. Accounts: Guest Account Status Disabled
5.2. Accounts: Limit local accounts use of blank passwords to the console only Enabled
5.3. Accounts: Rename Guest account Verify that Guest account is renamed
5.4. Accounts: Rename administrator account Verify that Administrator account is renamed
5.5. Audit: Audit use of backup and restore privilege Enabled
5.6. Audit: Audit the access of global system objects Disabled
5.7. Audit: Shutdown system immediately if unable to log security audits Disabled
5.8. Audit: Force audit policy subcategory settings to override audit policy category settings Enabled
5.9. Devices: Restrict CD-ROM access to locally logged-on user only Enabled
5.10. Devices: Restrict floppy access to locally logged-on user only Enabled
5.11. Domain member: Digitally encrypt or sign secure channel data (always) setting. Enabled
5.12. Domain member: Digitally encrypt secure channel data (when possible) setting. Enabled
5.13. Domain member: Digitally sign secure channel data (when possible) setting. Enabled
5.14. Domain member: Disable machine account password changes Disabled
5.15. Domain member: Require strong session key Enabled
5.16. Microsoft network client: Digitally sign communications (always) Enabled
5.17. Microsoft network client: Digitally sign communications (if server agrees) Enabled
5.18. Microsoft network client: Send unencrypted password to third-party SMB Servers Disabled
5.19. Microsoft network server: Amount of idle time required before suspending session 15 minutes

PETRONAS Windows Server 2012 Security Baseline Page 2 of 6

Updated On: 06.01.2014(Version 1.0) INTERNAL USE

No. Baseline Setting Value Comply Remarks

(Y/N) (if not comply)
5.20. Microsoft network server: Digitally sign communications (always) Enabled
5.21. Microsoft network server: Digitally sign communications (if client agrees) Enabled
5.22. MSS: (AutoAdminLogon) Enable Automatic Logon Disabled
5.23. MSS: (DisableIPSourceRouting) IP source routing protection level Highest protection, source routing is completely disabled
5.24. MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Disabled
5.25. MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds 300000 or 5 minutes
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway
5.26. Disabled
addresses
5.27. MSS: (SafeDllSearchMode) Enable Safe DLL search mode Enabled
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period
5.28. 0
expires
5.29. MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted 3
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will
5.30. 90%
generate a warning
5.31. Network access: Allow anonymous SID/Name translation Disabled
5.32. Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
Network access: Do not allow storage of passwords and credentials for network
5.33. Enabled
authentication
5.34. Network access: Let Everyone permissions apply to anonymous users Disabled
5.35. Network access: Sharing and security model for local accounts Classic – Local users authenticate as themselves
5.36. Network security: LDAP client signing requirements Require Signing
5.37. Network security: Force logoff when logon hours expire Enabled
5.38. Network security: Do not store LAN Manager hash value on next password change Enabled
5.39. System objects: Strengthen Default permissions on Internal System Objects Enabled
5.40. Interactive Logon: Do not display last username Enabled
This system is restricted to PETRONAS authorised users
5.41. Interactive Logon: Message Title for users attempting to logon
only.
This system is restricted to PETRONAS authorised users
only. Illegal and/or unauthorised access is strictly
5.42. Interactive Logon: Message Text for users attempting to logon prohibited. All activities on this system will be monitored
and appropriate action will be taken against
unauthorised users.
5.43. Interactive logon: Do not require CTRL + ALT + DEL Disabled
5.44. Recovery console: Allow automatic administrative logon Disabled
5.45. Recovery console: Allow floppy copy and access to all drives and all folders Disabled
5.46. Shutdown: Allow system to be shut down without having to log on Disabled
5.47. User Account Control: Admin Approval Mode for the Built-in Administrator account Enabled

PETRONAS Windows Server 2012 Security Baseline Page 3 of 6

Updated On: 06.01.2014(Version 1.0) INTERNAL USE

No. Baseline Setting Value Comply Remarks

(Y/N) (if not comply)
User Account Control: Allow UIAccess applications to prompt for elevation without using the
5.48. Disabled
secure desktop
5.49. User Account Control: Behaviour of the elevation prompt for standard users Prompt for credentials
Remote Procedure Call: Enable restrictions for unauthenticated RPC clients
5.50. Enabled - Authenticated
*This rules doesn’t applicable to domain controller & cluster servers
Remote Procedure Call: RPC Endpoint Mapper client authentication
5.51. Enabled
*This rules doesn’t applicable to domain controller & cluster servers
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style
5.52. Enabled
filenames
System cryptography: Use FIPS140 compliant cryptographic algorithms, including encryption,
5.53. Enabled
hashing and signing algorithms

6. WINDOWS COMPONENTS
6.1. Event Log Service\Application: Maximum log size (KB) 250 MB
6.2. Event Log Service\Application: Retain old events Disabled
6.3. Event Log Service\Security: Maximum log size (KB) 250 MB
6.4. Event Log Service\Security: Retain old events Disabled
6.5. Event Log Service\System: Maximum log size (KB) 250 MB
6.6. Event Log Service\System: Retain old events Disabled
Remote Desktop Services: Do not allow passwords to be saved
6.7. *This rules doesn’t applicable to Citrix servers, where the architecture consist level 2 Enabled
authentication, user access control and Citrix system access requirement access
Remote Desktop Services: Always prompt for password upon connection
6.8. *This rules doesn’t applicable to Citrix servers, where the architecture consist level 2 Enabled
authentication, user access control and Citrix system access requirement access
Remote Desktop Services: Set client connection encryption level
6.9. *This rules doesn’t applicable to Citrix servers, where the architecture consist level 2 High
authentication, user access control and Citrix system access requirement access
6.10. Remote Desktop Services: Sets a time limit for active but idle Terminal Service sessions 15 minutes
6.11. MK Protocol Restriction: Internet Explorer Processes Enabled
6.12. Required user authentication for remote connections by using Network Level Authentication Enabled

7. SERVICES
7.1. Microsoft iSCSI Initiator Service Disabled
7.2. Network Access Protection Agent Disabled
7.3. Remote Procedure Call (RPC) Locator Disabled
7.4. Smart Card Disabled
7.5. Smart Card Removal Policy Disabled

PETRONAS Windows Server 2012 Security Baseline Page 4 of 6

Updated On: 06.01.2014(Version 1.0) INTERNAL USE

No. Baseline Setting Value Comply Remarks

(Y/N) (if not comply)
7.6. SNMP Trap Disabled
7.7. Telnet Disabled
7.8. Microsoft FTP Server Services Disabled

8. CONTROL PANEL
8.1. Display: Enable Screen Saver Enabled
8.2. Display: Screen Saver Timeout 600 seconds
8.3. Display: Password Protect the screen saver Enabled

9. INTERNET COMMUNICATION SETTINGS

9.1. Turn off downloading of print drivers over HTTP Enabled
9.2. Turn off printing over HTTP Enabled
9.3. Turn off Internet download for Web publishing and online ordering wizards Enabled
9.4. Turn off Search Companion content file updates Enabled
9.5. Turn off the “Publish to Web” task for files and folders Enabled
9.6. Turn off the Windows Messenger Customer Experience Improvement Program Enabled

10. AUTOPLAY
10.1. Turn off Autoplay Enabled

11. CREDENTIAL USER INTERFACE

11.1. Enumerate administrator accounts on elevation Enabled

PETRONAS Windows Server 2012 Security Baseline Page 5 of 6

Updated On: 06.01.2014(Version 1.0) INTERNAL USE

Task Details: Date:

Server/Workstation/Device Details:

IP Address: Hostname:

Remarks:

Implemented Verified By:

By:
Signature: Signature:
Name: Name:
Date: Date:

PETRONAS Windows Server 2012 Security Baseline Page 6 of 6