1. Operating System Security Baseline

1.1 Patch & Update Management

• All servers must remain fully patched using Windows Update, WSUS, or an approved centralized patching solution.
• Critical and security updates must be applied within defined maintenance windows.

1.2 Malware Protection

• A single, supported antivirus platform must be enabled with real-time protection.
• Multiple antivirus engines on the same system are prohibited.
• Required Askia directories and executables must be explicitly whitelisted.

1.3 Access Control

• Least-privilege principles must be enforced at all times.
• Domain Admin and Local Administrator accounts must not be used for routine operations.
• Strong password policies must be enforced, including length, complexity, lockout thresholds, and privileged account rotation.

1.4 System Hardening

• Windows Firewall must be enabled with inbound rules restricted to required services only.
• Full-disk encryption (BitLocker or equivalent) must be enabled on all server volumes.
• Legacy and insecure protocols (e.g., SMBv1, SSLv3, NTLMv1) must be disabled.
• Automatic logoff for inactive RDP and console sessions must be enforced via Group Policy.

1.5 Logging & Monitoring

• Windows Event Logs must be reviewed regularly.
• Logs must be forwarded to a centralized SIEM or log analysis platform for correlation and investigation.

2. Windows Server Configuration Standards

• The built-in Administrator account must be renamed or disabled and secured with a strong password.
• Unused Windows Roles and Features must be removed.
• RDP access must enforce Network Level Authentication (NLA), restricted source IPs, VPN routing, and MFA where feasible.
• Unnecessary services (e.g., Remote Registry, legacy SNMP) must be disabled.
• Local Administrators group membership must be audited regularly.
• Accurate NTP time synchronization must be configured.

3. User Account Control (UAC)

• UAC must be set to Always Notify on all servers.
• Administrator credentials must be required for elevation.
• Known UAC bypass mechanisms must be blocked via Group Policy.
• Exceptions (e.g., CTArchitect requiring an active user session) must be reviewed with Askia Support.

4. Active Directory & Identity Security

4.1 Domain Controllers

• Domain Controllers must host only Active Directory Domain Services.
• Strong password and lockout policies must be enforced via Group Policy.
• Domain health and replication must be verified regularly.
• A tiered administrative model must be implemented.
• Privileged groups must be closely monitored.
• LDAPS must be required, and legacy authentication protocols restricted.

4.2 Active Directory Management

• Organizational Units must be structured for clear policy targeting.
• Stale user and computer accounts must be disabled or removed.
• MFA must be required for privileged accounts and high-value systems.
• Group memberships and delegated permissions must be reviewed periodically.
• AD-aware and system state backups must be performed and restoration tested.
• Standardized security baseline GPOs must be applied consistently.

5. IIS Security Baseline

• TLS 1.0, TLS 1.1, and weak cipher suites must be disabled using registry settings or approved tools (e.g., IISCrypto).
• Default .NET and ASP.NET folders must be removed.
• Unused Application Pools must be deleted.
• Application Pools must run under least-privilege identities (IISAppPool\AppPoolName).
• Unused protocol bindings (net.pipe, net.msmq) must be removed.
• Insecure HTTP headers must be removed or modified.
• HSTS must be enabled (without forced HTTP-to-HTTPS redirection).
• IIS logs must be centralized.
• Failed Request Tracing must be enabled.
• Default IIS content pages must be removed.
• Web crawler access must be restricted via a robots.txt policy.

6. Third-Party Software Standards

• Only supported and required VC++ Redistributables may be installed and must remain patched.
• Only approved Microsoft Access Database Engines and runtimes may be installed.
• All third-party software must be kept current and patched.