Acme  QA Results
Script Version: v4.17.1026 Configuration file: development Generated on: 2017/10/26 10:17 Generated by: acme\username
SERVER01.ACME.LAN
VMware Virtual Guest
Microsoft Windows Server 2012 R2 Standard
2x Intel Core i5-6300U CPU @ 2.40GHz,    32.0GB
Pass30
Warning5
Fail32
Manual1
N/A26
Error0
Jump Links To Sections

Accounts Compliance Drives HyperV Host Network Regional Security System Virtual

Accounts
  • Accounts
    01
    Check all local users to ensure that no non-standard accounts exist. Unless the server is not in a domain, there should be no additional user accounts. Example standard accounts include "ASPNET", "__VMware"

  • PassNo additional local accounts
  • WarningThis is a work group server, is this correct.?
  • FailOne or more local accounts exist

  • Applies ToAll Servers
  • acc01
    Local Users
    No additional local accounts
    Data
    None
  • Accounts
    02
    Checks to see if the default local "Administrator" and "Guest" accounts have been renamed.

  • PassLocal accounts have been renamed
  • FailA local account was found that needs to be renamed

  • Applies ToAll Servers
  • acc02
    Local Account Names
    A local account was found that needs to be renamed
    Data
    Administrator: Administrator,
    Guest: Guest
  • Accounts
    03
    Check the local administrators group to ensure no non-standard accounts exist.
    If there is a specific application requirement for local administration access then these need to be well documented.

  • PassNo local administrators found
  • WarningThis is a work group server, is this correct.?
  • FailOne or more local administrator accounts exist

  • Applies ToAll Servers
  • acc03
    Local Administrators
    One or more local administrator accounts exist
    Data
    Administrator,
  • Accounts
    04
    Check all local groups and ensure no additional groups exist.
    If there is a specific application requirement for local groups then these need to be documented with a designated team specified as the owner. If you use specific role groups, make sure they are excluded in the settings file.

  • PassNo additional local accounts
  • FailOne or more local groups exist
  • N/AServer is a domain controller

  • Applies ToAll Servers
  • acc04
    Local Groups
    No additional local accounts
    Data
    None
  • Accounts
    05
    Checks all services to ensure no user accounts are assigned.
    If specific application service accounts are required then they should be domain level accounts (not local) and restricted from interactive access by policy.

  • PassNo services found running under a local accounts
  • WarningOne or more services was found to be running under local accounts

  • Applies ToAll Servers
  • acc05
    Service Logon Accounts
    No services found running under a local accounts
    Data
    None
  • Accounts
    06
    Checks to make sure that the guest user account has been disabled. The guest account is located via the well known SID.

  • PassGuest account is disabled
  • FailGuest account has not been disabled
  • N/AGuest account does not exist

  • Applies ToAll Servers
  • acc06
    Guest Account
    Guest account is disabled
    Data
    None
  • Accounts
    07
    Checks the built-in group memberships to make sure specific users or groups are members. If there is only one entry in "GroupMembers", then "AllMustExist" will be set to "TRUE".
    This is check 1 of 3 that can be used to check different groups.

  • PassGroup membership configured correctly
    One or more users are members of the selected group
  • WarningInvalid group name, or group member list is empty
  • FailGroup membership is not correct

  • Applies ToAll Servers
  • acc07
    Built-In Group Members (1 of 3)
    Invalid group name, or group member list is empty
    Data
    Remote Desktop Users
    Compliance
  • Compliance
    01
    Check that McAfee anti-virus is installed and virus definitions are up to date.

  • PassMcAfee product found,
    DATs are OK,#
    Access Protection is installed and running
  • FailMcAfee product found, but wrong version,
    DATs are not up-to-date,#
    No DAT version found,#
    Access Protection is not installed or enabled
    {0} not found, install required

  • Applies ToAll Servers
  • com01
    McAfee AV Installed
    McAfee VirusScan Enterprise not found, install required
    Data
    None
  • Compliance
    02
    Check relevant monitoring tool agent is installed and that the correct port is open to the management server.

  • PassVersion {0},#Port {1} open to {2}
  • FailVersion {0},#Port {1} not open to {2}
    Version {0},#Agent not configured with port and/or server name
    Monitoring software not found, install required

  • Applies ToAll Servers
  • com02
    Monitoring Installed
    Monitoring software not found, install required
    Data
    None
  • Compliance
    03
    Check relevant SCCM agent process is running, and that the correct port is open to the management server.

  • FailSCCM agent not found, install required

  • Applies ToAll Servers
  • com03
    SCCM Installed
    SCCM agent not found, install required
    Data
    None
  • Compliance
    04
    Check NetBackup agent is installed and that the correct port is open to the management server. Only applies to physical servers, or virtual servers with a list of known software installed.

  • ManualNetBackup agent not found, VADP backup.?

  • Applies ToAll Servers
  • com04
    NetBackup Agent Installed
    NetBackup agent not found, VADP backup.?
    Data
    Is this server backed up via VADP.? Manually check vCenter annotations
  • Compliance
    05
    Check server is compliant with patch policy (must be patched to latest released patch level for this customer). Check date of last patch and return WARNING if not within specified number of days, and FAIL if not within number of days *2.

  • PassWindows patches applied
  • FailNo last patching date

  • Applies ToAll Servers
  • com05
    Patching Compliant
    No last patching date
    Data
    This server has never been patched
  • Compliance
    06
    Check that a WSUS server has been specified and that the correct port is open to the management server.

  • PassWSUS server configured
  • FailWSUS server has not been configured

  • Applies ToAll Servers
  • com06
    WSUS Server Setting
    WSUS server has not been configured
    Data
    None
  • Compliance
    09
    Check that Trend anti-virus is installed and virus definitions are up to date.

  • PassTrend product found,
    DATs are OK
  • FailTrend product found, but wrong version,
    DATs are not up-to-date
    No DAT version found
    Trend product not found, install required

  • Applies ToAll Servers
  • com09
    Trend AV Installed
    Trend product not found, install required
    Data
    None
  • Compliance
    12
    Check that only one server role or feature is installed

  • PassNo extra server roles or features installed
    One extra server role or feature installed
  • FailOne or more extra server roles or features installed
  • N/AOperating system not supported

  • Applies ToAll Servers
  • com12
    Only One Server Role Or Feature
    One extra server role or feature installed
    Data
    SNMP Service,
    Drives
  • Drives
    01
    Check the system drive is a minimum size of 50gb for Windows 2008+ servers (some are reporting 49gb).

  • PassSystem drive meets minimum required size
  • FailSystem drive is too small, should be {0}GB

  • Applies ToAll Servers
  • drv01
    System Drive Size
    System drive meets minimum required size
    Data
    Current Size: 50GB
  • Drives
    02
    Ensure all drives have a minimum amount of free space. Measured as a percentage.

  • PassAll drives have the required minimum free space of {0}%
  • FailOne or more drives were found with less than {0}% free space
  • ManualUnable to get drive information, please check manually

  • Applies ToAll Servers
  • drv02
    Min Drive % Free Space
    All drives have the required minimum free space of 17%
    Data
    C: (81% free),
  • Drives
    03
    Check the page file is located on the system drive and is a fixed size. The default setting is 4096MB (4GB). If the page file is larger a document detailing the tuning process used must exist and should follow Microsoft best tuning practices (http://support.microsoft.com/kb/2021748).

  • PassPage file is set correctly
  • FailPage file is system managed
    Page file is not set correctly
    Page file does not exist on {0} drive
  • ManualUnable to get page file information, please check manually

  • Applies ToAll Servers
  • drv03
    Page File Location & Size
    Page file is system managed
    Data
    It should be set as follows,
    A fixed custom size of 4096mb and located on the C:\ drive
  • Drives
    04
    If a CD/DVD drive is present on the server confirm it is configured as "R:".

  • PassCD/DVD drive set correctly
  • FailCD/DVD drive found, but not configured as {0}
  • N/ANo CD/DVD drives found

  • Applies ToAll Servers
  • drv04
    CD/DVD Drive Letter
    CD/DVD drive found, but not configured as R:
    Data
    D:,
  • Drives
    05
    Check shared folders to ensure no additional shares are present. Shared folders should be documented with a designated team specified as the owner.

  • PassNo additional shares found
  • WarningShared folders found, check against documentation

  • Applies ToAll Servers
  • drv05
    Shared Folders
    No additional shares found
    Data
    None
  • Drives
    06
    Where SAN storage is used, ensure multipathing software is installed and Dual Paths are present and functioning. This only checks that known software is installed. A manual check must be done to ensure it is configured correctly.

  • FailSAN storage software not found, install required
  • Manual{0} found
  • N/ANot a physical server
    Windows 2012 and above should be using native multipathing
    Operating system not supported

  • Applies ToAll Servers
  • drv06
    SAN Storage Software
    Not a physical server
    Data
    None
  • Drives
    07
    Check local disk array management agent is installed on the server. This only checks that known software is installed. A manual check must be done to ensure it is configured correctly.

  • FailDisk management software not found, install required
  • Manual{0} found
  • N/ANot a physical server
    Operating system not supported

  • Applies ToAll Servers
  • drv07
    Disk Management Agent
    Not a physical server
    Data
    None
  • Drives
    08
    Ensure all drives are formatted as NTFS.

  • PassAll drives are formatted as NTFS
  • FailOne or more drives were found not formatted as NTFS
  • ManualUnable to get drive information, please check manually

  • Applies ToAll Servers
  • drv08
    Drives NTFS format
    All drives are formatted as NTFS
    Data
    None
  • Drives
    09
    Ensure all drives types are set to BASIC and with a partition style of MBR.

  • PassAll drive types are BASIC, with partition styles of MBR
  • FailOne or more partition styles are not MBR,#
    One or more drives types are not BASIC,#
    One of more drives are unknown
    Ignoring unknown drive types

  • Applies ToAll Servers
  • drv09
    Drive Partition Type
    All drive types are BASIC, with partition styles of MBR
    Data
    None
    HyperV Host
  • HyperV Host
    01
    Check Hyper-V is installed on Windows Server Core.

  • PassHyper-V is using Windows Server Core
  • FailHyper-V is not using Windows Server Core
  • N/ANot a Hyper-V host server

  • Applies ToHyper-V Hosts
  • hvh01
    Server Core
    Not a Hyper-V host server
    Data
    None
  • HyperV Host
    02
    Check all virtual machines are using thick provisioned disks

  • PassAll virtual machines are using thick provisioned disks
  • FailOne or more virtual machines are not using thick provisioned disks
  • N/ANot a Hyper-V host server
    No virtual machines exist on this host

  • Applies ToHyper-V Hosts
  • hvh02
    Thick Provisioned Disks
    Not a Hyper-V host server
    Data
    None
  • HyperV Host
    03
    Check all virtual machines are running from a non-system drive.

  • PassNo virtual machines are using the system drive
  • FailOne or more virtual machines are using the system drive
  • N/ANot a Hyper-V host server
    No virtual machines exist on this host

  • Applies ToHyper-V Hosts
  • hvh03
    VM Location
    Not a Hyper-V host server
    Data
    None
  • HyperV Host
    04
    Check the version of the Integration Services installed on all virtual machines

  • PassAll virtual machines are up to date
  • FailOne or more virtual machines are not up to date, or do not have the integration services installed
  • N/ANot a Hyper-V host server
    No virtual machines exist on this host

  • Applies ToHyper-V Hosts
  • hvh04
    Integration Services
    Not a Hyper-V host server
    Data
    None
  • HyperV Host
    05
    Check the network adapter jumbo frame setting. Should be set to 9000 or more.

  • PassAll network adapters configured correctly
  • FailOne or more network adapters are not using Jumbo Frames
    No network adapters found or enabled
  • N/ANot a Hyper-V host server

  • Applies ToHyper-V Hosts
  • hvh05
    Jumbo Frames Enabled
    Not a Hyper-V host server
    Data
    None
  • HyperV Host
    06
    Check that all Windows 2012+ virtual machines are built as generation 2

  • PassAll virtual machines are the correct generation type
  • FailOne or more Windows 2012+ virtual machines are not set as generation 2
  • N/ANot a Hyper-V host server
    No virtual machines exist on this host

  • Applies ToHyper-V Hosts
  • hvh06
    Generation Type
    Not a Hyper-V host server
    Data
    None
  • HyperV Host
    07
    Check all virtual machines are using VHDX disks if the host is Windows 2012 or above

  • PassAll virtual machines are using VHDX disks
  • FailOne or more virtual machines are not using VHDX disks
  • N/ANot a Hyper-V host server
    No virtual machines exist on this host
    Not a supported operating system for this check

  • Applies ToHyper-V Hosts
  • hvh07
    VHDX Disks
    Not a Hyper-V host server
    Data
    None
    Network
  • Network
    01
    Check the global IPv6 setting and of status of each NIC.


  • Applies ToAll Servers
  • net01
    Global And NIC IPv6 Status
    IPv6 setting enabled globally, all NICs disabled
    Data
    None
  • Network
    02
    Check there are no DHCP enabled network interfaces on the server. All NICs should have a statically assigned IP address.

  • PassNo DHCP enabled adapters found
  • FailDHCP enabled adapters found

  • Applies ToAll Servers
  • net02
    DHCP Enabled Network Adapters
    No DHCP enabled adapters found
    Data
    None
  • Network
    03
    Check network interfaces are labelled so their purpose is easily identifiable. FAIL if any adapter names are "Local Area Connection x" or "Ethernet x".

  • PassAll adapters renamed from default
  • FailAn adapter was found with a default name

  • Applies ToAll Servers
  • net03
    Network Adapter Names
    An adapter was found with a default name
    Data
    Ethernet0,
  • Network
    04
    Check binding order is set correctly for "Production" as the primary network adapter then as applicable for other interfaces.
    If no "Production" adapter is found, then "Management" should be first.

  • PassBinding order correctly set
  • FailRegistry setting not found
    Production or Management adapters not listed
    Binding order incorrect, {0} should be first

  • Applies ToAll Servers
  • net04
    Network Binding Order
    Production or Management adapters not listed
    Data
    Ethernet0,
  • Network
    05
    Check the network adapter speed and duplex settings. Should be set to "Full Duplex" and "Auto".

  • PassAll network adapters configured correctly
  • WarningOne or more network adapters configured incorrectly
  • FailNo network adapters found or enabled

  • Applies ToAll Servers
  • net05
    Network Speed And Duplex
    All network adapters configured correctly
    Data
    None
  • Network
    07
    Check network interfaces for known teaming names, manually check they are configured correctly. Fail if no teams found or if server is a virtual.
    Checked configuration is: Teaming Mode: "Static Independent"; Load Balancing Mode: "Address Hash"; Standby Adapter: (set).

  • Pass, Team configuration is set correctly
  • FailNo teamed network adapters found
    Teamed network adapters found on a virtual machine
    , Team configuration is not set correctly
    Teaming Count Issue
  • ManualTeamed network adapters found, check they are configured correctly
  • N/ANot a supported operating system for this check
    Not a physical server

  • Applies ToPhysical Servers
  • net07
    Network Teaming
    Not a physical server
    Data
    None
  • Network
    08
    Check that a management network adapter exists. This must always be present on a server and labelled correctly.

  • PassManagement network adapter found
  • FailNo management network adapter

  • Applies ToAll Servers
  • net08
    Management Adapter
    No management network adapter
    Data
    None
  • Network
    09
    Checks to make sure the specified static routes have been added. Add routes to check as: StaticRoute01 = ("destination", "subnet mask", "gateway"). To check for no extra persistent routes, use: StaticRoute01 = ("None", "", "").
    Up to 99 routes can be checked - You must edit the settings file manually for more than the currently configured.

  • PassRequired static routes are present
  • FailNo static routes present
    All entered static routes are missing
    One or more static routes are missing or incorrect
    A static route exists that must not
  • N/ANo static routes to check

  • Applies ToAll Servers
  • net09
    Static Routes
    No static routes to check
    Data
    None
  • Network
    10
    Check network interfaces have their power management switch disabled.

  • PassAll adapters have power saving disabled
  • FailOne or more adapters have power saving enabled
    No enabled network adapters found

  • Applies ToAll Servers
  • net10
    Power Management
    All adapters have power saving disabled
    Data
    None
  • Network
    11
    Checks that all DNS servers are configured, and if required, in the right order.

  • PassAll DNS servers configured and in the right order
    All DNS servers configured
  • FailDNS Server count mismatch
    Mismatched DNS servers
    No DNS servers are configured

  • Applies ToAll Servers
  • net11
    DNS Settings
    DNS Server list is not in the required order
    Data
    Configured: 10.1.1.2,
    Looking For:
  • Network
    12
    Check that File And Print Services has been disabled on all adapters, except for those specified.

  • PassFile And Print Services are disabled correctly
  • FailFile And Print Services are enabled

  • Applies ToAll Servers
  • net12
    File And Print Services
    File And Print Services are enabled
    Data
    Ethernet0,
  • Network
    13
    Check the WINS NetBIOS Settings for each enabled network adapter

  • PassAll adapters are configured correctly
  • WarningNo network adapters configured
  • FailOne or more adapters are not configured correctly

  • Applies ToAll Servers
  • net13
    NetBIOS Over TCP/IP
    One or more adapters are not configured correctly
    Data
    Adapter: Ethernet0: Setting: (0) Default,
    Regional
  • Regional
    01
    Check that the server time is correct. If a valid source is used, the time is also checked against that source. Maximum time difference allowed is 10 seconds, any longer and the check fails.

  • PassTime source is set to a remote server, and is synchronised correctly
  • WarningThis is a work group server, is this correct.?
  • FailTime source is not set
    Time source is not set correctly
    Error getting required information
    Time source is set to a remote server, and is not synchronised correctly
  • ManualNot a supported operating system for this check

  • Applies ToAll Servers
  • reg01
    Local Date/Time
    Time source is not set correctly
    Data
    local cmos clock,
    Time is 26/10/2017 10:17:14
  • Regional
    02
    Check that the server time zone is correct.

  • PassServer time zone set correctly
  • FailServer time zone is incorrect and should be set to {0}

  • Applies ToAll Servers
  • reg02
    Local Time zone
    Server time zone set correctly
    Data
    (UTC) Dublin, Edinburgh, Lisbon, London
  • Regional
    03
    Ensure the Region and Language > Location is set correctly. Default setting is "United Kingdom".

  • PassRegional location set correctly
  • FailRegional location incorrectly set to {0}
    Registry setting not found

  • Applies ToAll Servers
  • reg03
    Region > Location
    Regional location set correctly
    Data
    United Kingdom
  • Regional
    04
    Ensure the Region and Language > keyboard and Languages is set correctly.

  • PassKeyboard layout is set correctly
  • FailKeyboard layout is not set correctly
    Registry setting not found

  • Applies ToAll Servers
  • reg04
    Region > Language
    Keyboard layout is set correctly
    Data
    00000809,
    United Kingdom
    Security
  • Security
    01
    Ensure security ciphers are set correctly. Settings taken from https://www.nartac.com/Products/IISCrypto/Default.aspx using "Best Practices/FIPS 140-2" settings.

  • PassAll ciphers set correctly
  • FailOne or more ciphers set incorrectly

  • Applies ToAll Servers
  • sec01
    Security Settings 1: Ciphers
    One or more ciphers set incorrectly
    Data
    DES 56/56: Missing entry, should be disabled,
    NULL: Missing entry, should be disabled,
    RC2 128/128: Missing entry, should be disabled,
    RC2 40/128: Missing entry, should be disabled,
    RC2 56/128: Missing entry, should be disabled,
    RC2 56/56: Missing entry, should be disabled,
    RC4 128/128: Missing entry, should be disabled,
    RC4 40/128: Missing entry, should be disabled,
    RC4 56/128: Missing entry, should be disabled,
    RC4 64/128: Missing entry, should be disabled,
  • Security
    02
    Ensure hashes are set correctly. Settings taken from https://www.nartac.com/Products/IISCrypto/Default.aspx using "Best Practices/FIPS 140-2" settings.

  • PassAll hashes set correctly
  • FailOne or more hashes set incorrectly

  • Applies ToAll Servers
  • sec02
    Security Settings 2: Hashes
    One or more hashes set incorrectly
    Data
    MD5: Missing entry, should be disabled,
  • Security
    03
    Ensure key exchange algorithms are set correctly. Settings taken from https://www.nartac.com/Products/IISCrypto/Default.aspx using "Best Practices/FIPS 140-2" settings.

  • PassAll key exchange algorithms set correctly
  • FailOne or more key exchange algorithms set incorrectly

  • Applies ToAll Servers
  • sec03
    Security Settings 3: Key Exchange Algorithms
    One or more key exchange algorithms set incorrectly
    Data
    DIFFIE-HELLMAN: Missing entry, should be enabled,
    ECDH: Missing entry, should be enabled,
    PKCS: Missing entry, should be enabled,
  • Security
    04
    Ensure protocols are set correctly. Settings taken from https://www.nartac.com/Products/IISCrypto/Default.aspx using "Best Practices/FIPS 140-2" settings.

  • PassAll protocols set correctly
  • FailOne or more protocols set incorrectly

  • Applies ToAll Servers
  • sec04
    Security Settings 4: Protocols
    One or more protocols set incorrectly
    Data
    MULTI-PROTOCOL UNIFIED HELLO: Key missing,
    PCT 1.0: Key missing,
    SSL 2.0: Key missing,
    SSL 3.0: Key missing,
    TLS 1.0: Key missing,
  • Security
    05
    Ensure the security cipher order is set correctly. Settings taken from https://www.nartac.com/Products/IISCrypto/Default.aspx using "Best Practices/FIPS 140-2" settings.
    Group Policy Location: Computer > Policies > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order

  • PassCipher suite order set correctly
  • FailCipher suite order is missing and therefore set to the default value
    Cipher suite order not set correctly

  • Applies ToAll Servers
  • sec05
    Security Settings 5: Cipher Suite Order
    Cipher suite order is missing and therefore set to the default value
    Data
    None
  • Security
    06
    Ensure the system is set to reject attempts to enumerate accounts in the SAM by anonymous users.

  • PassReject anonymous account enumeration is enabled
  • FailReject anonymous account enumeration is disabled
    Registry setting not found

  • Applies ToAll Servers
  • sec06
    Reject Anonymous Account Enumeration
    Reject anonymous account enumeration is enabled
    Data
    None
  • Security
    07
    Ensure the system is set to reject attempts to enumerate shares in the SAM by anonymous users.

  • PassReject anonymous share enumeration is enabled
  • FailReject anonymous share enumeration is disabled
    Registry setting not found

  • Applies ToAll Servers
  • sec07
    Reject Anonymous Share Enumeration
    Registry setting not found
    Data
    None
  • Security
    08
    Check system is not caching domain credentials.

  • PassDomain credential caching is disabled
  • FailDomain credential caching is enabled
    Registry setting not found

  • Applies ToAll Servers
  • sec08
    Domain Credential Caching
    Registry setting not found
    Data
    None
  • Security
    09
    Ensure the system is set to request administrative credentials before granting an application elevated privileges. Default setting is either "(1):Prompt for credentials on the secure desktop" or "(3):Prompt for credentials". Values and meanings can be seen here - https://msdn.microsoft.com/library/cc232761.aspx

  • PassSystem is configured correctly
  • FailSystem is not configured correctly
    Registry setting not found

  • Applies ToAll Servers
  • sec09
    Elevate Prompt For Administrative Credentials
    System is not configured correctly
    Data
    Current setting: 5: Prompt for consent for non-Windows binaries
  • Security
    10
    Ensure the system is set to restrict anonymous access to named pipes

  • PassRestrict anonymous pipe/share access is enabled
  • FailRestrict anonymous pipe/share access is disabled
    Registry setting not found

  • Applies ToAll Servers
  • sec10
    Reject Anonymous Pipe/Share Access
    Restrict anonymous pipe/share access is enabled
    Data
    None
  • Security
    11
    Checks to see if the default web page is present in IIS, it should be removed.

  • Pass"iisstart.htm" is not listed as a default document
  • Fail"iisstart.htm" is listed as a default document
  • Manual"IIS Management Scripts and Tools" are not installed
  • N/AIIS is not installed
    Operating system not supported

  • Applies ToAll Servers
  • sec11
    IIS Default Page
    IIS is not installed
    Data
    None
  • Security
    12
    Ensure SMB signing is turned on.

  • PassSMB Signing configured correctly
  • FailSMB Signing not configured correctly

  • Applies ToAll Servers
  • sec12
    SMB Signing On
    SMB Signing not configured correctly
    Data
    The following section(s) are not configured correctly:,
    LanmanServer, LanmanWorkstation
  • Security
    13
    If server is Domain Controller or a Terminal Server, check to ensure the RSA Authentication Agent is installed.

  • PassRSA Authentication Agent software found
  • FailRSA Authentication Agent software not found
  • N/ANot a domain controller or terminal services server

  • Applies ToDomain Controllers And Terminal Servers
  • sec13
    RSA Monitoring Installed
    Not a domain controller or terminal services server
    Data
    None
  • Security
    14
    Checks to see if there are any additional firewall rules, and warns if there are any. This ignores all default pre-configured rules

  • PassNo additional firewall rules exist
  • WarningOne or more additional firewall rules exist, check they are required

  • Applies ToAll Servers
  • sec14
    Additional Firewall Rules
    No additional firewall rules exist
    Data
    None
  • Security
    15
    Check if Windows firewall is enabled or disabled for each of the three profiles. Set to "0" for disabled, and "1" for enabled

  • PassWindows firewall is set correctly
  • FailWindows firewall is not set correctly

  • Applies ToAll Servers
  • sec15
    Check Firewall State
    Windows firewall is not set correctly
    Data
    Domain profile is Enabled, but should be Disabled,
  • Security
    16
    Returns a list of ports that are open, excluding anything lower than 1024 and within the dynamic port range. Will also exclude other well known ports. See "default-settings.ini" file for descriptions of default ignore ports.

  • PassNo extra ports are open
  • FailOne or more extra ports are open

  • Applies ToAll Servers
  • sec16
    Check Open Ports
    No extra ports are open
    Data
    Ignoring: 0-1024, 1311, 1556, 2381, 3389, 4750, 5985, 5986, 47001, 49152-65536
  • Security
    17
    Ensure SMBv1 is disabled.

  • PassSMBv1 is disabled
  • FailSMBv1 is enabled

  • Applies ToAll Servers
  • sec17
    SMBv1 Disabled
    SMBv1 is enabled
    Data
    The following registry paths are incorrect:,
    HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10\Start
    System
  • System
    01
    Check for a pending reboot.

  • PassServer is not waiting for a reboot
  • FailServer is waiting for a reboot

  • Applies ToAll Servers
  • sys01
    Pending Reboot
    Server is not waiting for a reboot
    Data
    None
  • System
    02
    Check windows is licensed.

  • PassPort 1688 open to KMS Server {0}
  • FailPort 1688 not open to KMS Server {0}
    Windows licence check failed
    Windows not licensed

  • Applies ToAll Servers
  • sys02
    Windows License
    Windows not licensed
    Data
    Status: Notification,
    Not using a KMS server,
    Product Key is set as a KMS default: https://technet.microsoft.com/library/jj612867%28v=ws.11%29.aspx
  • System
    03
    Check services and ensure all services set to start automatically are running (NetBackup Bare Metal Restore Boot Server, NetBackup SAN Client Fibre Transport Service and .NET4.0 are all expected to be Automatic but not running).

  • PassAll auto-start services are running
  • FailOne or more auto-start services were found not running

  • Applies ToAll Servers
  • sys03
    Services Not Started
    All auto-start services are running
    Data
    None
  • System
    04
    Check services and ensure all listed services are set to disabled and are stopped.

  • PassAll services are configured correctly
  • FailOne or more services are configured incorrectly

  • Applies ToAll Servers
  • sys04
    Services Not Stopped
    All services are configured correctly
    Data
    None
  • System
    05
    Check System Event Log and ensure no errors are present in the last x days. If found, will return the latest y entries

  • PassNo errors found in system event log or its configuration
  • FailEvent log maximum size is not set correctly,#
    Retention method is not set correctly,#

  • Applies ToAll Servers
  • sys05
    System Event Log Errors And Configuration
    Errors were found in the system event log,
    Event log maximum size is not set correctly,
    Data
    .\SERVER01.ACME.LAN_System_Event-Log.csv,
    Current maximum size: 20MB,
  • System
    06
    Check Application Event Log and ensure no errors are present in the last x days. If found, will return the latest y entries

  • PassNo errors found in application event log or its configuration
  • FailEvent log maximum size is not set correctly,#
    Retention method is not set correctly,#

  • Applies ToAll Servers
  • sys06
    Application Event Log Errors And Configuration
    Errors were found in the application event log,
    Event log maximum size is not set correctly,
    Data
    .\SERVER01.ACME.LAN_Application_Event-Log.csv,
    Current maximum size: 20MB,
  • System
    07
    Checks Device Manager to ensure there are no unknown devices, conflicts or errors.

  • PassNo disabled devices or device errors found
  • WarningOne or more disabled devices found
  • FailOne or more device errors found

  • Applies ToAll Servers
  • sys07
    Device Errors
    No disabled devices or device errors found
    Data
    None
  • System
    09
    Check to see if any non standard scheduled tasks exist on the server (Any application specific scheduled tasks should be documented with a designated contact point specified).
    This check automatically ignores any Microsoft labelled specific tasks.

  • PassNo additional scheduled tasks found
  • WarningAdditional scheduled tasks found - make sure these are documented

  • Applies ToAll Servers
  • sys09
    Scheduled Tasks
    No additional scheduled tasks found
    Data
    None
  • System
    10
    Check to see if any printers exist on the server. If printers exist, ensure the spooler directory is not stored on the system drive.

  • PassNo printers found
    Printers found, and spool directory is not set to default path
  • FailRegistry setting not found
    Spool directory is set to the default path and needs to be changed
  • N/APrint Spooler service is not running

  • Applies ToAll Servers
  • sys10
    Print Spool Directory
    No printers found
    Data
    None
  • System
    11
    Ensure Auto-Run is disabled.

  • PassAuto-Run is disabled
  • FailAuto-Run is enabled

  • Applies ToAll Servers
  • sys11
    Drive Auto-Run
    Auto-Run is enabled
    Data
    None
  • System
    12
    Check if SNMP role is install on the server. If so, ensure the SNMP community strings follow the secure password policy.

  • PassSNMP Service installed, but disabled
  • WarningSNMP Service installed, no communities configured
  • ManualSNMP Service installed, communities listed
  • N/ASNMP Service not installed

  • Applies ToAll Servers
  • sys12
    SNMP Configuration
    SNMP Service installed, but disabled
    Data
    None
  • System
    13
    Checks that the server is a member of the domain.

  • PassServer is a domain member
  • WarningThis is a work group server, is this correct.?

  • Applies ToAll Servers
  • sys13
    Domain Member
    Server is a domain member
    Data
    None
  • System
    14
    Check power plan is set to High Performance.

  • PassPower plan is set correctly
  • FailPower plan is not set correctly
    Unknown power plan setting

  • Applies ToAll Servers
  • sys14
    Power Plan
    Power plan is not set correctly
    Data
    Current: Balanced,
    Looking For: Balanced
  • System
    15
    Check to make sure hibernation is disabled.

  • PassHibernation is currently disabled
  • FailHibernation is currently enabled

  • Applies ToAll Servers
  • sys15
    Hibernation
    Hibernation is currently disabled
    Data
    None
  • System
    16
    Check that remote desktop is enabled and that Network Level Authentication (NLA) is set.

  • PassSecure remote desktop enabled
  • FailSecure remote desktop disabled

  • Applies ToAll Servers
  • sys16
    Remote Desktop
    Secure remote desktop disabled
    Data
    None
  • System
    17
    If server is a Terminal Services Server ensure it has a licence server set.

  • PassTerminal services server is licensed
  • FailTerminal services server is not licensed
  • N/ANot a terminal services server

  • Applies ToTerminal Servers
  • sys17
    Terminal Services Licensed
    Not a terminal services server
    Data
    None
  • System
    18
    Check that the current server OU path is not in the default location(s). The list of OUs should contain at least the default "Computers" OU, and must be the full distinguished name of the locations.

  • PassServer not located in a default OU location
  • WarningThis is a work group server, is this correct.?
  • FailServer found in a default OU location
  • N/ANot a domain joined server

  • Applies ToAll Servers
  • sys18
    Check Server OU Location
    Server found in a default OU location
    Data
    cn=computers,
    dc=acme,dc=dev
  • System
    19
    Check the state of the HPe System Management Homepage service and version

  • PassService state and version are correct
  • FailHPe System Management Homepage not installed
    Service state is not correct,#
    Installed version is below the minimum set
  • N/ANot a HPe physical server

  • Applies ToAll Servers
  • sys19
    Check HP SMH Version
    Not a HPe physical server
    Data
    None
  • System
    20
    Check the state of the Dell OpenManage Administrator service and version

  • PassService state and version are correct
  • FailDell OpenManage Administrator not installed
    Service state is not correct,#
    Installed version is below the minimum set
  • N/ANot a Dell physical server

  • Applies ToAll Servers
  • sys20
    Check Dell OMA Version
    Not a Dell physical server
    Data
    None
  • System
    21
    Allows you to check a specific list of registry keys and values to see if your in-house gold image was used.
    Up to 9 registry keys and values can be checked - You must edit the settings file manually for more than the currently configured.
    Note: All keys must be in HKEY_LOCAL_MACHINE hive only.

  • PassAll gold build checks were found and correct
  • FailOne or more gold build checks were not the correct value
  • ManualOne or more gold build checks were "Report Only"
  • N/ANothing to check for

  • Applies ToAll Servers
  • sys21
    Gold Image Check
    One or more gold build checks were "Report Only"
    Data
    01: (Report) InstallDate: 06/30/2017 12:54:43,
    02: (Pass) SystemRoot: C:\Windows,
  • System
    22
    Check that all the memory assigned to a server is visible to the OS.

  • PassAll assigned memory is visible
  • FailNot all assigned memory is visible

  • Applies ToAll Servers
  • sys22
    All RAM Visible
    All assigned memory is visible
    Data
    Installed: 2.00gb
  • System
    23
    Allows you to checks a specific list of system environment variables and values to see if they are set correctly.
    Up to nine system environment variables and values can be checked - You must edit the settings file manually for more than the currently configured. Note: All keys must be machine variables only.

  • PassAll environment variables checks were found and correct
  • FailOne or more environment variables checks were not the correct value
  • ManualOne or more environment variables checks were "Report Only"
  • N/ANothing to check for

  • Applies ToAll Servers
  • sys23
    System Environment Variables
    One or more environment variables checks were not the correct value
    Data
    01: (Report) Path: C:\Windows\system32; C:\Windows; C:\Windows\System32\Wbem; C:\Windows\System32\WindowsPowerShell\v1.0\,
    02: (Fail) ALLUSERSPROFILE: ,
    Virtual
  • Virtual
    01
    Check that the latest VMware tools or Microsoft integration services are installed.

  • PassVMware tools are up to date
  • FailIntegration services not installed
    VMware tools can be upgraded
  • ManualIntegration services found
    Unable to check the VMware Tools version or upgrade status
  • N/ANot a virtual machine

  • Applies ToVirtual Servers
  • vmw01
    HyperV/VMware Tools Version
    VMware tools can be upgraded
    Data
    Current Version: 10.0.10.3275 (build-4301679)
  • Virtual
    02
    Check that VMware Host Time Sync is disabled.

  • PassVMware tools time sync is disabled
  • FailVMware tools time sync is enabled
  • ManualUnable to check the VMware time sync status
  • N/ANot a virtual machine

  • Applies ToVirtual Servers
  • vmw02
    VMware Time Sync
    VMware tools time sync is disabled
    Data
    None
  • Virtual
    03
    Check all virtual servers have network cards that are configured as VMXNET3.

  • PassAll active NICS configured correctly
  • FailNo network adapters found
    One or more active NICs were found not to be VMXNET3
  • N/ANot a virtual machine

  • Applies ToVirtual Servers
  • vmw03
    VMware NIC Type
    One or more active NICs were found not to be VMXNET3
    Data
    Intel(R) 82574L Gigabit Network Connection,
  • Virtual
    04
    Check Windows disk controller is set correctly. Default setting is "LSI logic SAS".

  • PassDisk controller set correctly
  • FailDisk controller not set correctly
    No SCSI controllers found
  • N/ANot a virtual machine

  • Applies ToVirtual Servers
  • vmw04
    VMware Disk Controller
    Disk controller set correctly
    Data
    None
  • Virtual
    05
    Checks to see if there are are more than 8 drives attached to the same SCSI adapter.

  • PassMore than 7 drives exist, but on different SCSI adapters
  • FailMore than 7 drives exist on one SCSI adapter
  • N/ANot a virtual machine
    There are less than 8 drives attached to server

  • Applies ToVirtual Servers
  • vmw05
    VMware SCSI Drive Count
    There are less than 8 drives attached to server
    Data
    Count: 1
  • Virtual
    06
    Checks to see if the total VM size is less than 1TB.

  • PassVM is smaller than 1TB
  • WarningVM is larger than 1TB. Make sure there is an engineering exception in place for this
  • N/ANot a virtual machine

  • Applies ToVirtual Servers
  • vmw06
    Total VM Size
    VM is smaller than 1TB
    Data
    Size: 50GB
  • Virtual
    07
    Checks for any mounted CD/DVD or floppy drives.

  • PassNo CD/ROM or floppy drives are mounted
  • FailOne or more CD/ROM or floppy drives are mounted
  • N/ANot a virtual machine

  • Applies ToVirtual Servers
  • vmw07
    Mounted Drives
    No CD/ROM or floppy drives are mounted
    Data
    None
  • Virtual
    08
    Check that Failover Clustering is not be installed on virtual servers.

  • PassFailover clustering is not installed
  • FailFailover clustering is installed
  • N/ANot a virtual machine
    Operating system not supported

  • Applies ToVirtual Servers
  • vmw08
    Failover Clustering
    Failover clustering is not installed
    Data
    None