(Version 3.0)
for
Cyber Security Policies
for
Government of India
(January 2014)
1. Introduction
An asset is hardware or software that is of value / importance to a Ministry /
Department. Therefore it is essential to maintain a proper record of each asset.
This document provides necessary steps for maintaining the record of cyber
resources.
2. Asset Register
An Asset Register should be maintained that includes the following information about
each asset:
2.1. Asset ID: A unique asset identification number assigned to each asset for
easy and quick identification. (refer: Asset Management Guidelines)
2.2. Asset Name [1]: Name given for identification of Asset based on its functionality.
2.3. Asset Details: Details about the asset such as IP Address, MAC Address,
Hostname, Software license number, etc.
2.3.1. IP address: Logical address allocated to the client systems,
network devices and network security devices by the System
Administrator or Network Administrator.
2.3.2. MAC address: MAC address (Media Access Control address) is a
unique identifier assigned to network adapters or network interface
cards by the manufacturer for identification.
2.3.3. Hostname: A hostname is a unique name by which a system /
network devices / network security devices connected on the
network can be identified.
2.3.4. Serial No. / License: In case of hardware provide serial number
and for software provide license key.
2.4. Asset Type: There are two types of assets as follows:
2.4.1. Hardware: Physical devices which are required / used to support
operations. For example – client systems, routers, firewalls,
printers, etc.
[1] Asset Name: ‘Payroll Server’ could be the name of an asset which is used for
processing the salary of employees. In case more than one asset provides the same
functionality, the asset name should be suffixed by a number, like Payroll Server 1,
Payroll Server 2 and so on.
3. Procedure
Asset Management procedure is a bottom-up approach, which collects asset
information for every Ministry / Department in each location. The role of each person
is defined below:
3.2. For Client Systems, Software, Peripheral devices and other Accessories
3.2.1. System Administrator
3.2.1.1. Collect and maintain asset information using Asset
Register Template.
3.2.1.2. Forward the asset information to the respective
Information Security Officer, Network Administrator and
Network Security Administrator.
4. Annexure
5. References
5.1. Security Policy for System Administrator
5.2. Security Policy for Department
5.3. Security Policy for Network connected to Internet
5.4. Asset Management Guidelines
1. Introduction
During boot-up the BIOS scans the defined bootable media to start the client system.
The removable media can also be used as bootable media.
If booting from removable media is enabled, any malicious user could gain access to the
client system using removable media. Hence, this feature should be disabled.
This document provides steps to disable boot-up from any removable media like: CD-
ROMs, Floppy Disks, USB Flash drives, etc.
2. Applicability
All systems
3. Implication
After applying these settings the client systems will not boot from any removable media.
NOTE: The steps in this procedure may change depending on the BIOS version. Please refer to the
BIOS manual for more information.
4. Definition
4.1. BIOS: Basic Input / Output System (BIOS) is a boot firmware, designed to be the
‘first code’ run by a client system when powered on. The function of the BIOS is to
identify, test, and initialize client system devices such as, video display card, hard
disk, floppy disk, etc.
6. Procedure
6.1. Switch on the client system and Press the F2 key, before the Windows XP screen,
to enter the BIOS. (This key may vary depending on the make of the BIOS)
6.2. Enter the setup password to enter the BIOS setup. A screen as shown below
appears. (refer: Figure 1)
Figure 1
6.3. Use the right arrow key on the keyboard to go to the Boot Menu.
6.4. Use the down arrow key to go to the First Boot Device.
6.5. Press the Enter key and use Up or Down arrow key to select Hard Drive option
in First Boot Device section.
Figure 2
7. Reference
7.1. Security Policy for User
This document provides steps to restrict the active content in the Internet Explorer.
2 Applicability
Internet Explorer version 9.0 and 10.
3 Implication
After applying these settings some applications / Websites may not load if active content
is blocked.
4 Definitions
4.1 Active Content: A Web page that provides interaction or dynamic changes
and contains "action items" (such as animated GIFs, Java, JavaScript,
streaming audio and video or ActiveX controls).
4.2 ActiveX: ActiveX is one of the technologies used to add interactivity to Web
pages. It can be automatically downloaded and executed by a Web browser.
5 Procedure
5.7 Open the Internet Explorer; left-click on the icon shown in Figure 1.
5.8 Click on Internet Options.
Figure 1
5.9 Click on Security tab.
5.10 Select Internet Web content zone to specify its security settings.
5.11 Click Custom Level to customize settings. (The default level for each zone is
already set) (refer figure 2).
Figure 2
5.6.1 Settings
5.6.2 Settings
5.6.3 Settings
Figure 3
5.6.4 Settings
5.6.5 Settings
Figure 4
6 References
6.1 Security Guidelines for User
1. Introduction
If anti-virus software is not installed or updated, client systems may be vulnerable to
various attacks leading to system compromise and / or data leakage.
2. Applicability
Microsoft Windows 7.
3. Implication
Client system may become slow during anti-virus scans.
Figure 1
Figure 2
Figure 3
4.2.1. There is an icon for Trend Micro Antivirus on the right side of the
toolbar. (refer: Figure 4)
Figure 4
Figure: 5
4.3.1. Right-click on the Trend Micro Antivirus icon; the options shown in
Figure 6 will appear.
4.3.2. Click on the Update now option. (refer: Figure 6)
Figure 6
4.3.2. Again, click on Update now in the Trend Micro OfficeScan window. (refer: Figure 7)
Figure 7
Figure: 8
4.4.2. If the virus definition file is more than 7 days old, as marked in Figure 9, report it to the
System Administrator.
Figure 9
5.1.2. Check settings for security -> Virus Protection (refer figure
1).
Figure 1
5.2.1. There is an icon for Symantec AV on the right side of toolbar. (refer:
figure 2)
Figure 2
Figure: 3
5.3.1. Right-click on the Symantec AV icon; the options shown in Figure 4 will appear.
5.3.2. Click on Update Policy. (refer: Figure 4)
Figure 4
Figure 5
4.4.2. If the virus definition file is more than 7 days old, as marked in Figure 6, report it to the
System Administrator.
Figure 6
6. References
6.1. Security Policy for User
6.2. Client System Security Guidelines
1. Introduction
AutoComplete feature stores web addresses, usernames and passwords and entries made in
the forms of web pages. It uses this stored information to complete similar entries during
subsequent use.
Such features provide a window of opportunity for a malicious user to login to the website using
stored credentials of a legitimate user.
This document provides steps to disable the AutoComplete feature for usernames and
passwords.
2. Applicability
Internet Explorer version 9.0 and 10.
3. Implication
After applying these settings, user will have to type in the user ID, password, name, etc. every
time he / she uses the Internet Explorer to logon to any Intranet or Internet websites.
4. Procedure
4.1. Open the Internet Explorer and left-click on the icon shown in Figure 1.
4.2. Click on Internet Options > Content tab.
Figure 1
Figure 2
4.4. On the AutoComplete Settings window, ensure that the configuration of the Use
AutoComplete for section is as per Table 1.
Figure 3
Options                           | Setting
Web addresses                     | Checked
Forms                             | Checked
Username and password on forms    | Unchecked
Table 1
4.5. Click on the delete autocomplete history button to clear the Autocomplete history.
(refer: Figure 3).
5. References
5.1 Security Guidelines for User
1. Introduction
Auto Logon in Windows 7 is a feature that enables automatic log-in to the system without user
intervention.
Anyone having physical access to the client system can also gain access to all the resources of
the system.
2. Applicability
Windows 7
3. Implication
By applying these settings, user will have to type in the user ID and password every time while
logging on to the client system.
4. Procedure
4.1. Press Windows + R to open the Run window, or click on the Start button on the desktop,
type Run in the space shown in Figure 1 and press Enter.
Figure 1
4.2. In the Run window type the command control userpasswords2 and click on the
OK button.
Figure 2
Figure 3
4.4. Click on the Users tab and check the option Users must enter a user name
and password to use this computer. (refer: figure 3)
4.5. Click on the OK button to confirm the configuration.
Note: This procedure is applicable in a non-domain environment, to the user who has enabled
this option for his convenience and wants to disable it as per the Security Policy for User.
5. References
5.1. Security Policy for User
If the Auto-run feature is enabled, a malicious executable file on the media could infect
the system.
This document provides steps to disable Auto-run in a client system.
8 Applicability
Windows 7
9 Implication
After these settings are applied, CDs, DVDs, Floppy Disks, portable storage devices, etc.
will not run automatically when inserted into the system.
10 Procedure
10.7 Go to Start > Run, type gpedit.msc and press the Enter key.
10.8 In the Group Policy window, select Administrative Templates.
10.9 Click on Windows Components.
10.10 Then, click on Autoplay Policies.
10.11 Double-click Turn Off Autoplay.
Figure 1
Figure 2
11 Reference
11.1 Security Policy for User
1. Introduction
A cookie (also called tracking cookie, browser cookie or HTTP cookie) is a small text file placed
by a Web server on the user's client system. A cookie is used to maintain state information as
users navigate different pages on a Web site. A cookie consists of information such as user
preferences, shopping cart contents, an identifier for a server-based session, or other data used
by websites.
A first party cookie is that which originates from the Web site that user is currently viewing. A
third-party cookie is that which originates from a Web site different from the one that user is
currently viewing.
1. Applicability
Internet Explorer version 9.0 and 10.
2. Implication
After applying this setting, the user may not be able to access or view some parts of websites
which use third-party cookies.
Procedure
a. Open the Internet Explorer and left-click on the icon shown in Figure 1.
b. Click on Internet Options > Privacy and select Advanced (refer: Figures 1 & 2).
Figure 1
Figure 2
Figure 3
2.4. Press Ok to save settings.
3. References
3.1 Security Guidelines for User.
If backup of critical [2] data is not taken on a regular basis, data may not be available in case of
an incident (such as loss of system, operating system crash, natural disaster etc.).
2. Applicability
The procedure given is applicable to Microsoft Windows 7 to backup the data stored on the
client systems. Data can be either backed up on separate drive or any data storage media
(such as CD, DVD, USB storage media, etc.) depending upon the requirement or guidelines
defined by the Ministry / Department.
3. Implication
NIL
4. Procedure
4.1. Identify the data which needs to be backed up.
4.2. Manual Backup
4.2.1. For copying to Portable Media / Client Systems / Hard-disks
4.2.1.1. Right-click the file or folder to be backed up and select the Copy
option [3] (refer: Figure 1)
4.2.1.2. Go to the destination folder
4.2.1.3. Right Click
4.2.1.4. Select Paste Option (refer: Figure 2)
Figure 1
[2] Critical data should be defined by the user based on his / her requirement
[3] For copying multiple files, Copy and Ctrl should be selected simultaneously
Figure 2
4.3.3. Windows will search for a suitable drive to store the backup, or you can choose a
location on your network. If you back up to a network location you might need the password to
the share. Select a suitable drive and click Next.
4.3.4 You can have Windows choose what to back up, or you can choose the files and
directories.
Note: If you let Windows choose, it will not back up Program Files, anything formatted with the
FAT file system, files in the Recycle Bin, or any temp files that are 1GB or more.
4.3.5 Select the files and folders to include in the backup. Also notice that you can select
the option to create an image of your local drive, and click on Next.
4.3.6 Here, click on Save settings and run backup to back up the selected files and folders.
4.3.6.1 Here you can also schedule the days and times the backup occurs.
4.3.7 Save the backup settings and kick off your first backup; while it runs you can monitor
the progress.
4.3.7.1 Click the View Details button to see exactly what is being backed up during the
process.
4.4.1 Open the previously stored backup file by double-clicking on it.
4.4.2 Click on Restore my files from this backup; you can also manage the size of
the backups folder.
4.4.4 Next, you can choose to restore the files to the original location or to a
different location, then click Restore.
4.4.5 Progress of the restoration will vary depending on the size of the data and the location it is
being restored from.
12 Reference
12.7 Security Policy for User.
Sharing of Hard disk / Folders with other users on the network may pose a risk of
unauthorized disclosure, deletion or modification of data.
The procedure detailed below consists of common steps to share a Drive or Folder.
2. Applicability
Windows 7
3. Implication
Sharing with infected systems is a potential security risk.
4. Procedure
4.1. Select the Folder / Drive to be shared.
4.2. Right-click on the Folder / Drive and select Properties. (refer: Figure 1 & 2)
4.3. A Properties window with a Sharing tab appears; here click on Advanced Sharing. (refer:
Figure 3 & 4)
4.4. In Advanced Sharing, check the Share this folder option. Mention the share name
and a comment to inform the intended recipient about the contents of the folder.
4.5. Check the Allow this number of users option to limit the number of concurrent
users requiring access to the folder in the User limit section.
4.6. Click on the Permissions button to set the permission of intended users as shown in
Figure 5.
Figure 5.
4.7. In the Permissions tab, highlight the group Everyone and click on Remove to deny permission to
all.
Figure 6
4.8. Click on the Add button to add the user / group to whom the permission is to be
granted (refer: Figure 6).
Note: For providing access to users in client systems which are not in any domain, user ID for
each user needs to be created on the client system on which Folder / Drive is to be shared. This
should be done as per the User ID Creation Procedure.
4.9. In the Select User or Groups window add the name of user / group and click on the
Check Names.
Figure 7
Figure 8
4.12. Highlight the user / group in the Group or user names section and check the
appropriate options in the Permission for Users section depending on the requirement.
4.13. Click on the OK button to confirm the configuration.
5. References
5.1. Security Policy for User
2. Applicability
Windows 7
3. Implications
Limited user cannot change client system settings and install software. With limited
privileges some programs may not run.
4. Procedure
4.1. On the desktop right click on the My Computer icon and select Manage.
Figure 1
Figure 2
4.3. Click on the + sign to expand the System Tools and then expand Local Users
and Groups. (refer: figure 2)
4.4. Under the Local Users and Groups select the Users folder.
Figure 3
4.5. Right click the mouse on the empty screen on the right pane and select New User.
(refer: Figure 3)
4.6. A New User window appears as shown below.
Figure 4
4.7. Enter the required details like User name, Full Name, Description in the top
section of the window. (refer: Figure 4)
4.8. Enter the password details in the Password and Confirm password fields.
4.9. Select appropriate options as per Table 1.
Options                                   | Setting
User must change password at next Logon   | Checked
User cannot change password               | Unchecked
Password never expires                    | Unchecked
Account is disabled                       | Unchecked
Table 1
4.10. Click on the Create button to create the user account (refer: Figure 4)
4.11. A new user will be created as shown in the figure below
Figure 5
5. References
5.1. Security Policy for User
5.2. Hard disk / Folder Sharing Procedure
1. Introduction
A password is a secret word or string of characters that is used for authentication of a
user. It is imperative to enable the passwords on the client systems at various levels to
achieve an appropriate level of security. Passwords at different levels of the client
system act as a deterrent to users with malicious intent.
If passwords are not set, unauthorized users may gain access to the client system.
This document provides steps to enable the password at 3 levels on the client system.
These levels are as follows:
1.1. BIOS – During boot-up process.
1.2. Operating System – To logon to the operating system.
1.3. Screensaver – To resume the client system from an idle state.
2. Applicability
Windows 7 Professional
3. Implication
After applying these settings, users will have to supply passwords at 3 different levels on
a client system.
Figure 1
4.2.2. Using the right arrow key, go to the Security tab. (refer: Figure 2)
4.2.3. On the Security Tab, use the down arrow key to go to Set Setup
Password [4] and press the Enter key.
Figure 2
4.2.4. A window to set the Setup password appears.
4.2.5. Enter the desired password.
4.2.6. Using the down arrow key, go to the User Setup Access and set the access
level of the user from default Full Access to Limited Access.
Figure 3
4.2.7. Press the F10 Key to save and exit from the BIOS.
[4] In some versions of the BIOS, this may be referred to as “Set Supervisor Password”.
Name of the Document: Password Enabling Procedure - Windows 7
Classification: Restricted
Audience: Client System Users and System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014
Note: By configuring Limited access in the User Setup Access window, user would
be able to set only the user password and change the date and time option in the BIOS.
Figure 4
Figure 5
Note: The steps in this procedure may change depending on the BIOS version. Please refer to the
BIOS manual for more information.
Figure 6
Figure 7 [5]
5.4. Highlight the User to which the password has to be set and click on the Create a
password for an account. (refer: Figure 7)
5.5. A window to create password appears.
Figure 8
5.6. Enter the desired password in the Type the new password and Type the new
password again to confirm sections. (refer: Password Management
Guidelines)
5.7. Click on Create password.
7. References
7.1. Security Policy for User.
[5] Illustration in Figure 7 is for a user account ‘Test User’.
Name of the Document: Patch Installation Procedure - Windows 7
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014
7. Introduction
A patch is software designed to fix the identified problems in an Operating System. It can
be downloaded from the vendor’s website as an immediate solution. Patches are released for
fixing security vulnerabilities and other bugs, and for improving the usability or performance of an
Operating System.
If patches are not updated on a regular basis, systems may remain vulnerable to various
attacks.
This document provides steps for allowing latest patch / service pack / hotfix to be
installed on the systems.
8. Applicability
Microsoft Windows 7.
9. Implication
After applying patches, some applications or programs may stop working.
10. Procedure
10.1. Standalone Systems
10.1.1. Verify the updates as per the Patch Verification Procedure.
10.1.2. Request the System Administrator for the installation of updates if they
are found to be outdated or missing.
10.1.3. System Administrator will install the updates through authorized media.
10.1.4. Updates would be installed on the system. In a few cases it will prompt for a restart,
depending upon the patch / service pack / hotfix.
10.1.5. If any applications or programs stop working, contact System
Administrator for rollback.
[6] It is assumed that client systems are configured with “automatic updates” and updates are ready to be installed.
Figure 1
Figure 2
11. References
11.1. Security Policy for User
11.2. Client System Security Guidelines
12. Introduction
A patch is software designed to fix the identified problems in an Operating System. It can
be downloaded from the vendor’s website as an immediate solution. Patches are released for
fixing security vulnerabilities and other bugs, and for improving the usability or performance of an
Operating System.
If patches are not updated on a regular basis, systems may remain vulnerable to various
attacks.
This document provides steps for checking presence of latest patch / service pack /
hotfix.
13. Applicability
Microsoft Windows 7.
14. Implication
Nil
15. Procedure
Figure 1
3.1. Navigate to Windows Update.
Figure 2
Figure 3
Figure 4
4.5. Notify the System Administrator if any patch / service pack / hotfix is not
updated.
16. References
16.1. Security Policy for User
16.2. Client System Security Guidelines
This feature can be exploited by an attacker to gain un-authorized access to a client system.
This document provides steps to disable remote access and remote assistance to the client
systems.
14 Applicability
Windows 7.
15 Implication
After applying these settings the users of client systems cannot gain remote access to other
client systems and accept remote access invitations.
16 Procedure
4.1 To disable this feature using My Computer the following steps need to be followed:
4.1.1 Right Click on My Computer.
4.1.2 Select Properties.
4.1.3 Click on the Remote tab.
4.1.4 Uncheck the box next to Allow Remote Assistance invitations
to be sent from this computer and Allow users to connect
remotely to this computer. (refer: Figure 2).
Figure 1
Figure 2
17 References
16.1. Security Policy for System Administrator
If a client system is not configured with system idle timeout, the client systems may be
misused leading to data theft or destruction.
This document provides steps for enabling system idle timeout configuration.
18. Applicability
Microsoft Windows 7.
19. Implication
After applying this setting, users will be forced to submit a password after a stipulated
period of inactivity.
20. Procedure
20.1. Right-click on the power icon on the right side of the taskbar and select More
Power options.
4.3. Select Put the computer to sleep and set the time after which the computer
will go to sleep mode (recommended is 5 minutes), then press Save changes.
4.4. Now, select password protection on resume. For that, click on Require a
password on wakeup.
21. References
21.1. Security Policy for User
21.1. Security Guidelines for User
This document provides steps to restrict the active content in the Firefox web browser.
2 Applicability
Mozilla Firefox 3.6 web browser [1]
3 Implication
After applying these settings some applications / Websites may not load if active content
is blocked.
4 Definitions
4.1 Active Content: A Web page that provides interaction or dynamic changes
and contains "action items" (such as animated GIFs, Java, JavaScript,
streaming audio and video).
5 Procedure
5.1 On the Mozilla Firefox, select the Tools menu.
5.2 Click on Options.
Figure 1
[1] Snapshots attached are for Firefox 3.6 web browser; steps may vary marginally for other web browsers.
Figure 2
Figure 3
5.3.3 When the user is prompted, the contents of the cookie can be viewed and the
user can select whether to accept the cookies from other sites. This gives
the user more information about what sites are using cookies and also gives
more granular control of cookies as opposed to globally enabling them.
5.3.3.1 Select ‘Accept cookies from sites and accept
third-party cookies’ to have the browser remember the
decision and the pop up will not prompt whenever site is revisited.
Figure 4
5.3.4 Click on the Security category. The Passwords section contains various
options to manage stored passwords, and a Master Password feature to
encrypt the data on your system. This option will allow Firefox to manage
passwords.
5.3.5 The Warning message is prompted when a website tries to install add-ons.
The option will display a warning bar at the top of the browser when a web site
attempts to take such action.
Figure 5
Figure 6
5.3.6 The Content category contains an option to Enable Java to view the website’s
content. Uncheck to disable this feature unless it is a trusted website. After
you are finished visiting the site, disable Java until required again.
Figure 7
Figure 8
Select Settings from the Tools menu to use this privacy feature. A pop-up
will appear; checking the related items (‘browsing history’,
‘downloading history’, ‘active logging’, ‘cache’) will remove
potentially sensitive information from the web browser.
Figure 9
Figure 10
6 References
6.1 Security Guidelines for User.
1. Introduction
AutoComplete feature stores web addresses, usernames and passwords and entries made in the
forms of web pages. It uses this stored information to complete similar entries during subsequent
use.
Such features provide a window of opportunity for a malicious user to login to the website using
stored credentials of a legitimate user.
This document provides steps to disable the AutoComplete feature for usernames and passwords.
2. Applicability
Firefox 3.6 web browser [1]
3. Implication
After applying these settings, the user will have to type in the user ID, password, name, etc. every time
he / she uses the Firefox web browser to log on to any Intranet or Internet websites.
4. Procedure
4.1. Open the Firefox browser and navigate to Tools > Options > Privacy tab.
Figure 1
[1] Snapshots attached are for Firefox 3.6 web browser; steps may vary for other web browsers.
5. References
5.1. Security Guidelines for User.
1. Introduction
Auto Logon in Linux is a feature that enables automatic log-in to the system without user
intervention.
Anyone having physical access to the client system can also gain access to all the resources of the
system.
2. Applicability
Linux [1]
3. Implication
By applying these settings, user will have to type in the user ID and password every time while
logging on to the client system.
4. Procedure
4.1. By default Auto logon is disabled. To check, click on System > Administration > Login
Screen. A popup will appear.
Figure 1
[1] Snapshots attached are for Red Hat Enterprise Linux version 3, 4 & 5; steps may vary for other versions.
4.2. Go to the Security tab. Verify whether the checkbox for Enable automatic Login is active / enabled.
If it is enabled, uncheck it. This will disable the auto logon.
Figure 2
Note: This procedure applies to the user who has enabled this option for his convenience and wants to
disable as per the Security Policy for User.
5. References
5.1. Security Policy for User
If the Autorun feature is enabled, a malicious executable file on the media could infect the system.
2 Applicability
Linux [1]
3 Implication
After these settings are applied, CDs, DVDs, Floppy Disks, portable storage devices, etc. will not run
automatically when inserted into the system.
4 Procedure
4.1 The GConf system is one of the primary means to configure the users' desktops.
4.2 The GConf editor is available through Applications (main menu on the panel) >
System Tools > Configuration Editor and press the Enter key.
4.3 In the Configuration Editor’s browser panel, go to Desktop > gnome >
volume_manager_autorun.
4.4 Click the Autorun check box to stop autorun programs from running from newly mounted
removable media.
Figure 1
5 Reference
5.1 Security Policy for User
[1] Snapshots attached are for Red Hat Enterprise Linux version 3, 4 & 5; steps may vary for other versions.
1. Introduction
A cookie (also called tracking cookie, browser cookie or HTTP cookie) is a small text file placed by a
Web server on the user's client system. A cookie is used to maintain state information as users navigate
different pages on a Web site. A cookie consists of information such as user preferences, shopping cart
contents, an identifier for a server-based session, or other data used by websites.
A first-party cookie is one which originates from the Web site that the user is currently viewing. A third-party
cookie is one which originates from a Web site different from the one that the user is currently viewing.
Compared to first-party cookies, third-party cookies are vulnerable to various attacks (such as cookie theft,
cookie poisoning, cookie hijacking, etc. leading to disclosure of sensitive data). Hence, it is important to
block third-party cookies.
2. Applicability
Firefox 3.6 Web Browser [1]
3. Implication
After applying this setting, the user may not be able to access or view some parts of websites which
use third-party cookies.
4. Procedure
4.1. Open Firefox and navigate to Tools > Options > Privacy tab.
Figure 1
[1] Snapshots attached are for Firefox 3.6 web browser; steps may vary for other web browsers.
4.2. Un-check the “Accept third-party cookies”. This will disable the third party cookies on the
Firefox web browser.
4.3. Press Close to save settings.
5. References
5.1. Security Guidelines for User
1. Introduction
Backup is the process of making a copy of the original data so that the copy may be used to restore the
original data in case of an incident or data loss.
If backup of critical [8] data is not taken on a regular basis, data may not be available in case of an
incident (such as loss of system, operating system crash, natural disaster etc.).
2. Applicability
The procedure given is applicable to Linux Enterprise Version 3, 4, & 5 to backup the data stored on
the client systems. Data can be either backed up on separate drive or any data storage media (such as
CD, DVD, USB storage media, etc.) depending upon the requirement or guidelines defined by the
Ministry / Department.
3. Implication
If backup of critical data is not taken on a regular basis, data may not be available in case of an incident
(such as loss of system, operating system crash, natural disaster etc.).
The implication can be high CPU usage, heavy disk activity, heavy network traffic if the backup is taken
over the network. If these are not reported in advance then the monitoring systems can incorrectly
identify it as a suspicious activity. It will also help the system owner to schedule it during the off office
hours if the resource usage is very high.
4. Procedure
Red Hat Linux is not capable of performing a tape boot when running on backup tape. However, it is
also possible to use your Red Hat Linux CD-ROM as a rescue disk. Red Hat Linux comes with several
different programs for backing up and restoring data. The utility programs tar, cpio, dump can be used
for data backup.
4.1. The tar utility is the archiving method of choice for sharing ad-hoc bits of source code and
files between systems. The tar implementation included with Red Hat Linux is GNU tar, one
of the more feature-rich tar implementations.
Example:
tar cvf /mnt/backup/home-backup.tar /home/
[8] Critical data should be defined by the user based on user requirement.
4.1.3. The resulting archive file will be nearly as large as the data being backed up.
Depending on the type of data being backed up, compressing the archive file can
result in significant size reductions. The archive file can be compressed by adding a
single option to the previous command:
4.2. The cpio utility is a general-purpose program for moving data from one place to another and,
as such, can serve well as a backup program.
4.2.1. cpio reads the names of the files it needs to process via standard input. A
common method of generating a list of files for cpio is to use programs such as find
whose output is then piped to cpio:
find /home/ | cpio -o > /mnt/backup/home-backup.cpio
4.2.2. The command above creates a cpio archive file (containing all data in /home/)
called home-backup.cpio, residing in the /mnt/backup directory.
It will not restore the file, but only show the content of backup file.
4.4. In order to obtain the backup files, they are required to be restored. To restore the files with
either tar or cpio, provide the following commands:
4.4.1. Restoration from tar backup
Example:
# tar -xvf /mnt/backup/home-backup.tar
Note: tar restores the backup into the directory from which the command is executed.
So first use the cd command to go to the location where the data backup needs to be restored,
and then execute the tar command for restoration.
Note:
backup the content in output file
restore the file from backup file
5. References
5.1. Security Policy for User
[2] The .gz extension is traditionally used to signify that the file has been compressed with gzip. Sometimes
.tar.gz is shortened to .tgz to keep file names reasonably sized.
Sharing of Hard disk / Folders with other users on the network may pose a risk of unauthorized
disclosure, deletion or modification of data.
The Samba Server Configuration Tool is used to configure a Samba Server, with which one can share
files and / or printers with other computers, which can be Linux or Microsoft.
2. Applicability
Linux [1]
3. Implication
Sharing with infected systems is a potential security risk.
4. Procedure
4.1. To start the application on the desktop, go to the main menu of the panel and click on System →
Administration → Server Settings → Samba.
Figure 1
[1] Snapshots attached are for Red Hat Enterprise Linux version 3, 4 & 5, steps may vary for other versions.
4.2. The Samba Server Configuration Tool is a graphical interface for managing Samba shares,
users, and basic server settings. It modifies the configuration files in the /etc/samba/ directory.
Any changes to these files not made using the application are preserved. The details of the
shared resources are added by clicking Add Share.
Figure 2
Figure 3
5. References
5.1. Security Policy for User
Administrator account should be used for administrative activities only. Limited account should be
used for carrying out day-to-day activities.
2. Applicability
Linux [1]
3. Implications
Limited user cannot change client system settings and install software. With limited privileges some
programs may not run.
4. Procedure
4.1. One can add privileges to a user by making the user a member of a system group. This needs root
authentication. To create new users go to System → Administration → Users &
Groups.
4.2. Click on Add user. A popup will appear. Provide the user details.
1. Introduction
The default configuration of Linux operating systems may have weak configuration which
can be exploited by a malicious user. To minimize the exploitation possibilities, operating
system needs to be hardened.
This document provides the hardening procedure for the Red Hat Enterprise Linux operating
system.
2. Procedure
By default SSH is running version 1 and allowing direct root access to the system.
Disable the direct root access on the sshd_config file and use only protocol 2
which is more secure.
2.1.2. Solution
1) Edit /etc/ssh/sshd_config
2) Change Protocol 2,1 to Protocol 2
3) Change PermitRootLogin yes to PermitRootLogin no
4) Restart SSHD: /etc/rc.d/init.d/sshd restart
However where telnet terminal is used, banner information should be hidden. For
security reason, it is recommended not to use the telnet terminal.
2.2.2. Solution
2.3.2. Solution
2.4.2. Solution
Displaying appropriate warning messages when users access a system will assist in
processing computer crime cases and will also act as an effective deterrent.
2.5.2. Solution
maintenance, the activities of authorized users may also be monitored and recorded.
Any material so recorded may be disclosed as appropriate. Anyone using this
system consents to these terms.
2.6.2. Solution
2.6.2.1. /etc/securetty
2.6.2.2. Leave only two connections:
tty1
tty2
2.7.2. Solution
2.7.2.1. /etc/login.defs
2.7.2.2. Change PASS_MIN_LEN 5 to PASS_MIN_LEN 8
2.8.2. Solution
2.9.2. Solution
2.9.2.1. /etc/inittab
2.9.2.2. ~~:S:wait:/sbin/sulogin
This instructs the init to prompt for the root password by
executing the 'sulogin' program.
Users may use weak passwords or may not change passwords on a periodic
basis, such user accounts will be compromised and can lead to unauthorized
access.
2.10.2. Solution
2.10.2.1. Edit /etc/login.defs file and set the following password
configuration
2.11.2. Solution
2.11.2.1. /etc/pam.d/system-auth
In Red Hat Enterprise Linux, there are two predominant runlevels for operation.
Runlevel 5 boots directly into X Windows, so as to allow graphical login or easy
use of specialized X terminals and other convenient graphical tools. Otherwise,
for normal text-based console login, runlevel 3 is desirable. GUI login is activated
or deactivated by changing this runlevel in /etc/inittab.
Note: runlevel 3 allows a user to run X Windows (assuming the xfs service is
running) by typing:
startx
2.12.2. Solution
2.12.2.1. /etc/inittab
2.12.2.2. id:5:initdefault: ( change the value 5 -> 3).
2.13.2. Solution
2.13.2.1. /etc/ssh/sshd_config
2.13.2.2. Add the following line
AllowUsers user1 user2
2.14.2. Solution
2.14.2.1. /etc/ssh/banner
2.14.2.2. Add the banner content in the above file.
/etc/ssh/sshd_config
2.14.2.3. Add
Banner /etc/ssh/banner
2.14.2.4. Restart the service
/etc/init.d/sshd restart
2.15.2. Solution
2.15.2.1. /etc/inittab
2.15.2.2. Add the following line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
2.15.2.3. Save the change and restart init service for the change to take
effect
/sbin/init q
2.16.2. Solution
2.16.2.1. ntsysv --level 35
2.16.2.2. Enable only sshd, gpm, xfs, syslog, sysstat.
2.16.2.3. Login as root and run the setup command.
Below is the list of services that needs to be enabled on the client system, other
services can be disabled if not required.
User accounts are vulnerable to attacks and hence the passwords should be
stored in a secure format.
2.17.2. Solution
By default, during installation of RHEL, the option for encrypting the password using
MD5 is enabled. Ensure that it has not been altered in the following location
This allows a malicious user at the console to bypass any client system protection
and move into run level 1 as root and change system settings.
2.18.2. Solution
2.18.2.1. Edit /etc/inittab file to have entry as shown below.
id:5:initdefault:
~~:S:wait:/sbin/sulogin
[root]# /sbin/init q
2.19. Set a Password to the BIOS and Disable boot-up from BIOS
2.19.1. Description
By default BIOS on any client system is not configured with a password and boot-up
may be set to any of the devices like CD / DVD, floppies and external devices.
Configure the BIOS to disable booting from any devices and set a password to
protect these settings.
Booting from the BIOS may result in malicious software or virus being run from the
removable devices. Setting a password to the BIOS will prevent users from entering
single user mode or changing settings at boot time.
2.19.2. Solution
Set a password for the GRUB bootloader. Generate a password hash using the
command /sbin/grub-md5-crypt. Add the hash to the first line of
/etc/grub.conf as follows:
2.20.2. Solution
Check /etc/passwd file for all user accounts in the client system. Accounts that
can be safely disabled or deleted are:
Non-essential accounts
Root user should not be permitted to login from a remote console. The login
command is part of the authentication process to access a local Linux Operating
Environment account. Any action requiring direct login to the client system using
‘root’ should be restricted to the local console.
Login to the client system through telnet session can reveal the clear text password
of root user. Allowing remote login for root also enables a malicious user to attempt
access to the client system leading to system compromise.
2.21.2. Solution
In /etc/securetty file, verify that all the terminal parameters are present, so that
root cannot establish telnet sessions through those terminals
Ensure that /etc/securetty file contains the list of all terminals from where root
is not allowed to remotely login.
If a malicious user has access to passwd file, he can create user in that file.
Malicious user can alter the MD5 hash of the root password with a known hash in the
shadow file to get into the client system or he can add a newly created user under
root group in the group file.
2.22.2. Solution
Change the owner of the following files to the root
2.22.2.1. /etc/passwd
2.22.2.2. /etc/shadow
2.22.2.3. /etc/group
If SSH is not enabled, data transfer may be in clear text, which can be sniffed over
the network.
2.23.2. Solution
If SSH is required, ensure the SSH configuration file /etc/ssh/sshd_config
includes the following lines:
PermitRootLogin no
Protocol 2
Also limit SSH access to a subset of users. Create a group called sshusers and
only add the users that require remote access. Then, add the following line to
/etc/ssh/sshd_config:
AllowGroups sshusers
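The SSH settings asked for in this procedure (Protocol 2, PermitRootLogin no, an AllowUsers or AllowGroups restriction, and a Banner) can be checked in one pass. The script below is an added example, not part of the original guide; the function names and the two sample configuration files are constructed for illustration, and a missing Protocol or PermitRootLogin line is treated as a failure on the assumption, stated in this guide, that the defaults are weak.

```shell
#!/bin/bash
# Added example (not from the guide): check an sshd_config against the
# settings recommended above. The sample configs below are constructed.

# Print the value of the first uncommented occurrence of keyword $1 in file $2.
# sshd keywords are case-insensitive and the first value obtained is used.
effective_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$2"
}

# Print one FAIL line per deviation; return 0 only when there are none.
# Assumption: an absent Protocol or PermitRootLogin line counts as a failure,
# because the guide says the default allows protocol 1 and direct root login.
audit_sshd_config() {
    local file="$1" fails=0 proto root
    proto=$(effective_value Protocol "$file")
    root=$(effective_value PermitRootLogin "$file" | tr 'A-Z' 'a-z')

    if [ "$proto" != "2" ]; then
        echo "FAIL Protocol: '${proto:-unset}' (want: 2)"
        fails=$((fails + 1))
    fi
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin: '${root:-unset}' (want: no)"
        fails=$((fails + 1))
    fi
    if [ -z "$(effective_value AllowUsers "$file")" ] &&
       [ -z "$(effective_value AllowGroups "$file")" ]; then
        echo "FAIL AllowUsers/AllowGroups: no login restriction set"
        fails=$((fails + 1))
    fi
    if [ -z "$(effective_value Banner "$file")" ]; then
        echo "FAIL Banner: no warning banner configured"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Write two constructed sample files: $1 = unhardened, $2 = hardened.
write_sshd_samples() {
    cat > "$1" <<'EOF'
# constructed sample: settings before hardening
Protocol 2,1
#PermitRootLogin yes
EOF
    cat > "$2" <<'EOF'
# constructed sample: after applying the guide
Protocol 2
PermitRootLogin no
AllowGroups sshusers
Banner /etc/ssh/banner
EOF
}

# Demonstration on the constructed samples.
tmpdir=$(mktemp -d)
write_sshd_samples "$tmpdir/weak" "$tmpdir/hardened"
for f in weak hardened; do
    echo "== $f"
    audit_sshd_config "$tmpdir/$f" && echo "OK all checks passed"
done
rm -rf "$tmpdir"
```

A commented-out line such as "#PermitRootLogin yes" is reported as unset, which is why the first sample fails that check even though no active line enables root login.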
Upon typing the su command, the user is prompted for the root password and, after
successful authentication, is given a root shell prompt. Once logged in via
the su command, the user gets absolute administrative access to the system.
The sudo command offers another approach for granting administrative access to
users. When a trusted user precedes an administrative command with sudo, he /
she is prompted for a password. After authentication the administrative command is
executed as a root user.
2.24.2. Solution
To restrict the user that can su it is mandatory to add users to the special
administrative group called wheel. To do this, type the following command as root:
Next open the PAM configuration file for su, /etc/pam.d/su, in a text editor and
remove the comment [#] from the following line:
The use of the sudo command must be restricted to limited users only. Only authorized
users' entries can be added into the /etc/sudoers file.
2.25.2. Solution
Check if the following line is present in /etc/syslog.conf file. The same needs
to be created if found missing:
authpriv.*	/var/log/secure
Check if secure file is present in /var/log folder and verify the permission on the
file.
Add the following entry to /etc/syslog.conf for capturing syslog events sent to
LOG_AUTH. This contains information on unsuccessful login attempts, successful
and failed su (switch user) attempts.
authpriv.*	/var/log/secure
Use TAB key to separate auth.info from /var/log/secure and not space.
# touch /var/log/secure
# chown root /var/log/secure
# chmod 600 /var/log/secure
To check for and report potential conflicts and dependencies for deleting a RPM,
run:
rpm -e --test <package_name>
2.27.2. Solution
For Red Hat systems, Red Hat Network (RHN) is recommended for patch
management. For secure environments one may consider Red Hat's Satellite
solution. For more information, see Red Hat Network Architectural Overview.
One of the most important tasks is to detect and close network ports that are not
needed.
2.28.2. Solution
To get a list of listening network ports (TCP and UDP sockets), run the following
command:
# netstat -tulp
From the output confirm that xinetd, sendmail, and sshd are listening.
In current Red Hat Linux distributions, sendmail is configured to listen for local
connections only. Sendmail should not listen for incoming network connections
unless the server is a mail or relay server. Running a port scan from another server
will confirm that (make sure that permissions are given to probe a machine):
# nmap -sTU <remote_host>
Note that the above nmap command can take a while. However if the UDP port
scan (without the option "-U") is removed, then nmap will finish the port scan
immediately. Also if it is run on the local machine it will complete very fast. Also
note that nmap might not show all listening network sockets if a firewall is being
used to block ports.
From the output above check that the xinetd daemon is listening on port auth
(port 113) for IDENT. Also check that sendmail is not listening for remote incoming
network connections, see also Securing Sendmail.
Another method to list all of the TCP and UDP sockets to which programs are
listening is lsof:
2.29.2. Solution
2.29.2.1. Enable TCP SYN Cookie Protection
ICMP redirects are used by routers to tell the server that there is a better
path to other networks than the one chosen by the server. However, an
intruder could potentially use ICMP redirect packets to alter the host's
By default, Red Hat sets umask to 022 or 002 which is fine. If the name of
the user account and the group account is the same and the UID is 100 or
larger, then umask is set to 002, otherwise it's set to 022, check
/etc/bashrc for bash shells.
$ id
uid=509(test) gid=510(test) groups=100(users),510(test) context=user_u:system_r:unconfined_t
$ umask
0002
$ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t
# umask
0022
#
Example how umask works:
$ umask 000
$ touch file1
$ ls -l file1
-rw-rw-rw- 1 oracle oinstall 0 Dec 26 19:24 file1
$ umask 002
$ touch file2
$ ls -l file2
-rw-rw-r-- 1 oracle oinstall 0 Dec 26 19:24 file2
$ umask 022
$ touch file3
$ ls -l file3
-rw-r--r-- 1 oracle oinstall 0 Dec 26 19:25 file3
$
For the bash shell, umask is set in /etc/bashrc. The
/etc/bashrc file is for system-wide aliases and functions and is invoked
by ~/.bashrc.
When the SUID (set user ID) or SGID (set group ID) bits are set on an
executable, it executes with the UID or GID of the owner of the executable
rather than that of the person executing it. This means that e.g. all
executables that have the SUID bit set and are owned by root are
executed with the UID of root. A good example is the passwd command
that allows ordinary users to update the password field in the
/etc/shadow file which is owned by root.
But SUID/SGID bits can be misused when the SUID/SGID executable
has a security hole. Therefore, one might want to search the entire system
for SUID/SGID executables and document it. For example, ensure that
code developers don't set SUID/SGID bits on their programs if it's not an
absolute requirement. Very often one can use workarounds like removing
just the executable bit for world/others. However, a better approach is to
change the design of the software if possible.
To search the entire system for SUID or SGID files, run the following
command:
find / -path /proc -prune -o -type f -perm +6000 -ls
The -prune option in this example is used to skip the /proc
filesystem.
The "! -type l" parameter skips all symbolic links since symbolic links are
always world-writable. However, this is not a problem as long as the target
of the link is not world-writable, which is checked by the above find
command.
World-Writable directories with sticky bit such as the /tmp directory do not
allow anyone except the owner of a file to delete or modify it in this
directory. The sticky bit makes files stick to the user who created it and it
prevents other users from deleting and renaming the files. Therefore
depending on the purpose of the directory, world-writable directories with
sticky are usually not an issue. An example is the /tmp directory:
$ ls -ld /tmp
drwxrwxrwt 18 root root 16384 Dec 23 22:20 /tmp
The "t" mode, which denotes the sticky bit, allows files to be deleted and
renamed only if the user is the owner of this file or the owner of the
directory.
Files not owned by any user or group might not necessarily be a security
problem in itself. However, unowned files could pose a security problem in
the future. For example, if a new user is created and the new user
happens to get the same UID as the unowned files have, then this new
user will automatically become the owner of these files.
To locate files not owned by any user or group, use the following
command:
find / -path /proc -prune -o -nouser -o -nogroup
It is important that all system and vendor accounts that are not used for
logins are locked.
To get the list of unlocked accounts in the system, check the accounts that
do not have an encrypted password string starting with "!" or "*" in
the /etc/shadow file.
If the account is locked using passwd -l, it will put a '!!' in front of the
encrypted password, effectively disabling the password. If the account is
locked using usermod -L, it will put a '!' in front of the encrypted
password. Most of the system and shared accounts are usually locked by
default by having a '*' or '!!' in the password field which renders the
encrypted password into an invalid string.
Hence, to get a list of all unlocked (encryptable) accounts, run:
# egrep -v '.*:\*|:\!' /etc/shadow | awk -F: '{print $1}'
Also make sure all accounts have an 'x' in the password field in
/etc/passwd. The following command lists all accounts that do not have
an 'x' in the password field:
# grep -v ':x:' /etc/passwd
An 'x' in the password field means that the password has been shadowed,
i.e. the encrypted password has to be looked up in the /etc/shadow file.
If the password field in /etc/passwd is empty, then the system would not
lookup the shadow file and it will not prompt the user for a password at the
login prompt.
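The account checks described above can also be done by comparing exact fields rather than matching patterns anywhere in the line, which separates empty-password accounts from unlocked ones and allows /etc/passwd and /etc/shadow to be cross-checked. This is an added example, not part of the original guide: the function names, the sample account data and the UID threshold of 500 used to mean "system account" are assumptions.

```shell
#!/bin/bash
# Added example (not from the guide): field-exact account checks on copies of
# /etc/shadow and /etc/passwd. All account data below is constructed.

# Accounts whose shadow password field is a usable hash: not empty and not
# starting with "!" or "*".
unlocked_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Accounts with an empty shadow password field.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts whose /etc/passwd password field is anything other than "x".
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# System accounts that are still unlocked. Arguments: shadow file, passwd
# file, optional UID limit. Assumption: UIDs below 500 are system or vendor
# accounts; root is excluded because it is expected to have a password.
unlocked_system_accounts() {
    awk -F: -v uid_min="${3:-500}" '
        FILENAME == ARGV[1] { hash[$1] = $2; next }   # first file: shadow
        $1 != "root" && $3 + 0 < uid_min + 0 &&
            ($1 in hash) && hash[$1] != "" && hash[$1] !~ /^[!*]/ { print $1 }
    ' "$1" "$2"
}

# Write constructed sample files: $1 = shadow copy, $2 = passwd copy.
write_account_samples() {
    cat > "$1" <<'EOF'
root:$1$constructed$notarealhash000000000:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
daemon:!!:15000:0:99999:7:::
ftpvendor:$1$constructed$notarealhash111111111:15000:0:99999:7:::
alice:$1$constructed$notarealhash222222222:15000:0:99999:7:::
bob:!$1$constructed$notarealhash333333333:15000:0:99999:7:::
guest::15000:0:99999:7:::
EOF
    cat > "$2" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftpvendor:x:14:50:vendor:/var/ftp:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/bin/bash
guest::503:503::/home/guest:/bin/bash
EOF
}

# Demonstration on the constructed samples.
tmpdir=$(mktemp -d)
write_account_samples "$tmpdir/shadow" "$tmpdir/passwd"
echo "unlocked:        $(unlocked_accounts "$tmpdir/shadow" | tr '\n' ' ')"
echo "empty password:  $(empty_password_accounts "$tmpdir/shadow" | tr '\n' ' ')"
echo "not shadowed:    $(unshadowed_accounts "$tmpdir/passwd" | tr '\n' ' ')"
echo "unlocked system: $(unlocked_system_accounts "$tmpdir/shadow" "$tmpdir/passwd" | tr '\n' ' ')"
rm -rf "$tmpdir"
```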
All system or vendor accounts that are not being used by users,
applications, by the system or by daemons should be removed from the
system. Use the following command to find out if there are any files owned
by a specific account:
# find / -path /proc -prune -o -user <account> -ls
The -prune option in this example is used to skip the /proc filesystem.
If one is unsure that an account can be deleted, remove the account using
the following command:
# userdel -r <account>
Without the "-r" option userdel will not delete the user's home directory
and mail spool (/var/spool/mail/<user>).
Some admins suggest to add the following line to the /etc/inittab file
to ensure that a root password is required for Single User Mode logons:
~~:S:wait:/sbin/sulogin
At the GRUB or LILO prompt one can instruct the boot loader to use an alternate
init program by using the boot params "init=/bin/bash". This
will lead to a root shell prompt without a password.
Create a new group for each set of users that are allowed to su to the root,
oracle, and postgres account:
# groupadd rootmembers
# groupadd oraclemembers
# groupadd postgresmembers
Add all users who are allowed to su to the root, oracle, and postgres
account to the new member groups created above. The following
requirement will be configured:
- Only admin1 should be able to su to root, oracle, and postgres.
- Only oracledba1 should be able to su to oracle.
- Only postgresdba1 should be able to su to postgres.
- No one else on the system should be able to su to any account.
# usermod -G rootmembers adminuser1
# usermod -G oraclemembers oracleuser1
The control flag required which is specified for both modules means that
both modules have to return Success. Otherwise this PAM service will
return Failure to the "su" PAM service configured in /etc/pam.d/su.
The first line returns Success only if the user is in the rootmembers
groups. The second line allows only access (sense=allow) to those users
specified in /etc/security/rootusername, which is root, oracle, and
postgres - these are the only users that will be accepted as a user
argument to su. The item=user argument instructs pam_listfile that
the entries in /etc/security/rootusername are usernames. If an
error occurs, such as an unreadable configuration file, access is denied
(onerr=fail).
If one of the two PAM services returns Success, it will return Success to
the "su" PAM service configured in /etc/pam.d/su. Otherwise the last
module will be invoked which will deny all further requests and the
authentication fails.
Next the PAM services "su-oracle-members" and "su-postgres-members"
have to be created.
The file /etc/pam.d/su-oracle-members referenced in
/etc/pam.d/su-other-members should read like:
auth required /lib/security/pam_wheel.so use_uid group=oraclemembers
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-oraclemembers-access
Linux allows setting limits on the amount of system resources that users and groups
can use. This is also very handy if bugs in programs accidentally use up too many
resources, slow down the machine, or even render the system unusable.
Incorrect settings allow programs to use up too many resources, which makes the
server unresponsive to new connections or local logins (e.g. a program uses up all
file handles on the system). This could become a security issue if someone is
allowed to use up all resources and causes a denial of service attack. Depending on
the environment one should review resource limits for user accounts and groups.
2.33.2. Solution
1. For setting or restricting system resources for an Oracle user account, check for
a list of system resource settings with /etc/security/limits.conf. Also
check for the default settings for the resource.
Most shells like Bash provide control over various resources like the maximum
allowable number of open file descriptors or the maximum number of processes
available to a user. To see all shell limits, run:
ulimit -a
For more information on ulimit for the Bash shell, see man bash and search
for ulimit.
2. Setting "hard" and "soft" limits might not work properly when someone logs in to
oracle using an SSH session. It should work if one logs in as root and uses su to
switch to oracle. Resource limits should also work if the application is started
automatically during the boot process. If changes to the resource limits in
/etc/security/limits.conf are not applied when logging in through SSH,
try setting UsePrivilegeSeparation in
/etc/ssh/sshd_config to "no" and restart the SSH daemon by executing
/etc/init.d/sshd restart. Unfortunately, privilege separation does not
work properly with PAM on some Linux distributions. But also note that turning off
privilege separation is not really recommended since it's a valuable security
feature that has already prevented exploitation of SSH vulnerabilities.
For example, to change the number of file handles or open files that the Oracle
user can use, edit the file /etc/security/limits.conf as root and make
the following changes or add the following lines, respectively:
oracle soft nofile 4096
oracle hard nofile 63536
The "soft limit" in the first line defines the number of file handles or open files that
the Oracle user will have after login. If the Oracle user gets error messages about
running out of file handles, then the Oracle user can increase the number of file
handles like in this example up to 63536 ("hard limit") by running the following
command:
ulimit -n 63536
The "soft" and "hard" limits can be set higher if necessary. It is not recommended
to set the "hard" limit for nofile for the oracle user equal to
/proc/sys/fs/file-max. If the oracle user uses up all the file handles, then
the whole system will be out of file handles. This could mean that one won't be able
to initiate new remote logins any more since the system won't be able to open any
PAM modules which are required for performing a login.
One should ensure that pam_limits is configured in the file
/etc/pam.d/system-auth, or in /etc/pam.d/sshd (for SSH),
/etc/pam.d/su (for su), or /etc/pam.d/login (local logins and telnet) if it is
not enabled for all logins, or if /etc/pam.d/system-auth does not exist like on
SUSE. This is the PAM module that will read the /etc/security/limits.conf
file. The entry should read like:
session required /lib/security/pam_limits.so
Login to the oracle account again since the changes will become effective for new
login sessions only.
$ su - oracle
$ ulimit -n
4096
$
It is important to note that the ulimit options are different for other shells.
The default limit for oracle is now 4096 and the oracle user can increase the
number of file handles up to 63536:
$ su - oracle
$ ulimit -n
4096
$ ulimit -n 63536
$ ulimit -n
63536
$
To make this change permanent, add "ulimit -n 63536" (for Bash) to the
~oracle/.bash_profile file which is the user startup file for the Bash shell on
Red Hat Linux (to verify shell run: echo $SHELL).
To check this, copy/paste the following commands for the oracle's Bash shell:
su - oracle
cat >> ~oracle/.bash_profile << EOF
ulimit -n 63536
EOF
To search the entire system for SUID or SGID files, run the following command:
find / -path /proc -prune -o -type f -perm +6000 -ls
To remove the setuid/gid bit for files do:
If cPanel does not run with /tmp permissions, then provide the following:
root# ls -al /
If the cPanel is not running, then manually mount the filesystems as non-
executable. If the user has a separate partition for /tmp, then simply remount it
with noexec, nosuid options.
Also edit /etc/fstab with these options and type "mount -o remount
/tmp". Then create a symbolic link from /var/tmp to /tmp ("ln -s /tmp
/var/tmp"). Also back up any of the files in /var/tmp and move them to
/tmp.
Check for the MySQL socket, as it might be required to be recreated. After creating
the symbolic link, remove the MySQL socket and recreate it:
root@server [~]# mount -o rw,noexec,nodev,nosuid,remount /tmp
A) To setup vsftp server with no shell access to users. Users can log into ftp but
not ssh.
After installation of vsftp server change in vsftpd.conf:
2.37.1.1. Turn off anonymous users with following command
anonymous_enable=NO
1. Introduction
A password is a secret word or string of characters that is used for authentication of a user. It is
imperative to enable the passwords on the client systems at various levels to achieve an appropriate
level of security. Passwords at different levels of the client system act as a deterrent to users with
malicious intent.
If passwords are not set, unauthorized users may gain access to the client system.
This document provides steps to enable the password at 3 levels on the client system. These levels are
as follows:
1.1. BIOS – During boot-up process.
1.2. Operating System – To logon to the operating system.
1.3. Screensaver – To resume the client system from an idle state.
2. Applicability
Linux
3. Implication
After applying these settings, users will have to supply passwords at 3 different levels on a client
system.
Figure 1
4.2.2. Using the right arrow key, go to the Security tab. (refer: Figure 2)
4.2.3. On the Security Tab, use the down arrow key to go to Set Setup Password [9] and press
Enter key.
Figure 2
4.2.4. A window to set the Setup password appears.
4.2.5. Enter the desired password.
[9] In some versions of the BIOS, this may be referred to as “Set Supervisor Password”.
4.2.6. Using the down arrow key, go to the User Setup Access and set the access level of the user
from default Full Access to Limited Access.
Figure 3
4.2.7. Press the F10 Key to save and exit from the BIOS.
Note: By configuring Limited access in the User Setup Access window, user would be able to set
only the user password and change the date and time option in the BIOS.
Figure 4
Figure 5
4.3.5. A window to set the user password appears.
4.3.6. Enter the desired password and press F10 to save and exit.
4.3.7. This Configuration will result in a password prompt each time the client system boots-up.
4.4.1. Configure GRUB by adding a password directive to its configuration file. First decide on a
password, then open a shell prompt, log in as root, and type:
/sbin/grub-md5-crypt
4.4.2. When prompted, type the GRUB password and press [Enter]. This will return an MD5 hash of
the password.
4.4.3. Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and below the
timeout line in the main section of the document, add the following line:
4.4.5. The next time you boot the system, the GRUB menu will not let you access the editor or
command interface without first pressing [p] followed by the GRUB password.
4.4.6. However, the above steps do not prevent an attacker from booting into a non-secure operating
system in a dual-boot environment. For this, one needs to edit a different part of the
/boot/grub/grub.conf file.
4.4.7. Look for the title line of the non-secure operating system and add a line that says
lock directly beneath it.
Warning
You must have a password line in the main section of the /boot/grub/grub.conf file for this to
work properly. Otherwise an attacker will be able to access the GRUB editor interface and remove the
lock line.
4.4.8. To have a different password for a particular operating system, add a lock line to the
stanza followed by a password line.
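Whether a grub.conf actually follows steps 4.4.3 to 4.4.8 can be checked mechanically: a lock line only protects an entry when the main section also carries a password line. The script below is an added example, not part of the original guide; the function names and both sample files are constructed, and it relies on the GRUB legacy directives password, title and lock.

```shell
#!/bin/bash
# Added example (not from the guide): report which GRUB (legacy) menu entries
# are actually protected. The grub.conf contents below are constructed.

# Prints one "<title> => <state>" line per menu entry, then whether the main
# section (everything before the first title) has a password line. States:
#   unlocked             no lock line; the entry boots without a password
#   locked               lock line, protected by the main-section password
#   locked-own-password  lock line followed by the entry's own password line
#   lock-ineffective     lock line but no main-section password (see Warning)
grub_lock_report() {
    awk '
        function emit() {
            if (!in_stanza) return
            if (!locked)      state = "unlocked"
            else if (!global) state = "lock-ineffective"
            else if (own)     state = "locked-own-password"
            else              state = "locked"
            print name " => " state
        }
        /^[ \t]*#/ { next }
        $1 == "title" {
            emit(); in_stanza = 1; locked = 0; own = 0
            name = $0; sub(/^[ \t]*title[ \t]+/, "", name); next
        }
        $1 == "password" { if (!in_stanza) global = 1; else if (locked) own = 1 }
        $1 == "lock" && in_stanza { locked = 1 }
        END { emit(); print "main-section-password => " (global ? "yes" : "no") }
    ' "$1"
}

# Write constructed samples: $1 follows the procedure, $2 omits the
# main-section password line.
write_grub_samples() {
    cat > "$1" <<'EOF'
default=0
timeout=5
password --md5 $1$constructed$notarealhash000000000
title Red Hat Enterprise Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2
title Other OS
        lock
        rootnoverify (hd0,1)
        chainloader +1
title Maintenance
        lock
        password --md5 $1$constructed$notarealhash111111111
        root (hd0,0)
EOF
    cat > "$2" <<'EOF'
default=0
timeout=5
title Red Hat Enterprise Linux
        root (hd0,0)
title Other OS
        lock
        rootnoverify (hd0,1)
EOF
}

# Demonstration on the constructed samples.
tmpdir=$(mktemp -d)
write_grub_samples "$tmpdir/good.conf" "$tmpdir/bad.conf"
for f in good.conf bad.conf; do
    echo "== $f"
    grub_lock_report "$tmpdir/$f"
done
rm -rf "$tmpdir"
```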
Note: The steps in this procedure may change depending on the BIOS version. Please refer to the BIOS
manual for more information.
The password can be changed for user and group accounts. A normal user may only change the
password for his/her account; the super user may change the password for any account. The
administrator of a group may change the password for the group. The command passwd changes
account information, such as the full name of the user, user's login shell, or password expiry date and
interval.
5.1.3. The user is first prompted for his/her old password, if one is present. This password is then
encrypted and compared against the stored password. The user has only one chance to enter
the correct password. The super user is permitted to bypass this step so that forgotten
passwords may be changed.
5.1.4. A new password is tested for complexity. Passwords should consist of 6 to 8 characters
including one or more from each of following sets:
Lower case alphabetic
Upper case alphabetic
Digits 0 thru 9
Punctuation marks
Where,
ABC - is username or account name.
5.3.1. When the -g option is used, the password for the named group is changed.
For example change password for group sales:
# passwd -g sales
5.3.2. The current group password is not prompted for. The -r option is used with the -g option
to remove the current password from the named group. This allows group access to all
members. The -R option is used with the -g option to restrict the named group for all
users.
7. References
7.1. Security Policy for User.
This document provides steps to disable remote access and remote assistance to the client
systems.
2 Applicability
Linux [1]
3 Implication
After applying these settings the users of client systems cannot gain remote access to
other client systems and accept remote access invitations.
4 Procedure
4.1 To gain access to a remote user's desktop, the user's environment must be configured to
allow remote access. There are different levels of access that a desktop user may grant to
another, ranging from simple viewing of the user's desktop, to gaining complete control of
the desktop.
The different levels of access are configurable through Applications (the main menu on
the panel) → Preferences → Remote Desktop.
Note: By default this option is disabled
Figure 1
[1] Snapshots attached are for Red Hat Enterprise Linux version 3, 4 & 5, steps may vary for other versions.
4.2 If the check boxes are enabled, un-checking them will disable the remote access.
Figure 2
4.3 With the above access permissions, the administrator should be able to gain complete
access to the user's desktop.
5 References
5.1. Security Policy for System Administrator.
1. Introduction
System Idle Timeout is a configuration setting which forces the user to re-login after a
stipulated period of inactivity.
If a client system is not configured with system idle timeout, the client systems may be
misused leading to data theft or destruction.
This document provides steps for enabling system idle timeout configuration.
By default the screen-saver lockout is set to 10 Min with a password protection. One can
change the lockout time as per his preference.
2. Applicability
Linux [1]
3. Implication
After applying this setting, users will be forced to submit a password after a stipulated
period of inactivity.
4. Procedure
4.1. Right click on the desktop, select Properties
4.2. Click on the Screen Saver Preferences
Figure 1
[1] Snapshots attached are for Red Hat Enterprise Linux version 3, 4 & 5, steps may vary for other versions.
4.3. Set the time after which screensaver should appear. (Recommended is 10
minutes).
4.4. Select Activate Screensaver when computer is idle and Lock Screen when
screen saver is active
4.5. Click the Close button at the bottom to save the settings.
5. Reference
5.1. Security Policy for User
5.2. Security Guidelines for User