
Standard Operating Procedures

(Version 3.0)
for
Cyber Security Policies
for
Government of India

(January 2014)

Cyber Security Group


National Informatics Division
Department of Electronics & Information Technology
Ministry of Communications & Information Technology
Government of India
Contents

S. No.  Title                                                              Page No.
1       Asset Management Procedure                                         1
2       Removable Media Boot-up Disable Procedure                          4
3       Active Content Configuration Procedure - Internet Explorer 9 & 10  6
4       Antivirus Management Procedure - Windows 7                         12
5       Auto-Complete Disable Procedure - Internet Explorer 9 & 10         21
6       Auto-Logon Disable Procedure - Windows 7                           24
7       Auto-Run Disable Procedure - Windows 7                             26
8       Cookie Blocking Procedure - Internet Explorer 9 & 10               28
9       Data Backup & Restoration Procedure - Windows 7                    31
10      Hard Disk / Folder Sharing Procedure - Windows 7                   39
11      Limited User Account Creation Procedure - Windows 7                45
12      Password Enabling Procedure - Windows 7                            48
13      Patch Installation Procedure - Windows 7                           53
14      Patch Verification Procedure - Windows 7                           55
15      Remote Login Disable Procedure - Windows 7                         58
16      System Idle Timeout Configuration Procedure - Windows 7            60
17      Active Content Configuration Procedure - Linux                     64
18      Auto-Complete Disable Procedure - Linux                            71
19      Auto-Logon Disable Procedure - Linux                               73
20      Auto-Run Disable Procedure - Linux                                 75
21      Cookie Blocking Procedure - Linux                                  76
22      Data Backup & Restoration Procedure - Linux                        78
23      Hard Disk / Folder Sharing Procedure - Linux                       81
24      Limited User Account Creation Procedure - Linux                    83
25      Linux Operating System Hardening Procedure - Linux                 84
26      Password Enabling Procedure - Linux                                112
27      Remote Login Disable Procedure - Linux                             118
28      System Idle Timeout Configuration Procedure - Linux                120
Name of the Document: Asset Management Procedure
Classification: Restricted
Audience: Client System Administrator, Network Administrator and Network Security Administrator
Version: 3.0
Date of last change: 1st Jan, 2014

ASSET MANAGEMENT PROCEDURE

1. Introduction
An asset is hardware or software that is of value / importance to a Ministry / Department. It is therefore essential to maintain a proper record of each asset.

Assets that are not recorded and tracked may be stolen or misused without the loss being noticed, and a system that is not in the register cannot be reliably patched, monitored or investigated after an incident.

This document provides the necessary steps for maintaining a record of cyber resources.

2. Asset Register
An Asset Register should be maintained which includes the following information about each asset:
2.1. Asset ID: A unique asset identification number assigned to each asset for easy and quick identification. (refer: Asset Management Guidelines)
2.2. Asset Name [1]: Name given for identification of the asset based on its functionality.
2.3. Asset Details: Details about the asset such as IP address, MAC address, hostname, software license number, etc.
2.3.1. IP address: Logical address allocated to client systems, network devices and network security devices by the System Administrator or Network Administrator.
2.3.2. MAC address: A Media Access Control (MAC) address is a unique identifier assigned to a network adapter or network interface card by the manufacturer. A MAC address can be changed in software, so it helps to identify an adapter but should not be treated as proof of a system's identity.
2.3.3. Hostname: A unique name by which a system / network device / network security device connected to the network can be identified.
2.3.4. Serial No. / License: For hardware provide the serial number; for software provide the license key. License keys are sensitive, which is one reason the register itself is classified Restricted.
2.4. Asset Type: There are two types of assets, as follows:
2.4.1. Hardware: Physical devices which are required / used to support operations. For example – client systems, routers, firewalls, printers, etc.

[1] Asset Name: 'Payroll Server' could be the name of the asset which is used for processing the salaries of employees. In case more than one asset provides the same functionality, the asset name should be suffixed by a number, such as Payroll Server 1, Payroll Server 2 and so on.

Asset Management Procedure Page 1



2.4.2. Software: Software which is used to support / facilitate the operations of the Ministry / Department. For example – operating system software, application software, development tools and utilities.
2.5. Physical Location: Physical location and details of where the asset is kept.
2.6. Owner: User to whom the asset is assigned for the operations of the Ministry / Department.
Asset information should be captured using the Asset Register Template (attached in the Annexure).
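The fields in section 2 that a client can report about itself need not be typed in by hand. The following PowerShell script is an added example and is not part of this SOP or of the Asset Register template: it gathers the hostname, IP and MAC addresses, serial number, make / model and operating system from the local Windows 7 client and appends one Hardware row to a CSV register. The Asset ID, Asset Name, Location and Owner are supplied by the administrator because they are assigned rather than discovered. The CSV path and the column names are assumptions to be mapped onto the template in the Annexure; software rows (license keys) are still entered manually.

```powershell
<#
  Added example, not part of the SOP. Collects the section 2 details of the local
  client and appends a Hardware row to a CSV register. Written for the PowerShell 2.0
  that ships with Windows 7. Register path and column names are assumptions.
#>
param(
    [Parameter(Mandatory=$true)][string]$AssetId,    # assigned per Asset Management Guidelines
    [Parameter(Mandatory=$true)][string]$AssetName,  # e.g. 'Payroll Workstation 1'
    [Parameter(Mandatory=$true)][string]$Location,
    [Parameter(Mandatory=$true)][string]$Owner,
    [string]$Register = 'C:\AssetRegister\AssetRegister.csv'   # assumed path; keep it Restricted
)

# Only IP-enabled adapters are recorded; a disabled adapter has no address to register.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled })
$bios = Get-WmiObject Win32_BIOS
$cs   = Get-WmiObject Win32_ComputerSystem
$os   = Get-WmiObject Win32_OperatingSystem

$row = New-Object PSObject -Property @{
    AssetID         = $AssetId
    AssetName       = $AssetName
    AssetType       = 'Hardware'
    Hostname        = $cs.Name
    IPAddress       = (($nics | ForEach-Object { $_.IPAddress })  -join ';')   # all IPv4/IPv6 addresses
    MACAddress      = (($nics | ForEach-Object { $_.MACAddress }) -join ';')
    SerialNo        = $bios.SerialNumber
    MakeModel       = ('{0} {1}' -f $cs.Manufacturer, $cs.Model).Trim()
    OperatingSystem = ('{0} SP{1}' -f $os.Caption, $os.ServicePackMajorVersion).Trim()
    Location        = $Location
    Owner           = $Owner
    RecordedOn      = (Get-Date).ToString('yyyy-MM-dd')
}
# A hashtable does not preserve order on PowerShell 2.0, so fix the column order explicitly.
$row = $row | Select-Object AssetID, AssetName, AssetType, Hostname, IPAddress, MACAddress,
                            SerialNo, MakeModel, OperatingSystem, Location, Owner, RecordedOn

$dir = Split-Path -Parent $Register
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

# Export-Csv -Append does not exist on PowerShell 2.0: write the header only when the file is created.
$csv = $row | ConvertTo-Csv -NoTypeInformation
if (Test-Path $Register) { $csv | Select-Object -Skip 1 | Out-File -FilePath $Register -Append -Encoding UTF8 }
else                     { $csv | Out-File -FilePath $Register -Encoding UTF8 }

$row | Format-List
```

Saved as, for instance, Register-Asset.ps1 (an assumed file name), it is run once per client as `.\Register-Asset.ps1 -AssetId NIC-DL-0042 -AssetName 'Payroll Workstation 1' -Location 'Block A, Room 12' -Owner 'A. Kumar'` and the resulting rows are pasted into the Asset Register template. The serial numbers and addresses it writes are exactly the data the register is meant to protect, so the CSV must not be left on a shared folder.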

3. Procedure
The Asset Management procedure is a bottom-up approach: asset information is collected for every Ministry / Department at each location and consolidated upwards. The role of each person is defined below:

3.1. For Network devices / Network Security devices
3.1.1. Network Administrator / Network Security Administrator
3.1.1.1. Collect and maintain asset information using the Asset Register Template.
3.1.1.2. Forward the asset information to the Information Security Officer and the National Security Operations Centre.
3.1.2. National Security Operations Centre
3.1.2.1. Maintain the consolidated asset information from all locations.

3.2. For Client Systems, Software, Peripheral devices and other Accessories
3.2.1. System Administrator
3.2.1.1. Collect and maintain asset information using the Asset Register Template.
3.2.1.2. Forward the asset information to the respective Information Security Officer, Network Administrator and Network Security Administrator.
3.2.2. Information Security Officer
3.2.2.1. Review and maintain the asset information received from the System Administrator, Network Administrator and Network Security Administrator.
3.2.2.2. Forward the consolidated asset information to the Chief Information Security Officer of the respective Ministry / Department at the frequency defined in the Asset Management Guidelines.


3.2.3. Chief Information Security Officer
3.2.3.1. Maintain the consolidated asset information from all locations.

4. Annexure

Annexure                 Template Name
Asset Register Template  Asset Register.xls

5. References
5.1. Security Policy for System Administrator
5.2. Security Policy for Department
5.3. Security Policy for Network connected to Internet
5.4. Asset Management Guidelines

Name of the Document: Removable Media Boot Up Disable Procedure
Classification: Restricted
Audience: System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014

REMOVABLE MEDIA BOOT UP DISABLE PROCEDURE

1. Introduction
During boot-up the BIOS tries the configured boot devices in order and starts the client system from the first one that contains bootable code. Removable media can also be configured as a boot device.

If booting from removable media is enabled, anyone with physical access to the client system can boot an operating system of their choice from a removable disk and read, copy or modify the contents of the hard disk, bypassing the access controls of the installed operating system. Hence, this feature should be disabled.

This document provides steps to disable boot-up from any removable media such as CD-ROMs, floppy disks, USB flash drives, etc.

2. Applicability
All systems

3. Implication
After applying these settings the client systems will not boot from any removable media. Re-installation or recovery from bootable media will require the setup password to re-enable it temporarily.

NOTE: The steps in this procedure may change depending on the BIOS version. Please refer to the BIOS manual for more information. The setting is only effective if the BIOS setup is protected by a setup password (refer: step 6.2); otherwise anyone with physical access can simply re-enable booting from removable media.

4. Definition
4.1. BIOS: The Basic Input / Output System (BIOS) is the boot firmware, designed to be the 'first code' run by a client system when it is powered on. The function of the BIOS is to identify, test and initialize client system devices such as the video display card, hard disk, floppy disk, etc., and then hand over control to the selected boot device.

5. Instructions for Changing BIOS Settings


The following keys can be used to navigate or perform tasks in BIOS.
5.1. Up and down arrow keys can be used to select an item on the current screen.
5.2. Right or left arrow keys can be used to switch between each of the available
menus.
5.3. To change the values a user may use + / - keys.
5.4. To enter a submenu, use the Enter key.
5.5. Finally, once the values have been changed pressing the F10 key will save the
values and exit from the BIOS setup.

6. Procedure
6.1. Switch on the client system and press the F2 key, before the operating system starts loading, to enter the BIOS setup. (This key may vary depending on the make of the BIOS.)
6.2. Enter the setup password to enter the BIOS setup. A screen as shown below appears. (refer: Figure 1)


Figure 1

6.3. Use the right arrow key to go to the Boot menu.
6.4. Use the down arrow key to go to First Boot Device.
6.5. Press the Enter key and use the Up or Down arrow key to select the Hard Drive option in the First Boot Device section. (refer: Figure 2)

Figure 2 – First Boot Device Settings

6.6. Press the F10 key to save the configuration and exit.
6.7. Choose Yes and press the Enter key when prompted.

NOTE: Many BIOS versions also offer a one-time boot device menu (often F12 or Esc) that overrides the configured boot order without entering setup. Where such an option exists it should also be disabled, or protected by the setup password, otherwise the setting above can be bypassed.

7. Reference
7.1. Security Policy for User

Name of the Document: Active Content Configuration Procedure – Internet Explorer 9 & 10
Classification: Restricted
Audience: Client System Users and System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014

ACTIVE CONTENT CONFIGURATION PROCEDURE – INTERNET EXPLORER 9 & 10

1 Introduction
Some Web pages contain active content (such as ActiveX controls, JavaScript, etc.) that may pose a security risk. If the browser settings are not configured appropriately, malicious content may be downloaded / executed on the client system without the user's knowledge.

This document provides steps to restrict active content in Internet Explorer.

2 Applicability
Internet Explorer version 9.0 and 10.

3 Implication
After applying these settings some applications / Websites may not load, or may prompt the user, when active content is blocked. The settings below apply to the Internet zone only; sites placed in the Local intranet or Trusted sites zones are governed by those zones' more permissive settings, so a site should not be added to Trusted sites merely to make it work.

4 Definitions
4.1 Active Content: A Web page that provides interaction or dynamic changes
and contains "action items" (such as animated GIFs, Java, JavaScript,
streaming audio and video or ActiveX controls).

4.2 ActiveX: ActiveX is one of the technologies used to add interactivity to Web
pages. It can be automatically downloaded and executed by a Web browser.

5 Procedure
5.1 Open Internet Explorer and left click on the Tools (gear) icon shown in Figure 1.
5.2 Click on Internet Options.


Figure 1
5.3 Click on the Security tab.
5.4 Select the Internet Web content zone to specify its security settings.
5.5 Click Custom Level to customize the settings. (The default level for each zone is already set.) (refer: Figure 2)

Figure 2 – Choosing the Web content zone

5.6 In the Security Settings box make the following selections (refer: Figure 3 and Figure 4):

Figure 3

5.6.1 Download signed ActiveX controls. This option determines whether users can download signed ActiveX controls from a page in the zone.
Select Prompt. This prompts users to choose whether to download controls signed by publishers who are not trusted, but still silently downloads code validly signed by trusted publishers. (refer: Figure 3)

5.6.2 Download unsigned ActiveX controls. This option determines whether users can download unsigned ActiveX controls from the zone.
Select Disable. This prevents unsigned controls from being downloaded and run. (refer: Figure 3)


5.6.3 Initialize and script ActiveX controls not marked as safe. ActiveX controls are classified as either trusted or un-trusted. This option controls whether a script can interact with un-trusted controls in the zone.
Select Disable. This enforces object safety for un-trusted data or scripts: ActiveX controls that cannot be trusted are not loaded with parameters or scripted. (refer: Figure 3)

Figure 4

5.6.4 Run ActiveX controls and plug-ins. This option determines whether Internet Explorer can run ActiveX controls and plug-ins from pages in the zone.
Select Prompt. This prompts users to choose whether to allow the controls or plug-ins to run. (refer: Figure 4)
5.6.5 Script ActiveX controls marked safe for scripting. This option determines whether an ActiveX control that is marked safe for scripting can interact with a script. This option does not affect controls that are loaded with <param> tags.
Select Enable. This allows script interaction without user intervention. (refer: Figure 4)
5.6.6 Click OK, and then click OK again.
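The five selections above are stored by Internet Explorer as numeric "URL action" values under the Internet zone key of the current user, which makes it possible to verify them on many clients without opening the dialog. The following PowerShell script is an added example, not part of this SOP: it reports each setting against the required state and, when run with -Remediate, corrects it. The action identifiers (1001, 1004, 1200, 1201, 1405) and the meanings 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented zone settings; the -Remediate switch and the output format are this example's own.

```powershell
<#
  Added example, not part of the SOP. Checks, and with -Remediate enforces, the Internet
  zone (zone 3) ActiveX settings of section 5 for the current user. Each Security Settings
  item is a DWORD under the zone key; value names are IE's URL-action identifiers.
#>
param([switch]$Remediate)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Required state per this procedure (action id -> required value).
$required = @{
    '1001' = 1   # Download signed ActiveX controls                       : Prompt
    '1004' = 3   # Download unsigned ActiveX controls                     : Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked safe : Disable
    '1200' = 1   # Run ActiveX controls and plug-ins                      : Prompt
    '1405' = 0   # Script ActiveX controls marked safe for scripting      : Enable
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Returns the current DWORD for one action, or $null when the value is absent.
function Get-ZoneAction([string]$Key, [string]$Action) {
    $item = Get-ItemProperty -Path $Key -Name $Action -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Action
}

$drift = 0
foreach ($action in ($required.Keys | Sort-Object)) {
    $want = $required[$action]
    $have = Get-ZoneAction $zoneKey $action
    $haveText = if ($have -eq $null) { 'not set (zone default)' }
                elseif ($meaning.ContainsKey($have)) { $meaning[$have] }
                else { $have }
    if ($have -eq $want) {
        Write-Output ("{0}: {1} - OK" -f $action, $meaning[$want])
    } else {
        $drift++
        Write-Output ("{0}: {1} - required {2}" -f $action, $haveText, $meaning[$want])
        if ($Remediate) { Set-ItemProperty -Path $zoneKey -Name $action -Value $want -Type DWord }
    }
}
if ($drift -gt 0 -and -not $Remediate) {
    Write-Warning "$drift setting(s) deviate from the procedure; re-run with -Remediate to enforce them"
}
```

Internet Explorer reads the zone values when it starts, so restart the browser after remediation. If the same settings are delivered through Group Policy (the zone key under Software\Policies), the policy values take precedence over the user key checked here and must be corrected in the policy instead.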


6 References
6.1 Security Guidelines for User


Name of the Document: Antivirus Management Procedure - Windows 7
Classification: Restricted
Audience: Client System Users and System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014

ANTIVIRUS MANAGEMENT PROCEDURE – WINDOWS 7

1. Introduction
If anti-virus software is not installed or not kept updated, client systems may be vulnerable to various attacks leading to system compromise and / or data leakage.

This document provides the necessary steps for:
- Verifying the presence of antivirus software.
- Verifying the configuration of antivirus software.
- Updating antivirus pattern files.
- Reviewing the presence of updated antivirus pattern files.

The above procedures are given for the following antivirus solutions:
- Trend Micro antivirus software (procedure 4).
- Symantec antivirus software (procedure 5).

2. Applicability
Microsoft Windows 7.

3. Implication
The client system may become slow during anti-virus scans.

4. Procedure – Trend Micro Antivirus software
4.1. Verifying the presence of Trend Micro Antivirus software
4.1.1. Navigate to Start -> Control Panel -> Action Center. (refer: Figure 1 & 2)

Figure 1


Figure 2

4.1.2. Check the Security section for Virus protection. (refer: Figure 3)

Figure 3

4.1.3. If Virus protection is shown as OFF, report it to the System Administrator.

4.2. Verifying the configuration of Trend Micro Antivirus


4.2.1. There is an icon for Trend Micro Antivirus in the notification area on the right side of the taskbar. (refer: Figure 4)

Figure 4

4.2.2. Double click on the Trend Micro Antivirus icon shown in Figure 4; the window shown in Figure 5 will appear.
4.2.3. If an entry for weekly scans does not exist, as highlighted in Figure 5, report it to the System Administrator.

Figure 5

4.3. Updating of antivirus pattern files


4.3.1. Right click on the Trend Micro Antivirus icon; the options shown in Figure 6 will appear.
4.3.2. Click on the Update Now option. (refer: Figure 6)

Figure 6

4.3.3. Again, click on Update Now in the Trend Micro OfficeScan window. (refer: Figure 7)

Figure 7


4.4. Reviewing presence of updated virus pattern files

4.4.1. Click on the Component Versions option. (refer: Figure 8)

Figure 8

4.4.2. If the virus definition file is more than 7 days old, as marked in Figure 9, report it to the System Administrator.

Figure 9


5. Procedure – Symantec Antivirus software
5.1. Verifying the presence of Symantec Antivirus software
5.1.1. Navigate to Start -> Control Panel -> Action Center. (refer: Figure 1 & 2 of procedure 4)
5.1.2. Check the Security section for Virus protection. (refer: Figure 1)

Figure 1

5.1.3. If Virus protection is shown as OFF, report it to the System Administrator.
5.2. Verifying the configuration of Symantec Antivirus

5.2.1. There is an icon for Symantec AV in the notification area on the right side of the taskbar. (refer: Figure 2)


Figure 2

5.2.2. Double click on the Symantec AV icon shown in Figure 2; the window shown in Figure 3 will appear.
5.2.3. If an entry for weekly scans does not exist, as highlighted in Figure 3, report it to the System Administrator.

Figure 3


5.3. Updating of antivirus pattern files

5.3.1. Right click on the Symantec AV icon; the options shown in Figure 4 will appear.
5.3.2. Click on Update Policy. (refer: Figure 4)

Figure 4

5.4. Reviewing presence of updated virus pattern files

5.4.1. Click on Open Symantec Endpoint Protection. (refer: Figure 5)

Figure 5

5.4.2. If the virus definition file is more than 7 days old, as marked in Figure 6, report it to the System Administrator.


Figure 6
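The Action Center check at the start of procedures 4 and 5 is fed by the Windows Security Center, and the same information is available through WMI, so the presence and state of whichever antivirus product is installed can be checked from a script without knowing the vendor. The following PowerShell script is an added example, not part of this SOP. It queries root\SecurityCenter2 on Windows 7 and decodes productState; that field is not officially documented, and the decoding used here (bit 0x1000 set = real-time protection on, the 0xF0 nibble of the low byte set = signatures out of date) is the interpretation commonly used in practice and is an assumption of this example. The 7-day definition age and the weekly scan entry checked in sections 4.2 / 4.4 and 5.2 / 5.4 remain product-specific and are not covered.

```powershell
<#
  Added example, not part of the SOP. Vendor-neutral antivirus presence / state check via
  the Windows Security Center WMI provider (root\SecurityCenter2 on Windows 7).
  productState decoding is an assumption (commonly used, not documented by Microsoft).
#>
function Get-AntivirusStatus {
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if ($products -eq $null) { return }          # nothing registered (PowerShell 2.0 would iterate over $null)
    foreach ($p in @($products)) {
        $state = [int]$p.productState
        New-Object PSObject -Property @{
            Name       = $p.displayName
            Enabled    = (($state -band 0xF000) -eq 0x1000)   # middle byte 0x10 / 0x11 = protection on
            UpToDate   = (($state -band 0x00F0) -eq 0x0000)   # low byte 0x10 = signatures out of date
            RawState   = ('0x{0:X6}' -f $state)
            ProductExe = $p.pathToSignedProductExe
        } | Select-Object Name, Enabled, UpToDate, RawState, ProductExe
    }
}

$status = @(Get-AntivirusStatus)
if ($status.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Windows Security Center; report to the System Administrator.'
} else {
    $status | Format-Table -AutoSize
    foreach ($s in $status) {
        if (-not $s.Enabled)  { Write-Warning ("{0}: real-time protection is OFF" -f $s.Name) }
        if (-not $s.UpToDate) { Write-Warning ("{0}: virus definitions are reported out of date" -f $s.Name) }
        # A registration whose product binary no longer exists is worth a look: the product was
        # removed, or something is impersonating it so that Action Center stays green.
        if ($s.ProductExe -and -not (Test-Path $s.ProductExe)) {
            Write-Warning ("{0}: registered product executable {1} is missing" -f $s.Name, $s.ProductExe)
        }
    }
}
```

Both Trend Micro OfficeScan and Symantec Endpoint Protection register with the Security Center, so the same script serves either procedure. Any warning it prints is reported to the System Administrator exactly as an OFF entry in the Action Center would be.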

6. References
6.1. Security Policy for User
6.2. Client System Security Guidelines


Name of the Document: Auto Complete Disable Procedure – Internet Explorer 9 & 10
Classification: Restricted
Audience: Client System Users and System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014

AUTO COMPLETE DISABLE PROCEDURE – INTERNET EXPLORER 9 & 10

1. Introduction
The AutoComplete feature stores web addresses, user names and passwords, and entries made in the forms of web pages, and uses this stored information to complete similar entries during subsequent use.

Stored credentials give a malicious user who gains access to the client system, or to the user's profile, the opportunity to log in to websites as the legitimate user without knowing the password.

This document provides steps to disable the AutoComplete feature for user names and passwords.

2. Applicability
Internet Explorer version 9.0 and 10.

3. Implication
After applying these settings, the user will have to type in the user ID, password, name, etc. every time he / she uses Internet Explorer to log on to any Intranet or Internet website.

4. Procedure
4.1. Open Internet Explorer and left click on the Tools (gear) icon shown in Figure 1.
4.2. Click on Internet Options -> Content tab.

Figure 1


4.3. Click on the Settings button in the AutoComplete section.

Figure 2

4.4. In the AutoComplete Settings window, ensure the configuration of the "Use AutoComplete for" section is as per Table 1. (refer: Figure 3)

Figure 3


Option                              Setting
Web addresses                       Checked
Forms                               Checked
User names and passwords on forms   Unchecked

Table 1

4.5. Click on the Delete AutoComplete history button to clear the AutoComplete history, so that credentials already stored are removed as well. (refer: Figure 3)

4.6. Click on the OK button on all windows to confirm the settings.
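The Forms and password switches of Table 1 are stored by Internet Explorer as "yes" / "no" string values under the user's Main key, and a matching Group Policy value, when present, overrides them. The following PowerShell script is an added example, not part of this SOP: it reports the effective state of both settings, corrects the user values with -Remediate, and with -ClearStored performs the equivalent of the Delete AutoComplete history button for form data and passwords through the same rundll32 entry point the dialog uses. The address bar ("Web addresses") entries are left untouched. The switch names and the output format are this example's own.

```powershell
<#
  Added example, not part of the SOP. Verifies and enforces the Table 1 state for the
  current user and optionally clears form data and passwords already stored by IE.
#>
param([switch]$Remediate, [switch]$ClearStored)

$userKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'

# Table 1 as IE stores it: Forms stay on, user names and passwords must not be stored.
$required = @{
    'Use FormSuggest'       = 'yes'   # Forms                             : checked
    'FormSuggest Passwords' = 'no'    # User names and passwords on forms : unchecked
}

# Returns the string value, or $null when the value (or key) is absent.
function Get-StringValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [string]$item.$Name
}

foreach ($name in ($required.Keys | Sort-Object)) {
    $want   = $required[$name]
    $policy = Get-StringValue $policyKey $name
    $user   = Get-StringValue $userKey   $name
    # A policy value, when present, is what IE actually honours.
    $effective = if ($policy -ne $null) { $policy } else { $user }

    if ($effective -eq $want) {
        Write-Output ("{0}: '{1}' - OK" -f $name, $effective)
    } elseif ($policy -ne $null) {
        Write-Warning ("{0}: Group Policy forces '{1}' (required '{2}'); correct the policy, not the user setting" -f $name, $policy, $want)
    } else {
        Write-Output ("{0}: '{1}' - required '{2}'" -f $name, $user, $want)
        if ($Remediate) { Set-ItemProperty -Path $userKey -Name $name -Value $want -Type String }
    }
}

if ($ClearStored) {
    # Same entry point as the "Delete AutoComplete history" button: 16 = form data, 32 = passwords.
    & RunDll32.exe 'InetCpl.cpl,ClearMyTracksByProcess' 16
    & RunDll32.exe 'InetCpl.cpl,ClearMyTracksByProcess' 32
    Write-Output 'Stored form data and passwords cleared.'
}
```

Changing the switches alone does not remove credentials that were saved earlier, which is why step 4.5 deletes the history; -ClearStored does the same from the script. Internet Explorer should be closed while the values are changed so that it does not write its cached settings back on exit.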

5. References
5.1 Security Guidelines for User


Name of the Document: Auto Logon Disable Procedure - Windows 7
Classification: Restricted
Audience: Client System Users and System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014

AUTO LOGON DISABLE PROCEDURE – WINDOWS 7

1. Introduction
Auto Logon in Windows 7 is a feature that logs a pre-configured account in to the system automatically, without user intervention.

With Auto Logon enabled, anyone with physical access to the client system is logged in as that user and gains access to all the resources available to the account. Depending on how the feature was configured, the account password may also be stored in the registry in clear text.

This document provides steps for disabling Auto Logon.

2. Applicability
Windows 7

3. Implication
By applying these settings, the user will have to type in the user ID and password every time while logging on to the client system.

4. Procedure
4.1. Press Windows + R to open the Run window, or click on the Start button on the desktop, type Run in the search box as shown in Figure 1 and press Enter.

Figure 1


4.2. In the Run window type the command control userpasswords2 and click on the OK button.

Figure 2

4.3. A User Accounts window appears, as shown in Figure 3.

Figure 3

4.4. Click on the Users tab and check the option Users must enter a user name and password to use this computer. (refer: Figure 3)
4.5. Click on the OK button to confirm the configuration.

Note: This procedure is applicable in a non-domain environment, to a user who has enabled this option for his / her convenience and wants to disable it as per the Security Policy for User. On a domain-joined client the checkbox is not shown and the setting is controlled by the domain administrator.
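The checkbox in step 4.4 toggles the AutoAdminLogon value under the Winlogon key. An auto logon that was configured by hand in the registry additionally stores the account password in clear text in the DefaultPassword value, readable by any local user, whereas the User Accounts dialog keeps it as an LSA secret that is removed when the box is checked. The following PowerShell script is an added example, not part of this SOP: run from an elevated PowerShell, it audits these values and with -Remediate disables auto logon and removes the clear-text password. The -Remediate switch and the messages are this example's own.

```powershell
<#
  Added example, not part of the SOP. Audits and (with -Remediate) disables automatic logon
  on a stand-alone Windows 7 client. Needs an elevated PowerShell because the key is under HKLM.
#>
param([switch]$Remediate)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon

$autoLogon = ($wl.AutoAdminLogon -eq '1')
Write-Output ("AutoAdminLogon    : {0}" -f $(if ($autoLogon) { 'ENABLED' } else { 'disabled' }))
Write-Output ("DefaultUserName   : {0}" -f $wl.DefaultUserName)
Write-Output ("DefaultDomainName : {0}" -f $wl.DefaultDomainName)

# DefaultPassword only exists when auto logon was set up by editing the registry directly;
# it holds the password in clear text. The dialog in step 4.4 stores it as an LSA secret instead.
if ($wl.PSObject.Properties['DefaultPassword'] -ne $null) {
    Write-Warning 'DefaultPassword is present: the account password is stored in CLEAR TEXT in the registry'
}
# AutoLogonCount keeps auto logon active for a set number of further boots.
if ($wl.PSObject.Properties['AutoLogonCount'] -ne $null) {
    Write-Warning ('AutoLogonCount = {0}: auto logon stays active for that many more boots' -f $wl.AutoLogonCount)
}

if ($Remediate) {
    Set-ItemProperty    -Path $winlogon -Name AutoAdminLogon -Value '0' -Type String
    Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $winlogon -Name AutoLogonCount  -ErrorAction SilentlyContinue
    Write-Output 'Auto logon disabled; clear-text password (if any) removed from the registry.'
} elseif ($autoLogon) {
    Write-Warning 'Auto logon is enabled; re-run with -Remediate, or follow steps 4.1 to 4.5.'
}
```

The script cannot see or remove the LSA secret written by the User Accounts dialog, so after remediation the dialog's checkbox should still be confirmed as described in step 4.4; checking it clears that secret.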

5. References
5.1. Security Policy for User


Name of the Document: Auto-Run Disable Procedure - Windows 7
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

AUTO-RUN DISABLE PROCEDURE – WINDOWS 7

1 Introduction
The Auto-run feature executes programs automatically when removable media such as portable storage devices, CDs, DVDs, etc. are inserted, without manual intervention.

If the Auto-run feature is enabled, a malicious executable on the media can infect the system as soon as the media is inserted, without the user opening anything. Windows 7 already ignores the autorun.inf of USB storage devices by default but still honours it for CDs / DVDs; the setting below turns the feature off for all drive types.

This document provides steps to disable Auto-run on a client system.

2 Applicability
Windows 7

3 Implication
After these settings are applied, CDs, DVDs, floppy disks, portable storage devices, etc. will not run automatically when inserted into the system.

4 Procedure
4.1 Go to Start -> Run, type gpedit.msc and press the Enter key.
4.2 In the Local Group Policy Editor window, under Computer Configuration select Administrative Templates. (refer: Figure 1)
4.3 Click on Windows Components.
4.4 Then click on AutoPlay Policies.
4.5 Double-click Turn off Autoplay.

Figure 1


4.6 The following window will appear. (refer: Figure 2)

Figure 2

4.7 Set the radio button to Enabled.
4.8 Change "Turn off Autoplay on" to All drives.
4.9 Click Apply and OK to save the settings.
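The "Turn off Autoplay: All drives" setting above writes the NoDriveTypeAutoRun bitmask (0xFF) under the Policies\Explorer key; each bit in the mask corresponds to one Windows drive type, so a partial value such as 0xB5 (the "CD-ROM and removable media drives" choice) can be decoded to see which drive types still autoplay. The following PowerShell script is an added example, not part of this SOP: it decodes the machine and user policy values and, with -Remediate from an elevated PowerShell, writes the all-drives value directly, which is what the Group Policy steps above do through the editor. The bit-to-drive-type table is the standard Windows drive type numbering; the switch and output are this example's own.

```powershell
<#
  Added example, not part of the SOP. Decodes NoDriveTypeAutoRun to show which drive types
  still have Autoplay enabled; -Remediate applies the "All drives" value (0xFF) under HKLM.
#>
param([switch]$Remediate)

# Bit set = Autoplay suppressed for that drive type.
$bits = @{
    0x01 = 'unknown type'; 0x02 = 'no root directory'; 0x04 = 'removable (USB, floppy)'
    0x08 = 'fixed disk';   0x10 = 'network drive';     0x20 = 'CD / DVD'
    0x40 = 'RAM disk';     0x80 = 'reserved'
}
$allDrives = 0xFF
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
          'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer')

function Get-AutoRunMask([string]$Key) {
    $item = Get-ItemProperty -Path $Key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

foreach ($key in $keys) {
    $mask = Get-AutoRunMask $key
    if ($mask -eq $null) { Write-Output ("{0}: not set (Windows default applies)" -f $key); continue }
    $stillOn = @()
    foreach ($bit in ($bits.Keys | Sort-Object)) {
        if (($mask -band $bit) -eq 0) { $stillOn += $bits[$bit] }
    }
    if ($stillOn.Count -eq 0) {
        Write-Output ("{0}: 0x{1:X2} - Autoplay off for all drive types" -f $key, $mask)
    } else {
        Write-Output ("{0}: 0x{1:X2} - Autoplay still ON for: {2}" -f $key, $mask, ($stillOn -join ', '))
    }
}

if ($Remediate) {
    $hklm = $keys[0]
    if (-not (Test-Path $hklm)) { New-Item -Path $hklm -Force | Out-Null }
    Set-ItemProperty -Path $hklm -Name NoDriveTypeAutoRun -Value $allDrives -Type DWord
    Write-Output 'NoDriveTypeAutoRun set to 0xFF (all drives) under HKLM; effective at the next logon.'
}
```

The machine-wide (HKLM) policy value is the one that matters for a shared client, since a per-user value only protects that one profile; the script reports both so that a stricter user setting is not mistaken for system-wide protection.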

5 Reference
5.1 Security Policy for User


Name of the Document: Cookie Blocking Procedure – Internet Explorer 9 & 10
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

COOKIE BLOCKING PROCEDURE – INTERNET EXPLORER 9 & 10

1. Introduction
A cookie (also called a browser cookie or HTTP cookie) is a small text file placed by a Web server on the user's client system. Cookies are used to maintain state information as users navigate different pages on a Web site. A cookie consists of information such as user preferences, shopping cart contents, an identifier for a server-based session, or other data used by websites.

A first-party cookie is one that originates from the Web site the user is currently viewing. A third-party cookie is one that originates from a Web site different from the one the user is currently viewing, typically an advertising or analytics service embedded in the page; such a cookie lets that third party follow the user across every site that embeds it, which is why it is also called a tracking cookie.

This document provides steps for blocking third-party cookies.

2. Applicability
Internet Explorer version 9.0 and 10.

3. Implication
After applying this setting, the user may not be able to access or view some parts of websites which use third-party cookies. First-party session cookies are unaffected, so logins to Ministry / Department web applications continue to work.

4. Procedure
4.1. Open Internet Explorer and left click on the Tools (gear) icon shown in Figure 1.
4.2. Click on Internet Options -> Privacy -> Advanced. (refer: Figure 1 & 2)


Figure 1

Figure 2


4.3. Select Override automatic cookie handling.
4.4. Under First-party Cookies select Accept.
4.5. Under Third-party Cookies select Block.

Figure 3

4.6. Click OK to save the settings.

5. References
5.1 Security Guidelines for User.


Name of the Document: Data Backup and Restoration Procedure - Windows 7
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

DATA BACKUP AND RESTORATION PROCEDURE – WINDOWS 7

1. Introduction
Backup is the process of making a copy of the original data so that the copy may be used to restore the original data in case of an incident or data loss.

If backups of critical [2] data are not taken on a regular basis, the data may not be available in case of an incident (such as loss of the system, operating system crash, natural disaster, etc.).

This document provides steps for backing up and restoring the data.

2. Applicability
The procedure given is applicable to Microsoft Windows 7 for backing up the data stored on client systems. Data can be backed up either to a separate drive or to any data storage media (such as CD, DVD, USB storage media, etc.) depending upon the requirement or the guidelines defined by the Ministry / Department.

3. Implication
NIL. Note that a backup contains the same data as the original and should be kept on media, or on a share, with equally restricted access.

4. Procedure
4.1. Identify the data which needs to be backed up.
4.2. Manual Backup
4.2.1. For copying to Portable Media / Client Systems / Hard disks
4.2.1.1. Right click the file or folder to be backed up and select the Copy option [3]. (refer: Figure 1)
4.2.1.2. Go to the destination folder.
4.2.1.3. Right click.
4.2.1.4. Select the Paste option. (refer: Figure 2)

Figure 1

[2] Critical data should be defined by the user based on his / her requirements.
[3] To copy multiple files, hold down the Ctrl key while selecting each file, then select Copy.


Figure 2

4.2.2. For copying to CD, DVD
4.2.2.1. Use authorized CD burning software for copying the data.

4.3. Backup using the System Utility

4.3.1. To set up a backup in Windows 7, open Computer, right-click on the local drive and select Properties. Then click on the Tools tab and click on Back up now.


4.3.2. Now, click on Set up backup.

4.3.3. Windows will search for a suitable drive to store the backup; you can also choose a location on your network. If you back up to a network location you may need the credentials for the share. Select a suitable drive and click Next.


4.3.4 You can let Windows choose what to back up, or choose the files and directories yourself.

Note: If you let Windows choose, it will not back up Program Files, anything formatted with the FAT file system, files in the Recycle Bin, or any temporary files that are 1 GB or more.

4.3.5 Select the files and folders to include in the backup. Note that you can also select the option to create an image of your local drive. Click on Next.


4.3.6 Click on Save settings and run backup to back up the selected files and folders.

4.3.6.1 Here you can also schedule the days and times at which the backup occurs.


4.3.7 Save the backup settings and start the first backup; while it runs you can monitor the progress.

4.3.7.1 Click the View Details button to see exactly what is being backed up during the process.


4.4 Procedure to Restore Files from Backup

4.4.1 Open the location of the previously stored backup and double click the backup file.

4.4.2 Click Restore my files from this backup; from here you can also manage the size of
the backups folder.


4.4.3 Click on Restore my files in the Backup and Restore Center.

4.4.4 Next, select whether to restore the files to their original location or choose a
different location, then click Restore.

4.4.5 The time taken by the restoration will vary depending on the size of the data and the location it is
being restored from.

5. References
5.1. Security Policy for User.

Name of the Document: Hard disk / Folder sharing Procedure - Windows 7
Classification: Restricted
Audience: Client System Users and System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014

HARD DISK / FOLDER SHARING PROCEDURE - WINDOWS 7


1. Introduction
Hard disk / Folder sharing is a method of providing access to stored information, such as
data, documents, etc., to other users over the network. A physical hard disk may contain
more than one logical drive depending upon the configuration.

Sharing hard disks / folders with other users on the network poses a risk of
unauthorized disclosure, deletion or modification of data.

The procedure detailed below consists of the common steps to share a drive or folder.

2. Applicability
Windows 7

3. Implication
Sharing with infected systems is a potential security risk.

4. Procedure
4.1. Select the Folder / Drive to be shared.
4.2. Right click on the Folder / Drive and select Properties. (refer: Figure 1 & 2)

Figure 1 – Folder Sharing


Figure 2 – Drive Sharing

4.3. A Properties window with a Sharing tab appears; click on Advanced Sharing. (refer:
Figure 3 & 4)

Figure 3 – Folder Sharing


Figure 4 – Drive Sharing

4.4. In the Advanced Sharing window, check the Share this folder option. Enter the share name
and a comment to inform the intended recipients about the contents of the folder.

4.5. In the User limit section, check the Allow this number of users option to limit the number of concurrent
users that can access the folder.

4.6. Click on the Permissions button to set the permissions of the intended users as shown in
Figure 5.


Figure 5 (callouts: Option to share the folder and add a comment; Allow this number of users)


4.7. In the Permissions window, highlight the group Everyone and click on Remove to deny permission to
all.

Figure 6 (callouts: 4.7 Remove Everyone; 4.8 Option to add users)

4.8. Click on the Add button to add the user / group to whom the permission is to be
granted. (refer: Figure 6)

Note: To provide access to users of client systems which are not in any domain, a user ID for
each user needs to be created on the client system on which the Folder / Drive is to be shared. This
should be done as per the User ID Creation Procedure.

4.9. In the Select Users or Groups window, add the name of the user / group and click on
Check Names.


Figure 7 (callout: 4.10 OK button after Check Names)

4.10. Once the name is resolved, click on the OK button.

4.11. The resolved name will appear in the Group or user names section. (refer: Figure 8)

Figure 8 (callout: 4.12 Permissions to be provided to the user / group)

4.12. Highlight the user / group in the Group or user names section and check the
appropriate options in the Permissions for Users section depending on the requirement.
4.13. Click on the OK button to confirm the configuration.
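The following PowerShell script is an added example and is not part of this SOP. It audits every user-created share on a Windows 7 client for the conditions that steps 4.4 to 4.12 establish: a comment on the share, a user limit, no Everyone entry in the share permissions, and an explicit list of the users / groups that were granted access. It relies on the WMI classes Win32_Share and Win32_LogicalShareSecuritySetting, which are present on Windows 7 (the newer Get-SmbShare cmdlets are not). The function name Get-ShareAudit is the example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the SOP): audit user-created shares on a Windows 7
# client against steps 4.4 to 4.12 of this procedure. Run elevated.

function Get-ShareAudit {
    # Type 0 = disk share. Names ending in '$' are hidden / administrative
    # shares (C$, ADMIN$) that this procedure does not cover, so skip them.
    $shares = Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 0 -and -not $_.Name.EndsWith('$') }

    foreach ($share in $shares) {
        $trustees = @()
        $everyone = $false

        # Share-level permissions are in the security descriptor of the
        # matching Win32_LogicalShareSecuritySetting instance.
        $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                             -Filter "Name='$($share.Name)'"
        if ($sec) {
            $sd = $sec.GetSecurityDescriptor().Descriptor
            foreach ($ace in $sd.DACL) {
                # AccessMask 0x1F01FF = Full Control, 0x1301BF = Change, 0x1200A9 = Read
                if ($ace.Trustee.Domain) {
                    $who = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                } else {
                    $who = $ace.Trustee.Name
                }
                $trustees += ('{0} (mask 0x{1:X})' -f $who, $ace.AccessMask)
                if ($ace.Trustee.Name -eq 'Everyone') { $everyone = $true }
            }
        }

        # Step 4.5: either "maximum allowed" or an explicit concurrent-user limit
        if ($share.AllowMaximum) { $userLimit = 'maximum allowed' }
        else                     { $userLimit = $share.MaximumAllowed }

        # One-line verdict per share, in the order the steps require
        if ($everyone)                        { $finding = 'Everyone still has access - remove it (step 4.7)' }
        elseif (-not $share.Description)      { $finding = 'No comment set (step 4.4)' }
        elseif ($trustees.Count -eq 0)        { $finding = 'No user / group granted (step 4.8)' }
        else                                  { $finding = 'OK' }

        New-Object PSObject -Property @{
            Share          = $share.Name
            Path           = $share.Path
            Description    = $share.Description        # step 4.4: comment
            UserLimit      = $userLimit                # step 4.5
            EveryoneListed = $everyone                 # step 4.7 requires $false
            Trustees       = ($trustees -join '; ')    # steps 4.8 to 4.12
            Finding        = $finding
        }
    }
}

Get-ShareAudit | Format-Table Share, Path, UserLimit, EveryoneListed, Finding -AutoSize
```

Run the audit after completing step 4.13; any share whose Finding is not "OK" should be revisited from step 4.4 onwards. The share permissions checked here are separate from the NTFS permissions on the folder itself, so a restrictive NTFS ACL does not make an Everyone share entry acceptable.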

5. References
5.1. Security Policy for User

Name of the Document: Limited User Account Creation Procedure - Windows 7
Classification: Restricted
Audience: System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014

LIMITED USER ACCOUNT CREATION PROCEDURE - WINDOWS 7

1. Introduction
The Microsoft Windows 7 operating system permits the creation of a user account for
each person who needs to use the system. The System Administrator can create either
an Administrator account or an account with limited privileges depending on the
requirement.

An Administrator account should be used for administrative activities only. A limited
account should be used for carrying out day-to-day activities.

This document provides the steps for creating a limited user account.

2. Applicability
Windows 7

3. Implications
A limited user cannot change client system settings or install software. With limited
privileges some programs may not run.

4. Procedure
4.1. On the desktop right click on the My Computer icon and select Manage.

Figure 1


4.2. A Computer Management window appears as shown below.

Figure 2

4.3. Click on the + sign to expand System Tools and then expand Local Users
and Groups. (refer: Figure 2)
4.4. Under Local Users and Groups select the Users folder.

Figure 3 (callouts: 4.4 Users folder; 4.5 New User)

4.5. Right click on the empty area in the right pane and select New User.
(refer: Figure 3)
4.6. A New User window appears as shown below.


Figure 4 (callouts: 4.7 User name, Full Name, Description; 4.8 Password details; 4.9 Appropriate options; 4.10 Create button)

4.7. Enter the required details such as User name, Full Name and Description in the top
section of the window. (refer: Figure 4)
4.8. Enter the password in the Password and Confirm password fields.
4.9. Select the appropriate options as per Table 1.

Option                                      Setting
User must change password at next logon     Checked
User cannot change password                 Unchecked
Password never expires                      Unchecked
Account is disabled                         Unchecked
Table 1

4.10. Click on the Create button to create the user account. (refer: Figure 4)
4.11. The new user is created as shown in the figure below.

Figure 5
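As an added example (not part of this SOP), the PowerShell script below creates a limited user account on a stand-alone Windows 7 client with exactly the Table 1 settings, and then reads the account back so the System Administrator can confirm them. It uses the ADSI WinNT provider, which is what the Local Users and Groups console itself talks to; the three "Unchecked" rows of Table 1 correspond to bits of the UserFlags attribute and the "Checked" row to the PasswordExpired attribute. The function names, the user name "testuser" and the full name are the example's own placeholders. Run it elevated.

```powershell
# Added example (not from the SOP): create a limited user with the Table 1
# settings on a stand-alone Windows 7 client via the ADSI WinNT provider.
# Run elevated. "testuser" is a placeholder account name.

$ADS_UF_ACCOUNTDISABLE     = 0x00002   # Table 1: "Account is disabled"
$ADS_UF_PASSWD_CANT_CHANGE = 0x00040   # Table 1: "User cannot change password"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # Table 1: "Password never expires"

function New-LimitedUser {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,        # step 4.7
        [string]$FullName = '',
        [string]$Description = '',
        [Parameter(Mandatory=$true)][string]$InitialPassword  # step 4.8
    )
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('User', $UserName)
    $user.SetPassword($InitialPassword)
    $user.SetInfo()                       # the account must exist before flags are set

    $user.FullName    = $FullName
    $user.Description = $Description

    # Table 1, rows 2 to 4: these flag bits must all be clear ...
    $clear = $ADS_UF_ACCOUNTDISABLE -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD
    $user.UserFlags = ([int]$user.UserFlags.Value) -band (-bnot $clear)
    # ... and row 1, "User must change password at next logon", is PasswordExpired = 1
    $user.PasswordExpired = 1
    $user.SetInfo()

    # A limited account belongs to Users only; it is never added to Administrators.
    $usersGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
    try   { $usersGroup.Add($user.Path) }
    catch { if ($_.Exception.Message -notmatch 'already a member') { throw } }
}

function Test-LimitedUser {
    # Read the account back and map it onto the Table 1 rows plus group membership.
    param([Parameter(Mandatory=$true)][string]$UserName)
    $user   = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $flags  = [int]$user.UserFlags.Value
    $groups = @($user.Groups() | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    New-Object PSObject -Property @{
        UserName               = $UserName
        MustChangeAtNextLogon  = ([int]$user.PasswordExpired.Value -eq 1)              # expected $true
        CannotChangePassword   = (($flags -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)     # expected $false
        PasswordNeverExpires   = (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)     # expected $false
        AccountDisabled        = (($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0)         # expected $false
        MemberOfAdministrators = ($groups -contains 'Administrators')                 # expected $false
        Groups                 = ($groups -join ', ')
    }
}

# The initial password is read at the prompt rather than stored in the script.
New-LimitedUser -UserName 'testuser' -FullName 'Test User' `
                -Description 'Limited account for day-to-day work' `
                -InitialPassword (Read-Host 'Initial password for testuser')
Test-LimitedUser -UserName 'testuser' | Format-List
```

The Test-LimitedUser output is the check to keep with the change record: the first property should read True, the next four False, and Groups should list only Users. On a domain-joined client the same account would instead be created in the domain by the domain administrators, so this script is for the stand-alone case the Hard disk / Folder Sharing Procedure's note describes.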

5. References
5.1. Security Policy for User
5.2. Hard disk / Folder Sharing Procedure

Name of the Document: Password Enabling Procedure - Windows 7
Classification: Restricted
Audience: Client System Users and System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014

PASSWORD ENABLING PROCEDURE - WINDOWS 7

1. Introduction
A password is a secret word or string of characters that is used for the authentication of a
user. It is imperative to enable passwords on the client systems at various levels to
achieve an appropriate level of security. Passwords at different levels of the client
system act as a deterrent to users with malicious intent.

If passwords are not set, unauthorized users may gain access to the client system.

This document provides the steps to enable passwords at 3 levels on the client system.
These levels are as follows:
1.1. BIOS – During the boot-up process.
1.2. Operating System – To log on to the operating system.
1.3. Screensaver – To resume the client system from an idle state.

2. Applicability
Windows 7 Professional

3. Implication
After applying these settings, users will have to supply passwords at 3 different levels on
a client system.

4. Procedure to Enable Password in the BIOS

4.1. Configuring the Supervisor / Setup Password (by the Administrator)
4.2. Switch on the client system and press the F2 key, before the Windows 7 screen appears, to
enter the BIOS setup. (This key may vary depending on the make of the BIOS.)
4.2.1. A BIOS screen as shown below appears.

Figure 1


4.2.2. Using the right arrow key, go to the Security tab. (refer: Figure 2)
4.2.3. On the Security tab, use the down arrow key to go to Set Setup
Password [4] and press the Enter key.

Figure 2
4.2.4. A window to set the Setup password appears.
4.2.5. Enter the desired password.
4.2.6. Using the down arrow key, go to User Setup Access and change the access
level of the user from the default Full Access to Limited Access.

Figure 3
4.2.7. Press the F10 key to save and exit from the BIOS.

[4] In some versions of the BIOS, this may be referred to as “Set Supervisor Password”.

Note: By configuring Limited Access in the User Setup Access option, the user will
be able to set only the user password and change the date and time in the BIOS.

4.3. Configuring the BIOS password by the User

4.3.1. Switch on the client system and press the F2 key, before the Windows XP
screen, to enter the BIOS. (This key may vary depending on the make of the
BIOS.)
4.3.2. A BIOS screen as shown below appears.

Figure 4

4.3.3. Using the right arrow key, go to the Security tab.

4.3.4. On the Security tab, use the down arrow key to go to Set User Password
and press the Enter key. (refer: Figure 5)

Figure 5


4.3.5. A window to set the user password appears.

4.3.6. Enter the desired password and press F10 to save and exit.
4.3.7. This configuration will result in a password prompt each time the client system
boots up.

Note: The steps in this procedure may differ depending on the BIOS version. Please refer to the
BIOS manual for more information.

5. Procedure to Enable Password on the Operating System

5.1. Navigate to Start > Control Panel.
5.2. In the Control Panel window click on the User Accounts icon.

Figure 6

5.3. A User Accounts window appears. (refer: Figure 7)


Figure 7 [5] (callouts: 5.4 Create password link; 5.4 User for which the password has to be set)

5.4. Highlight the user for which the password has to be set and click on Create a
password for an account. (refer: Figure 7)
5.5. A window to create the password appears.

Figure 8 (callout: 5.6 Password)

5.6. Enter the desired password in the Type the new password and Type the new
password again to confirm fields. (refer: Password Management
Guidelines)
5.7. Click on Create password.

6. Procedure to Enable the Screensaver Password

Please refer to the System Idle Timeout Configuration Procedure [page 49].

7. References
7.1. Security Policy for User.

[5] The illustration in Figure 7 is for a user account ‘Test User’.

Name of the Document: Patch Installation Procedure - Windows 7
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

PATCH INSTALLATION PROCEDURE - WINDOWS 7

1. Introduction
A patch is software designed to fix identified problems in an Operating System. It can
be downloaded from the vendor’s website as an immediate solution. Patches are released to
fix security vulnerabilities and other bugs, and to improve the usability or performance of an
Operating System.

If patches are not applied on a regular basis, systems may remain vulnerable to various
attacks.

This document provides the steps for allowing the latest patch / service pack / hotfix to be
installed on the systems.

2. Applicability
Microsoft Windows 7.

3. Implication
After applying patches, some applications or programs may stop working.

4. Procedure
4.1. Standalone Systems
4.1.1. Verify the updates as per the Patch Verification Procedure.
4.1.2. Request the System Administrator to install the updates if they
are found to be outdated or missing.
4.1.3. The System Administrator will install the updates through authorized media.
4.1.4. The updates will be installed on the system. In a few cases it will prompt for a restart,
depending upon the patch / service pack / hotfix.
4.1.5. If any applications or programs stop working, contact the System
Administrator for a rollback.

4.2. Systems connected to the Network

4.2.1. The system will receive a notification whenever new updates are available [6] (refer: Figure 1).

[6] It is assumed that client systems are configured with “automatic updates” and updates are ready to be installed.


Figure 1

4.2.2. Double click the highlighted alert and press Enter.

Figure 2

4.2.3. Select the Express Install setting.

4.2.4. The updates will be installed on the system; a restart may be required
depending upon the patch / service pack / hotfix.
4.2.5. If any applications or programs stop working, contact the System
Administrator for a rollback.

5. References
5.1. Security Policy for User
5.2. Client System Security Guidelines

Name of the Document: Patch Verification Procedure - Windows 7
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

PATCH VERIFICATION PROCEDURE - WINDOWS 7

1. Introduction
A patch is software designed to fix identified problems in an Operating System. It can
be downloaded from the vendor’s website as an immediate solution. Patches are released to
fix security vulnerabilities and other bugs, and to improve the usability or performance of an
Operating System.

If patches are not applied on a regular basis, systems may remain vulnerable to various
attacks.

This document provides the steps for checking the presence of the latest patch / service pack /
hotfix.

2. Applicability
Microsoft Windows 7.

3. Implication
Nil

4. Procedure

4.1. Right click on My Computer and select Properties.

Figure 1
4.2. Navigate to Windows Update.


Figure 2

4.3. Select View update history. Do this on a fortnightly basis.

Figure 3

4.4. Identify the patches installed successfully.


Figure 4

4.5. Notify the System Administrator if any patch / service pack / hotfix is not
updated.
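The PowerShell script below is an added example, not part of this SOP. It reads the same update history that the View update history page shows (steps 4.3 and 4.4) through the Windows Update Agent COM API that ships with Windows 7, cross-checks it against the hotfix list the operating system keeps, and reports whether the System Administrator has to be notified under step 4.5: any failed or aborted installation in the review period, no successful installation in the last fortnight, or Automatic Updates switched off (the assumption made in the Patch Installation Procedure). The function name and the 14-day window are the example's own; the result-code values are those of the Windows Update Agent's OperationResultCode enumeration.

```powershell
# Added example (not from the SOP): fortnightly patch verification on a
# Windows 7 client using the Windows Update Agent COM API. No extra modules.

function Get-PatchVerificationReport {
    param([int]$Days = 14)   # the SOP asks for a fortnightly check

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $history  = @()
    if ($total -gt 0) { $history = @($searcher.QueryHistory(0, $total)) }   # QueryHistory fails on an empty history

    # OperationResultCode: 0 NotStarted, 1 InProgress, 2 Succeeded,
    # 3 SucceededWithErrors, 4 Failed, 5 Aborted
    $cutoff    = (Get-Date).AddDays(-$Days)
    $succeeded = @($history | Where-Object { $_.ResultCode -eq 2 })
    $failed    = @($history | Where-Object { $_.ResultCode -ge 4 -and $_.Date -ge $cutoff })
    $lastOk    = $succeeded | Sort-Object Date -Descending | Select-Object -First 1
    if ($lastOk) { $lastOkDate = $lastOk.Date } else { $lastOkDate = $null }

    # Automatic Updates setting: NotificationLevel 1 = disabled, 2 = notify before
    # download, 3 = notify before install, 4 = scheduled install.
    $auLevel = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings.NotificationLevel

    # Step 4.5 decision: anything here that is true is a reason to notify.
    $notify = ($failed.Count -gt 0) -or
              ($lastOkDate -eq $null) -or
              ($lastOkDate -lt $cutoff) -or
              ($auLevel -lt 2)

    New-Object PSObject -Property @{
        HistoryEntries        = $total
        SucceededTotal        = $succeeded.Count
        LastSuccessfulInstall = $lastOkDate
        RecentFailures        = (($failed | ForEach-Object { '{0:yyyy-MM-dd} {1}' -f $_.Date, $_.Title }) -join '; ')
        AutoUpdateLevel       = $auLevel
        NotifyAdministrator   = $notify
    }
}

Get-PatchVerificationReport | Format-List

# Cross-check: the hotfixes the OS itself records (KB numbers as in "Installed Updates").
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

A report with NotifyAdministrator set to True is the trigger for step 4.5; attach the RecentFailures list to the request so the System Administrator knows which patch / service pack / hotfix to re-install or roll back. The history reflects what the client itself recorded, so on a client that has never contacted Windows Update the report correctly shows no successful installation at all.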

5. References
5.1. Security Policy for User
5.2. Client System Security Guidelines

Name of the Document: Remote Login Disable Procedure - Windows 7
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

REMOTE LOGIN DISABLE PROCEDURE - WINDOWS 7

1. Introduction
Remote Desktop [7] and Remote Assistance allow access to the client system from another system
over the network.

This feature can be exploited by an attacker to gain unauthorized access to a client system.

This document provides the steps to disable remote access and remote assistance to the client
systems.

2. Applicability
Windows 7.

3. Implication
After applying these settings, users of client systems cannot gain remote access to other
client systems or accept remote access invitations.

4. Procedure
4.1 To disable this feature using My Computer, follow these steps:
4.1.1 Right click on My Computer.
4.1.2 Select Properties.
4.1.3 Click on the Remote tab.
4.1.4 Uncheck the boxes next to Allow Remote Assistance invitations
to be sent from this computer and Allow users to connect
remotely to this computer. (refer: Figure 2)

Figure 1


Figure 2 (callouts: 4.1.4 Remote Assistance; 4.1.4 Remote connection)
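As an added example (not part of this SOP), the following PowerShell script applies and then verifies the two settings that step 4.1.4 unchecks on the Remote tab. The Remote tab stores them as the registry values fDenyTSConnections (under the Terminal Server key) and fAllowToGetHelp (under the Remote Assistance key), so reading those values back is a reliable way for a System Administrator to confirm the setting across many clients without opening the dialog. The function names are the example's own; the firewall rule group name "remote desktop" is the one Windows 7 uses for its built-in Remote Desktop exception. Run it elevated.

```powershell
# Added example (not from the SOP): apply and verify step 4.1.4 through the
# registry values the Remote tab writes. Run elevated.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

function Disable-RemoteLogin {
    # "Allow users to connect remotely to this computer" unchecked  =>  fDenyTSConnections = 1
    Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -Type DWord
    # "Allow Remote Assistance invitations to be sent from this computer" unchecked  =>  fAllowToGetHelp = 0
    Set-ItemProperty -Path $raKey -Name 'fAllowToGetHelp' -Value 0 -Type DWord
    # The Remote tab also closes the Windows Firewall exception for Remote Desktop; do the same.
    netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
}

function Test-RemoteLoginDisabled {
    $deny = (Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections').fDenyTSConnections
    $help = (Get-ItemProperty -Path $raKey -Name 'fAllowToGetHelp').fAllowToGetHelp
    # Independent check from the network side: is anything still listening on the
    # Remote Desktop port (TCP 3389)? Reported separately so it can be investigated.
    $listening = [bool](netstat -ano | Select-String ':3389\s+\S+\s+LISTENING')
    New-Object PSObject -Property @{
        RemoteDesktopDisabled    = ($deny -eq 1)
        RemoteAssistanceDisabled = ($help -eq 0)
        Port3389Listening        = $listening
        Compliant                = ($deny -eq 1) -and ($help -eq 0)
    }
}

Disable-RemoteLogin
Test-RemoteLoginDisabled | Format-List
```

Compliant should read True and Port3389Listening False after the script runs; if the port is still listening once the registry values are set, some other software on the client is providing remote access and the System Administrator should be informed, since the setting in step 4.1.4 only governs the built-in Remote Desktop.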
5. References
5.1. Security Policy for System Administrator

Name of the Document: System Idle Timeout Configuration Procedure - Windows
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

SYSTEM IDLE TIMEOUT CONFIGURATION PROCEDURE - WINDOWS 7

1. Introduction
System Idle Timeout is a configuration setting which forces the user to log in again after a
stipulated period of inactivity.

If a client system is not configured with a system idle timeout, the client system may be
misused, leading to data theft or destruction.

This document provides the steps for enabling the system idle timeout configuration.

2. Applicability
Microsoft Windows 7.

3. Implication
After applying this setting, users will be required to supply a password after a stipulated
period of inactivity.

4. Procedure
4.1. Right click on the power icon on the right side of the taskbar and select More
power options.


4.2. Click Change plan settings.

4.3. Select Put the computer to sleep and set the time after which the computer
will go to sleep mode (5 minutes is recommended), then press Save changes.


Figure (callout: Setting the period of inactivity)

4.4. Now select On resume, password protect. For that, click on Require a
password on wakeup.

Figure (callout: 4.4 Password protect)


4.5. Click on Require a password on wakeup and then Save changes.
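The PowerShell script below is an added example and not part of this SOP. It applies the sleep timeout of step 4.3 (5 minutes, the recommended value) and the Require a password on wakeup option of steps 4.4 and 4.5 with powercfg, the command-line front end to the same power plan the dialog edits, and then reads both settings back for verification. powercfg ships with Windows 7; SCHEME_CURRENT, SUB_NONE, SUB_SLEEP, STANDBYIDLE and CONSOLELOCK are the aliases that "powercfg -aliases" lists for the active scheme, the two setting groups and the two settings (if a build does not list CONSOLELOCK, substitute the GUID that "powercfg -aliases" prints for it). The function names and the parsing of the English "Current AC Power Setting Index" output line are the example's own assumptions. Run it elevated.

```powershell
# Added example (not from the SOP): apply and verify steps 4.3 to 4.5 with
# powercfg on Windows 7. Run elevated.

function Set-IdleTimeout {
    param([int]$Minutes = 5)   # the SOP's recommended period of inactivity
    # step 4.3: put the computer to sleep after N minutes, on mains and on battery
    powercfg -change -standby-timeout-ac $Minutes
    powercfg -change -standby-timeout-dc $Minutes
    # steps 4.4 / 4.5: require a password on wakeup (CONSOLELOCK) for the active scheme
    powercfg -setacvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
    powercfg -setdcvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
    powercfg -setactive SCHEME_CURRENT   # re-activate so the change takes effect immediately
}

function Get-PowerSettingIndex {
    # "powercfg -query" prints lines such as
    #   Current AC Power Setting Index: 0x00000001
    # Return the AC and DC values as integers (-1 when a line is not found).
    param([string]$SubGroup, [string]$Setting)
    $text = powercfg -query SCHEME_CURRENT $SubGroup $Setting | Out-String
    $ac = -1; $dc = -1
    if ($text -match 'Current AC Power Setting Index:\s*0x([0-9a-fA-F]+)') { $ac = [Convert]::ToInt32($matches[1], 16) }
    if ($text -match 'Current DC Power Setting Index:\s*0x([0-9a-fA-F]+)') { $dc = [Convert]::ToInt32($matches[1], 16) }
    New-Object PSObject -Property @{ AC = $ac; DC = $dc }
}

function Test-IdleTimeout {
    param([int]$MaxMinutes = 5)
    $lock  = Get-PowerSettingIndex -SubGroup SUB_NONE  -Setting CONSOLELOCK   # 1 = password required
    $sleep = Get-PowerSettingIndex -SubGroup SUB_SLEEP -Setting STANDBYIDLE   # seconds, 0 = never
    New-Object PSObject -Property @{
        PasswordOnWakeupAC  = ($lock.AC -eq 1)
        PasswordOnWakeupDC  = ($lock.DC -eq 1)
        SleepAfterMinutesAC = [int]($sleep.AC / 60)
        SleepAfterMinutesDC = [int]($sleep.DC / 60)
        Compliant = ($lock.AC -eq 1) -and ($lock.DC -eq 1) -and
                    ($sleep.AC -gt 0) -and ($sleep.AC -le $MaxMinutes * 60) -and
                    ($sleep.DC -gt 0) -and ($sleep.DC -le $MaxMinutes * 60)
    }
}

Set-IdleTimeout -Minutes 5
Test-IdleTimeout | Format-List
```

Compliant is False whenever the sleep timeout is "Never" (index 0) or longer than the recommended 5 minutes, or the wakeup password is not required on either power source; the values are reported per power source because the dialog in step 4.3 sets AC and battery separately on a laptop.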

5. References
5.1. Security Policy for User
5.2. Security Guidelines for User

Name of the Document: Active Content Configuration Procedure - Linux
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

ACTIVE CONTENT CONFIGURATION PROCEDURE - LINUX

1 Introduction
Some web pages contain active content (such as JavaScript applications, etc.) that may
pose a security risk. If the browser settings are not configured appropriately,
malicious content may get downloaded / executed on the client system without the user’s
knowledge.

This document provides the steps to restrict active content in the Firefox web browser.

2 Applicability
Mozilla Firefox 3.6 web browser [1]

3 Implication
After applying these settings some applications / websites may not load if active content
is blocked.

4 Definitions
4.1 Active Content: A web page that provides interaction or dynamic changes
and contains "action items" (such as animated GIFs, Java, JavaScript,
streaming audio and video).

5 Procedure
5.1 In Mozilla Firefox, select the Tools menu.
5.2 Click on Options.

Figure 1

[1] Snapshots attached are for the Firefox 3.6 web browser; steps may vary marginally for other web browsers.


5.3 The Options window appears.

5.3.1 In the General category, select the option ‘Always ask me where
to save files’. This is required when a web page attempts to
save a file to the computer.

Figure 2

5.3.2 Click on the Privacy category.

5.3.2.1 In the ‘Use custom settings for history’ drop
down section, uncheck the options ‘Remember my
browsing history’, ‘Remember search and form
history’, ‘Remember download history’ and ‘Clear
history when Firefox closes’. If the browser
remembers this information, it can be a privacy violation,
especially if the browser is used in a shared environment.


Figure 3
5.3.3 When the user is prompted, the contents of the cookie can be viewed and the
user can decide whether to accept cookies from other sites. This gives
the user more information about which sites are using cookies and also gives
more granular control over cookies, as opposed to globally enabling them.
5.3.3.1 Select ‘Accept cookies from sites’ and ‘Accept
third-party cookies’ to have the browser remember the
decision, so that the pop up will not prompt whenever the site is revisited.


Figure 4

5.3.4 Click on the Security category. The Passwords section contains various
options to manage stored passwords, and a Master Password feature to
encrypt the stored data on your system. This option allows Firefox to manage
passwords.
5.3.5 The warning message is prompted when a website tries to install add-ons.
This option displays a warning bar at the top of the browser when a website
attempts to take such an action.


Figure 5

Figure 6

5.3.6 The Content category contains an option to Enable Java to view a website’s
content. Uncheck this to disable the feature unless it is a trusted website. After
you have finished visiting the site, disable Java until it is required again.

Press the Advanced button to disable specific JavaScript features.

Click to disable all of the options displayed in this dialog.


Figure 7

Figure 8

Select Settings from the Tools menu to use this privacy feature. A pop up
will appear; checking the related content ‘browsing history’,
‘download history’, ‘active logins’ and ‘cache’ will remove
potentially sensitive information from the web browser.


Figure 9

Figure 10

6 References
6.1 Security Guidelines for User.

Name of the Document: AutoComplete Disable Procedure - Linux
Classification: Restricted
Audience: Client System Users and System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014

AUTO COMPLETE DISABLE PROCEDURE - LINUX

1. Introduction
The AutoComplete feature stores web addresses, usernames and passwords, and entries made in
web page forms. It uses this stored information to complete similar entries during subsequent
use.

Such features provide a window of opportunity for a malicious user to log in to a website using
the stored credentials of a legitimate user.

This document provides the steps to disable the AutoComplete feature for usernames and passwords.

2. Applicability
Firefox 3.6 web browser [1]

3. Implication
After applying these settings, the user will have to type in the user ID, password, name, etc. every time
he / she uses the Firefox web browser to log on to any Intranet or Internet website.

4. Procedure
4.1. Open the Firefox browser and navigate to Tools → Options → Privacy tab.

Figure 1

[1] Snapshots attached are for the Firefox 3.6 web browser; steps may vary for other web browsers.


4.2. Click on the OK button to confirm the settings.

5. References
5.1. Security Guidelines for User.

Name of the Document: Auto Logon Disable Procedure - Linux
Classification: Restricted
Audience: System Administrators
Version: 3.0
Date of last change: 1st Jan, 2014

AUTO LOGON DISABLE PROCEDURE - LINUX

1. Introduction
Auto Logon in Linux is a feature that enables automatic log-in to the system without user
intervention.

Anyone having physical access to the client system can then gain access to all the resources of the
system.

This document provides the steps for disabling Auto Logon.

2. Applicability
Linux [1]

3. Implication
By applying these settings, the user will have to type in the user ID and password every time
when logging on to the client system.

4. Procedure
4.1. By default Auto Logon is disabled. To check, click on System → Administration → Login
Screen. A popup will appear.

Figure 1

[1] Snapshots attached are for Red Hat Enterprise Linux versions 3, 4 & 5; steps may vary for other versions.


4.2. Go to the Security tab. Verify whether the checkbox Enable Automatic Login is active / enabled.
If it is enabled, uncheck it. This will disable auto logon.

Figure 2

Note: This procedure applies to a user who has enabled this option for his convenience and wants to
disable it as per the Security Policy for User.

5. References
5.1. Security Policy for User

Name of the Document: Auto Run Disable Procedure - Linux
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

AUTO RUN DISABLE PROCEDURE - LINUX

1 Introduction
The Autorun feature enables the execution of programs upon inserting removable media such as
portable storage media, CDs, DVDs, etc., without manual intervention.

If the Autorun feature is enabled, a malicious executable file on the media could infect the system.

This document provides the steps to disable Autorun on a client system.

2 Applicability
Linux [1]

3 Implication
After these settings are applied, CDs, DVDs, floppy disks, portable storage devices, etc. will not run
automatically when inserted into the system.

4 Procedure
4.1 The GConf system is one of the primary means of configuring users' desktops.
4.2 The GConf editor is available through Applications (main menu on the panel) →
System Tools → Configuration Editor; select it and press the Enter key.
4.3 In the Configuration Editor’s browser panel, go to Desktop → gnome →
volume_manager_autorun.
4.4 Clear the Autorun check box to stop autorun programs from running from newly mounted
removable media.

Figure 1
5 Reference
5.1 Security Policy for User

[1] Snapshots attached are for Red Hat Enterprise Linux versions 3, 4 & 5; steps may vary for other versions.

Name of the Document: Cookie Blocking Procedure - Linux
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

COOKIE BLOCKING PROCEDURE - LINUX

1. Introduction
A cookie (also called a tracking cookie, browser cookie or HTTP cookie) is a small text file placed by a
web server on the user's client system. Cookies are used to maintain state information as users navigate
the different pages of a website. A cookie consists of information such as user preferences, shopping cart
contents, an identifier for a server-based session, or other data used by websites.

A first-party cookie is one which originates from the website the user is currently viewing. A third-party
cookie is one which originates from a website different from the one the user is currently viewing. As
compared to first-party cookies, third-party cookies are vulnerable to various attacks (such as cookie theft,
cookie poisoning, cookie hijacking, etc., leading to disclosure of sensitive data). Hence, it is important to
block third-party cookies.

This document provides the steps for blocking third-party cookies.

2. Applicability
Firefox 3.6 web browser [1]

3. Implication
After applying this setting, the user may not be able to access or view some parts of websites which
use third-party cookies.

4. Procedure
4.1. Open Firefox and navigate to Tools → Options → Privacy tab.

Figure 1


[1] Snapshots attached are for the Firefox 3.6 web browser; steps may vary for other web browsers.

4.2. Uncheck “Accept third-party cookies”. This disables third-party cookies in the
Firefox web browser.
4.3. Press Close to save the settings.

5. References
5.1. Security Guidelines for User

Name of the Document: Data Backup and Restoration Procedure - Linux
Classification: Restricted
Audience: Client System Users
Version: 3.0
Date of last change: 1st Jan, 2014

DATA BACKUP AND RESTORATION PROCEDURE - LINUX

1. Introduction
Backup is the process of making copy of the original data so that the copy may be used to restore the
original data in case of an incident or data loss.

If backups of critical [8] data are not taken on a regular basis, the data may not be available after an
incident (such as loss of the system, an operating system crash, a natural disaster, etc.).

This document provides steps for backing up the data.

2. Applicability
The procedure given is applicable to Linux Enterprise versions 3, 4 and 5 for backing up the data stored on
client systems. Data can be backed up either to a separate drive or to any data storage media (such as
CD, DVD, USB storage media, etc.), depending on the requirement or the guidelines defined by the
Ministry / Department.

3. Implication
If backups of critical data are not taken on a regular basis, the data may not be available after an incident
(such as loss of the system, an operating system crash, a natural disaster, etc.).
A backup can also cause high CPU usage, heavy disk activity and, if it is taken over the network, heavy
network traffic. If the backup window is not reported in advance, monitoring systems may incorrectly
flag this activity as suspicious. Reporting it in advance also lets the system owner schedule the backup
outside office hours when the resource usage is very high.

4. Procedure
Red Hat Linux cannot boot from a backup tape. However, the Red Hat Linux CD-ROM can be used as a
rescue disk. Red Hat Linux comes with several programs for backing up and restoring data; the utilities
tar, cpio and dump can be used for data backup.
4.1. The tar utility is the archiving method of choice for sharing ad-hoc bits of source code and
files between systems. The tar implementation included with Red Hat Linux is GNU tar, one
of the more feature-rich tar implementations.

4.1.1. Using tar, back up the contents of a directory by issuing a command of the form:

tar <switch> <backup destination> <backup source>

Example:
# tar cvf /mnt/backup/home-backup.tar /home/

To see the contents of the backup file:

# tar tf /mnt/backup/home-backup.tar

This lists the contents of the backup file without extracting it.

[8] Critical data should be defined by the user based on the user's requirements.

Data Backup and Restoration Procedure - Linux Page 78



4.1.2. This command creates an archive file called home-backup.tar in /mnt/backup/. The archive
contains the contents of the /home/ directory.

4.1.3. The resulting archive file will be nearly as large as the data being backed up.
Depending on the type of data being backed up, compressing the archive file can
result in significant size reductions. The archive file can be compressed by adding a
single option to the previous command:

tar czf /mnt/backup/home-backup.tar.gz /home/

4.1.4. The resulting home-backup.tar.gz archive file is now gzip compressed [2].

4.2. The cpio utility is a general-purpose program for moving data from one place to another and,
as such, can serve well as a backup program.
4.2.1. cpio reads the names of the files it needs to process from standard input. A common
method of generating a list of files for cpio is to use a program such as find, whose
output is then piped to cpio:

find /home/ | cpio -o > /mnt/backup/home-backup.cpio

4.2.2. The following command creates a cpio archive file called home-backup.cpio in the
/mnt/backup directory, containing the files under /home/ that find selects (here, those
not accessed for more than 365 days):

find /home/ -atime +365 | cpio -o > /mnt/backup/home-backup.cpio

4.3. Backup through the dump utility

# dump <level of backup> <backup destination> <backup source>

Example:

# dump -0uf /mnt/backup/hda1.dump /dev/hda1

To see the contents of the backup file:

# restore -tf <absolute path of backup file>

This does not restore the files; it only shows the contents of the backup file.

Data Restoration Procedure

4.4. To use the backed-up data, the files must be restored. To restore files with either tar or cpio,
use the following commands:
4.4.1. Restoration from a tar backup

# tar <switch> <absolute path of backup file>

Example:
# tar -xvf /mnt/backup/home-backup.tar

In the above example the backup file is located at /mnt/backup/home-backup.tar, from where it
will be restored.

Note: tar restores the backup into the directory from which the command is executed. So first
change to the location where the data needs to be restored using the cd command, and then
execute the tar command for restoration.

4.4.2. Restoration from a compressed tar backup

# tar -xzvf /mnt/backup/home-backup.tar.gz

4.4.3. Restoration from a cpio archive

# cpio -icv < /mnt/backup/home-backup.cpio

4.4.4. Restoration from a dump backup

# restore -rf <absolute path of backed up file>

Note:
- dump writes the backed-up contents to the output file
- restore recovers the files from the backup file

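The tar backup and restore steps above, as an added example that is not part of this SOP: a script that backs up a directory with GNU tar, lists and checksums the archive, and restores it into a directory named on the command line. It uses a constructed sample tree under a temporary directory in place of /home and /mnt/backup, and sha256sum from GNU coreutils for the checksum; both are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the SOP): back up a directory with GNU tar,
# verify the archive, and restore it into an explicit target directory.
# Paths are parameters; the demo uses a constructed sample tree under a
# temporary directory in place of the SOP's /home and /mnt/backup.

set -u

# make_sample_tree DIR: constructed sample data standing in for /home
make_sample_tree() {
    mkdir -p "$1/alice/docs" "$1/bob"
    printf 'quarterly report\n' > "$1/alice/docs/report.txt"
    printf 'meeting notes\n' > "$1/bob/notes.txt"
}

# backup_dir SRC ARCHIVE: write a gzip-compressed tar of SRC (tar czf in the
# SOP). -C makes the archive hold names relative to the parent of SRC, so it
# can be restored into any directory later. The listing step (tar tf in the
# SOP) fails on a truncated or corrupt archive; a checksum file is written
# beside the archive so a restore can detect later tampering or media errors.
backup_dir() {
    local src=$1 archive=$2
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    tar -tzf "$archive" > /dev/null || return 1
    sha256sum "$archive" > "$archive.sha256"
}

# restore_dir ARCHIVE TARGET: check the checksum, then extract into TARGET.
# Using -C instead of cd removes the mistake the SOP's note warns about
# (restoring into whatever directory the command happened to run from).
restore_dir() {
    local archive=$1 target=$2
    sha256sum -c --status "$archive.sha256" || { echo "checksum mismatch: $archive" >&2; return 1; }
    mkdir -p "$target"
    tar -xzf "$archive" -C "$target"
}

# verify_restore SRC TARGET: 0 when the restored tree matches SRC byte for byte
verify_restore() {
    diff -r "$1" "$2/$(basename "$1")" > /dev/null
}

# run_demo: full backup/verify/restore cycle in a temp dir; returns 0 on success
run_demo() {
    local work rc
    work=$(mktemp -d) || return 1
    make_sample_tree "$work/home"
    backup_dir "$work/home" "$work/home-backup.tar.gz" || return 1
    echo "archive contents:"; tar -tzf "$work/home-backup.tar.gz"
    restore_dir "$work/home-backup.tar.gz" "$work/restore" || return 1
    verify_restore "$work/home" "$work/restore"; rc=$?
    rm -rf "$work"
    return $rc
}

run_demo && echo "backup and restore verified"
```

The checksum file is what turns "the archive exists" into "the archive is the one we wrote": a bit flipped on the backup media, or a modified archive, makes restore_dir refuse to extract instead of silently restoring corrupt data.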
5. References
5.1. Security Policy for User

[2] The .gz extension is traditionally used to signify that the file has been compressed with gzip. Sometimes
.tar.gz is shortened to .tgz to keep file names reasonably sized.



Name of the Document Hard Disk / Folder Sharing Procedure - Linux
Classification Restricted Audience Client System Users and System Administrators
Version 3.0 Date of last change 1st Jan, 2014

HARD DISK / FOLDER SHARING PROCEDURE - LINUX


1. Introduction
Hard disk / folder sharing is a method of providing access to stored information, such as data,
documents, etc., to other users over the network. A physical hard disk may contain more than one
logical drive, depending upon the configuration.

Sharing hard disks / folders with other users on the network may pose a risk of unauthorized
disclosure, deletion or modification of data.

The Samba Server Configuration Tool is used to configure a Samba server, which can share
files and / or printers with other computers running Linux or Microsoft Windows.

2. Applicability
Linux [1]

3. Implication
Sharing with infected systems is a potential security risk.

4. Procedure
4.1. To start the application from the desktop, go to the main menu of the panel and click System →
Administration → Server Settings → Samba.

Figure 1

[1] Snapshots attached are for Red Hat Enterprise Linux versions 3, 4 & 5; steps may vary for other versions.

Hard Disk / Folder Sharing Procedure - Linux Page 81


Name of the Document Hard Disk / Folder Sharing Procedure - Linux
Classification Restricted Audience Client System Users and System
Administrators
st
Version 3.0 Date of last change 1 Jan, 2014

4.2. The Samba Server Configuration Tool is a graphical interface for managing Samba shares,
users and basic server settings. It modifies the configuration files in the /etc/samba/ directory;
changes made to these files outside the application are preserved. The details of the
shared resource are added by clicking Add Share.

Figure 2

4.3. Any user access restrictions can be added in this dialog.

Figure 3

4.4. Click on the OK button to confirm the configuration.

5. References
5.1. Security Policy for User



Name of the Document Limited User Account Creation Procedure - Linux
Classification Restricted Audience Client System Users and System Administrators
Version 3.0 Date of last change 1st Jan, 2014

LIMITED USER ACCOUNT CREATION PROCEDURE


1. Introduction
The Linux operating system permits the creation of a user account for each person required to use the
system. The System Administrator can create either an administrator account or an account with
limited privileges, depending on the requirement.

The administrator account should be used for administrative activities only. A limited account should be
used for carrying out day-to-day activities.

This document provides steps for creation of limited user account.

2. Applicability
Linux [1]

3. Implications
A limited user cannot change client system settings or install software. With limited privileges, some
programs may not run.

4. Procedure
4.1. Privileges can be added to a user by making him a member of a system group; this requires root
authentication. To create new users go to System → Administration → Users & Groups.
4.2. Click Add User. A popup will appear; provide the user details.

Figure 1: User Creation


4.3. Click OK to save the settings.
5. References
5.1. Security Policy for User
5.2. Hard disk / Folder Sharing Procedure
[1] Snapshots attached are for Red Hat Enterprise Linux versions 3, 4 & 5; steps may vary for other versions.

Limited User Account Creation Procedure - Linux Page 83


Name of the Document Linux Operating System Hardening Procedure
Classification Restricted Audience Client System Users and System Administrators
Version 3.0 Date of last change 1st Jan, 2014

LINUX OPERATING SYSTEM HARDENING PROCEDURE

1. Introduction
The default configuration of Linux operating systems may contain weak settings that can be
exploited by a malicious user. To minimise the possibilities of exploitation, the operating
system needs to be hardened.

This document provides the hardening procedure for the Red Hat Enterprise Linux operating
system.

2. Procedure

2.1. Securing SSH


2.1.1. Description
SSH (Secure Shell) is a protocol that supports logging into a remote system or
executing commands on a remote system, using encrypted communication
between the two systems.

By default SSH accepts protocol version 1 and allows direct root login to the system.
Disable direct root access in the sshd_config file and use only protocol 2,
which is more secure.

2.1.2. Solution

1) Edit /etc/ssh/sshd_config
2) Change Protocol 2,1 to Protocol 2
3) Change PermitRootLogin yes to PermitRootLogin no
4) Restart sshd: /etc/rc.d/init.d/sshd restart

2.2. Disable Telnet


2.2.1. Description
In earlier Linux distributions telnet is enabled by default. ftp, rlogin and telnet are
vulnerable to eavesdropping; it is recommended to use the secure alternatives
(sftp, scp, ssh).

Where a telnet terminal is nevertheless used, banner information should be hidden. For
security reasons, it is recommended not to use telnet at all.

2.2.2. Solution

2.2.2.1. Edit /etc/xinetd.d/telnet
2.2.2.2. Change disable = no to disable = yes. This disables telnet.
2.2.2.3. Restart xinetd: /etc/init.d/xinetd restart

Linux Operating System Hardening Procedure Page 84


Name of the Document Linux Operating System Hardening Procedure
Classification Restricted Audience Client System Users and System
Administrators
st
Version 3.0 Date of last change 1 Jan, 2014

2.3. Creating an SU group


2.3.1. Description
Since direct root access to the system via SSH and telnet is disabled, a privileged
user group needs to be created. Privileged users should use the su command
to gain root privilege on the system.

2.3.2. Solution

2.3.2.1. usermod -G wheel username
2.3.2.2. In /etc/pam.d/su, uncomment the following line (remove the leading #):
#auth required pam_wheel.so use_uid

2.4. Securing History


2.4.1. Description
Secure .bash_history so that the user cannot delete it or redirect it to /dev/null.
This prevents users from deleting or clearing the record of the commands last typed
on the system.

2.4.2. Solution

2.4.2.1. chattr +a .bash_history (append-only: the file can be added to but not truncated or deleted)
2.4.2.2. chattr +i .bash_history (immutable: note that an immutable file cannot be appended to either,
so new commands are no longer recorded while +i is set)

2.5. Using Welcome Message (Banners)


2.5.1. Description
An appropriate login message must be displayed when a user tries to log in to the
system. This file should contain warnings about inappropriate and unauthorized use
of the system. It should also warn users that their sessions and accounts may be
monitored for illegal or inappropriate use.

Displaying appropriate warning messages when users access a system will assist in
processing computer crime cases and will also act as an effective deterrent.

2.5.2. Solution

2.5.2.1. Delete /etc/redhat-release
2.5.2.2. Edit the /etc/issue and /etc/motd files with the statutory warning
and add the following banner to be displayed:

This computer system is for authorized users only. Individuals using this system
without authority or in excess of their authority are subject to having all their activities
on this system monitored and recorded or examined by any authorized person,
including law enforcement, as system personnel deem appropriate. In the course of
monitoring individuals improperly using the system or in the course of system
maintenance, the activities of authorized users may also be monitored and recorded.
Any material so recorded may be disclosed as appropriate. Anyone using this
system consents to these terms.

2.6. Specify the TTY devices from which root is allowed to log in


2.6.1. Description
The /etc/securetty file specifies the tty devices from which the root user is allowed to
log on. Disable any tty that is not required by placing # at the beginning of its
line.

2.6.2. Solution

2.6.2.1. Edit /etc/securetty
2.6.2.2. Leave only two connections:
tty1
tty2

2.7. Choose a secure password


2.7.1. Description
The /etc/login.defs file defines the site-specific configuration for the shadow
password suite. By default the minimum password length is 5 characters. One
should set it to 8 for stronger passwords.

2.7.2. Solution
2.7.2.1. Edit /etc/login.defs
2.7.2.2. Change PASS_MIN_LEN 5 to PASS_MIN_LEN 8

2.8. Changing SSH Port


2.8.1. Description
Changing the SSH port to a number other than the default gives more security by
preventing brute-force attacks and potential attackers from hitting the default port
directly.

2.8.2. Solution

2.8.2.1. Edit /etc/ssh/sshd_config and change Port 22 to the chosen port
2.8.2.2. Restart the SSH service:
/etc/init.d/sshd restart

2.9. Secure single user mode


2.9.1. Description
The system is secured when it prompts for the root password even when the
user boots the system in single user mode. This can be achieved by adding a
single line to the /etc/inittab file.


2.9.2. Solution
2.9.2.1. Edit /etc/inittab
2.9.2.2. Add the line:
~~:S:wait:/sbin/sulogin
This instructs init to prompt for the root password by executing the sulogin program.

2.10. Configure Password Policy


2.10.1. Description
A password policy is required to control user password characteristics, including
minimum password length and password aging.

Users may use weak passwords or may not change passwords on a periodic
basis; such user accounts will be compromised and can lead to unauthorized
access.

2.10.2. Solution
2.10.2.1. Edit the /etc/login.defs file and set the following password
configuration

S. No  Attribute      Description                                                         Safe Value
1      minlen         Minimum length of password                                          8
2      lcredit        Minimum number of lower case letters                                1
3      ucredit        Minimum number of upper case letters                                1
4      dcredit        Minimum number of digits                                            1
5      ocredit        Minimum number of other characters                                  1
6      PASS_MAX_DAYS  Maximum number of days before password should be changed            45
7      PASS_MIN_DAYS  Minimum number of days before a password can be changed             0
8      PASS_MIN_LEN   Minimum length of password (8 for root user)                        8
9      PASS_WARN_AGE  Number of days before the client system issues a warning to change  7
                      the password
Table: 1

2.11. User Locking after 5 retries


2.11.1. Description
This policy locks the user account after the defined number of consecutive failed login
attempts and unlocks it automatically after the defined time.

2.11.2. Solution
2.11.2.1. Edit /etc/pam.d/system-auth
2.11.2.2. Add the following line as line number 2:

auth required pam_tally.so onerr=fail deny=5 unlock_time=21600
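The password ageing values of Table 1 (section 2.10) and the pam_tally lockout line of section 2.11 can be checked rather than only set. The script below is an added example, not part of this SOP: it audits a login.defs-style file against the PASS_* values of Table 1 and checks a system-auth file for an active pam_tally line with deny=5 and an unlock_time placed before the pam_unix auth line. It takes file paths as parameters and ships constructed sample files; on a host the arguments would be /etc/login.defs and /etc/pam.d/system-auth. The minlen and credit rows of Table 1 are options of the pam_cracklib module configured in system-auth rather than login.defs keys, so they are not part of this check.

```shell
#!/bin/sh
# Added example (not part of the SOP): audit a login.defs-style file against
# the Table 1 values of section 2.10 and check a system-auth file for the
# pam_tally lockout line of section 2.11. File paths are parameters so the
# check runs on the constructed samples below; on a host call
#   audit_login_defs /etc/login.defs; audit_pam_tally /etc/pam.d/system-auth
# minlen/lcredit/ucredit/dcredit/ocredit are pam_cracklib options set in
# system-auth rather than login.defs keys, so they are not checked here.

# login_defs_value FILE KEY: effective value of KEY (last active definition
# wins, as the shadow suite reads the file); prints nothing if unset.
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# audit_login_defs FILE: print one line per deviation from Table 1;
# return value is the number of deviations (0 = compliant).
audit_login_defs() {
    local file=$1 n=0 v
    v=$(login_defs_value "$file" PASS_MIN_LEN)
    if [ -z "$v" ] || [ "$v" -lt 8 ]; then
        echo "PASS_MIN_LEN: want 8, found ${v:-unset}"; n=$((n + 1))
    fi
    v=$(login_defs_value "$file" PASS_MAX_DAYS)
    if [ -z "$v" ] || [ "$v" -gt 45 ]; then
        echo "PASS_MAX_DAYS: want 45 or less, found ${v:-unset}"; n=$((n + 1))
    fi
    v=$(login_defs_value "$file" PASS_MIN_DAYS)
    if [ -z "$v" ]; then
        echo "PASS_MIN_DAYS: want 0, found unset"; n=$((n + 1))
    fi
    v=$(login_defs_value "$file" PASS_WARN_AGE)
    if [ -z "$v" ] || [ "$v" -lt 7 ]; then
        echo "PASS_WARN_AGE: want 7 or more, found ${v:-unset}"; n=$((n + 1))
    fi
    return $n
}

# audit_pam_tally FILE: 0 when an active "auth required pam_tally.so" line
# with deny=5 and an unlock_time comes before the pam_unix auth line (the
# SOP's "add as line 2"); 1 otherwise. Commented lines are ignored.
audit_pam_tally() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $3 ~ /pam_tally\.so/ && /deny=5/ && /unlock_time=/ { tally = NR }
        $1 == "auth" && $3 ~ /pam_unix\.so/ && !unixline { unixline = NR }
        END { exit !(tally && (!unixline || tally < unixline)) }
    ' "$1"
}

# write_samples DIR: constructed sample files, not copied from any host
write_samples() {
    cat > "$1/login.defs.weak" <<'EOF'
# stock-style values
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
    cat > "$1/login.defs.hardened" <<'EOF'
PASS_MAX_DAYS   45
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
EOF
    cat > "$1/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=5 unlock_time=21600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
EOF
}

d=$(mktemp -d)
write_samples "$d"
for f in weak hardened; do
    audit_login_defs "$d/login.defs.$f"; echo "login.defs.$f: $? finding(s)"
done
audit_pam_tally "$d/system-auth" && echo "system-auth: lockout line present"
rm -rf "$d"
```

The ordering check matters because PAM evaluates auth modules top to bottom: a pam_tally line placed after a sufficient pam_unix line is never reached for a successful password, and with onerr=fail a line placed after pam_deny never runs at all.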

2.12. Disable the GUI login


2.12.1. Description
There is usually no reason to run X Windows on a dedicated server machine,
such as a dedicated web server. This action disables the graphical login, if
present, leaving the user to log in via SSH or a local text-based console. Even if
the GUI login screen is deactivated (going back to runlevel 3), unprivileged users
can still run X Windows by typing startx at the shell prompt. Doing so assumes
the xfs service is running (which must be started by root).

In Red Hat Enterprise Linux, there are two predominant runlevels for operation.
Runlevel 5 boots directly into X Windows, so as to allow graphical login or easy
use of specialized X terminals and other convenient graphical tools. Otherwise,
for normal text-based console login, runlevel 3 is desirable. GUI login is activated
or deactivated by changing this runlevel in /etc/inittab.

Note: runlevel 3 still allows a user to run X Windows (assuming the xfs service is
running) by typing:

startx

2.12.2. Solution
2.12.2.1. Edit /etc/inittab
2.12.2.2. Change id:5:initdefault: to id:3:initdefault: (change the value 5 to 3).

2.13. Allow SSH from listed users


2.13.1. Description
SSH access can be restricted to specific users.

2.13.2. Solution
2.13.2.1. Edit /etc/ssh/sshd_config
2.13.2.2. Add the following line, listing the permitted users:
AllowUsers user1 user2

2.14. Add Banners for SSH


2.14.1. Description
A pre-login banner is used to send a warning message before authentication; it
may be relevant for legal protection or simply to give information to users.
The contents of the specified file are sent to the remote user before
authentication is allowed. This option is only available for protocol version 2. By
default, no banner is displayed in the latest versions of Linux/UNIX.


2.14.2. Solution
2.14.2.1. Create /etc/ssh/banner
2.14.2.2. Add the banner content to that file.
2.14.2.3. Edit /etc/ssh/sshd_config and add:
Banner /etc/ssh/banner
2.14.2.4. Restart the service:
/etc/init.d/sshd restart

2.15. Disable Ctrl+Alt+Del


2.15.1. Description
By default CTRL+ALT+DEL reboots the machine. This function allows any user
(including a malicious one) at the console to reboot the client system.

2.15.2. Solution
2.15.2.1. Edit /etc/inittab
2.15.2.2. Comment out the ctrlaltdel line so that it reads:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
2.15.2.3. Save the change and have init re-read its configuration for the change to take
effect:
/sbin/init q

2.16. Remove Non essential services


2.16.1. Description
By default a number of services are available in Linux. Some services are not
necessary for client system operation and should be disabled, as vulnerabilities
found in unused applications / services can be used by malicious users to gain
unauthorized access.

2.16.2. Solution
2.16.2.1. ntsysv --level 35
2.16.2.2. Enable only sshd, gpm, xfs, syslog, sysstat.
2.16.2.3. Log in as root and run the setup command:

Setup → System Services → choose the relevant ones → Run Tool, and check which
services are enabled on the client system.

Below is the list of services that need to be enabled on the client system; other
services can be disabled if not required.


S. No  Service    Description                                                            Remark
1      crond      cron is a standard UNIX program that runs user-specified programs at   cron is used to run routine
                  periodic scheduled times. Vixie cron adds a number of features to the  maintenance tasks such as
                  basic UNIX cron, including better security and more powerful           log rotation
                  configuration options.
2      diskdump   Saves the dump file if the previous system crashed and initialises     The dump file can be used to
                  the diskdump module.                                                   troubleshoot the reason for
                                                                                         the system crash
3      network    Activates/deactivates all network interfaces configured to start at    Required to set the client
                  boot time.                                                             system configuration during
                                                                                         boot up
4      sshd       OpenSSH server daemon.                                                 SSH should be used to replace
                                                                                         clear-text based telnet/rlogin
                                                                                         and ftp
5      syslog     Syslog is the facility by which many daemons log messages to various   syslogd is required to log
                  client system log files. It is a good idea to always run syslog.       client system and security
                                                                                         related logs.
Table 2

2.17. Store Passwords in encrypted format


2.17.1. Description
Passwords are used to log in securely to user accounts. The security of user
passwords can be enforced system-wide by enabling MD5 hashing.

Passwords can be recovered if they are stored in a weak format.

User accounts are vulnerable to attack, and hence passwords should be
stored in a secure format.

2.17.2. Solution

By default, during installation of RHEL, the option for hashing passwords using
MD5 is enabled. Ensure that it has not been altered, at the following location:

System → Authentication → Authentication Configuration → enable Shadow Passwords and MD5 Passwords

2.18. Configure password for single user mode


2.18.1. Description
Linux provides a mechanism for client system maintenance via single user
mode, which is typically started while the system is booting.

Without a password, this allows a malicious user at the console to bypass any client
system protection, enter runlevel 1 as root and change system settings.

2.18.2. Solution
2.18.2.1. Edit the /etc/inittab file so that it contains the entries shown below:

id:5:initdefault:

~~:S:wait:/sbin/sulogin

2.18.2.2. Save the changes and have init re-read its configuration:

[root]# /sbin/init q

2.19. Set a Password to the BIOS and Disable boot-up from BIOS
2.19.1. Description
By default the BIOS on a client system is not configured with a password, and boot-up
may be set to any of the devices like CD / DVD, floppies and external devices.
Configure the BIOS to disable booting from these devices and set a password to
protect the settings.

Booting from removable devices may result in malicious software or a virus being run
from them. Setting a password in the BIOS will prevent users from entering
single user mode or changing settings at boot time.

2.19.2. Solution
Set a password for the GRUB bootloader. Generate a password hash using the
command /sbin/grub-md5-crypt. Add the hash to the first line of
/etc/grub.conf as follows:

password --md5 <passwordhash>


2.20. Block Non essential user accounts in the Client System


2.20.1. Description
Managing user and system accounts is an important aspect of Linux Operating
Environment security. A default installation carries several accounts. Some client
system accounts may need to be modified or deleted.

Non-essential user accounts increase the likelihood of compromise by providing a
malicious user with more user accounts to check for security holes.

2.20.2. Solution
Check the /etc/passwd file for all user accounts in the client system. Accounts that
can be safely disabled or deleted are:

Non-essential accounts: lp, sync, shutdown, uucp, ftp, games, nscd, gopher, operator, nobody, halt, news, adm

Table 3
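Before disabling or deleting the Table 3 accounts it helps to see which of them exist and which can still be logged into. The script below is an added example, not part of this SOP: it reads a passwd-format file given as a parameter and reports each Table 3 account with its UID, shell and whether the shell allows a login. The passwd content it ships is a constructed sample in RHEL layout; on a host the argument would be /etc/passwd.

```shell
#!/bin/sh
# Added example (not part of the SOP): report which Table 3 accounts exist in a
# passwd-format file and whether each can still be logged into. The file is a
# parameter so the constructed sample below can be used; on a host run
#   report_nonessential /etc/passwd
# Disabling an account (set its shell to /sbin/nologin, or lock it) is usually
# safer than deleting it, since files owned by the UID would otherwise become
# orphaned.

NONESSENTIAL="lp sync shutdown halt uucp ftp games nscd gopher operator nobody news adm"

# is_login_shell SHELL: 0 when SHELL lets a user obtain a session. An empty
# seventh field means login falls back to /bin/sh, so it counts as a shell;
# nologin/false and the sync/halt/shutdown helpers do not.
is_login_shell() {
    case "$1" in
        "") return 0 ;;
        */nologin|*/false|*/sync|*/halt|*/shutdown) return 1 ;;
        *) return 0 ;;
    esac
}

# report_nonessential FILE: print "name uid shell status" for each Table 3
# account found in FILE; return the number that still have a login shell.
report_nonessential() {
    local file=$1 count=0 name line uid shell status
    for name in $NONESSENTIAL; do
        line=$(awk -F: -v u="$name" '$1 == u { print; exit }' "$file")
        [ -n "$line" ] || continue
        uid=$(printf '%s\n' "$line" | cut -d: -f3)
        shell=$(printf '%s\n' "$line" | cut -d: -f7)
        if is_login_shell "$shell"; then
            status=LOGIN-SHELL; count=$((count + 1))
        else
            status=no-login
        fi
        echo "$name $uid ${shell:-<empty>} $status"
    done
    return $count
}

# write_sample_passwd FILE: constructed passwd content in RHEL layout
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
EOF
}

f=$(mktemp)
write_sample_passwd "$f"
report_nonessential "$f"; echo "$? account(s) still have a login shell"
rm -f "$f"
```

In the sample, news (empty shell field, which defaults to /bin/sh) and adm (/bin/bash) are the two accounts still worth acting on; the rest already have /sbin/nologin or a non-interactive helper as their shell.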

2.21. Disable Remote Root Login


2.21.1. Description

Root should not be permitted to log in from a remote console. The login
command is part of the authentication process for accessing a local Linux Operating
Environment account. Any action requiring direct login to the client system as
‘root’ should be restricted to the local console.

Logging in to the client system through a telnet session can reveal the clear-text password
of the root user. Allowing remote login for root also lets a malicious user attempt
access to the client system, which can lead to system compromise.

2.21.2. Solution
In the /etc/securetty file, verify that all the terminal entries are present, so that
root cannot establish telnet sessions through those terminals:

[root@localhost root]# less /etc/securetty

vc/1   tty0   tty11  tty22
vc/2   tty1   tty12  tty23
vc/3   tty2   tty13  tty24
vc/4   tty3   tty14  tty25
vc/5   tty4   tty15  tty26
vc/6   tty5   tty16  tty27
vc/7   tty6   tty17  tty28
vc/8   tty7   tty18  tty29
vc/9   tty8   tty19  tty30
vc/10  tty9   tty20  tty31
vc/11  tty10  tty21
Table 3

Ensure that the /etc/securetty file contains the list of all terminals from which root
is not allowed to log in remotely.

2.22. Restrict access to the critical files


2.22.1. Description
In Linux, /etc/passwd, /etc/shadow and /etc/group are the most
important files; the permissions on these files should be secured.

If a malicious user has write access to the passwd file, he can create a user in that file.
A malicious user can replace the MD5 hash of the root password in the shadow file with a
known hash to get into the client system, or add a newly created user to the
root group in the group file.

2.22.2. Solution
Change the owner of the following files to root:
2.22.2.1. /etc/passwd
2.22.2.2. /etc/shadow
2.22.2.3. /etc/group

Change the ownership and permissions using the following commands:

2.22.2.4. cd /etc
2.22.2.5. chown root:root passwd shadow group
2.22.2.6. chmod 644 passwd group
2.22.2.7. chmod 400 shadow
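A check that the ownership and modes set above are still in place, as an added example that is not part of this SOP. The directory and the expected owner UID are parameters so the script can run on a constructed copy without privileges; on a host it would be called as audit_account_files /etc 0. It relies on GNU stat -c, which is an assumption of the example.

```shell
#!/bin/sh
# Added example (not part of the SOP): verify owner and mode of passwd, group
# and shadow in a directory against the values in 2.22. The directory and the
# expected owner UID are parameters so the check can run on a constructed copy
# (unprivileged); on a host run:  audit_account_files /etc 0
# Uses GNU stat -c (assumed Linux).

# owner_mode PATH: print "uid mode", e.g. "0 644"; fails if PATH is missing
owner_mode() {
    stat -c '%u %a' "$1"
}

# check_file PATH UID MODE: 0 when PATH is owned by UID with exactly MODE
check_file() {
    local actual want="$2 $3"
    actual=$(owner_mode "$1" 2>/dev/null) || { echo "$1: missing"; return 1; }
    [ "$actual" = "$want" ] && return 0
    echo "$1: want owner/mode '$want', found '$actual'"
    return 1
}

# audit_account_files DIR UID: return the number of files that deviate.
# passwd and group stay world-readable (644) because logins, ls and most
# tools need to map names to ids; shadow holds the password hashes and is
# readable by root only (400).
audit_account_files() {
    local dir=$1 uid=$2 bad=0
    check_file "$dir/passwd" "$uid" 644 || bad=$((bad + 1))
    check_file "$dir/group"  "$uid" 644 || bad=$((bad + 1))
    check_file "$dir/shadow" "$uid" 400 || bad=$((bad + 1))
    return $bad
}

# make_sample DIR: constructed copies (not real credentials) with the
# recommended modes, owned by whoever runs the script
make_sample() {
    mkdir -p "$1"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/passwd"
    printf 'root:x:0:\nwheel:x:10:\n' > "$1/group"
    printf 'root:*:16000:0:99999:7:::\n' > "$1/shadow"
    chmod 644 "$1/passwd" "$1/group"
    chmod 400 "$1/shadow"
}

d=$(mktemp -d)
make_sample "$d/etc"
audit_account_files "$d/etc" "$(id -u)" && echo "sample /etc: all three files compliant"
rm -rf "$d"
```

The return value is a count rather than a boolean so the same call can drive a monitoring check: zero means compliant, anything else is the number of files to look at in the printed findings.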

2.23. Configure SSH for Remote Administration


2.23.1. Description
SSH is a program for logging into another computer over a network and executing
commands on the remote machine. SSH is also used as a secure channel for data
transfer over the network.

If SSH is not used, data transfer may be in clear text, which can be sniffed on
the network.


2.23.2. Solution
If SSH is required, ensure the SSH configuration file /etc/ssh/sshd_config
includes the following lines:

PermitRootLogin no
Protocol 2

Also limit SSH access to a subset of users. Create a group called sshusers and
add only the users that require remote access. Then add the following line to
/etc/ssh/sshd_config:

AllowGroups sshusers

Restart the service so that these changes take effect.
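The sshd_config settings asked for in sections 2.1, 2.8, 2.13, 2.14 and 2.23 can be audited together. The script below is an added example, not part of this SOP: it reads an sshd_config given as a parameter and reports whether Protocol is 2 only, PermitRootLogin is no, an AllowUsers or AllowGroups restriction exists, a Banner is set and the Port is not 22. It reproduces two rules of sshd's own parsing, keywords are case-insensitive and the first occurrence of a keyword wins, and stops at any Match block. The two configuration files it ships are constructed samples; on a host the argument would be /etc/ssh/sshd_config. The Protocol finding only applies to the older sshd releases this SOP covers; current OpenSSH releases no longer implement SSH-1 at all.

```shell
#!/bin/sh
# Added example (not part of the SOP): audit an sshd_config for the settings
# sections 2.1, 2.8, 2.13, 2.14 and 2.23 ask for. The path is a parameter so
# it runs on the constructed samples below; on a host use
#   audit_sshd_config /etc/ssh/sshd_config
# sshd treats keywords case-insensitively and uses the first occurrence of a
# keyword; settings inside a Match block are ignored here.

# sshd_value FILE KEY: effective value of KEY, or nothing if it is unset
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: one line per finding; return value = finding count
audit_sshd_config() {
    local file=$1 n=0 v
    v=$(sshd_value "$file" Protocol)
    if [ "$v" != "2" ]; then
        echo "Protocol: want '2', found '${v:-unset}' (old sshd offers SSH-1 unless restricted)"
        n=$((n + 1))
    fi
    v=$(printf '%s' "$(sshd_value "$file" PermitRootLogin)" | tr 'A-Z' 'a-z')
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin: want 'no', found '${v:-unset}'"
        n=$((n + 1))
    fi
    if [ -z "$(sshd_value "$file" AllowUsers)" ] && [ -z "$(sshd_value "$file" AllowGroups)" ]; then
        echo "AllowUsers/AllowGroups: no restriction, every account may try to log in"
        n=$((n + 1))
    fi
    if [ -z "$(sshd_value "$file" Banner)" ]; then
        echo "Banner: none configured"
        n=$((n + 1))
    fi
    v=$(sshd_value "$file" Port)
    if [ -z "$v" ] || [ "$v" = "22" ]; then
        echo "Port: default 22 in use"
        n=$((n + 1))
    fi
    return $n
}

# write_samples DIR: constructed sshd_config files, not copied from any host
write_samples() {
    cat > "$1/sshd_config.stock" <<'EOF'
# stock-style configuration: most keywords left at their defaults
#Port 22
Protocol 2,1
#PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
AllowGroups sshusers
Banner /etc/ssh/banner
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

d=$(mktemp -d)
write_samples "$d"
for f in stock hardened; do
    audit_sshd_config "$d/sshd_config.$f"; echo "sshd_config.$f: $? finding(s)"
done
rm -rf "$d"
```

Reading the first occurrence rather than the last is what makes the audit agree with the daemon: a hardened line appended at the end of a file that still carries the stock setting higher up changes nothing, and the script reports it that way.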

2.24. Limit the use of su and sudo command


2.24.1. Description

Upon typing the su command, the user is prompted for the root password, and after
successful authentication is given a root shell prompt. Once logged in via
the su command, the user has absolute administrative access to the system.

The sudo command offers another approach to granting administrative access to
users. When a trusted user precedes an administrative command with sudo, he /
she is prompted for a password. After authentication the administrative command is
executed as the root user.

A malicious user can compromise the system by using these commands.

2.24.2. Solution
To restrict the users that can su, they must be added to the special
administrative group called wheel. To do this, type the following command as root:

usermod -G wheel <username>

(Note that -G replaces the user's existing supplementary groups; where usermod
supports it, usermod -a -G wheel <username> appends wheel instead.)

Next open the PAM configuration file for su, /etc/pam.d/su, in a text editor and
remove the comment (#) from the following line:

auth required /lib/security/pam_wheel.so use_uid

The use of the sudo command must be restricted to a limited set of users. Only
authorized users' entries should be added to the /etc/sudoers file.


2.25. Login success or Failure records


2.25.1. Description
The syslog facility is used to log system activities. The syslog daemon receives log
messages from several sources and directs them to the appropriate location based
on the configured facility and priority. It can be used to capture all successful and
failed logins.

Without this logging, malicious login attempts cannot be monitored.

2.25.2. Solution
Check that the following line is present in the /etc/syslog.conf file; create it
if it is missing:

authpriv.*	/var/log/secure

Check that the secure file is present in the /var/log folder and verify the permissions on the
file.

Add the following entry to /etc/syslog.conf to capture syslog events sent to
LOG_AUTH. This contains information on unsuccessful login attempts and on successful
and failed su (switch user) attempts.

authpriv.*	/var/log/secure

Use the TAB key, not spaces, to separate the selector (auth.info or authpriv.*) from /var/log/secure.

Create /var/log/secure by executing the following commands:

# touch /var/log/secure
# chown root /var/log/secure
# chmod 600 /var/log/secure

2.26. Removing unnecessary Software Packages


2.26.1. Description

A very important step in securing a Linux system is to determine the primary
function or role of the Linux server. It is critical to look at the default list of
software packages and remove unneeded packages or packages that don't comply
with the security policy. This leaves fewer packages to update and maintain when
security alerts and patches are released. For example, Apache or Samba should
not be installed if they are not used. It is also good practice not to
have development packages, desktop software packages (e.g. X Server), etc.
installed on production servers. Other packages like the FTP and Telnet daemons
should not be installed, and if required there should be a business justification for
them; SSH/SCP/SFTP can be installed and used instead.
2.26.2. Solution

To get a list of all installed RPMs, run the following command:

rpm -qa

To know more about a particular RPM, run:

rpm -qi <package_name>

To check for and report potential conflicts and dependencies before deleting an RPM,
run:

rpm -e --test <package_name>

2.27. Patching Linux Systems


2.27.1. Description

Building an infrastructure for patch management is another very important step in
proactively securing Linux production environments. It is recommended to have a
written security policy and procedure for handling Linux security updates and issues.
For example, the security policy should detail the timeframe for assessment,
testing and rollout of patches. Network-related security vulnerabilities should get
the highest priority and should be addressed immediately, within a short timeframe.
The security procedure should detail the process for assessment, testing and
rollout of patches; the assessment phase should occur in a testing lab, and the
initial rollout should occur on development systems first.
A separate security log should detail which Linux security notices have been
received, when patches have been researched and assessed, when patches have
been applied, etc.

2.27.2. Solution

For Red Hat systems, Red Hat Network (RHN) is recommended for patch
management. For secure environments, consider Red Hat's Satellite
solution. For more information, see the Red Hat Network Architectural Overview.

2.28. Detecting Listening Network Ports


2.28.1. Description

One of the most important tasks is to detect and close network ports that are not
needed.
2.28.2. Solution


To get a list of listening network ports (TCP and UDP sockets) together with the
owning process, run the following command as root (on current distributions
"ss -tulpn" gives the same information and is the replacement for netstat):
# netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address              Foreign Address  State   PID/Program name
tcp        0      0 *:auth                     *:*              LISTEN  2328/xinetd
tcp        0      0 localhost.localdomain:smtp *:*              LISTEN  2360/sendmail: acce
tcp        0      0 *:ssh                      *:*              LISTEN  2317/sshd

From the output confirm that only xinetd, sendmail, and sshd are listening.

On current Red Hat Linux distributions sendmail is configured to listen for local
connections only (localhost:smtp above). Sendmail should not listen for incoming
network connections unless the server is a mail or relay server. Running a port
scan from another server confirms what is actually reachable over the network
(make sure you have authorisation to probe the machine before scanning it):
# nmap -sTU <remote_host>

Starting nmap 3.70 (http://www.insecure.org/nmap/) at 2004-12-10 22:51 CST
Interesting ports on jupitor (172.16.0.1):
(The 3131 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
113/tcp open  auth

Nmap run completed -- 1 IP address (1 host up) scanned in 221.669 seconds
#

Note that the above nmap command can take a while because of the UDP scan. If
the UDP scan is left out (run "nmap -sT <remote_host>" instead of "-sTU"), nmap
finishes almost immediately; a scan run against the local machine is also very
fast. Also note that nmap will not show listening sockets that a firewall
blocks, so the local netstat/lsof listing and the remote scan complement each
other: the first shows what is listening, the second shows what is reachable.
From the output above check that the xinetd daemon is listening on port auth
(port 113) for IDENT, and that sendmail does not appear, i.e. it is not
listening for remote incoming network connections (see also Securing Sendmail).

Another method to list all of the TCP and UDP sockets to which programs are
listening is lsof:


# lsof -i -n | egrep 'COMMAND|LISTEN|UDP'
COMMAND   PID USER FD  TYPE DEVICE SIZE NODE NAME
sshd     2317 root  3u IPv6   6579       TCP *:ssh (LISTEN)
xinetd   2328 root  5u IPv4   6698       TCP *:auth (LISTEN)
sendmail 2360 root  3u IPv4   6729       TCP 127.0.0.1:smtp (LISTEN)

2.29. Kernel Tunable Security Parameters


2.29.1. Description
The following list shows tunable kernel parameters that can be used to harden
the Linux server against network attacks.
For each parameter, the line shown must be added to the /etc/sysctl.conf
configuration file so that the setting survives reboots. To apply the values
from that file immediately at runtime, use:
# sysctl -p
To see the value a parameter currently has, run "sysctl <parameter>", e.g.
"sysctl net.ipv4.tcp_syncookies". Note that the net.ipv4.conf.all.* values
below apply to the interfaces that exist now; set the same values under
net.ipv4.conf.default.* so that interfaces added later are covered as well.

2.29.2. Solution
2.29.2.1. Enable TCP SYN Cookie Protection

A "SYN flood" is a denial of service attack in which the attacker sends many
TCP SYN packets (usually with spoofed source addresses) and never completes
the handshake, so the server's queue of half-open connections fills up and
legitimate clients can no longer connect. Any server that is reachable over a
network is potentially subject to this attack. With SYN cookies enabled, the
kernel encodes the connection state in the sequence number of its SYN-ACK
instead of queueing it, so the queue cannot be exhausted.
To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file
and add the following line:
net.ipv4.tcp_syncookies = 1

2.29.2.2. Disable IP Source Routing

Source routing lets the sender of a packet specify the path it takes through
the network from source to destination. This feature can be used by network
operators for diagnosing problems. However, if an intruder is able to send a
source-routed packet into the network, the replies follow the route he chose,
so he can intercept them while the server has no way of knowing that it is not
talking to a trusted host.

To make the kernel drop source-routed packets, edit the /etc/sysctl.conf
file and add the following line (and the same value for
net.ipv4.conf.default.accept_source_route):
net.ipv4.conf.all.accept_source_route = 0

2.29.2.3. Disable ICMP Redirect Acceptance

ICMP redirects are used by routers to tell the server that there is a better
path to other networks than the one chosen by the server. However, an
intruder could potentially use forged ICMP redirect packets to alter the host's
routing table, causing traffic to take a path it was not intended to take, for
example through a machine the intruder controls.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file
and add the following line:
net.ipv4.conf.all.accept_redirects = 0
Note that on a host that does not forward packets, the kernel accepts a
redirect if either the "all" value or the per-interface value is enabled, so
net.ipv4.conf.default.accept_redirects = 0 must be set as well, and the
existing interfaces should be checked with "sysctl -a | grep accept_redirects".

2.29.2.4. Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets which
claim to be from another host by manipulating the source address. IP
spoofing is very often used for denial of service attacks.

To enable IP Spoofing Protection, turn on Source Address Verification
(reverse path filtering): the kernel then drops any packet whose source
address would not be routed back out through the interface it arrived on.
Edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.rp_filter = 1
On hosts with asymmetric routing (more than one interface towards the same
networks) this strict mode drops legitimate traffic; use the value 2 (loose
mode) there rather than turning the check off.

2.29.2.5. Ignore ICMP Echo Requests

To make the host ignore ping (ICMP echo) requests, edit the /etc/sysctl.conf
file and add the following line:
net.ipv4.icmp_echo_ignore_all = 1
Note that this also hides the host from the organisation's own monitoring and
makes network troubleshooting harder; apply it only where the hardening policy
for the server requires it, and otherwise rely on the broadcast setting below
and on the host firewall.

2.29.2.6. Ignore Broadcast Echo Requests

Echo requests sent to a broadcast address make every host on the segment
reply, which is abused in "smurf" amplification attacks against the spoofed
source address. To ignore such requests, edit the /etc/sysctl.conf file and
add the following line:
net.ipv4.icmp_echo_ignore_broadcasts = 1

2.29.2.7. Ignore Bogus ICMP Error Responses

Some routers violate RFC 1122 by sending bogus ICMP error responses to
broadcast frames. By default the kernel logs a warning for each of them, which
clutters the log files and can be used to flood them. To make the kernel drop
such messages silently, edit the /etc/sysctl.conf file and add the following
line:
net.ipv4.icmp_ignore_bogus_error_responses = 1

2.29.2.8. Enable Logging of Spoofed, Source Routed and Redirect Packets

To turn on logging for spoofed packets (packets with impossible source
addresses, "martians" in the kernel's terminology), source routed packets,
and redirect packets, edit the /etc/sysctl.conf file and add the following
line; the entries appear in the kernel log (dmesg, /var/log/messages):
net.ipv4.conf.all.log_martians = 1
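The following script, added here as a worked example and not part of the original SOP, collects the parameters of this section into one list, prints them in /etc/sysctl.conf form, and audits a host's current values against them. The net.ipv4.conf.default.* entries are an addition of this example: conf.all.* only covers interfaces that already exist, and for accept_redirects on a non-forwarding host the kernel honours the per-interface value as well. The capture file name /tmp/sysctl.now is illustrative.

```shell
#!/bin/sh
# Added example (not part of the original SOP): audit the section 2.29 kernel
# parameters against their expected values and report drift.
# The net.ipv4.conf.default.* entries are this example's addition (see lead-in).

HARDENING_SYSCTL='
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
'

# Print the settings in the "key = value" form used by /etc/sysctl.conf.
# Usage:  sysctl_conf_lines >> /etc/sysctl.conf && sysctl -p
sysctl_conf_lines() {
    printf '%s\n' "$HARDENING_SYSCTL" | sed -n 's/=/ = /p'
}

# sysctl_audit <current-values-file>
#   The file holds "key = value" lines as printed by "sysctl -a"; capture it
#   with:  sysctl -a 2>/dev/null > /tmp/sysctl.now
#   One line is printed per drifted key, and the return value is the number of
#   drifted keys, so 0 means the host matches the list above.
sysctl_audit() {
    current="$1"
    drift=0
    while IFS='=' read -r key want; do
        case "$key" in "") continue ;; esac
        # escape the dots so they are matched literally by sed
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^${key_re}[[:space:]]*=[[:space:]]*//p" "$current" | head -n 1)
        if [ -z "$have" ]; then
            echo "$key expected=$want actual=<missing>"
            drift=$((drift + 1))
        elif [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=$have"
            drift=$((drift + 1))
        fi
    done <<EOF
$HARDENING_SYSCTL
EOF
    return $drift
}
```

Run it after "sysctl -p" and again after every kernel or network configuration change; a non-zero return value from sysctl_audit is the signal to investigate, and the printed lines say which parameter moved and to what.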

2.30. Checking file permissions and ownership


2.30.1. Description & Solution

2.30.1.1. Default umask

The umask (user file-creation mode mask) is a shell built-in command that
determines the default permissions of newly created files: the bits set in the
mask are removed from the permissions a program requests. Programs can
override this with explicit system calls, but most programs and utilities
respect the umask.

By default, Red Hat sets the umask to 022 or 002, which is fine. If the name
of the user account and of the primary group are the same and the UID is 100
or larger, umask is set to 002 (the private-group case); otherwise it is set
to 022. Check /etc/bashrc for bash shells:
$ id
uid=509(test) gid=510(test) groups=100(users),510(test) context=user_u:system_r:unconfined_t
$ umask
0002
$
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t
# umask
0022
#
Example of how umask works (each mask bit removes the matching permission bit
from the default 666 for new files):
$ umask 000
$ touch file1
$ ls -l file1
-rw-rw-rw- 1 oracle oinstall 0 Dec 26 19:24 file1
$ umask 002
$ touch file2
$ ls -l file2
-rw-rw-r-- 1 oracle oinstall 0 Dec 26 19:24 file2
$ umask 022
$ touch file3
$ ls -l file3
-rw-r--r-- 1 oracle oinstall 0 Dec 26 19:25 file3
$
For the bash shell the umask is set in /etc/bashrc. The /etc/bashrc file holds
system-wide aliases and functions and is sourced by ~/.bashrc. A more
restrictive value such as 027 or 077 can be set there on servers where newly
created files must not be readable by other users.

2.30.1.2. SUID/SGID Files

When the SUID (set user ID) or SGID (set group ID) bit is set on an
executable, it runs with the UID or GID of the owner of the executable
rather than that of the user executing it. This means, for example, that all
executables that have the SUID bit set and are owned by root are
executed with the UID of root. A good example is the passwd command,
which allows ordinary users to update their password field in the
/etc/shadow file, which is owned by root.
But SUID/SGID bits can be misused when the SUID/SGID executable
has a security hole: any bug in it becomes a privilege escalation for every
local user. Therefore, one should search the entire system for SUID/SGID
executables and document them, and check the list again after patching or
installing software so that new ones are noticed. Ensure that developers do
not set SUID/SGID bits on their programs unless it is an absolute
requirement. Very often a workaround such as removing just the execute bit
for world/others is enough; a better approach is to change the design of the
software if possible.
To search the entire system for SUID or SGID files, run the following
command:
find / -path /proc -prune -o -type f -perm +6000 -ls
The -prune option in this example is used to skip the /proc filesystem.
Current versions of GNU find have dropped the "+" form; use "-perm /6000"
there ("/" means any of the listed bits, which is what "+" meant).

2.30.1.3. World-Writable Files


World-writable files are a security risk since they allow anyone to modify
them. Additionally, world-writable directories allow anyone to add or delete
files in them.
To locate world-writable files and directories, run the following command:
find / -path /proc -prune -o -perm -2 ! -type l -ls

The "! -type l" parameter skips all symbolic links since symbolic links are
always world-writable. However, this is not a problem as long as the target
of the link is not world-writable, which is checked by the above find
command.
World-writable directories with the sticky bit set, such as /tmp, do not
allow anyone except the owner of a file (or root) to delete or rename it
there. Therefore, depending on the purpose of the directory, world-writable
directories with the sticky bit are usually not an issue. An example is the
/tmp directory:
$ ls -ld /tmp
drwxrwxrwt 18 root root 16384 Dec 23 22:20 /tmp

The "t" in the last position, which denotes the sticky bit, means that files
in the directory can be deleted or renamed only by the owner of the file, the
owner of the directory, or root.

2.30.1.4. Unowned Files

Files not owned by any existing user or group are not necessarily a security
problem in themselves, but they can become one. They are usually left behind
when an account is deleted; if a new user is later created and happens to get
the same UID as the unowned files, that user automatically becomes the owner
of those files, whatever they contain.
To locate files not owned by any user or group, use the following command
(the parentheses group the two tests so that -ls applies to both; without an
explicit action the pruned /proc entry would be printed as well):
find / -path /proc -prune -o \( -nouser -o -nogroup \) -ls

2.31. Checking Accounts


2.31.1. Description & Solution
2.31.1.1. Checking for unlocked accounts

It is important that all system and vendor accounts that are not used for
logins are locked.
An account is locked when the password field (the second field) of its
/etc/shadow entry starts with "!" or "*": passwd -l prepends "!!" to the
encrypted password and usermod -L prepends "!", both of which turn the hash
into a string that no password can match. Most system and shared accounts are
locked by default in this way. Note that locking the password does not stop
logins with SSH keys or other non-password mechanisms; set the shell to
/sbin/nologin as well for accounts that must never log in.
Hence, to get a list of all unlocked accounts (those with a usable password
hash), run:
# awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow

Also make sure all accounts have an 'x' in the password field of
/etc/passwd. The following command lists all accounts that do not:
# grep -v ':x:' /etc/passwd

An 'x' in the password field means that the password has been shadowed,
i.e. the encrypted password has to be looked up in the /etc/shadow file.
If the password field in /etc/passwd is empty, the shadow file is not
consulted for that account and, depending on the PAM configuration (the
nullok option of pam_unix), the user may be let in without any password, so
such entries must be fixed immediately.
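The following functions, added here as a worked example and not part of the original SOP, perform the checks of this section on copies of the account files. The file paths are passed as arguments so the checks can be run over files collected from a host during an audit; on the live system pass /etc/passwd and /etc/shadow and run as root. The tests are anchored on the second field, so a "!" or "*" elsewhere in a line cannot mask an unlocked account, and an empty password field is reported separately because it is a worse finding than an unlocked one.

```shell
#!/bin/sh
# Added example (not part of the original SOP): audit account lock state from
# /etc/passwd and /etc/shadow (or copies of them passed as arguments).

# Print accounts whose shadow password field holds a usable hash, i.e. does not
# start with "!" or "*" (passwd -l writes "!!", usermod -L prepends "!", system
# accounts ship with "*" or "!!") and is not empty.
unlocked_accounts() {
    awk -F: '$2 !~ /^[!*]/ && $2 != "" { print $1 }' "$1"
}

# Print accounts with an EMPTY password field in /etc/shadow: these may log in
# with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print /etc/passwd entries whose password field is not the shadow marker "x".
# An empty field means login never consults /etc/shadow; a hash here is
# world-readable and can be cracked offline.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# account_audit <passwd-file> <shadow-file>
#   Prints one tagged line per finding and returns the number of findings.
#   UNLOCKED entries still need a human decision: root and the admin accounts
#   are expected there, service accounts are not.
account_audit() {
    passwd_file="$1"
    shadow_file="$2"
    n=0
    for u in $(unlocked_accounts "$shadow_file"); do
        echo "UNLOCKED   $u"; n=$((n + 1))
    done
    for u in $(empty_password_accounts "$shadow_file"); do
        echo "NOPASSWORD $u"; n=$((n + 1))
    done
    for u in $(unshadowed_accounts "$passwd_file"); do
        echo "UNSHADOWED $u"; n=$((n + 1))
    done
    return $n
}
```

Usage on a live host: "account_audit /etc/passwd /etc/shadow". Every UNLOCKED service account should be locked with "usermod -L" (and given /sbin/nologin), every NOPASSWORD or UNSHADOWED entry fixed with passwd or pwconv before the audit is repeated.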

2.31.1.2. Checking for unused accounts

All system or vendor accounts that are not being used by users, applications,
the system or daemons should be removed from the system. Before removing an
account, use the following command to find out whether any files are owned
by it (such files would become unowned, see 2.30.1.4):
# find / -path /proc -prune -o -user <account> -ls
The -prune option in this example is used to skip the /proc filesystem.

Once it is certain that an account can be deleted, remove it using the
following command:
# userdel -r <account>

Without the "-r" option userdel will not delete the user's home directory
and mail spool (/var/spool/mail/<user>).

2.31.1.3. Single User Mode Password for root

Some admins suggest adding the following line to the /etc/inittab file
to ensure that the root password is required for Single User Mode logons:

~~:S:wait:/sbin/sulogin

This is only effective if the boot loader is password protected as well: at
the GRUB or LILO prompt one can instruct the boot loader to start a different
init program with the boot parameter "init=/bin/bash", which leads straight
to a root shell prompt without a password. See the boot loader password steps
in the Password Enabling Procedure - Linux.

2.32. Restricting su Access to System and Shared Accounts


2.32.1. Description & Solution
2.32.1.1. Restricting su Access to root, oracle, and postgres Accounts

Create a new group for each set of users that are allowed to su to the root,
oracle, and postgres accounts:
# groupadd rootmembers
# groupadd oraclemembers
# groupadd postgresmembers

Add all users who are allowed to su to the root, oracle, and postgres
accounts to the new member groups created above. The following
requirement will be configured:
- Only adminuser1 should be able to su to root, oracle, and postgres.
- Only oracleuser1 should be able to su to oracle.
- Only postgresuser1 should be able to su to postgres.
- No one else on the system should be able to su to any of these accounts.
# usermod -aG rootmembers adminuser1
# usermod -aG oraclemembers oracleuser1
# usermod -aG postgresmembers postgresuser1

(The -a option appends the group; "usermod -G" on its own replaces the user's
entire list of supplementary groups.)

Note that there is no need to add adminuser1 to the other member groups.
Instead, the configuration below gives users in the rootmembers group su
access to the oracle and postgres accounts automatically, without adding
them to the oraclemembers and postgresmembers groups. The root admins are
the one exception; they should not be added to every member group on the
system.
Next add three authentication lines to the /etc/pam.d/su file so that it reads
as follows (the added lines are the two "sufficient" pam_stack lines for
su-root-members and su-other-members and the "required" pam_deny line that
follows them):
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
auth       sufficient   /lib/security/$ISA/pam_stack.so service=su-root-members
auth       sufficient   /lib/security/$ISA/pam_stack.so service=su-other-members
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_selinux.so open multiple
session    optional     /lib/security/$ISA/pam_xauth.so

pam_stack.so and the $ISA path prefix belong to older Red Hat releases (up to
RHEL 4). On RHEL 5 and later the equivalent of "pam_stack.so service=X" is
the directive "include X", and the module path can be omitted.

These additional authentication lines specify that nobody can su to any
account unless at least one of the PAM services su-root-members or
su-other-members returns Success. The control flag sufficient means that a
success bypasses the remaining authentication modules and overall success is
returned for the authentication part; a failure of a sufficient module is
simply ignored and the next module is tried. If both PAM services fail, the
last authentication module, pam_deny, is invoked; it denies every request, so
the authentication part of su fails. pam_rootok at the top still lets root
itself su to any account without a password.

Next the new authentication PAM service configuration files
/etc/pam.d/su-root-members and /etc/pam.d/su-other-members need to be
created.

The file /etc/pam.d/su-root-members referenced in /etc/pam.d/su should read
like:
auth required /lib/security/pam_wheel.so use_uid group=rootmembers
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-rootmembers-access

The file /etc/security/su-rootmembers-access referenced in
/etc/pam.d/su-root-members should read like:
root
oracle
postgres

The control flag required specified for both modules means that both
modules have to return Success; otherwise this PAM service returns Failure
to the "su" PAM service configured in /etc/pam.d/su.
The first line returns Success only if the calling user (use_uid) is a member
of the rootmembers group. The second line allows access (sense=allow) only
when the target user is listed in /etc/security/su-rootmembers-access, i.e.
root, oracle, or postgres; these are the only users that will be accepted as
the user argument to su. The item=user argument instructs pam_listfile that
the entries in /etc/security/su-rootmembers-access are usernames. If an
error occurs, such as an unreadable configuration file, access is denied
(onerr=fail). The access file must be owned by root and not writable by
anyone else, since whoever can edit it decides which accounts the group may
become.

NOTE: Once su access to root is working for users in the rootmembers group,
it is recommended to avoid making any further changes to the
/etc/pam.d/su-root-members file. A mistake in this file could revoke su
access to root for all users on the system (because of onerr=fail, even a
misspelled access file name denies everyone). That is why two PAM service
files are created: /etc/pam.d/su-root-members for users in the rootmembers
group, and /etc/pam.d/su-other-members for everything else, which can be
edited without risking root access.
Next the file /etc/pam.d/su-other-members referenced in /etc/pam.d/su
should be created and read like:
auth sufficient /lib/security/pam_stack.so service=su-oracle-members
auth sufficient /lib/security/pam_stack.so service=su-postgres-members
auth required /lib/security/pam_deny.so

If one of the two PAM services returns Success, su-other-members returns
Success to the "su" PAM service configured in /etc/pam.d/su. Otherwise the
last module is invoked, which denies the request, and the authentication
fails.
Next the PAM services su-oracle-members and su-postgres-members have to be
created.
The file /etc/pam.d/su-oracle-members referenced in
/etc/pam.d/su-other-members should read like:
auth required /lib/security/pam_wheel.so use_uid group=oraclemembers
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-oraclemembers-access

The file /etc/security/su-oraclemembers-access referenced in
/etc/pam.d/su-oracle-members should read like:
oracle

The file /etc/pam.d/su-postgres-members referenced in
/etc/pam.d/su-other-members should read like:
auth required /lib/security/pam_wheel.so use_uid group=postgresmembers
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-postgresmembers-access

The file /etc/security/su-postgresmembers-access referenced in
/etc/pam.d/su-postgres-members should read like:
postgres

Now verify the result from a second terminal, before logging out of the root
session that was used to make the changes, so that a mistake can still be
corrected: adminuser1 should be able to su to root, oracle, and postgres;
oracleuser1 should be able to su to oracle only; postgresuser1 should be
able to su to postgres only; and no one else on the system should be able to
su to any of these accounts, even if they know the password. Failed attempts
are logged by su (in /var/log/secure on Red Hat) and should be reviewed.

2.33. Preventing accidental denial of service


2.33.1. Description

Linux allows setting limits on the amount of system resources that users and
groups can use. This is also very handy when bugs in programs accidentally use
up too many resources, slow down the machine, or even render the system
unusable. Incorrect or missing limits allow a program to consume so many
resources that the server no longer responds to new connections or local
logins, for example when one program uses up all file handles on the system.
This becomes a security issue if a user is allowed to exhaust a resource and
so cause a denial of service. Depending on the environment, the resource
limits for user accounts and groups should therefore be reviewed.

2.33.2. Solution

1. For setting or restricting system resources for the Oracle user account,
check the list of system resource settings in /etc/security/limits.conf. Also
check the default settings for each resource.
Most shells like Bash provide control over various resources such as the
maximum number of open file descriptors or the maximum number of processes
available to a user. To see all shell limits, run:
ulimit -a

For more information on ulimit for the Bash shell, see man bash and search
for ulimit.
2. "Hard" and "soft" limits from /etc/security/limits.conf may not be applied
when someone logs in to oracle over SSH. They do apply when one logs in as
root and then does su to oracle, and to applications started automatically
during the boot process. If the limits are not applied to SSH logins, first
make sure that UsePAM is set to "yes" in /etc/ssh/sshd_config, since
pam_limits is only run when sshd uses PAM. On the old releases this procedure
was written for, the remaining workaround was to set UsePrivilegeSeparation
to "no" in /etc/ssh/sshd_config and restart the SSH daemon with
/etc/init.d/sshd restart, because privilege separation did not work properly
with PAM on some Linux distributions. Turning off privilege separation is not
recommended, since it is a valuable security feature that has already
prevented exploitation of SSH vulnerabilities; on current OpenSSH releases
(7.5 and later) the option is deprecated and privilege separation is always
on.

For example, to change the number of file handles or open files that the
Oracle user can use, edit the file /etc/security/limits.conf as root and
change or add the following lines:
oracle soft nofile 4096
oracle hard nofile 63536

The "soft limit" in the first line is the number of file handles or open files
that the Oracle user gets right after login. If the Oracle user gets error
messages about running out of file handles, the Oracle user can raise the
limit, up to the "hard limit" of 63536 in this example, by running the
following command:
ulimit -n 63536

The "soft" and "hard" limits can be set higher if necessary. It is not
recommended to set the "hard" nofile limit for the oracle user equal to
/proc/sys/fs/file-max: if the oracle user then uses up all its file handles,
the whole system is out of file handles. This can mean that no new remote
logins are possible any more, because the system cannot even open the PAM
modules that are required to perform a login.
One should ensure that pam_limits is configured in the file
/etc/pam.d/system-auth, or, if it is not enabled for all logins there (or if
/etc/pam.d/system-auth does not exist, as on SUSE), in /etc/pam.d/sshd (for
SSH), /etc/pam.d/su (for su), or /etc/pam.d/login (local logins and telnet).
This is the PAM module that reads the /etc/security/limits.conf file. The
entry should read like:
session required /lib/security/pam_limits.so

Log in to the oracle account again, since the changes only become effective
for new login sessions.
$ su - oracle
$ ulimit -n
4096
$

It is important to note that the ulimit options are different for other shells.
The default limit for oracle is now 4096 and the oracle user can increase the
number of file handles up to 63536:
$ su - oracle
$ ulimit -n
4096
$ ulimit -n 63536
$ ulimit -n
63536
$

To make this change permanent, add "ulimit -n 63536" (for Bash) to the
~oracle/.bash_profile file, which is the user startup file for the Bash shell
on Red Hat Linux (to verify the shell, run: echo $SHELL). The following
commands do this for oracle's Bash shell:
su - oracle
cat >> ~oracle/.bash_profile << EOF
ulimit -n 63536
EOF

2.34. Search for SUID or SGID files


2.34.1. Description & Solution

To search the entire system for SUID or SGID files, run the following command
(with current GNU find use "-perm /6000" instead of "-perm +6000"):
find / -path /proc -prune -o -type f -perm +6000 -ls
To remove the setuid or setgid bit from a file, run:
chmod u-s <file>
or
chmod g-s <file>
Do this only on the following files, which ordinary users on a server do not
need to run with elevated rights (after the change only root can still use
them):
o /bin/mount
o /bin/umount
o /usr/bin/chsh
o /usr/sbin/adduser
o /usr/bin
o /usr/bin/chage
Also be sure to chmod 0 all the r-tools in /usr/bin, i.e. /usr/bin/rcp,
/usr/bin/rsh, /usr/bin/rlogin, and /usr/bin/telnet, so that these clear-text
remote-login clients cannot be run at all (better still, remove the packages
that provide them).

Then run ls -al <file> to confirm that the setuid/setgid bit has been
removed (an "s" in the owner or group execute position means it is still set).

2.35. Secure /tmp and /var/tmp

2.35.1. Description & Solution

On a cPanel server, run the script /scripts/securetmp provided by cPanel. It
remounts /tmp and /var/tmp with the noexec option, so that programs dropped
into the world-writable temporary directories (a favourite place for attackers
to stage their tools) cannot be executed from there.

Whether or not cPanel is in use, check the permissions of /tmp:
root# ls -ld /tmp

If the following appears
drwxr-xr-x 5 root root xxxxx mon xx xx:xx /tmp
then the sticky bit is missing and /tmp must be chmod'ed to 1777 to set it:
chmod 1777 /tmp

If cPanel is not in use, mount the filesystems as non-executable manually. If
there is a separate partition for /tmp, simply remount it with the noexec,
nosuid and nodev options, and add the same options to its /etc/fstab entry so
that they survive a reboot, then run:
mount -o rw,noexec,nodev,nosuid,remount /tmp
Then make /var/tmp use the same protected filesystem: back up any files in
/var/tmp, move them to /tmp, remove the now empty directory, and create a
symbolic link from /var/tmp to /tmp ("ln -s /tmp /var/tmp").

Check for the MySQL socket, which is normally created in /tmp and may need
to be recreated: after creating the symbolic link, remove the MySQL socket
and restart MySQL so that it is recreated.
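The following functions, added here as a worked example and not part of the original SOP, verify that /tmp and /var/tmp are mounted with the nodev, nosuid and noexec options described above. They read a file in /proc/mounts format so that they can also be run over a copy taken from another host; on the live system pass /proc/mounts itself. The device name /dev/sda3 in the fstab comment is an assumption of this example.

```shell
#!/bin/sh
# Added example (not part of the original SOP): verify that the temporary
# directories are mounted with nodev, nosuid and noexec.
#
# A matching /etc/fstab entry for a separate /tmp partition (the device name
# is an assumption of this example) looks like:
#   /dev/sda3  /tmp  ext4  defaults,nodev,nosuid,noexec  0 2

REQUIRED_TMP_OPTS="nodev nosuid noexec"

# mount_opts <mounts-file> <mountpoint>
#   Prints the option string of the mount at <mountpoint>, or nothing if the
#   path is not a mount point. If several filesystems are stacked on the same
#   path the last entry wins, which is the one that is visible.
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1" | tail -n 1
}

# check_tmp_mount <mounts-file> <mountpoint>
#   Prints "<mountpoint> OK", "<mountpoint> MISSING <opt,...>" or
#   "<mountpoint> NOT-A-MOUNT" and returns 0 only when every required option
#   is present.
check_tmp_mount() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "$2 NOT-A-MOUNT"
        return 1
    fi
    missing=""
    for o in $REQUIRED_TMP_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;                              # option present
            *) missing="${missing:+$missing,}$o" ;;   # record what is absent
        esac
    done
    if [ -z "$missing" ]; then
        echo "$2 OK"
        return 0
    fi
    echo "$2 MISSING $missing"
    return 1
}

# audit_tmp_mounts <mounts-file>
#   Checks /tmp and /var/tmp and returns the number of directories that fail.
#   If /var/tmp is a symbolic link to /tmp, as section 2.35 suggests, it does
#   not appear in /proc/mounts and is reported as NOT-A-MOUNT; in that case the
#   /tmp result is the one that counts.
audit_tmp_mounts() {
    failures=0
    for d in /tmp /var/tmp; do
        check_tmp_mount "$1" "$d" || failures=$((failures + 1))
    done
    return $failures
}
```

Usage on a live host: "audit_tmp_mounts /proc/mounts". A NOT-A-MOUNT result for /tmp means the directory is still part of the root filesystem, so noexec cannot be applied to it without a separate partition (or a tmpfs or loop-mounted filesystem on /tmp).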

2.36. Cron Permissions

2.36.1. Description & Solution
Restrict cron and at to authorised users by creating the /etc/cron.allow and
/etc/at.allow files. These files control who may use the crontab and at
commands to schedule and modify jobs; when cron.allow exists, only the users
listed in it are allowed and cron.deny is not consulted (the same applies to
at.allow and at.deny), so the deny entries below are only a fallback for the
case that the allow files are removed.
echo root > /etc/cron.allow
echo root > /etc/at.allow
echo nobody >> /etc/cron.deny
echo nobody >> /etc/at.deny
chown root:root /etc/cron.allow /etc/at.allow
chmod 400 /etc/cron.allow /etc/at.allow
The system crontab files are accessed only by the cron daemon (which runs with
superuser privileges) and the crontab command (which is setuid root).
Allowing regular users to read or modify system crontab files can lead to
elevated privileges, since a job they can edit runs as root. Therefore apply
the following countermeasures:
chown root:root /etc/crontab
chmod 400 /etc/crontab
chown -R root:root /var/spool/cron
chmod -R go-rwx /var/spool/cron

2.37. Setup ftp with no shell access

2.37.1. Description & Solution

A) Set up the vsftpd server so that users have no shell access: users can log
in over FTP but not over SSH.
After installing vsftpd, make the following changes in vsftpd.conf:
2.37.1.1. Turn off anonymous users
anonymous_enable=NO

2.37.1.2. Turn on local users
local_enable=YES

2.37.1.3. Allow users to write (upload)
write_enable=YES

2.37.1.4. Do not use privileged port 20 for active-mode data connections
(vsftpd then does not need the privilege to bind a low port)
connect_from_port_20=NO

2.37.1.5. chroot every local user into its home directory
chroot_local_user=YES
(Since vsftpd 2.3.5 the chroot directory, i.e. the user's home, must not be
writable by the user, otherwise the login is refused with "refusing to run
with writable root inside chroot()"; give uploads a writable subdirectory
instead.)

B) Disable shell access for the ftp user:

Edit the file /etc/shells and add the line /bin/false (vsftpd, through
pam_shells or its own check_shell option, refuses logins for users whose
shell is not listed there):
echo "/bin/false" >> /etc/shells
Then change the shell of the user to /bin/false with the following command:
usermod -s /bin/false ftpuser
One can also restrict the FTP commands the user may issue. To allow uploading
and downloading files but not deleting them, add the following line
(cmds_allowed lists protocol commands; USER, PASS and QUIT are always allowed
before login):
cmds_allowed=PASV,BINARY,PUT,GET,PWD,STAT,TYPE,NLST,CWD,SIZE,MDTM,SITE,UTIME,REST,RETR,STOR,LIST,ASCII,QUIT
Note that PUT, GET, BINARY and ASCII are ftp client aliases rather than
protocol commands (the server sees STOR, RETR and TYPE), so they are harmless
but have no effect in this list; DELE, RMD and RNFR/RNTO are absent, which is
what prevents deleting and renaming.


Name of the Document Password Enabling Procedure - Linux
Classification Restricted Audience Client System Users and System
Administrators
Version 3.0 Date of last change 1st Jan, 2014

PASSWORD ENABLING PROCEDURE - LINUX

1. Introduction
A password is a secret word or string of characters that is used for authentication of a user. It is
imperative to enable the passwords on the client systems at various levels to achieve an appropriate
level of security. Passwords at different levels of the client system act as a deterrent to users with
malicious intent.

If passwords are not set, unauthorized users may gain access to the client system.

This document provides steps to enable the password at 3 levels on the client system. These levels are
as follows:
1.1. BIOS – During boot-up process.
1.2. Operating System – To logon to the operating system.
1.3. Screensaver – To resume the client system from an idle state.

2. Applicability
Linux

3. Implication
After applying these settings, users will have to supply passwords at 3 different levels on a client
system.

4. Procedure To Enable Password on the BIOS


4.1. Configuring Supervisor / Setup Password by the Administrator
4.2. Switch on the client system and press the F2 key, before the Linux screen, to enter the BIOS.
(This key may vary depending on the make of the BIOS.)
4.2.1. A BIOS screen as shown below appears.


Figure 1
4.2.2. Using the right arrow key, go to the Security tab. (refer: Figure 2)
4.2.3. On the Security tab, use the down arrow key to go to Set Setup Password
(in some versions of the BIOS this is called "Set Supervisor Password") and
press the Enter key.

Figure 2
4.2.4. A window to set the Setup password appears.
4.2.5. Enter the desired password.


4.2.6. Using the down arrow key, go to the User Setup Access and set the access level of the user
from default Full Access to Limited Access.

Figure 3
4.2.7. Press the F10 Key to save and exit from the BIOS.

Note: By configuring Limited Access in the User Setup Access window, the user will be able to set
only the user password and change the date and time in the BIOS.

4.3. Configuring the BIOS password by the User


4.3.1. Switch on the client system and press the F2 key before the Linux screen appears, to enter the BIOS.
(This key may vary depending on the make of the BIOS.)
4.3.2. A BIOS screen as shown below appears.

Figure 4


4.3.3. Using the right arrow key, go to the Security tab.


4.3.4. On the Security Tab, use the down arrow key to go to Set User Password and press
Enter key. (refer: Figure 5)

Figure 5
4.3.5. A window to set the user password appears.
4.3.6. Enter the desired password and press F10 to save and exit.
4.3.7. This configuration will result in a password prompt each time the client system boots up.

4.4. Boot Loader Passwords


The following are the primary reasons for password protecting a Linux boot loader:
a. Prevent Access to Single User Mode — if an attacker can boot into single user mode, he
becomes the root user.
b. Prevent Access to the GRUB Console — if the machine uses GRUB as its boot loader, an
attacker can use the GRUB editor interface to change its configuration or to gather
information using the cat command.

4.4.1. Configure GRUB by adding a password directive to its configuration file. First decide on a
password, then open a shell prompt, log in as root, and type:

/sbin/grub-md5-crypt

4.4.2. When prompted, type the GRUB password and press [Enter]. This will return an MD5 hash of
the password.

4.4.3. Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and below the
timeout line in the main section of the document, add the following line:

password --md5 <password-hash>

4.4.4. Replace <password-hash> with the value returned by /sbin/grub-md5-crypt


4.4.5. The next time you boot the system, the GRUB menu will not let you access the editor or
command interface without first pressing [p] followed by the GRUB password.

4.4.6. However, the above steps do not prevent an attacker from booting into a non-secure operating
system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file
needs to be edited.

4.4.7. Look for the title line of the non-secure operating system and add a line that says
lock directly beneath it.

Warning
You must have a password line in the main section of the /boot/grub/grub.conf file for this to
work properly. Otherwise an attacker will be able to access the GRUB editor interface and remove the
lock line.

4.4.8. To have a different password for a particular operating system, add a lock line to the
stanza followed by a password line.
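The GRUB settings made in 4.4.1 to 4.4.8 can be verified after editing. The following shell script is an added example for this document, not part of the original procedure or of GRUB itself. It assumes the GRUB legacy (0.9x) grub.conf syntax used above (a main section followed by "title" stanzas), constructs two sample configurations with placeholder hash values, and reports whether the main-section password and the per-stanza lock lines are consistent with the Warning in 4.4.7.

```shell
#!/bin/sh
# Added audit helper (not part of the SOP): checks a GRUB legacy grub.conf for
# the protections described in 4.4. It assumes GRUB 0.9x syntax (grub.conf
# with "title" stanzas), not GRUB 2.
#
#   check_grub_conf /boot/grub/grub.conf
#
# Reports FAIL if the main section (everything before the first "title") has
# no "password --md5" line, WARN if a main-section password is not MD5-hashed,
# and which stanzas carry a "lock" line directly beneath their title.
# Returns 0 when the file is consistent with the procedure, 1 otherwise.
check_grub_conf() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    awk '
        BEGIN { in_main = 1; has_pw = 0; bad = 0; locked = 0; unlocked = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        /^[ \t]*title[ \t]/ {
            in_main = 0
            name = $0; sub(/^[ \t]*title[ \t]+/, "", name)
            nextline = ""
            # "lock" must be the line directly beneath the title (4.4.7)
            if ((getline nextline) > 0 && nextline ~ /^[ \t]*lock[ \t]*$/) {
                locked++
                print "OK:   stanza locked: " name
            } else {
                unlocked++
                print "INFO: stanza not locked: " name
            }
            next
        }
        in_main && /^[ \t]*password[ \t]+--md5[ \t]+/ { has_pw = 1; next }
        in_main && /^[ \t]*password[ \t]/ {
            print "WARN: main-section password is not an MD5 hash"
            has_pw = 1; bad = 1; next
        }
        END {
            if (!has_pw) {
                print "FAIL: no password line in the main section"
                if (locked) print "FAIL: lock lines are ineffective; the GRUB editor can remove them"
                bad = 1
            }
            printf "summary: locked=%d unlocked=%d\n", locked, unlocked
            exit bad
        }
    ' "$file"
}

# Self-contained demonstration on two constructed configurations.
demo_grub_check() {
    dir=$(mktemp -d) || return 1
    # Consistent: hashed password in the main section, non-secure OS locked.
    # The hash value is a placeholder, not real grub-md5-crypt output.
    cat > "$dir/good.conf" <<'EOF'
default=0
timeout=5
password --md5 $1$PLACEHOLDER$placeholderhashvalue
title Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2
title Other OS
        lock
        rootnoverify (hd0,1)
        chainloader +1
EOF
    # Inconsistent: a lock line but no main-section password (the case the
    # Warning in 4.4.7 describes).
    cat > "$dir/bad.conf" <<'EOF'
default=0
timeout=5
title Linux
        root (hd0,0)
title Other OS
        lock
        rootnoverify (hd0,1)
EOF
    echo "== good.conf =="; check_grub_conf "$dir/good.conf"; good=$?
    echo "== bad.conf ==";  check_grub_conf "$dir/bad.conf";  bad=$?
    rm -rf "$dir"
    # The demonstration succeeds when good.conf passes and bad.conf is rejected.
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

demo_grub_check
```

Run the script as root after editing /boot/grub/grub.conf and call check_grub_conf on the real file; stanzas reported as "not locked" are the ones still bootable without the GRUB password, which is the intended state for the secure operating system and not for the non-secure one.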

Note: The steps in this procedure may change depending on the BIOS version. Please refer to the BIOS
manual for more information.

5. Procedure to Enable password on the Operating System

The password can be changed for user and group accounts. A normal user may only change the
password for his/her account; the super user may change the password for any account. The
administrator of a group may change the password for the group. The command passwd changes
account information, such as the full name of the user, user's login shell, or password expiry date and
interval.

5.1. Set or change user password


5.1.1. Type the passwd command as follows:
$ passwd

5.1.2. The prompts appear as follows (here for user ABC):
Changing password for user ABC
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

5.1.3. The user is first prompted for his/her old password, if one is present. This password is then
encrypted and compared against the stored password. The user has only one chance to enter
the correct password. The super user is permitted to bypass this step so that forgotten
passwords may be changed.

5.1.4. A new password is tested for complexity. Passwords should consist of 6 to 8 characters
including one or more from each of the following sets:
a. Lower case alphabetic
b. Upper case alphabetic
c. Digits 0 thru 9
d. Punctuation marks

5.2. Change for any user


5.2.1. Login as the root user and type the command to change the password for user ABC:
# passwd ABC

5.2.2. The prompts appear as follows:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Where,
ABC - is the username or account name.

5.3. Change group password

5.3.1. When the -g option is used, the password for the named group is changed.
For example change password for group sales:
# passwd -g sales

5.3.2. The current group password is not prompted for. The -r option is used with the -g option
to remove the current password from the named group. This allows group access to all
members. The -R option is used with the -g option to restrict the named group for all
users.
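As an added example (not from the SOP), the following shell helpers check the two things section 5 leaves to the operator to verify: that a candidate password satisfies the 5.1.4 complexity rule (6 to 8 characters from all four character sets), and that no account on the client system is left without a password. The shadow-file parsing is written for the standard /etc/shadow field layout; the sample entries and hash values used in the demonstration are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the SOP): audit helpers for the operating-system
# password level described in section 5.

# password_meets_policy PASSWORD
#   Applies the complexity rule stated in 5.1.4: 6 to 8 characters that
#   include at least one lower-case letter, one upper-case letter, one digit
#   and one punctuation mark. Returns 0 if the rule is met, 1 otherwise, and
#   prints which part of the rule failed.
password_meets_policy() {
    pw="$1"
    len=${#pw}
    if [ "$len" -lt 6 ] || [ "$len" -gt 8 ]; then
        echo "length $len is outside 6..8"
        return 1
    fi
    missing=""
    case "$pw" in *[[:lower:]]*) ;; *) missing="$missing lower-case" ;; esac
    case "$pw" in *[[:upper:]]*) ;; *) missing="$missing upper-case" ;; esac
    case "$pw" in *[0-9]*)       ;; *) missing="$missing digit"      ;; esac
    case "$pw" in *[[:punct:]]*) ;; *) missing="$missing punctuation";; esac
    if [ -n "$missing" ]; then
        echo "missing character classes:$missing"
        return 1
    fi
    echo "password meets the 5.1.4 complexity rule"
    return 0
}

# audit_shadow_passwords SHADOW_FILE
#   Reads a file in /etc/shadow format and reports every account whose
#   password field is empty, i.e. an account for which no password has been
#   set. Accounts whose field starts with "!" or "*" are counted as locked.
#   Returns 0 when no account has an empty password, 1 otherwise.
#   On a real system (as root): audit_shadow_passwords /etc/shadow
audit_shadow_passwords() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    awk -F: '
        NF < 2 || /^[ \t]*#/ { next }
        $2 == ""      { print "FAIL: no password set for account " $1; empty++; next }
        $2 ~ /^[!*]/  { locked++; next }
                      { set++ }
        END {
            printf "accounts: password set=%d locked=%d empty=%d\n", set + 0, locked + 0, empty + 0
            exit (empty + 0 > 0)
        }
    ' "$file"
}

# Self-contained demonstration on constructed data (hashes are placeholders).
demo_password_checks() {
    password_meets_policy 'Ab3#xyz' || return 1                 # meets the rule
    if password_meets_policy 'abcdefg'; then return 1; fi       # no upper/digit/punctuation
    if password_meets_policy 'Ab3#xyzTooLong'; then return 1; fi  # too long
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        'root:$6$PLACEHOLDER$placeholderhash:16000:0:99999:7:::' \
        'ABC::16000:0:99999:7:::' \
        'daemon:*:16000:0:99999:7:::' \
        'xyz:!!:16000:0:99999:7:::' > "$tmp"
    if audit_shadow_passwords "$tmp"; then rm -f "$tmp"; return 1; fi   # ABC must be flagged
    rm -f "$tmp"
    return 0
}

demo_password_checks
```

password_meets_policy is intended for checking the policy logic against test strings: a real password passed on a command line is visible in shell history and process listings, so the check that passwd itself performs at the prompt (5.1.4) remains the enforcement point. audit_shadow_passwords must run as root to read /etc/shadow.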

6. Procedure to Enable the Screensaver Password

Please refer to the System Idle Timeout Configuration Procedure.

7. References
7.1. Security Policy for User.



Name of the Document Remote Login Disable Procedure - Linux
Classification Restricted Audience Client System Users
Version 3.0 Date of last change 1st Jan, 2014

REMOTE LOGIN DISABLE PROCEDURE - LINUX


1 Introduction
Remote Assistance allows access to the client system from another system over the
network.

This feature can be exploited by an attacker to gain unauthorised access to a client
system.

This document provides steps to disable remote access and remote assistance to the client
systems.

2 Applicability
Linux (snapshots attached are for Red Hat Enterprise Linux versions 3, 4 & 5; steps may vary for other versions)

3 Implication
After applying these settings the users of client systems cannot gain remote access to
other client systems and accept remote access invitations.

4 Procedure
4.1 To gain access to a remote user's desktop, the user's environment must be configured to
allow remote access. There are different levels of access that a desktop user may grant to
another, ranging from simple viewing of the user's desktop, to gaining complete control of
the desktop.

The different levels of access are configurable through Applications (the main menu on
the panel) → Preferences → Remote Desktop.
Note: By default this option is disabled.

Figure 1


Remote Login Disable Procedure - Linux Page 118



4.2 If the check boxes are enabled, un-checking them will disable remote access.

Figure 2

4.3 With the above access permissions, the administrator should be able to gain complete
access to the user's desktop.

5 References
5.1. Security Policy for System Administrator.



Name of the Document System Idle Timeout Configuration Procedure - Linux
Classification Restricted Audience Client System Users
Version 3.0 Date of last change 1st Jan, 2014

SYSTEM IDLE TIMEOUT CONFIGURATION PROCEDURE - LINUX

1. Introduction
System Idle Timeout is a configuration setting which forces the user to re-login after a
stipulated period of inactivity.

If a client system is not configured with system idle timeout, the client systems may be
misused leading to data theft or destruction.

This document provides steps for enabling system idle timeout configuration.

By default, the screen-saver lockout is set to 10 minutes with password protection. The
lockout time can be changed as per the user's preference.

2. Applicability
Linux (snapshots attached are for Red Hat Enterprise Linux versions 3, 4 & 5; steps may vary for other versions)

3. Implication
After applying this setting, users will be forced to submit a password after a stipulated
period of inactivity.

4. Procedure
4.1. Right click on the desktop, select Properties
4.2. Click on the Screen Saver Preferences

Figure 1

System Idle Timeout Configuration Procedure - Linux Page 120



4.3. Set the time after which the screensaver should appear (the recommended value is 10
minutes).
4.4. Select Activate screensaver when computer is idle and Lock screen when
screensaver is active.
4.5. Click the Close button at the bottom to save the settings.

5. Reference
5.1. Security Policy for User
5.2. Security Guidelines for User
