

This book is printed on acid-free paper.


Copyright © 2001 by John Wiley and Sons, Inc. All rights reserved.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 605 Third Avenue, New York, NY 10158-0012, (212) 850-6011, fax (212) 850-6008, E-Mail: PERMREQ@WILEY.COM.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.

Musaji, Yusufali F.
Auditing and security: AS/400, NT, UNIX, networks, and disaster recovery plans / Yusufali F. Musaji.
p. cm.
ISBN 0-471-38371-6 (cloth: alk. paper)
1. Electronic data processing-Auditing. 2. Computer security. I. Title.

QA76.9.A93 M87 2001
005.8-dc21 00-064922

Printed in the United States of America.

10 9 8 7 6 5 4 3 2 1
This book is dedicated to my grandmother, Mrs. ~ulsumbai ~urbhai, who taught me to sacrifice so I could grow.

To my mother, Mrs. Fatima Musaji, who sacrificed her material well-being so I could pay my school fees.

To my son, Ali Musaji, who taught me perseverance, patience, and the marvels of life.

To my wife, ~ao~i Musaji, for her love, tolerance, and faith.
nd the big picture, see their roles within it, continuo
resources from hackers and computer thieves, corporations neglected the physical security aspects and as a result suffered financial loss from lack of physical security controls, thus becoming easy game for crooks. In spite of this, physical security continued to be regarded as being limited to the perimeter controls and bodyguards at the front doors.
Theft or damage to information processing resources, unauthorized disclosure or erasure of proprietary information, and interruption of support for proprietary business processes are all risks that managers who own or are responsible for information resources must evaluate. Since physical access to information processing resources exposes a company to all of these risks, management must institute physical access controls that are commensurate with the risk and potential loss to the company.
The objective of the physical security audit is to determine if management processes have been implemented, are effective, and are in compliance with established instructions and standards as formulated in the company security policy. They ensure that the company's information resources are protected from unauthorized
Chapters 3, 4, 5, and 6 discuss auditing the most advanced platforms: AS/400, Microsoft NT, and Unix.
Why are system concepts and architecture important to understand?
do not start by choosing a computer platform. They start by choosing map
ss needs. Because of this, the computer system is very often considered first.
Why should the computer architecture matter? The accelerating rate of change of hardware and software technologies necessitates that the system selected has been designed with the future in mind. Do the platforms accommodate inevitable, rapid, and dramatic technology changes with minimum relative effort? Are the systems future-oriented? Paradoxically, the characteristic of the most advanced design and technology is subtle. It accommodates the rapidly changing hardware and software components, permitting one to fully exploit the latest technologies.
Is the operating system conceived as a single entity? Are the facilities such as relational database, communications and networking capabilities, online help, and so on fully integrated into the operating system and the machine?
Successful audits of computer platforms are intended to provide an analysis of the computing and network hardware components with potential risks and recommendations. If the computing platform is not secure, neither is the company's data.
Chapter 7 continues the discussion of auditing networks. Corporations deploy networks to lower the total cost of network ownership, maximize their return on investment, provide seamless, enterprise-wide services, enable applications, enhance their performance, control network resources, speed up project implementation, and minimize risk and
Driven by the rush to e-commerce, security has rapidly become a mission-critical component of the corporate IT infrastructure. Protecting these mission-critical networks from corruption and intrusion, network security has enabled new business applications by reducing risk and providing a foundation for expanding business with intranet, extranet, and electronic commerce applications.
Therefore, network security should be a continuous cycle, consisting of establishing a security policy that defines the security goals of the enterprise, implementing security in a comprehensive and layered approach, and auditing the network on a recurring basis to ensure that good network security is easier and more cost-effective. Also, network security should ensure that no irregularities have developed as the network evolves, and the results of the audits should be used to modify the security policy and the technology implementation as needed.

Chapter 8 discusses auditing the disaster recovery plan. Large pools of shared databases, time-sharing, vast teleprocessing networks, telecommunications connections to non-company facilities, multiple distributed printers and systems, and thousands of users characterize the state-of-the-art computer centers in corporations. Disruption of service or the intentional or inadvertent destruction of data could potentially bring business processes to a halt.
Across this entire computer infrastructure, the Information Security (IS) processes must be implemented to ensure the confidentiality, integrity, and availability of the company's information assets. The responsibility for the implementation of an effective IS program is assigned according to the company's goals and objectives. Generally, this responsibility is delegated to the information system because of its traditional role as Provider of Service. However, IS is often not the Provider of Service for smaller systems that exist at a location. Regardless of the organizational roles and responsibilities, the corporate information officer (CIO) is responsible for the overall implementation.
With the emergence of disaster recovery planning, physical security is regarded as the cornerstone to developing a viable disaster recovery plan. The pundits have suddenly proclaimed "Eureka," and the dawn of physical security as the foundation on which the disaster recovery plan can be built has begun to take hold. Protecting assets from disasters is now one edge of a double-edged sword, with the other edge preventing losses from theft and human errors, which in fact pays partly if not wholly for the costs of disaster recovery planning. The auditor must ensure that the computing environments supporting vital business processes are recoverable in the event of a disaster.
Auditing and Security has been developed for IT managers, IT operations management, and practitioners and students of IT audit. The intent of this book is to highlight the areas of computer controls and to present them to the reader in a practical and pragmatic manner. Each chapter contains usable audit programs and control methods that can be readily applied to information technology audits. As an added value, two presentations are available on the World Wide Web. The first presentation is a proposal for investing in a disaster recovery plan and the second is a firewall selection guide. Please visit www.wiley.com/musaji. The user password is: auditing. These documents are in PowerPoint format.
Yusufali F. Musaji is the Founder, Director and President of Mi's Y, Consulting Inc., an IT and Financial Consulting firm specializing in computer consulting. Yusufali has a strong computer science and financial background. He embraces the full spectrum of financial, operational, and IT disciplines required of a state-of-the-art organization. His functional and technical areas of expertise include system development and implementation, project management, computer security and financial systems.
Yusufali F. Musaji is widely published in IT, financial, and security journals
ser Relationships, and has also developed numerous business continuity plans. He holds a Bachelor of Computer Science from York University, Toronto, Canada, and is a C.G.A., CISA and CISSP.
Information Security through Dynamic Culture
Information Security Manager-Leader Roles
Dynamic Culture Is a Prerequisite for Growth
Sustaining Culture for Process Improvement
Focus Inward
Dynamic Culture Overview
Leadership Needed from IS Manager-Leaders
Dynamic Culture Transformation
Recognizing Traits
Desired Behaviors: Win, Execute, Team
Dynamic Culture Self-Assessment 11
Norms and Values
Systems, Structures, and Processes
Assumptions
IS Manager, Leader, or Manager-Leaders
Total Job Model
Human Resources/Employee Processes
Manager-Leaders Accountability
New Role of the Manager
Shared Responsibility for HR/Employee Processes
Foundational Traits and Attributes 26
Specific Skills Required by IS Manager-Leaders 29
Personal Learning Sparks Organizational Learning
Executive Skills Versus Manager-Basic Skills 31
Conflict Resolution 32
Characteristics of Formal Conflict Resolution Plans 33
Conflict Awareness 33
Format for Positive Resolution 34
ical Access Controls 42
the Company Installation 43
Analysis and Acceptance 47

AS/400 System Concepts and Architecture
System Concepts
Full Integration into the Operating System and the Machine
ased Operating System
Authority Parameter
Application Development Tools (ADTs)
System Utilities
AS/400 ~~~~Y
Initial Programs
Naming Nomenclature
Libraries
Backup and Recovery
Auxiliary Storage Pools
Journaling
Commitment Control
Checksum Protection
Disk Mirroring
Redundant Array of Independent Disks (RAID)
Security
System Key Lock
System-wide Security Values
System Authority
User Profiles
Group Profiles
Authorization Lists
Adopt Authority
Order of Authority Checking
Other Security Issues 111
System Values
Summary

Operational Controls
Organizational Structure
Program Development, Acquisition, and Maintenance
Access to Data Files
Business Continuity
General Controls
Computer Room
Set Audit Monitor and Audit Log Parameters
Turn Auditing On or Off
Select Users to be Audited
Select Events to be Audited
Select System Calls to be Audited
Interpreting Audit Log Data
Managing Audit Log Resources
Administering the Auditing System
Using Auditing in a Diskless Environment
Backup and Recovery in a Secure Environment
Backup Security Practices
Recovery Security Practices
Mounting and Unmounting a File System
Shutting Down a System Securely


Internetworking
Overview
Devices
Control Requirements
Different Types of Networks
Local Access Network
Wide Access Network
Internetworking Challenges
Hierarchy of Networks
OSI Model
Communicating Data through Encapsulation
OSI Layer 1: Physical Layer
OSI Layer 2: Data Link Layer (The Virtual World)
OSI Layer 3: Network Layer
OSI Layer 4: Transport Layer
Connection-Oriented and Connectionless Network
OSI Layer 5: Session Layer
OSI Layer 6: Presentation Layer
OSI Layer 7: Application Layer
Audit Trails 157
Privileged User ID Authorization 158

AS/400 Installed
4A.5 Other Objects 169
rams that Adopt Authority
Authorization Lists 170
Object Level Security 170
4A.6 Utilities 170
Job Descriptions 172
4A.8 Network Considerations 174
4A.9 Security Administration 178
Audit Log 178

Introduction 182
Security Reference Monitor 182
Security Account Manager
Discretionary Access Controls 183
Other Features 184
Security Overview
Logon Process and User Identity
Objects and Security 185
Permissions 186
Access Control Lists 188
Design Features 188
Access Control: Security Management
User Authentication
User Accounts
User Rights
User Accounts, Groups, and Security Planning
Permissions Summary
Policy Planning
Account Policy 202
User Rights Policy
Audit Policy
System Policies
Share Planning 207
Creating Shares 207
Creating a Network Share 207
Setting File System Permissions
Managing Groups
Special Groups
Managing User Accounts 212
Networked and Local Users 212
Special Built-In Accounts 212
Creating User Accounts 213
Copying User Accounts 215
Disabling and Deleting User Accounts 216
Renaming User Accounts 217
Environment Profiles 217
Logon Scripts
Home Directories
Creating User Directories
Summary
Domains and Trust
Supported Network Transport Protocols
Attacks and Defenses
Services that Enhance or Impact Security
Features of Security
Security Certifications

Introduction 336
tion Manager Review 340
ing a Secure System
Secure System Maintenance 344
Creating Product Description Files 344
Verifying File System Consistency
for Customized Filesets 346
ing User Access to System and Files
Password Security
File Permissions 349
Protecting Key Subsystems 350
Criteria for Modes 350
Security Considerations for Device Files 351
Physical Access to System Unit 131
System Key Lock 131
System Console 132
Dedicated Service Tools 132
Security Level 132
AllowUserDomainObjects 133
Password Formatting Rules 133
Maximum Sign-On Attempts 134
Limit Security Officer Access 135
Remote Sign-On Controls 135
Limit Number of Device Sessions 135
Automatic Configuration of Virtual Devices 136
Automatic Configuration of Local Devices 136
Attention Program 136
Violation Reporting and Follow-Up 137
Default Public Access Authority
Display Sign-On Information 139
Job Time-Out 139
System Portion of Library List 140
User Portion of Library List 140
IBM-Supplied User Profiles 141
Special User Profiles 141
User Profiles 142
Group Profiles 144
Library Access
Access to Data 145
Access to Program Libraries
Authorization Lists 146
Job Descriptions 147
Initial Program 149
PC Support 150
Output Queues 150
Sensitive Commands 151
Backup and Recovery 152
User Verification 155
Networking Topologies
Implementing Ethernet 463
Token Ring 464
ANSI Fiber Distributed Data Interface
Networking Interfaces 464
Physical Layer Interface 464
Data Link Layer Interface 465
Basic Internetworking Devices
Cisco Router
Lab Overview
Power Up and Basic Router Access Using TFTP Server
A Look Inside Internet Operating System

Firewall 474
What Is a Firewall?
Security Policy
Common Internet Threats
Firewall Architectures 476
Stateful Inspection 477
Packet Filters 477
Circuit-Level Gateway 478
Application-Level Gateway
Stateful Inspection Advantages and Disadvantages
Choosing a Firewall 479
Security Audit 479
Solving the Superuser Problem
General Background Information
Networking
Conducting Business across the Internet
Configuration
Network Address Translation
Monitoring
NT
Security 486
Network Information Services 487
Documentation Checklist 487
Firewall Checklist
Filters 489
Firewall Tests 490
Technical Audit Program 490
Internal and Firewall Configuration Security 490

Introduction 493
Emerging Technologies 493
End-User Computing 493
Networks 493
Electronic Data Interchange 494
Key Components of a Successful Disaster Recovery Plan 494
Management Commitment and Funding 494
Recovery Team 496
Disaster Preparedness 496
Building a Case for Disaster Recovery 498
Business Impact Analysis 498
Testing the Disaster Recovery Plan 501
Setting Objectives 503
Defining the Boundaries 504
Test Prerequisites 505
System Module Checks 507
Analyzing the Test 510
Auditing the Disaster Recovery Plan 512
General Questions 512
Documentation Questions 515
Plan Organization and Assignments: Forty-Nine-Point Checklist 515
Business Process Owner 518
Suppliers of Service 519
What drives revenue and profit in today's economy is undoubtedly the mix of hardware, software, and services. Often the differentiator for this mix is the highly skilled, motivated, leading-edge employee who determines the company's competitiveness and its growth in the marketplace. Growth is linked to satisfied customers whose loyalty is the foundation for success. Thus, the factor that determines a company's growth and its customer satisfaction is the quality of its employees.
Employees are committed and highly motivated when their work environment enables them to go the extra mile for their customers, their company, and their colleagues. This is what builds a network of dynamic employees who strive to be the best at providing value to their customers. Similarly, what mobilizes the employees to understand the elements of the security culture and to see its relevance to the company's business success as well as their own personal success are the dedicated Information Security (IS) manager-leaders. It takes dedicated IS manager-leaders to guide the transformation to a dynamic security-conscious culture.
Employees continue to be a company's greatest asset, perhaps more so now than ever before. That's why IS manager-leaders must not allow the urgency of their daily workload to take precedence over the important time needed for the employee aspects of their roles.
Following are five factors that contribute to customer satisfaction:
Image
Value
Of these, image is considered to be four times more important than any of the other factors. Image is a composite of four employee-related issues:
1. Highly skilled employees who are committed to excellence.
2. Employees who are responsive and helpful and who take charge.
3. A company that is customer oriented and easy to do business with.
4. A company you can trust.
Fulfilling customer satisfaction on these four issues, especially the first two, is very de-

m nt processes are world class. It is not the m
S, rather it is the employee
It is important to differentiat
o share responsibility for their collective success.

IS manager-leader roles,
at is the mission of IS m
ow does their mission relate to a c
would a security-conscious culture/company look like?
nformation dynamic culture
oles versus jobs and titles
d future expectations

Any successful business strategy is geared tow
orations, attributed to failure to transform cultures in conjunction with
efforts, has been high.

-shaped chart in Exhibit 1.2 shows the four factors that must be present for
be effectively implemented. It is not enough to only have reengi-
processes will fail without the accompanying changes in job ac-
oring methods, and norms and values embedded in the
intangible cultural factors below the surface depicted by the
ered processes as the visible tip of the iceberg above the sur-
ods and ideas on employees will not work, especially if the
e than half the reengineered efforts have failed
the crucial importance of the cultural factors below the sur-
to squander their huge investments in the new processes if
estment is dismal. Consequently, attention to cultural un-
s is becoming mandatory.
The word transforming is intended to capture both the journey and the need for dy-
lture. This requires modeling the new culture in the way
res new relationships, and adds value in the evolv-
loyees → Satisfied Customers.

ts from a dynamic culture: employees, customers,
s, and the share-
ange the external environment
al unless you
t is becoming increasingly apparent to the t
e success of employees and the success of the organization are
ensuring that employees are seen as drivers of the organization,
ustomers and investors, is pivotal to creating dynamic work en-
employee satisfaction a central driver in the organization demands a
to your customers."
eir discretionary effort that both
goals and
the organization's success. It is this "volunteerism"
S of IS manager-leaders that enable the

these roles, and why attention to empl
points that provide the outline of a dynamic culture:

ribe a "dynamic culture/company": The three-layered
viors, norms and values, and assumptions, provides a
ired dynamic culture.
ent
pliance. A dynamic culture/company unleashes the potential of employees who are com-
to clear, relevant, and meaningful purposes that they have helped shape.
Employees will commit to the new dynamic culture when four factors are in place:
Clarity: Staff members understand what the
is: the characteristics of the culture are clear to them and they
ate them to others.
Relevance: Staff members see the relevance
ynamic culture to the com-
's business success; they see how it wi
the company's customers
elp the company grow.
Meaning: Staff members see the personal meaning of the new
what it means to them personally, and they can get excited about it.
Involvement: Staff members want to be, and are, involved in the shaping and deployment of the new dynamic culture; without involvement, no commitment.
it is impractical to involve everyone in shaping large-scale change, their chos
representatives may be involved. Giving employees the choice to be involved is the key point, even if they choose not to be.
The need should be for everyone, especially IS manager-leaders, to help sustain the journey and not slip back, to be comfortable reinforcing, evolving, and nurturing
culture/company. In summary, IS manager-leaders enable the dynamic culture that generates a dynamic company, producing highly satisfied and loyal customers that fuel company growth.

Transformation is about change. There are many models that describe
change and organizational change. The Change
that are a helpful context for cultural change.
tural change as follows:
Identify needs. This phase is supported by the push
Phase 1; the
of the external environment. There is also
the company's huge investment in reengineering
state" will be described

manager-leaders also touches on the following:

However, given that real
culture transformatio
quire much iteration.

Phase 2 suggests that if we want
a dynamic culture/company, we
would look like.
Transforming any organization to a
progress can appear to be unattainable,
accomplished a step at a time. The
lture is made up of behaviors, norms and values, and as
to bring to the surface norms, values, and assumptions
namic culture/company. (See Exhibit 1.

The most obvious si
rle and
valuable
les on management,
izations. To help understand these behaviors in the cont
are organized around the three foundational
and team.
A dynamic company has six core elements as shown i
dynamic culture/company puzzle are as follows:

Its employees are an energetic global te
It leads in creating value for customers.
It wins through technolo
It builds shareholder value.
It is involved with our communities.
It expects teamwork, integrity, respect,
s on the right things.
It is invigorated by work that helps it wi
It works by principles, not rules.
It is proud of its products and services.
It uses what it sells.
Its employees are diverse.
s and leverages knowledge
Is accountable.
conspicuously shares credit for results.
oyees earn competitive pay and benefits.
ecurity comes from its success with its customers.
It has choices to make in balancing its work and personal priorities.
Its leaders create and communicate a winning strategy.
Its leaders walk the talk.

loyees need to demonstrate in
a dynamic culture.
itment; concern for the truth even when it's un-
o-workers; ability to capitalize on
Positive answers to the checklist, the foll

On a scale of 1 to 5, with 1 be
e being
"dynamic," the en-
ss

Win
1. Focusing on winning/creating best customer value
2. Putting customer first/company second/unit third
3. Setting aggressive targets
4. Insisting on results
5. Holding employees accountable for their commitments

Execute
6. Showing concern for quality and productivity
7. Using and being loyal to the company's products
8. Communicating/listening effectively
9. Welcoming the truth
10. Capitalizing on change
11. Showing disgust with bureaucracy
12. Putting never-ending attention to skills improvement
13. Committing to being a process-managed business
14. Modeling a work/life balance

Team
15. Walking the talk on respect, integrity, teamwork, and excellence
16. Valuing diversity
17. Sharing and leveraging knowledge
18. Acting unburdened by boundaries
19. Empowering individuals and teams
20. Energetically building cross-functional/global teamwork

Established
Win objectives
Examples
Targets
Results
Accountability
Restructuring/size and scale
Flatter organization
"Fit in fast" checklist
"Fit for you" card
Delegation of authority
Skills process
Skills focus
Professional careers
Expert professions
Job news
Global processes
Workload study/module
Diversity council
Diversity training
Flexible work options
Team implementations
Team symposiums
Team-based rewards
360-degree feedback
Peer recognition
Roles versus job
Do you focus on winning by being the leader in creating the best value for your customers, using technology, integrated solutions, and services?
Are you visibly putting the customer first/company second/unit third in all decisions?
Are you involved with your community?
Are you driven by a common vision of your purpose?
Do you insist on results versus effort?
Do you earn competitive pay and benefits based on personal and company results?
Do you hold employees accountable for their commitments?
Do you show concern for quality and productivity?
Do you have a fierce loyalty to the company's products and services?
Do you proudly use what you sell?
Do you practice outstanding communications/listening with customers and colleagues?
Do you welcome the truth, even when it's unpleasant?
Is provocative inquiry encouraged?
Do you capitalize on change and quickly adopt new jobs/roles and structure?
Are you open to new ideas?
Do you show disgust with bureaucracy?
Do you know what to do and do it?
Do you work continuously to improve your skills?
Does your management and measurement system support you becoming a process-managed business?
Are you modeling work/life balance?
Do you work on the right things?
Are you invigorated by your work?
Are you making intelligent choices about balancing your personal life priorities?
Do you model respect, integrity, teamwork, and excellence personally?
Do you expect respect, integrity, teamwork, and excellence from your colleagues?
Do you value diverse, dynamic colleagues?
Do you share and leverage knowledge broadly?
Do you act unburdened by boundaries of place or thought?
Do you conspicuously share credit for results?
Do you willingly help others in your global company?
Are you empowering individuals and teams?
by principles, not rules?
you energetically and visibly displaying cross-functional teamwork?
iscussions with others in the co
valuable to assess
and to decide what c

The three commitments of the norm categories
Win
Execute
Team
The four values are

The resulting acronym helps remember that
spect and excellence, may appear to have the
reinforces the need to engage in dialogue to
understood by all.

Organizations require systems, structures, and processes to o
these include the following:
agement and measurement syste
archical or team-based s

These are strong levers to affect behavior since they
culture, often implicitly. They
en systems, structures,
s, cultural transformati

tions are like "givens," and
in that res

The marketplace is the drivin
At the core, a company depe
with a mix of bu-

ever lose sight of its strategic vision.

arly when they work as
ld be reflected in the
more difficult to dis-
about them; it's
our unconscious, built-
nclude latent biases and
ct on approaches toward team-

In many companies, the terms leader and manager are used interchan
business processes.

One Set of Assumptions

ABOUT HUMAN NATURE
One set: Employees basically dislike work, are lazy, need to be coerced and controlled, and prefer to have superiors make their decisions for them.
Other set: Employees basically love being challenged by meaningful work, and are energized when they help make decisions affecting their work environment.

ABOUT TRUST
One set: Trust is tied to position power; superiors are not questioned because they must have good reasons for their actions or views.
Other set: Trustworthy employees who display character and competence, and who encourage open two-way dialogue, earn trust.

ABOUT MOTIVATION
One set: Extrinsic "carrots and sticks" are what motivate employees.
Other set: Intrinsic satisfaction is what motivates employees; rewards are "hygiene factors."

ABOUT TIME FRAME
One set: Short-term survival/success is paramount; we can save our way to profits; daily fluctuations of the stock price affect my mood.
Other set: Long-term survival/success is paramount; we base our actions on the lifetime value of customers and on principles; trends in customer and employee satisfaction affect my mood.

ABOUT INTERNAL COMPETITION
One set: Internal competition brings out the best in employees and should be encouraged to stimulate high performance; reward systems should promote trying to do better than peers.
Other set: Internal competition destroys teamwork, inhibits sharing and leveraging knowledge, and demoralizes team members; reward systems should promote collaboration.

Terminology in the area of leadership and management can be a semantic minefield. Thousands of articles have been written about managers, leaders, and executives. There has been an explosion of books, videos, and speeches about leadership, especially in the last fifteen years. Unfortunately, most authors are less than crisp in defining th
ever, drawing from the essence of what the experts say, the follo
overall distinctions between leading and managing:
* Leading is setting the direction; managing is getting there.
* Leading focuses on the long-term horizon; managing focuses on short-term bottom line.
* Leading employees; managing processes, systems, and structures.
* Leading is coaching, empowering, facilitating, serving; managing is planning, controlling, directing.
* Leading is doing the right things; mana
* Leading changes paradigms; managing is status quo, within paradigms.
* situationally with earned power based on competence; managing from ap-
* iness of innovation; managing craves order.
* w directions; managing demands proof.
* ing relies on control.
* ?"; managing is asking "

gments to these characteristics. do not need either leading or managing; rather, we need both as shown in Exhibit 1.9.
The label "complete leader" for the person that embodies a rich blend of both lead-
ities is preferred. The term complete manager would be equally
blend of leading and managing is further reinforced by the quote at the
The Power of Vision:
Vision without action is only a dream;
Action without vision is just passing the time;
Vision with action can change the world.
m the "complete leader" label in Exhibit 1.9, it is noted that the term
ing, managing, and doing. The working definition of leadership is
"the ability to effectively s direction and model interpersonal behaviors (leading),
align business
an
loyees processes to accomplish desired business re-
naging), and contribute personally to desired business results (doing)."

[Exhibit 1.9 (figure): a grid of four labels, Administrator, Complete Leader, Abdicator, Dreamer, with an axis marked HIGH.]

... ws that varying degrees of leading, managing, and doing skills are ... is, leadership is the umbrella term; leading, managing, and doing are subsets of credible leadership. Exhibit 1.10 also indicates that leadership is expected throughout the organization; it is not just the prerogative of senior managers and executives. Some employees may assume the role of a leader temporarily, in a given situation. ... nent leaders, such as in senior positions or on some teams. In all ... nts that will ensure business success are the same. The conclusion is that "complete managers" are required to lead and "complete leaders" are required to manage. In terms of the typical organization, "manager-leader" applies ...
[Exhibit 1.10 (figure): leading, managing, and doing in varying proportions; axis marked 0%.]

... es are, at least situ-

Aligning the culture with the desired direction and strate...

... sults for the organization.

Leading by example / leading day to day. This role consists of personal leadership in hundreds of daily "moments of truth" with in... leading, managing, and doing roles. ... effect": every action of a ... the manager-leader who is transforming an org...

a. Coach (which, in turn, requires consideration ...)
b. Change agent (which requires communication ... commitment)
c. Collaborator (which requires creativity, ...)

Managing business processes. This role consists of:

* Managing commitment to the defined ways of doing things
* Challenging business processes that do not support the delive... lutions to satisfied customers
* Managing financials
* Initiating required improvements to achieve business results

There is an acknowledged paradox that reenginee... but once major new processes are operational, they ... cludes implementing continuous improvements ... of the business.

Managing employees processes. This role ensures that the five ... management processes, described later, are effectively execut...

... s role consists of performing specific tasks, alone or ...

... d to as "employees leaders" and "process ... their time and the focus of their ...

... manager-leaders that do not fit in the above categories. ... more effective in the next six months with a different ...

... aders enable them to accomplish their mission of trans...

Exhibit 1.12 shows how the roles contribute to the twenty behaviors of a dynamic culture outlined earlier.
[Exhibit 1.12 (table): contribution of the roles to the twenty behaviors; ratings H (high), M (medium), L (low). Column headers did not survive extraction. Recoverable rows:]

Win
1. Focusing on winning ... customer value ... H H H H M
2. Putting customer first, company second, ... third H H H M

Execute
9. Welcoming the truth M H L L
10. Capitalizing on change H H M L
14. Modeling a work/life balance L H L M

Team
15. Walking the talk on respect, integrity, teamwork, and excellence (the "RITE" values) H H H M
17. Sharing and leveraging knowledge M H H M M
18. Acting unburdened by boundaries M H H L M
19. Empowering individuals and teams H H H L
20. Energetically building cross-functional/global teamwork H H H H M
Employees processes merit more explanation because of their ... are processes, there are consistent steps that constitute the best ... esses, therefore, involves ensuring that the steps are ... the goal of the resulting acronym of which ... R" than those who strive to make it Better.

... resources. This process consists of:

* Incorporating planning for the right level of resources directly into the business processes.
* Making sure the appropriate staffing solution/process is used, based on the work that needs to be performed.
* Understanding when to staff internally and when to use external resources and following the appropriate policies and processes when doing so.
* Recruiting and hiring employees using skill-based criteria and reflecting on the diversity in the marketplace.
* Ensuring the optimum balance of employment options, both full and part time, and respecting diverse needs.
* Using employee development processes the way they are intended.
* ... siness needs to add to staffing levels and to release employees from the business, and doing both with sensitivity and good judgment.

... vision/mission/values/objectives of employees with the objectives of ...

* ... loyees to their new work environment.
* Creating an environment that accommodates each individual's diverse needs and desires so that they are engaged and energized.
* ... nvolvement issues with em... the unit as a whole.

... he necessary complement of skills to serve ...

* Supporting and fostering the Individual Skills Plans (ISPs) of unit members.
* Assigning developmental activities to employees that align with these skills plans.
* Modeling the way by visibly using the Skills tools and enhancing personal skills.

* Assessing performance against the planned commitments, with the help of feedback from others.
* Ensuring performance is rated equitably and fairly within and among related units.
* Compensating employees fairly and equitably by establishing their correct job levels and following the compensation guidelines.
* Communicating and explaining the total set of compensation programs, in an open, responsive manner.

* Selecting appropriate rewards and tailoring recognition to the stated preferences of employees.
* Soliciting input from the unit colleagues on who should be recognized, and how.
* ... advantage of the full range of formal awards offered by the organizations.
* ... special attention to the simplest, most valued, and most underestimated of all recognitions: a sincere "thank you."

... ager-leader is defined as "a person whose job includes accountability for ... management of employee processes and/or business processes" to achieve ... business results. This accountability is normally accompanied with a shared responsibility ... l attainment of the business results, ... oyees in many cases. ... managers need to be network-savvy practitioners, not ... job hol... sense. Relationships built on trust are vital.

The fragmentation of the traditional management job among several ... mental to the new construct. Examples of specialized mana...

Resource coordinator. This person is often not a man... has the responsibility to deploy employees with valu...

Project/proposal leader/manager. This person ov... work. Employees move from project to project, so ... during the course of the year. Some are knowledg... and others are not, depending on the nature of the p...

... someone who is steeped in their discipline, can ... know what associations to join, and so on. In s... Elsewhere, it's less formal. This role builds the ... Processes" role.

Personal Development Manager. An individual who oversees ... with employment, transfers, assessment and evaluation, intro... ucation, handling increases, and so on. They ensure that all five ...

This phenomenon of splitting management ... they move to a virtual, project-based construct. Some Team Leaders (TLs) and their teams have ... in which they share or assume many mana... true when the TL's business and technical ... day-to-day basis and the manager-leader's span of suppo... new and working with a team that is in its early stage o... ager-leader may need to be more involved. This spectr... can be seen in Exhibit 1.14.

Exhibit 1.15 shows how the fragmented manag... cific to Team" statement under the TL role in the ch... of defining a one-size-fits-all role for TLs thro... derfully diverse set of team implementations t... blueprints. The team leader might be the "... ties

[Exhibit 1.14 (figure): spectrum of task ownership, from 0 to 3, along an axis marked HIGH]

0: Manager-Leader does the task, without team leader/team input
1: Manager-Leader does the task, with team leader/team input
2: Team leader/team does the task, with Manager-Leader input
3: Team leader/team does the task, without Manager-Leader input

... described in this chapter. ... to ensure that new processes are ... with manager-leaders to accomplish ... ain accountability for the processes ... nning of any job is the personal traits/attributes of the ...

[Exhibit 1.15 (table): responsibilities for the employee processes by role; columns MGR, EE, RC, TL, PRTL, PTL. The A/R cell values did not survive extraction. Recoverable rows:]

* ... ission/values/objectives
* Understand job linkages: business/personal
* Establish specific objectives
* Determine 360-degree input sources, mechanics
* Gather performance data: 360-degree input
* Determine overall evaluation
* Address commitment issues/opportunities
* Determine ... acknowledgment ...
* Deliver acknowledgment: ongoing

Role Legend:
MGR = Role-Holding Manager
EE = Employee
TL = Team Leader
RC = Resource Coordinator
PTL = Proposal Team Leader
PRTL = Project Team Leader
A = Accountable (ensure it is done; has authority to delegate it)
R = Responsible (does it)
* Demonstrate the courage of your convictions.
* Strive to grow and improve.
* Take the initiative and lead the way.
* Balance personal needs.

... onsider them as "gating factors" ... anies look for the desired traits w... them by the time they join organizations ... some blend of rehiring, nurture, or ... celebrated, and valued in reinforcing ... a cultural environment.

... attributes are important, how can they be developed and improved? To answer ... 1.16 compares ways on how both skills and traits/attributes might be improved. ... should hasten to acknowledge that the ways to improve both skills and traits/attributes are very similar. Selection is important to both. Fundamental to both is some form of ... and interpersonal ... . ... is perhaps the major contributor in both arenas, given high-quality feedback and a climate that motivates one to change and improve. The personal desire to change and continuously improve oneself is essential for lasting learning to occur.
Skills: Selecting, training, mentoring, coaching, reading, studying, practicing, applying the ..., personalized feedback from assessment tools.

Traits/Attributes: Selecting employees with the desired traits; receiving 360-degree input; reflecting on ... and others' ...; being coached and/or mentored by role models; being rewarded for displayed traits; receiving honest feedback and coaching when the desired traits are not exhibited; personalized feedback from assessment tools.
[Skills list (exhibit): the expected proficiency level is shown after each skill where it survived extraction]

* Facilitate organization change (2)
* Build shared commitment (3)
* ... (3)
* Communication: presentation (3)
* Communication: written (3)
* Leadership (not key because it is covered by the other key skills) (3)
* Create client-driven vision (3)
* Company vision/mission/strategy (3)
* Develop common goals/strategies/plan (3)
* ... (1)
* Apply business conduct guidelines (3)
* Encourage a learning organization (3)
* Eliminate barriers/inhibiters (3)
* Coaching (3)
* Negotiation (3)
* Interpersonal communication (3)
* Facilitate meetings (3)
* Risk awareness/taking (3)
* Understand global operations
* ... siness initiatives
* Apply basic financial concepts
* Organization/business assessment
* Implement HR processes (3)
* Recruit employees (3)
* Release employees from the business (3)
* ... ("involve/engage employees")
* Delegate tasks/responsibilities (3)
* ... ("emphasize and foster skills development")
* Use skills development process (3)
* Give career advice (3)
* ... (3)
* ... ("... performance of employees")
* ... ("acknowledge employee contributions")
* Analyze problems/situations
* Client relationships
* Quality/problem prevention
* Apply project management practices
* Internal support tools
... s' with a wider b... shows executives' jobs ... ers. The skill templates for first-line man... r, the executives' skil...

The expected level of proficiency for an executive is hi... ecutives are more encompassing. The proficiency levels are as follows:

Level 0: Proficiency: No skill. Experience: None.
Level 1: Proficiency: Limited skill. Experience: None.
Level 2: Proficiency: Limited ability to perform. Has general, conceptual knowledge only. Experience: Very limited.
Level 3: Proficiency: Can perform with assistance. Has applied knowledge. Experience: Has performed with assistance on multiple occasions. Has performed in routine situations.
Level 4: Proficiency: Can perform without assistance. Has in-depth knowledge. Can lead or direct others in performing. Experience: Repeated, successful.
Level 5: Proficiency: Can give expert advice and lead others to perform. Is sought by others for consultation and leadership. Has comprehensive knowledge with ability to make sound judgments. Experience: Extensive, comprehensive.

... er scope implied in the skills for executives than for first-line man... ers because of the larger size of the organizations and business results for which they are accountable.

... manager-leaders be involved in conflict resolution?

... ecause conflict in any endeavor that requires the interaction of two or more disci... or, for that matter, minds, is inevitable. As the complexity of security increases, the ... ood of differences in opinion and approach increases as a function of the number of ... d the amount of time required by the employees in their involvement ... or after implementation of projects. Normally, these conflicts arise during imple... ion because of people's natural resistance to change, scheduling pressures, or initial ... ulty of the system to support existing reporting criteria or functionality.

... at should the IS manager-leaders look for in conflict resolution strategies? The ... rs this important question.

... components in ensuring productive employees du... t in conflict resolution will set ... critical step in building conflict resolution strategies is a formal declaration to the ... members of the probability of conflict ... anisms being established to c... amounts to "flushin... sibility of hidden agendas or toke... that conflict is inevitable ... on, the employees involv... or concern to remain buried, which often allows difficulties to ferment and blow out of pro...

... conflict resolution ... complete issue res... A discussion of the quality-oriented benefits ... of conflict resolution. ... tions the team as a whole can ... make individual contributions ... olution. ... an organized procedure is designed and will be implemented in order to allow all team members to achieve their personal and cumulative goals.

... stablish the attitude and approach that both the te... hen, present the structured plan for enactment ... guidelines to be followed durin... To validate the importance of the resolution tasks, the plan should be presented at the beginning of the project as a formal, written structure. People normally operate comfo... round rules are clearly defined and understood by all players at the outset. ... elines, the misconception of different standards for different peo... all team members o... comfortable communication ground with ... ult task and is dependent on the quality and integrity of leader... perience has always indicated that lip service is usually the case. ... can be repercussions, which is the main reason why conflict ... n theory but improbable in practice and why it fails to secure the desired results.

... n the verbal component of the conflict plan, the team leader should pay special at... to the use of "I" statements as a positive tool for clarification of the concept of or... nized, structured conflict resolution. Conflict is always integrated with emotionality, ... en if it is couched in totally professional, business-directed term... feel," or "I'm confident that our approach to resolutions will ... ng a personal emotional connection.

... mation (e.g., twelve or more participants), it is more beneficial to ... r than to have the project team leader assume the duties of logging, monitoring, and documenting each issue that arises. ... am leader is the appropriate individual to present the issue resolution struc... oordinator should then ... n the mechanics and steps being used to ensure complete resolution. The ideal issue ... nator should be a team member with high comp... d credibility with the other team members.

... ted that may have a ... inator's attention, ... ssive silence should be employe... to the viewpoint and inp... or interrupting should be allowed, so that ... o state their viewpoint op... d by each person sho... estions should help t... to elicit and examin... is to avoid presen... other person's perspe... ution of the underlyi... L should be bec... be employed ... reserved more by what is ... ponse body language means using open, r...

... mework. The questions to be ... conflict discussion are as follows:

* ... e relative importance of the issue to each dissenti... a discussion to a successful conclusion so ... odated by the other party. ... this may be the solution ...
* ... e conflict or the issue-causing practic... of this particular topic)? It ... find the solution than to fi...
* ... hat would be affected by a change in each relative departm... of people involved has been resolved, the de... ms, or techniques that would be ...
* ... at is the view from the top? This should be a "best guess" relative to ... that may be presented by management concerning the issue at han... e mechanisms that ... termined that the considerations ... approximately the same numbe... lowing question should be asked: ... point and concern or to maintain cooperation wi... or department(s)?

... rcise of examination/discussion, when focused co... ly by facilitating system inte... practices, raising the levels of c... creasing the level of company loyalty and employee commitment. ... bear in mind that this is a review for the auditor. Depending on the nature of ... the resolution process may require far more sophisticated procedures such as ... nflict resolution can be addressed. In such a case, it becomes the audi... to communicate the existence of such tension in the workplace. In all ... g how conflicts are managed and resolved adds value to the client's man...

... anies need IS manager-leaders. They need IS manager-leaders who are committed to their transformation to a dynamic culture and who inspire that ... ent in others. They need IS manager-leaders who collaborate with their global ... they pursue their customers' long-term loyalty and the attainment of their ... siness results. They need IS manager-leaders who understand the big picture, ... ithin it, continuously improve their skills, and coach and mentor others. ... need dynamic IS manager-leaders who know how and when to lead, man... d are role models for a dynamic company's core values. Dynamic IS man... er-leaders enable dynamic organizations! See Exhibit 1.19 for a summary of the IS man...

... fine the security policies, practices, and procedures ... ducts to support these policies and practices, it is ... evaluate, select, and implement product security ... ative procedures and/or appropriate controls in application systems.

... ation was processe... ired technical ex... crooks. In spite of this, physical security ... continued ... at the front door. ... hich in retrospect paid ...

... should include:

* ... escription of the controlled access areas within the premises, w... trolled access areas are, and what they contain.
* ... dentification of risks (threats) and concern about their likelihood of ...
* ... ontrols to guard against these risks and the costs associated, if measurable.
* ... sks that are being tolerated and accepted, and the risk analysis.

The physical security plan with its accompanying documentation is a sensi... that contains detailed information about the company's risk control measures ... has to be in a neatly compartmentalized form so that you do not have to obtai... owever, in practice ... may not be the case, and ... ce the computer m... ful in the company's risk analysis when planning for its ... disaster ... contracts for disaster recovery services an... nd experience concerning the pitfalls that ... the importance of judgment in review... hasized. This is because the issues ... ractices, and protections are different for practically e... ifferent from organization to organization because the ri... equently, always remember to be astu... your risk assumptions when evaluatin... any theoretical model. No amount of theoretical knowledge is a substitute for real-world experience that comes from keeping your eyes and ears open and mostly ... albeit ... skeptical. For the inexperienced, bear in mind that audi... the information to be obtained in the course of your work ... r judgment about risks and m... before jumping to any conclusions.

Are the information assets protected fortuitously or by design? The physical security plan should contain the measures taken to protect the information assets. ... us methods of protecting and restricting access to info... ze the risks of loss. The main methods of restricti... eter controls such as fenced building sites, ... he perimeter of the facilities ... identified, risks explored, and the method of securing them implemented.

... nce the computer facilities are p... d from unauthorized access, subsequent measures ... essential areas into controlled ... er ... bas... rent need-to-have a... on ... of protection given to these controlled access areas can range from full protection and close ... (i.e., tightly secured areas) to limited protection (i.e., loosely se... ally, companies have divided internal spaces into two or three ... have established standards that dictate the kind of ... afforded to each ... nated controlled areas. For example, ... rs must have an alarm system, ... owner or equivalent level executive.

... imum, this inspection sho... ness requirements for access to ... access these areas.

... one 2 areas are located within ... from the outside at all times, ... st be restricted to only those au...

Access is controlled to limit entry to perso... procedures vary, depending on the level of ... all cases, only persons on the approved ... For Zone 1 and Zone 2 areas, persons all... son are considered to have one-time authorized access. Persons with authorized access to a controlled access area must have ... ness requirement for access. The owner is expected ... constitutes a business requirement an... tion was made. The Zone 1 area own... mining valid business requirements for access to the Zone 1 area an... access based on these criteria. Individuals who have routine access to ... and who do not meet the documented c...
Access authorization must be reviewed as follows:

* For Zone 1 area the access list is to be verified and signed (... by the class owner at least every six months. Persons with ... removed from the access list on a timely basis.
* For Zone 2 area the re... However, persons wh... implicitly through termination of emp... list on a timely basis.

Note: The definition of timely is subject to interpretation, but in ... fic standard it will generally be defined as "at the earliest ... forded by management control processes."
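As an added example (not from the book) of how an auditor might mechanize the review rules above, the following Python check takes a constructed access list for a controlled area and flags a Zone 1 list whose owner verification is unsigned or older than six months, any person still listed after termination, and any person without a documented business requirement. The record fields, the 183-day reading of "six months," and the sample names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# "At least every six months" for Zone 1; 183 days is this example's assumption.
ZONE1_REVIEW_MAX_DAYS = 183


@dataclass
class AccessEntry:
    """One person on an area's approved access list (fields are assumed)."""
    person: str
    business_requirement: str   # documented justification, "" if none recorded
    employed: bool = True       # False once employment has been terminated


@dataclass
class AreaAccessList:
    area: str
    zone: int                   # 1 or 2 as in the text
    owner: str                  # class/area owner who must sign the review
    last_verified: Optional[date] = None
    signed_by: Optional[str] = None
    entries: List[AccessEntry] = field(default_factory=list)


def audit_access_list(lst: AreaAccessList, today: date) -> List[str]:
    """Return audit findings; an empty list means the list passes the checks.

    Rules taken from the text:
      * Zone 1: the list must be verified and signed by the owner at least
        every six months.
      * Zone 1 and Zone 2: persons whose authorization has lapsed (here,
        terminated employees) must be removed on a timely basis.
      * Every listed person must have a documented business requirement.
    """
    findings: List[str] = []

    if lst.zone == 1:
        if lst.last_verified is None or lst.signed_by is None:
            findings.append(f"{lst.area}: Zone 1 access list never verified/signed")
        else:
            if lst.signed_by != lst.owner:
                findings.append(
                    f"{lst.area}: review signed by {lst.signed_by}, not owner {lst.owner}")
            age = (today - lst.last_verified).days
            if age > ZONE1_REVIEW_MAX_DAYS:
                findings.append(
                    f"{lst.area}: Zone 1 review overdue ({age} days since last verification)")

    if lst.zone in (1, 2):
        for e in lst.entries:
            if not e.employed:
                findings.append(f"{lst.area}: {e.person} still listed after termination")
            if not e.business_requirement.strip():
                findings.append(f"{lst.area}: {e.person} has no documented business requirement")

    return findings


# Constructed sample data (not from the book): one compliant list, one not.
SAMPLE_TODAY = date(2001, 9, 1)

COMPUTER_ROOM = AreaAccessList(
    area="computer room", zone=1, owner="ops manager",
    last_verified=date(2001, 6, 15), signed_by="ops manager",
    entries=[AccessEntry("alice", "tape operator, shift 1"),
             AccessEntry("bob", "hardware maintenance")],
)

TAPE_VAULT = AreaAccessList(
    area="tape vault", zone=1, owner="media librarian",
    last_verified=date(2001, 1, 10), signed_by="media librarian",
    entries=[AccessEntry("carol", "librarian"),
             AccessEntry("dave", ""),                           # no justification
             AccessEntry("erin", "contract courier", employed=False)],
)


def run_sample() -> dict:
    """Audit both constructed lists and return findings keyed by area."""
    return {
        "computer room": audit_access_list(COMPUTER_ROOM, SAMPLE_TODAY),
        "tape vault": audit_access_list(TAPE_VAULT, SAMPLE_TODAY),
    }


if __name__ == "__main__":
    for area, issues in run_sample().items():
        print(area, "->", issues or ["no findings"])
```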
Emergency exits for Zone 1 area must h... For both safety and security reasons, the alarms must operate on e... and alarm events must initiate investigative action. Period... gency exit alarms are functioning should be performed ... area owner must ensure that there is an annual review of all em...

For Zone 1 area an accurate, current lo... flects the visitor name, time of entry, ... purpose of the log is to provide a historical record of access and is ... trol tool. Therefore, there should b... If a badge exchange process is used, ... the control over the issuing, retriev... nonroutine access to Zone 1 area must be retained for the current ...

Proper operation of the Computer Access S... responsibility of the CAS service provider. ... area owners (e.g., malfunctioning d... curity or the CAS service provider immediately.

To ensure that system integrity is effective and to avoid compromi... controls provided in the system, the installation must assume res... mation processing resources that are housed within the computer ... These physical access control requirements are applicable to the ... and midrange environments. The m... environment includes ... aster consoles (i.e., interactive dev... without having identification and ... s include the following:

* ... onnection media, such as wiring, fiber optics, and wireless connections
* ... ripheral devices include: ... nnection for printers and plotters

... er ... as used ... services on behalf of ... e and value of the service provid... er

[Table (partially recovered): resource, level of control required, and area type]

* Telephone lines: x
* Systems that are essential to supporting a vital business process: High; Zone 1 Area, or in an office room that is locked when unattended
* All network communication control units regardless of system service being supported: High; Zone 1 Area, or in an office room that is locked when unattended
* All network communication control ... its: High; Zone 1 Area, or in an office room that is locked when unattended
* Type B Area: Medium; Zone 2
* Type C Area: Low; Zone 3
... ecision has to be made on whether to implement protective measures or assume the risk with the associated exposure. In order to demonstrate ... ical access control process, managers responsible for computing facil... tain the following minimum documentation:

* ... ntification of the area, its use, the level of information suppo... equipment/service, and the level of control required.
* The means of communicating the level of information supporte... provisions and requirements

Note: The information systems environment is continually ... erefore, risk analysis should become an ongoing process that is ... cted and reevaluated on a periodic basis to ensure that the cost associated with ... implementation is achieving the projected benefits to ... timate decision of what risk to accept and what risk to ... ement, risk analysis requires a total team effort. ... individuals who can help to evaluate the risk.

... ons within the precedin... to review the site's process ... and determine if additional changes to these questions are required to ade...

... ternal systems range from l... of personal computers. ... ronments, the information security process must be implemented to ... rocesses have been ... on assets or equipment est... efer to the security policy for details ... volvement with this document.

... internal or restricte... requires appropriat... are revalidated on a re...

... st: ... tected by secured space. ... r inclusion in your sample: ... a sample for client access authoriz... ess list verification performed by ... sure that valid business requirement ... ess for access c... thorization is reviewed in accordance with ... ments. For non-... contro... stems are considered ... If volume is sufficient, ... hoc mode to verify e... sure that all entrances and exits are secure... access level mechanism, ... hese controls are not applicable to individuals controlling their own ... eir microprocessor since the custodial relationship does not exist.

... neffective controls over portable storage media could result in loss of or un... cess to stored data.

... rocedures that allow tape removal without owner ... ap... media placed in cust... accounted for business ..., contains information ... for records retention, or contain...

... le storage media may not be removed from the control of ... from the owner of the data. The designation of data as ... dication that the owner has approved its being mov... tional schedule. ... dia availability in case recovery ... trol process applied to media placed und...

... ackups are a prerequisite for any computer ... ackup tapes is extremely vulnerable since ... checks and balances and protection to prevent unau... After the information is written on a backup tape, it ... ical possession of the tape. For this reason, backup ... uters themselves. ... guidelines for backup protection are:

* ... ackups should not be left unattended in a comp...
* ... ntrust backups to only bona fide and bonded m...
* ... nsure backup tapes are sanitized before b...
* ... ackups should be stored at an off-site storage ...
* ... rified to ensure that they contain vali... that a sample of backup tapes be checked at least once a month to en...
* The data stored on the backup tapes should ... you encrypt the backup of a file system you ... information stored on the backup will be us...

... media separation is not possible, then ... entory Control process described in ... e movement of media to and fro... accounted for by means of transmittal records or equivalent ... media must be administered in a way that prevents unauthori... dard label processing, controlled use of bypass label processing ...

... ustodians of storage media are responsible for implem... and performing an accurate inventory reconciliation of t... brary at least biannually. The custodial media librarian ... process with at least one person not directly i... reconciliation must be able to demonstrate the ... inventory (prior ending inventory) ... ort of the custodial media li... ion and supporting documentation ... e) must be retained for a ...

... ation is processable information remaining from ... prior use (e.g., deleted ... esidual confidential data must be made unreadable ... often contain ... on appropriate control sequences. As a re... red information with ... sensitive information is copied into such ... local ... being aware of it and consequently not protecting it. ... ation faster than printers can print it, printers are ... ing when the printer is ... rs, and fax machines ... ta on the tapes have been ... completely erased. ... es overwrite ... then ... enti... lated for that particular disk num... a ... drive's model ... random numbers. ..., the tape can be deg... w what they are doing. Info... versions of operating syste... in wastepaper baskets ...

... ia including inventory ... ressable information remaini... the portable storage m... esses all portable storage media h... turing, storage, and destruction. ... ntrols to ensure that bypass lab... from unauthorized use. ... ple ... ia transactions to ensure that pr... view the effectiveness of ... tape removal procedur... processes, and procedures for m... posal or nonproprietary use, ... ed a classification or labeled to iden... controls ensure accountability for the ... and that inventory records compare to the phys... rtable storage media libr... these inventories, select ... ach inventory entry, ... ve ... so, select a sample of portable ... correctly on the inventory recor... tively to prevent unauthorized access to ... a is kept (e.g., the tap... trol requirements (e.... classified data is sto... tification if required. ... and reconciled to the previous inventory at ... liations have been performed with appro... liation records maintained (for libraries containing data ..., an inventory of all portable media ... ble ... fy that inventory controls exist.

... rized copying, damage, destruction, or ... by the following:

* ... in a locked facility.
* ... rasing obsolete data.
* ... or securely disposing of console lo...
* ... physical access to the computing facilities.
You have now secured the ... hat are the essential services required for the computers to b... levels? ... ow will you provide these essential services? ... ow will you maintain these essential services? ... ow will you monitor these essential services? ... out a doubt, the essential services are ...

... puters require care and monitoring like all complicated devices ... sical and environmental conditions to operate at opti... fail in unexpected and often undes... y continue to operate, albeit erratically, painfully produci... g valuable data. (For more information about essential ... xhibit 2.5 for more information about risks ...

The power supply can be blown out. What protection do you have? ... ven if the power surge doesn't destroy the information on your ... ion inaccessible until the computer system is repai...

[Table (partially recovered): exposures by resource; column headers did not survive extraction]
* Cabling: X X X
* Telephone: x x
* People: X X x x

... ower surges fatally shorting out the ... utside and inside saboteurs ... ndalism

Electrical noise is usually generate... can also come from fans and even ... ations in the power supply. For exa... electrical outlet as a workstation ... tion's power supply or even causi... by other factors. No matter wh... dent in computer systems. Vib... out of their edge connectors ... can come out of alignment.

The control requirem... There should be no ... d installed for e...

[Exhibit (table): controls classified as Detective, Preventive, and Corrective. The row/column assignment did not survive extraction; recovered entries by row:]
* Fire: alarms, smoke detectors, fire drills, fire procedures, emergency extinguishers, maintenance, CO2, water, dry-pipe, Halon, sprinkler heads, disaster recovery plans, insurance
* Wiring: wiring trays, ceilings, smoke detectors, rules and regulations, sprinkler heads
* ...: rules and regulations, cleaning, maintenance, vacuum cleaning, dust covers
* ...: alarms, maintenance, vacuum cleaning, disaster recovery
* Water: detectors, automatic power cutoffs, circuit board carrying voltage and a trace carrying ground, insurance

... hould be kept at least five feet from the large computers, cables, ... transmitters such as cellular telephones, walkie-talkies, and ... nic devices can cause computers to malfunction when they are ... l transmitters can cause permanent ... charge in some sealed fire extin...

... rotecting the physical access to the telephone ... computer to which the telephone line and its modem ... lines include:

* ... ct physical access to the telep... secure. All junction boxes should ... d in an electrical conduit, pull ... 1 areas. Intruders who gain ... spoofing, as this is called, the ... further compromise the comp... all the pertinent in... only to the system ... the users are connected can be compromised.
* The telephone lines should not al... telephone can be programmed to ... incoming telephone calls to ano... ber that has been programmed ... ing their usernames and pass... their calls to your modem line.
* Use leased lines where security ... vided by the phone company. ... or receive calls. As such, it all... does not allow anyone to dial ... more expensive than regular li... cost justified. Leased lines also provide fa... transfer data much faster than ...

... e control requirements for water are:

* ... e mounted on all floors i... well as on those adjacent to the area.
* ... ter detectors should be mounted under ... and also above it.
* ... o alarms, located at ... should sound an alarm; the second alarm shoul...
* ... be in the basements of buildings in ar...

... revents this buildup. Computer rooms should not ... the discharge of which destroys information and ... hich in many cases it does. Conversely, the com... is causes condensation on the computer's circuits, ... short causes too much current to be pulled through ... ibly melts it. Shorts damage the electrical circuits ... ling too much current throu...

... ative humidity of the computer room should be be... t, which depends on the ambient room temperature.
ty a l m that should ring when the h u ~ d i t yis out

r the air-conditionin
reventative m~ntenance.

he c o n ~ o l req~~eme~ts

irements for re-e~tinguishing e ~ u i ~ m eare:


nt

to ~umansbut does not cause environmental degra-


though disks, tapes, and
p~ntoutsthat arein the op
at the comp~ter’spower be automatic~~y shut o

r-based sprinkler system.It keeps water


,and it is safer from disa§t~r§~ t e ~ n

Q O ~ of~ the
Y computer room.

rol re~uirementsfor smoke dama

eads need to be positiQnedin the


above the suspended
er e ~ u i ~ ~but
e nalso
t rele

o a good conductorof

ust cov~rsshould be used wherever~ o s s i ~ l e ,

ient temperat~earound thec


'S i n t e ~ acooling
l s y s t e is
~~na~le
Conversely, if the t e ~ ~ e r a t u r e
en it is turned on, causi
ters operate optimall~from 10" to 3
ways be referred tofor ideal t e ~ ~ e r a
e r a ~ r control
e are:

t can be connected
n u ~ b e r to
s advise

S, ~~ntinuously o r recordthe c o ~ ~ u t~e 0r 0 ~ ’ s


~ o ~ i tand

rvices ~ersonnelto obtain infor~ationon. environ~en-


viron~en.ta1controls and the f ~ n c t i o and
~ s ~rocedures

ce logs to verify that~reve~tative ~ainten~nce


is t ~ n ~
.

otor ~ e ~ e r a toverheat?
or
.
a

.
.

.
(t

.
bo causes break-ins?
bo writes computer viruses?
ho steals passwords?
h0 causes vandal is^^?
o can be no~orious~ r e a t s ?
Is it aliens from outer space?

tentional orinadve~entactions. The greatest threats are


or e ~ h ~ ubut ~ from
e s men and women,as fraud indic

The level of physical access privileges granted is based on. the cl


people need to be grouped into di~erentc sses com~ensurate
which is based on their need to h o w or on scretionary access c
e f e ~ s ~ ~ r u s t e ~ ~ o ~ ~ ~ t e r S y s t ~ ~ ~ v a l u ~
access control as “a ~ e ~ ofn restricting
s access to objects base
jects and/or groups to which theybelong. The controls
a subject with a certain access p e ~ i s s i o nis capable of passin

ne techni~uefor increasin~accountability in security ad~inistrationis to dis-


tribute security-rela d respon.sibi1ities a ~ 0 n . gdifferen
fficer is responsible for overall S
for the physical security and the

implementation of the logical controls. ond duct control


m ~ a ~ e m e responsible
nt for the computin~e n v i r o n ~ ~
,data~aseadministration);
processes and the physic

The security policy must ensure that mana ment awareness of all physical ace
co~putingfacilities, i n t e ~ a systems,
l and ta can be demonstrated and that
Various classes of m~agementpositions.

monitors auditing policy.


hich users and events are audited.
e secure password system.
privileges on publicfiles.
user accounts.
ems for sensitive security programs.

0 I m p l ~ l ~ e naudit
t s in^ procedures.
Inspects and analy~esaudit logs.
* ~ ~ ~ n i s tgroup e r sand user accounts.
0 Repairs d ~ a g e user d files and volumes.
Updates system software.
* Sets sys~emconfiguration p~ameters.
Collects various system statistics.

0 ~ l y file permissions.
~ e r i o d i ~scans
Deals with invalidsuperuserattempts and invalid network requests.

0 Installs security-relev~tsoftware.
erforms routine~aintenancesuch as backups.

Installs system upgrades.


Pedoms dump analysis.
* Writes p r o ~ ~ a m
that
s conform to security criteria.

* Uses the computer resources.

sed when there is no longer a b~siness justi~cation (e.g., at


ent) in a timely manner.
has to be current. At a ~ n i m u mthere
, must be an annual
rivileges and a quarterly process to assist inthe removal
igned to employees who have separated or retired. All
must be identi~ableto an i n ~ i v i d ~(e.g.,
a l a ~ a n a g e may
r have
ee physical access privileges). Physical access controls
pancies, and the security standards s h o ~ l dstipulate the
I Operator Tasks

y with which owning mana ers should review the nonregular employ

ld ensure that effective

eir i n f o ~ a t i o nsecurity respons


vider of Service senior executive approval shouldbe de
used in a~ositionwhere systemcontrols c
res for completeness?a s s i ~ n m eof ~ tresp

.,who a u t h o ~ access
~ ~ s to a user to the CO

ow resources areidenti~ed(e.g., who ownsa dataset, minidisk,or sub


ow users are“ ~ a p p eto~ resources
’ (e.g., whoa u t h o ~ ~users
e s to or

1 and unsuccessful) that

controls have theyd e t e r ~ n e dare re~uired).


ures shouldade~uatelyaddress control points specificto
cess to the computin~facilities and resources.
ctive physical access privile
. l' t

le to an owner.

eview documentatio~

vent ~ n a u t h o ~ ph
ze~
procedures ~escribin

at here^ or obtaine~.

cedures existto ensure that onlyautho~ze


cilities, thatis, the ph~sical sec~rity
view proce~uresoutlinin access to the controll~d
physical secu~typlan ( ,,c o ~ p ~ tfacilities,
er c
room, tape library9 forms storage area9
iscussions with them a n a ~ e ~ eonftthe c o ~ p ~cen
~er
lowing environmental controlchec~ist:
all entry pointsto the computer~acilitiessecur~
ow are they secured (i.e., electronic access control
2. Are these e n t r ~ c e s m o ~ i tby.
o r ae central
~ s~ste~?
during power failure?
ter room maintained duringshifts?

nauthorize~ ~ersonnel?

cility record violatio~ atte~pts?

d to reportallknown intentional andin-

eness of the access control system.

sical security measures have been


~ i n howe to access these pr
locks, and electronic control
of the ~hysicalsecurity pl
ative ~ r o c e d ~for
es c
ys are issuedand who can autho~zec
the computer enter, ~ o c u ~ ean
nt
g. Accounting for all security keys,
h. Verifying that security keys have o y been issued to autho~zedusers.
3. Select a sample of twenty-~vepersons hav sec~ritykeysand
authorization is appropriate basedon their j
4. Select a sample of fifteen employee terminations/resignations/transfers and verify that the security key return procedures were followed.
5. Verify that the security system can place time and day restrictions on specific access cards and is able to logically deactivate access cards.

in and review the access log and verify:


a. Staff movements in the building are recorded.
b. Violation attempts are recorded and investigated.
Procedures exist to ensure that visitors' access to the computer center is controlled.
Maintenance personnel, cleaning crew, consultants, contractors, vendors, and others who have temporary access to the computer facilities and their contents are, in a nutshell, outsiders who pose the same if not greater risk than those in the outside world, because they are now inside the guarded territory and with permission. Evaluate the risks of theft from these people with temporary access and determine what detective and preventive controls are available. At the very least, no one from the outside should be allowed unrestricted physical access to the computer and network equipment.
1. Obtain and review visitor sign-in procedures.
2. Through discussions with the management of the physical security, complete, document, and assess the adequacy of:
a. Visitor sign-in and escort procedures
b. Procedures for maintenance personnel
3. Select a sample of twenty-five visitors over a two-week period and verify that sign-in procedures were followed.
a. Are escorts required to accompany visitors around the computer center?
b. Must visitors wait in an outside lobby for their escort to arrive?
c. Do visitors have to present any ID to pick up their temporary card keys?
d. Are visitors required to sign in?
e. Are visitors required to sign out?
f. Are visitors treated the same as ordinary visitors with respect to:
g. Are visitors restricted from the premises after normal working hours?
h. Are repair or maintenance personnel employed by suppliers permitted entry to critical areas only after proper identification?
c o m ~ ~ tise ra valuable ~ o ~ ~ oand d yet
i t ~
y for a thief to steal it or steal from it the
i s h or, ~ o r s still,
e the s y s t e ~ ’ s
own accounts* forwarding e-mail; c h a ~ ~ i n
ise r e ~ o v i n gaccess
1s quite sudden and dr~matic.Someone may show
a security guardwaitiwith a box contain-
ready been deleted,
ser’s office phone number is no longer
on in ~nancialservice indus-
ses with a low-cost, ~ g h - p e ~ o r m a ncomputing
ce
0 clients, with secure connections to the ~nte~et.
*Offers d e p ~ e n t and
s small businesses a robust solutio^ that is
to i ~ p l e ~ e nand
t , cm u~grade to morethan ~ u a d ~pep l ~
del 73Q/74Q;~ n t e ~ r i s e - c l a s s p e ~ oin~ a an cage
e able, a ~ o r ~ apackage.
~le
res eight-way or twelve-way processor confi urationss~ecifically
tuned for increasedprocespowerandmemory.
0 1’70servers designedfor exceptional price and per-
o wor~oads.The first serversin the industry built just for

a variety of computin~ enviro~ents, i~cluding desktop


omino servers, and Java servers, can be a challen
1400 provides a simple solution to this complex task.
0 0 simplifies PC s u p p o ~by prov
~ ~ / 4 greatly
ndows PCs. No special hardwareor software is re
print~rssimply show up in their Network Neighborhood. For

y tightly integrating hardware, sofiware, ~ d ~ l eand ~ the


~ eoperating
, system,
/400 providesa co~binationof power,flexibility,and eas thatcanhelprunthe
operationssmoothly.Thisdesignalsomakes it possible for tokeepabreastwith

create a more manageable information


t e c ~ o l oy infrastr~ctureby consolidating
/~OOewith its seamless s u p p o ~
for

ogical p ~ i t i o n i nlets
~ you run multiple indepen
ce§§ors, memory, anddis~s-within a singles y m ~ e t ~
server consolidation, business unit consolidation,
ed clusters, as well for
as suppo~in
otecting your business
fro
not run on earlier

and to reduce the

.All i~stancesof these objects are stored

processor (which itself can be com~risedof twelve separate proces-


written to any U 0 device. That re-
ar ~croprocessordedicated to that U 0 device.
application progra~.
storage access times.
ntinues with executing anothera ~ p l i c a ~ opro- n
econds ( second). This designprovides the
in the c o ~ e r c i a l ,ans sac ti on-based environ-
computing, and oneof the main characteristics
it is U 0 intensive rather than compute intensive.
nefit of outstan~ingp e ~ o ~ a n in c ethe business environment,
an elegant methodof int~gratingdiverse environmentsinto a sin-

on a card9which enables

O unawareof underlying hardware characteristics be-


an A ~ / ~ Oare
so unaware of the ch~acteristicsof any storage devices on

concept of single-level storage means that the knowledgeof the


the hardware storagedevices-
e storageis auto~aticallyman-
work withobjects (see the next section on object-based op-
ss. No user interventionis ever

ss the numberof bytes


~,~099551,616. There-
1,616 bytes, or 18.4 ~uintillion
bytes. To put this into morem e ~ i n gtems, ~ l it is
~mately 6 trillion miles
e enables another ex
stence means that the
tem forever. An ordinary machine requires
tern if the i n f o ~ a t i o nis to be sharedor if i
objects is extremely impo~antfor future sup
to continue to exist evenafter their creator
to exploit this characteristic of object per
mechanism that requires them to store their
all the attendantp e ~ o ~ a nimplications.
ce

Logicalpartitioning is also for companiesthatwanttorun


serverworkloadsin a single Q system.Logicalp
formance of an AS/4OQ system tobe flexibly allocat
tems havea p r i arti ~ it ion
~ with all resources initi
agingsecondary p ~ i t i o n
processors, memory, andi
only an initial progr
put output processors
operateindepende
L A N ~ A Nfaciliti
munications betw
14.00 is licensed oncefor the entire system by
number of pa~itions.Li
V4R4 must be installed on
partition.

As the p e r f o ~ a n c eof an ente~riseclass server gr


that p e ~ o ~ a n to c erun multiple workloads indepe
has becomec o ~ o n p l a c in e the mainframe market
Typically, separate partitions are usedfor test rele
ple business units orcompan~esfrom a single server.
The AS/4QQ’simplementation is an adaptati
with flexible and granular allocation of system resourc~s.The
plementation introduces both the flexibilityto a1
speed internal c o ~ u n i c a t i
Logical p ~ i t i o ~ n( g
stances or p ~ i t i o n s(each
metric multiprocessingA
can now be a ~ ~ e s s in e da single machine
to achi
solidation, mixed production and teste n v i r o ~ e
system values can be set in
a difFerent primary orsec0
rogram must be restri

to
authorized
personnel. can also be
used
to
perform

S an interactive screen-design tool that allows


e, and maintain a~~lication screens and menus.
,numeric, a l p h ~ u m e ~and
c ) di
utes
(e.g.,
color, flash, nondispl
sensitive
help.
These features
be used to limit application~rogram-dependentdata validation. Therefore,
tion reviewsit may be ne cess^ to e ~ a ~ screen
n e sourcemem~ers.

implications, arediscusse~in
ities listed ~reviously,many S
utilities, productivity aids,t r ~ n i n gtools, and other system S
uti~tiesor ~ a c ~ a gintroduce
es additio~alsecurity c o n c e ~ s . U ~ programs
lity andopera tin^
system functions that are of interest to a~ditorsare as follows:

at facilitates the creation and maintenance

to ~ ~ ~ ~ o ~ersonnel.
rized

s i m ~ l i ~database
es in~uiryprocedures.
allows
users to interac-
tivelyspecify criteria for the e~~action, summ~zation, and resenta at ion of database
erating randomnum~ers(

ty parameterfor each user (

nter Function (APF)is a utility that allowstb.


codes, createslogos, and createsbar graphs.
trol impact,

Within the user profile, ~an


niti~ P andlor
r o g r an
~ Initia

on to the system, th
can display a series
ment, or a control
mandatory menu.
This control f e a ~ r is
e

be inapprop~atefor many
A u ~ o ~ist designated
y as
es
ta d to all
of system
after images of changes,
,all entries stored in thejo
abase so that it will bein the same state as
it was
,all the transactions

isk space andj o ~ a l need


s to be
he command to review thej o u receivers
~ ~ on the system is

When a single transaction updates multiple files, there is a risk that data corruption will occur should the system crash before all the files are updated. Commitment control uses techniques to record data until the transaction is complete. It prevents data corruption by ensuring that the transaction is complete before the database is updated permanently.

ecksum protection uses ana1


e data residin~on several othe
use the redundantdata to reconst~ctthe data to
store the entire system. This savesa considerabl
ever, use approximately 1596 of ~ e m toom ~ a g eThe. cost of ch
time utilized andaddition~ldisk storagespace,

This method of protection stores duplicate data on separate disks. Should one of the disks fail, processing continues using the mirrored disk. The cost of this level of protection is that all write operations are duplicated and available storage is halved. This option is utilized when it is critical for the system to be up and running. Use of this option results in increased performance for read operations, since there are two places to read information from.

Some disk units offer a redundant array of independent disks (RAID). RAID uses data detection and correction techniques in such a manner that if one of the disks in the configuration fails, the system is able to reconstruct the data and continue until the disk is repaired or replaced. This operation is similar to checksum, but it is implemented (unlike checksum) through hardware features on the disk unit, which reduces the performance impact.

400, a level of security canbe chosen to meet


a customer’s needs.

Minimal security: no passwords are used, and any user can perform any function.
Passwords are used, but users can perform any function.
ste

1. Manual 3. Secure

2. Normal 4. Auto

Yes NO NO

Auto IPL Yes Yes NO

Remote IPL No S No

Power Switch (Off) Yes No No

Power Switch (On) Yes Yes No

PWRDWNSYS Yes Yes Yes

Run Dedicated Service Yes No No


wity officer may set the
= 10, 20, 30, 40, or 50). In almost all cases,

ed from the factory with the

stem value containsa list of libraries allowed to contain user do-


.'These object types are user

strict the objects of type *


which is a temporary objectat level 50, and, there~ore,can-
l data between users.

Password formatting options. These options can help improve security by making passwords more difficult to guess. Passwords can be constructed using an effective combination of the following options:

• Controls the minimum length of a password.
• Controls the maximum length of a password.
• Prevents passwords from being the same as any of the previous passwords.
• Specifies up to ten installation-defined characters that cannot appear in a password.
• Forces each character in the new password to be different from the character in the same position in the old password.
• Prevents characters from being used more than once within a password.
• Prevents a user from specifying a password with numbers (0 to 9) next to one another.
• Implements a password validation program to perform additional checks, for example that all new passwords have at least one numeric character.

ds for user profiles to expire by using the system value


m number of days that a password is valid.
hed for a password, the system auto~atically
user to select a new pa
vent usersfrom ch
number of days un
value
can be overri n~ivid~al’s
user
profile eter er (
with needsdi~erentfrom the system value.

It is possible to prevent users wi

number of workstations accessi~leby users with specialautho~ty.

tion is sent with an automaticsi~n-on.


system value specifiest
attention key.

security r e ~ u i r e ~ e n t s .

is used to display to
tion (e.g.,date of last sign-on, number of invali
~ a s s ~ oexpires,
rd if less than seven days)i

If a job is inactive for a specified number of ~ n ~ t e s


tomatica~l takes action bas
>*

specifies the system portion of


ects in the syst~m
e d before anyl i b r ~ i e sin the user portionof the
s ~ a r c ~ first,
ortion of the ~ i b r list
a ~have been

at is either a t t ~ ~ to
h the
e~
ere are eight~pec~c u ~ aore~d vt i e s
~ that
thorities. To work withan object, a user must have
ct ~uthoritiesare:

remove users and theiraut~oritieson a


list of users authorize^ to access anobj

ata Authorities. Theyare use

rities. The user can

The usercan run a p or display the o ~ j e ~ t ’ s


is prevented from ch

ect an ~ities
derive
theto
stern A u t ~ o ~ t i e s .
A
x x X X X X X
x x x x x
x x
No system authorities given

uthority e~plicitlyprevents a user or a group of users from accessing the


ified, no other autho~tiescan be g r ~ t toe the~ object
ns should set the public access p a r ~ e t e for
r produc-
o assure that onlye~plicitlygranted accessis
al g r ~ t i n g
of access basedon public access.

It level of authority thatis granted if access to an objectfor a


up has not been explicitlyg r ~ t e dor denied access.This de-
thority library parameter
X command that was
after creation.The

the system, control the objects they can access, control


how the system appears to them is their user profile.
user’s ability to access objects on the systemis allowed or denied based onthe in-
user profilecontain^ the i n ~ o ~ a t i about
on
of a group profile) andthe objects the user or group
0 security, a “useris anyone using the system, both
ers, system op~rators)and end users (e.g.,

on of the A ~ / ~ Ooperating
O system,each user pro-
a user’s pro-
of the user’s capabilities are defined within
s profile also defines the user’s work
enviro~ent
l menu, ~ ~ i secondary
~ u m storage, user prior-
disable the user

as possibleand the user profile deleted.

may be of i ~ t ~ r etos t
0 operating system does not auto
profile and password. Therefore
among ~roupsof individu~s.
duces user accountability. Thus, sharing of us
should be dis~oura~ed.

If a numberof users on the system. requi


members of one group profile.This m.etho
thorities by con~olling multi~le users at th
A group profile is a user profile
thority to multiple users. This is accomplishedby
~ individualuse
file level and thena s s i g ~ neach
up profiles is that th

to have the same levelof access to an


ject in a group profile and then assi
one of the users requires a different level
of

adminis~ativel complex wi

An au~orizationlist is a m.eans ofspeci


files. The a u ~ o ~ z a t i olist
n feature is us
user profiles (and their associated autho~ty)that can access
t~orizationlist. Two key features of an authorization list are
to each user is independent of other users on
to allobjects securedby the list.

shown in Exhibit 3.5.

Authorization List                                            Group Profile
Users may be assigned different access rights.                All users are assigned the same access rights.
Users are assigned the same access rights for all             A user (as part of the group) may have a different
objects secured by the list.                                  access right for each object secured by the group profile.
Users may be listed on multiple authorization lists.          Users can only be assigned to one group profile.
Objects can only be assigned to one authorization list.       Objects can be secured by multiple group profiles.
Objects must be explicitly added to the authorization list.   Objects are authorized automatically to group members
                                                              when created by a group member if set up to do so.
on the screen.
Parameters and Events

• Authority failures are logged.
• Object create operations are logged.
• Object delete operations are logged.
• Actions that affect a job are logged.
• Object move and rename operations are logged.
• Changes to the system distribution directory and office mail actions are logged.
• Obtaining authority from a program that adopts authority is logged.
• System integrity violations are logged.
• Printing a spooled file and sending output directly to a printer are logged.
• Restore operations are logged.
• Security-related operations are logged.
• Using service tools is logged.
• Actions performed on spooled files are logged.
• Use of system management functions is logged.

ybelogged on a system~idebasis by including o e


s y s t e ~value.
Forthis
logging
to
take
place, the L
as one of its parameters. See Exhibit 3.6 for parame-

ged on an individual user basis by includi


user profile p~ameter.For this logging to
as one of its p ~ a m e t ~ rSs .

value for the


Sdetermines

~ystemvalue contai~sthe p ~ m e t e *
r

user profile p ~ a ~ e tand


e r the
all users accessingcritical objects on the
Parameters and Events

• Command strings are logged.
• Object create operations are logged.
• Object delete operations are logged.
• Actions that affect a job are logged.
• Object move and rename operations are logged.
• Changes to the system distribution directory and office mail actions are logged.
• Obtaining authority from a program that adopts authority is logged.
• Restore operations are logged.
• Security-related operations are logged.
• Using service tools is logged.
• Actions performed on spooled files are logged.
• Use of system management functions is logged.

Values and Parameters

None None None

None Change Change and Use

Change Change Change
Change and Use Change and Use Change and Use
r the following protocols:

LC ( ~networks)
~ ~ N

The following c o ~ u ~ c a t i facilities


on are a v a i l a ~W
l~
OS1 ( O ~ e n S y s tlnterc
e~s
c o ~ u n i c a t ewith other
'onal s t a n d ~ dorgani~ation.
s

rity level.

e distributed until the target system becomes


a~aila~le,

in any of the three scenarios d e s c ~ previo~sly.


~e~
the s i ~ n - contro~s
0~ in efYect
00 c o ~ u ~ c a twith
e s other
the system. The n e t ~ o r kat-

n ordinary workstation

ts has exceeded the

L indexes, stored ~rocedures,user-


abase e n h a n c e ~ e ~ t s )
n networksecurity (TC
d a ~ ~ l i c a t i oand
ial~ ~ t h oand
~ t the
y

ossible v ~ l ~ are:
es
all function autho~ty
no theabove
with
user * y. The default
value is

-one secu~tysystem values are listed in alphabetic^ order.


ison of unctions at di~erent securi~levels.

allowed
domain

ttention-~ey-han~ling p r o g r a ~is used by the user.


perational Assistantis used. The program specified willbe exe-
ttention-~eyduring an interactive job.

n ~ e non
t the specificre~uirements.

e t e ~ i n whether
e audit in^ is performed on the system. Itis
the opera tin^ system. It serves toturn the fQllo~ing attrib-

user profile parameter.


objects by means of the Change Document *

d, the Change Object Auditing (


ed for users by means of the Cha

ossi~levalues are:
ting of user actionsor objects is perfo
ed for objectssp by means of the

ctions
specified
the
in L sys-
individual user profile ~arameter,while using the
ecific re~uirements,

system valueis reset to

This system value determines the frequency with which new audit journal entries are written from memory to disk. This will enable the system administrator to control the amount of audit information that could be lost if the system ended abnormally.
• The system determines the frequency based on internal system performance.
• A number (starting at 1) determines the number of audit journal entries that can accumulate before being written to auxiliary storage. The larger the number, the less impact there will be on system performance.

value: ~ependenton the specific re

nes the type of events recorded in

nts asspeci~edby the system value


a1 users based on the user profile
paramet~r
These include one or more of the following:

• Object create operations are logged.
• Object delete operations are logged.
• Actions that affect a job are logged.
• Object move and rename operations are logged.
• Changes to the system distribution directory and office mail actions are logged.
• Obtaining authority from a program that adopts authority is logged.
• System integrity violations are logged.
• Printing a spooled file and sending output directly to a printer are logged.
• Restore operations are logged.
• Security-related operations are logged.
• Using service tools is logged.
• Actions performed on spooled files are logged.
• Use of system management functions is logged.

e c o ~ e n d e value:
d ~ e p e ~ d eon
n tthe specificre~uirements.

This system value determines the device name of the console. It is recommended that the console be located in a secure physical environment.

Possible values are:

• The public may view but not change the created object.
• The public may change the created object.
• The public may perform any function on the created object.
• The public is specifically excluded from performing any function on the created object.
Default value: *
Recommended value:
Changing the parameter to a different authority will not change existing objects created with the authority as defined by the existing value.

'This system *S the auditing


value for a new obj
the library is system
e value is also
the
default
uments without folders. Possible values are:
• No auditing is performed for the object.
• Auditing is based on the user profile parameter of the user profile accessing the object.
• If the object is changed, an audit journal entry is written.
• If the object is changed, an audit journal entry is written.

Recommended value: Dependent on the specific requirements.

alue in minutes that aninterac~vej


n on to the system within th
sconnected, but users will be bro

e time thata jobwill r ~ m disconnected.


~ n

t on the specificre~uirements.

tio on is not displayed.

the time thata jobis inactive.

s action to be t n by the S stem when


e t e ~ n e the
system valueis reached.

econdary jobs, andor group job(s) is ended. Thein-


group job(s) is disconnected. The
actually endsthe disco

ecific re~uirements.
ines the action takenby th
empts as s ~ ~in the c i ~ ~ ~

Possible values are:


The number of incorrect sign-on attempts is unlimited.

Possible values are:
• A value of 1 to 365: This represents the number of days before a password expires.
Default value: *NOMAX
Recommended value: 30 or higher

This system value can be used to prevent a user from specifying a password with numbers (0 to 9) next to one another (e.g., 12345). Possible values are:
• 0: Adjacent numbers are allowed.
• 1: Adjacent numbers are prevented.
Recommended value: Dependent on the specific requirements.

Specifies up to ten installation-defined characters that cannot appear in a password (e.g., A). Possible values are:
• Permit any available character to appear in a password.
• Up to ten restricted characters: A through Z, 0 through 9, #, $, @, and _.
Recommended value: Dependent on the specific requirements.

Recommended value: 30 or higher (set values: 10 equals low security, and 50 equals high security.)
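The password formatting options listed earlier in the chapter and the password system values described here, combined into one checker. This is an added example, not code from the book or from IBM: the policy fields, rule tags and sample passwords are constructed for illustration, the system-value names in the comments (QPWDMINLEN, QPWDMAXLEN, QPWDRQDDIF, QPWDLMTCHR, QPWDPOSDIF, QPWDLMTREP, QPWDLMTAJC, QPWDRQDDGT, QPWDEXPITV) are the OS/400 names I know these rules by, and case-insensitive comparison is an assumption.

```python
"""Password composition check modelled on the rules this chapter lists.

Added example, not the book's or IBM's code.  The policy fields, rule tags
and sample passwords are constructed for illustration; the system-value
names in the comments are the OS/400 names I know these rules by.
"""
from dataclasses import dataclass
from datetime import date

# Character set the chapter gives for passwords: A-Z, 0-9, #, $, @ and _.
# Assumption: the comparison is case-insensitive, so candidates are
# upper-cased before any rule is applied.
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$@_")


@dataclass(frozen=True)
class PasswordPolicy:
    min_len: int = 6                    # QPWDMINLEN: minimum length
    max_len: int = 10                   # QPWDMAXLEN: maximum length
    history_depth: int = 32             # QPWDRQDDIF: differ from the last N passwords
    restricted: str = ""                # QPWDLMTCHR: up to ten characters that may not appear
    position_diff: bool = True          # QPWDPOSDIF: each position differs from the old password
    limit_repeat: bool = True           # QPWDLMTREP: no character used more than once
    limit_adjacent_digits: bool = True  # QPWDLMTAJC: no two digits next to one another
    require_digit: bool = True          # QPWDRQDDGT: at least one numeric character
    expiry_days: int = 30               # QPWDEXPITV: chapter recommends 30 or higher

    def __post_init__(self):
        if len(self.restricted) > 10:
            raise ValueError("at most ten restricted characters are allowed")


def validate(candidate, old_password, history, policy):
    """Return the tags of every rule the candidate violates ([] = acceptable).

    `history` is the list of the user's previous passwords, most recent
    first, and normally includes `old_password`.
    """
    pw = candidate.upper()
    old = old_password.upper()
    recent = [h.upper() for h in history[: policy.history_depth]]
    problems = []
    if not policy.min_len <= len(pw) <= policy.max_len:
        problems.append("LENGTH")
    if not set(pw) <= ALLOWED:
        problems.append("CHARSET")
    if pw in recent:
        problems.append("HISTORY")
    if set(pw) & set(policy.restricted.upper()):
        problems.append("RESTRICTED")
    # Compare position by position over the shorter of the two passwords.
    if policy.position_diff and any(a == b for a, b in zip(pw, old)):
        problems.append("POSITION")
    if policy.limit_repeat and len(set(pw)) != len(pw):
        problems.append("REPEAT")
    if policy.limit_adjacent_digits and any(
            a.isdigit() and b.isdigit() for a, b in zip(pw, pw[1:])):
        problems.append("ADJACENT_DIGITS")
    if policy.require_digit and not any(c.isdigit() for c in pw):
        problems.append("DIGIT_REQUIRED")
    return problems


def days_until_expiry(last_changed_iso, today_iso, policy):
    """Days left under the expiry interval; zero or negative means expired."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return policy.expiry_days - (today - last_changed).days


if __name__ == "__main__":
    # Constructed sample data: vowels restricted, one previous password on file.
    policy = PasswordPolicy(restricted="AEIOU")
    old = "BLK4ST7"
    for cand in ("QRM2PX8", "QRM22PX", "BRM2PX8", "QRM2PX8A"):
        print(cand, validate(cand, old, [old, "RG9MTQ"], policy) or "ok")
```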

/400e is brilliant inits architecture. There are many examples of where AS


the
architecture has deliveredon its promise of making the most advancedtechno1
and continuo~slyavailable to its cust
tomers to give Internet access to exis
T ~ o u g ah product known H as
S can access and runAS1400 application
crosoft WindowsNT, firewall, and Lotus
All customer solutions require a range of hardware and software products from a variety of vendors. The AS/400, through integrating these mixed environments, simplifies the task of managing them. The AS/400 can move from CISC processor technology to RISC processor technology without needing to recompile programs. Programs are saved off the CISC systems, restored on the RISC systems, and run as full 64-bit applications. On other machines, recompilation is necessary (sometimes some rewriting), and the resulting programs do not fully exploit the 64-bit hardware. The AS/400's future-oriented architecture has en-

                                                             Security Level
                                                       10     20     30     40     50
User profile created automatically.                   Yes    No     No     No     No
User profile name required.                           Yes    Yes    Yes    Yes    Yes
Password required.                                    No     Yes    Yes    Yes    Yes
Active password security.                             No     Yes    Yes    Yes    Yes
Active initial program and menu security (LMTCPB).    No     Yes    Yes    Yes    Yes
Active limit capabilities.                            No     Yes    Yes    Yes    Yes
Active resource security.                             No     No*    Yes    Yes    Yes
Users have access to all objects.                     Yes    Yes    No     No     No
Security auditing available.                          Yes    Yes    Yes    Yes    Yes
Programs may not contain restricted instructions.     Yes    Yes    Yes    Yes    Yes
Programs may not use unsupported call interfaces.     No     No     No     Yes    Yes
Enhanced hardware storage protection is available.    No     No     No     Yes    Yes
QTEMP library is a temporary object.                  No     No     No     No     Yes
QALWUSRDMN system value determines the libraries      Yes    Yes    Yes    Yes    Yes
  where the objects *USRSPC, *USRIDX, and *USRQ
  may be created.
Pointers in parameters are validated for user domain  No     No     No     No     Yes
  programs running in system state.
Enforcement of message handling rules between         No     No     No     No     Yes
  system and user state programs.
A program's associated space cannot be modified       No     No     No     Yes    Yes
  directly.
Internal control blocks are protected.                No     No     No     Yes    Yes

*At QSECURITY = 20, resource security is active but may not be effective since default *ALLOBJ special authority is granted on user profile creation.

e rapidly changing hardware and software tec~ologiesin its stride. This same
tecture will continueto serve its users wellby enabling its customers to con-
tinue to deploy the very latest technologies while causing themini mu^ possible dis~ption
to their work.
1400 ~chitecturehas another advantage besides speed: it makes the
nt of data and applications easier. Why? e it lets AS1400 assign a unique,
addresstoeverypiece of dataandappinsidethesystemusing a tech-
el storage. Imagine what would happen if you were mayor of a town
that had 10,000~ u i l d i ~ an
g s state law re~uiredyou to identify them using~ree-digitad-
dresses and no street names bviously, you couldn't give every ~uildingits own address.
ine how d i ~ c u litt would beto deliver mailor respond to e
leve it or not, manyof today’s mode^" servers face a si
assign a unique addressto every object in memory or on dis
g r a m ~ e r have
s found clever waysto work around these pro
p r o ~ r a ~ time,
n g added complexity, added costs, and err0
sin~le-levelstorage lets ~ ~ /mark ~ OeveryO object, whether
age, witha unique, permanent address.This reduces the tim
developandenhance ap~lications.It S the entire system mn mo
pecially when~ n n i n gmultiple tasks.
oftware failures. As one custo
eneral ~rotectionFault.”
... a system values report ...

The IS department should be designed to provide segregation between operations, systems and applications programming, and data control. Often in midrange installations there are a limited number of personnel, and control concerns arise over the segregation of duties.

Compensating controls that may address or monitor a lack of segregation of duties within the IS department are:

* Access to production objects ... is limited to read-only ... by using in-built system security.
* Access to source production programs and compilers ... is restricted using in-built system security ... permitted only with management's approval.
* The history log is reviewed by management for unauthorized use of system programs, utilities, and compilers; unusual activity is logged by user and/or object and is investigated.
* Users are restricted to an initial program and/or an initial menu.
* Limited capabilities and attention-key handling are set to prevent users from modifying their initial program and/or an initial menu.
* ... of last change are compared periodically to ...
* Access to the system console is limited to authorized personnel.
* The modems either are turned off when not in use or have additional security features, such as dial-back.
* If no in-house program development is performed, use of purchased software or third-party vendors may provide an appropriate segregation of duties in the IS department.

Compensating controls that may address or monitor a lack of segregation of duties between the user and IS departments are:

* Users are assigned an initial program and/or initial menu that restricts the options available to them.
* Limited capabilities and attention-key handling are set to prevent users from modifying their initial program and/or an initial menu. Management prevents users from accessing production data files by using system security.
* Procedures for reconciling inputs and outputs (e.g., use of batch controls, re...) are in place.
* Users independent of authorizing and entering transactions are responsible for reconciliation and review procedures.
* Access violations are investigated promptly by appropriate management personnel.
* The security officer profile is assigned to only one individual, and Special Authorities are assigned to a limited number of management personnel who have security responsibilities.
* Security functions may be performed only from a limited number of terminals.
* Public Authority to production data files is *...
* Users are assigned an Initial Program and/or Menu limiting access to only those functions necessary to perform their work.
* Limited Capabilities and attention-key handling are set to prevent personnel from modifying their Initial Program and/or an Initial Menu.
* Access to the system is controlled after business hours through the use of automated ... and communication lines commands.
* Access to media (e.g., diskettes, tapes) is restricted to authorized personnel.
* The system is programmed to cancel or deactivate interactive jobs (i.e., terminal sessions) if there is a specified period of inactivity.
* ... Control rights are limited to appropriate authorized personnel.
* Authorization to use restore commands is limited to appropriate personnel.
* Use of data-altering utilities is restricted to authorized personnel and excluded from production environments, and their usage is closely monitored.
* Jobs are executed during scheduled time frames, and deviations from scheduled processing are ...
Organizations are placing more reliance on information processing facilities to support critical business applications. Therefore, it is important to maintain the availability of this information and the associated processing facilities and to be able to promptly restore critical information processing systems in the event of an interruption of service. Additional controls related to business continuity include:

* Procedures should be in place to regularly measure and assess the impact of interrupted information processing on the business.
* Responsibilities should be assigned and contingency plans prepared ... function and user departments.
* Contingency plans should be documented and tested to ensure timely, controlled recovery of critical information systems.
* On-site and off-site backup for critical information and materials should be instituted.
* ... should be developed, and preventive measures should be ... to manage and mitigate the impact on the business from a disaster or ...

The system environment is adequately secure.

Observe the adequacy of the following requirements in the computer room (room requirements depend on size and use of the AS/400(s)):

* Hazard detection tools and equipment
* Protection from risks of water damage

Observe the physical security surrounding the system unit and evaluate whether it resides in a secure area (i.e., access by unauthorized individuals is restricted).

* Where is the computer with its peripherals located?
* What physical security measures are used to reduce or prevent access?
* Are visitors (noncomputer room personnel) entering the computer room required to sign in and out and be accompanied?

The AS/400 is equipped with a four-position System Key Lock. Each of the positions allows for a different level of system control. The key lock is not set to manual or normal, and the key to the System Key Lock is maintained in a secure location.

Determine whether the System Key Lock is in the auto or secure position. Verify that the key is maintained in a secure location.

* Where is the key to the System Key Lock maintained, and who has access to it?
* What procedures are used/followed when the position of the key lock is changed?
* What is the position of the System Key Lock?
The system console is situated in a physically secure location. Certain restricted and sensitive operations can be performed only from the system console. All jobs submitted from this ... and it can be used to control jobs and spool files. The security officer profile can sign on to the system console even if the profile is disabled because of ...

* What is the value of the console system value?
* Is the device specified in the console system value ...?
Dedicated Service Tools (DSTs) are not used to provide access to sensitive data. With the assistance of the client, attempt to sign on with the default DST passwords to ensure that they have been changed and to ensure that DSTs are well controlled.

* Have the default passwords for DST been changed?
The security level is set at a level sufficient for the system to provide ... Review the system values report to determine ... Also obtain a list of libraries that ...

* Are users required to change their password at least once a quarter?
* Are the history or audit logs reviewed for possible password violations?
* Does each user have a unique user ID and password?

Review the system values report to determine the following:

* The password expiration interval parameter has been changed from *NOMAX to a reasonable number of days.
* The requirement for a new password to be different from the previous 32 passwords is activated (i.e., the required-difference parameter is set to 1).
* The minimum password length parameter is not lower than 5.
* The maximum password length parameter is greater than 8.
* If a password validation program is used, ensure that the additional validation checking performed results in users being forced to use passwords that conform to a format that ... A password validation program carries a security risk: the new password is passed in clear text to the validation program during input of a new password.
* The following parameters have been set to a combination that reasonably prevents ...

The maximum number of unsuccessful sign-on attempts is not set too high. When the maximum number of unsuccessful sign-on attempts is reached, the user ID is revoked and/or the device is disabled.

* What is the value of the maximum sign-on attempts parameter?
* Who is authorized to change the value of this parameter?

Review the value on the system values report and determine if the maximum number of unsuccessful sign-on attempts is set to a reasonable number. The maximum number ... unsuccessful attempts. In addition, determine whether management reviews all unsuccessful sign-on attempts. Review the client's follow-up procedures ... Review the sign-on action value on the system values report to determine what action is taken when the maximum number of unsuccessful sign-on attempts is reached.
The parameter that limits security officers has been changed so that users with all-object or service special authority cannot sign on to any workstation unless explicitly authorized to it.

* What is the value of this parameter?
* Is this value ever changed?

Review the value on the system values report and determine that the parameter has been set to 1. Verify that changes ... the parameter has not been changed ...
... unauthorized access to the system via a remote workstation.

* What is the value of the remote sign-on parameter?
* Is there a need for remote users to sign on to the system?

Obtain the value of the parameter from the system values report ... display station pass-through users ... If users ... to access the system, the value ...
The limit-device-sessions parameter has been changed to prevent users from signing on to more than one workstation at a time.

* What is the value of this parameter?
* In what kind of situations do users need to sign on to more than one workstation at a time?
* ... sign on to multiple workstations?
... system values ...

* What is the value of ...?
* What is the value of ...?
* In what situations do virtual devices need to be configured automatically?

Review the values on the system values report and determine that the parameter has been set to a value ...

* What is the value of ...?
* Determine that the ...
* What is the value of ...?

The system writes security-related events to the history log and also to the audit journal if auditing has been activated.

Security violations are reviewed in a complete and timely manner and followed up on. All appropriate activities are being logged. The audit journal has been activated.

* Is the audit journal feature activated?
* How often and by whom are history logs/audit journals reviewed?
* What security-related events are being recorded for users of the system?
* What procedures are followed when a security violation is noted?
* Are the logs protected from unauthorized access and modification?
* Is there a need for logging of specific users' activities?
* Is there a need to monitor the use of and changes to specific objects by users?

Review the settings of the following system values on the system values report and evaluate the appropriateness of the settings:

* Ensure that the audit control parameter is set to either *OBJAUD or *AUDLVL. It should be set to *AUDLVL if either specific user and/or all user activity is being logged ... appropriate to satisfy the needs of the organization. If the organization's security policy requires the system to end rather than merely preventing any further entries from being written to the audit journal, the audit end action parameter should be set to power the system down. Such a recommendation should only be made after considering the consequences of such a setting.
* Evaluate the settings in existence and determine which objects and users are being audited. Ensure that activity logging meets the organization's security requirements.

Examine the documentation supporting the regular review of the history (QHST) log or audit journal. Determine if the review is designed for detection and follow-up of unauthorized access attempts, unauthorized use of ..., and unscheduled processing.

With management's assistance, attempt to sign on and access sensitive objects using ... user profiles. Review the history (QHST) log or audit journal for these attempts.

Obtain the access authority to the audit and history journals and journal receivers, and ensure that access to them is appropriately restricted.

Determine which system users have been assigned *AUDIT special authority, and determine that it is appropriate for these users to be given the ability to change and remove auditing values for both user profiles and objects, and the system values that relate to audit logging.

Use the Display User Profile (DSPUSRPRF) command to create an output file containing all user profiles. With the client's assistance, use a query utility to print a sample of this file. For the sample of user profiles, determine the following:

* The user auditing (AUDLVL) parameter has been changed from the default if there is a requirement that an audit record be written when the user accesses a specific object. ... logging will take place even though the user profile ... parameter ...
* The AUDLVL parameter has been changed from the default setting to one or more of the twelve available values if additional monitoring of individual users is required. Evaluate the appropriateness of the parameter settings and ensure that they meet the needs of the organization's security requirements.
* For objects on the system, use the ... command to determine that the object auditing value is appropriate so that ...
* The object auditing (OBJAUD) user profile parameter, if the ... the user profile parameter is set to ... To ensure that audit logging takes place on access to the object, the setting ... A query may be developed to help perform this.
* QCRTAUT is set to a value that does not ... created objects.
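The review of the history log and audit journal described above can be partly mechanized. The following Python script is an added example (not from the book): it scans a constructed sample of audit journal entries, in a simplified (timestamp, entry type, user, job, detail) layout rather than the full DSPJRN record format, and reports the conditions the text asks the reviewer to look for: repeated sign-on failures at or above the QMAXSIGN threshold, authority failures on sensitive objects, user profile changes by someone other than a security administrator, and sign-on failures outside business hours. The entry type codes PW, AF and CP are the QAUDJRN codes for password failure, authority failure and user profile change; the object names, user names and the business-hours window are assumptions for the example.

```python
"""Scan audit journal entries for the violations this section asks about.

Added example, not code from the book. SAMPLE_ENTRIES is constructed;
on a real system the fields would be taken from DSPJRN output of the
QAUDJRN journal. PW, AF and CP are real QAUDJRN entry types.
"""
from collections import Counter, defaultdict

# (timestamp, entry type, user, job, object or detail) -- constructed sample
SAMPLE_ENTRIES = [
    ("2001-03-05 08:01:10", "PW", "CLERK1", "QPADEV0001", "invalid password"),
    ("2001-03-05 08:01:25", "PW", "CLERK1", "QPADEV0001", "invalid password"),
    ("2001-03-05 08:01:40", "PW", "CLERK1", "QPADEV0001", "invalid password"),
    ("2001-03-05 08:02:02", "PW", "CLERK1", "QPADEV0001", "invalid password"),
    ("2001-03-05 09:15:00", "AF", "PGMR1", "QPADEV0007", "PAYLIB/PAYMAST"),
    ("2001-03-05 09:15:30", "AF", "PGMR1", "QPADEV0007", "PAYLIB/PAYMAST"),
    ("2001-03-05 10:00:00", "CP", "PGMR1", "QPADEV0007", "CHGUSRPRF CLERK2"),
    ("2001-03-05 10:05:00", "CP", "SECADM1", "QPADEV0002", "CHGUSRPRF CLERK3"),
    ("2001-03-05 23:40:00", "PW", "QSECOFR", "QPADEV0009", "invalid password"),
]

SENSITIVE_OBJECTS = {"PAYLIB/PAYMAST"}      # assumed list from the auditor
SECURITY_ADMINS = {"QSECOFR", "SECADM1"}    # profiles approved to change profiles


def analyze(entries, max_sign=3, sensitive=SENSITIVE_OBJECTS,
            admins=SECURITY_ADMINS, business_hours=(7, 19)):
    """Return [(entry type, user, finding text)] for every reportable condition."""
    findings = []

    # Repeated password failures: compare with the QMAXSIGN threshold.
    failures = Counter(user for _, t, user, _, _ in entries if t == "PW")
    for user, n in sorted(failures.items()):
        if n >= max_sign:
            findings.append(("PW", user, f"{n} sign-on failures (QMAXSIGN {max_sign})"))

    # Authority failures against objects the installation calls sensitive.
    af = defaultdict(int)
    for _, t, user, _, obj in entries:
        if t == "AF" and obj in sensitive:
            af[(user, obj)] += 1
    for (user, obj), n in sorted(af.items()):
        findings.append(("AF", user, f"{n} authority failures on sensitive object {obj}"))

    # Profile changes by anyone outside the approved administrator set.
    for _, t, user, _, detail in entries:
        if t == "CP" and user not in admins:
            findings.append(("CP", user, f"user profile change by non-administrator: {detail}"))

    # Sign-on failures outside business hours (hour taken from the timestamp).
    for ts, t, user, _, _ in entries:
        hour = int(ts[11:13])
        if t == "PW" and not (business_hours[0] <= hour < business_hours[1]):
            findings.append(("PW", user, f"sign-on failure outside business hours at {ts}"))
    return findings


if __name__ == "__main__":
    for kind, user, text in analyze(SAMPLE_ENTRIES):
        print(f"{kind} {user:<8} {text}")
```

The thresholds are parameters so the same scan can be rerun with the installation's actual QMAXSIGN value and object list; a single failure by the security officer at 23:40 is reported on the time rule even though it stays under the attempt limit.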
* Who authorizes changes to this system value?
* Has ... for production programs and files been ...?

Ensure that changes to this system value are authorized and that the individual accesses allowed are appropriate.

The display sign-on information parameter has not been set to 0, which would prevent the display of sign-on information.

* What is the value of this parameter?
* Are users instructed what to do when the sign-on information indicates that unsuccessful sign-on attempts have been made using their user ID, or when the date of last sign-on is incorrect?

Review the parameter on the system values report and ensure that it has been set to 1.

Unattended terminals are being timed out; thus no opportunity is created for an unauthorized user to gain access to the system by way of an active but unattended workstation.

* Are inactive jobs canceled/disconnected?
* After how many minutes is an inactive job canceled/disconnected?
* After how many minutes is a disconnected job canceled?
* What is the value of the inactive job time-out interval?
* What is the value of the inactive job action parameter?
* What is the value of the disconnected job interval?

Review the system values report to determine that the parameter has been set ... will function like an *...
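The system value checks in the preceding sections (security level, password expiration, history, minimum and maximum length, maximum sign-on attempts and the action taken, workstation limits for security officers, one session per device, sign-on information display, inactivity time-out, automatic configuration, audit control, default create authority and object restore) can be applied mechanically to a saved system values report. The following Python script is an added example, not code from the book: it parses a constructed report in a two-column "name value" layout (the form DSPSYSVAL output takes once copied into a file) and applies the thresholds the text recommends. The system value names are the standard OS/400 names; the report content is constructed so that every rule fails once.

```python
"""Audit OS/400 system values against the checklist thresholds.

Added example for this section, not part of the original book. System
value names are the standard OS/400 names; SAMPLE_REPORT is constructed
sample input ('NAME VALUE' per line), not data from a real system.
"""
import re

# Constructed sample: one deliberately weak setting per rule.
SAMPLE_REPORT = """\
QSECURITY     20
QPWDEXPITV    *NOMAX
QPWDRQDDIF    0
QPWDMINLEN    4
QPWDMAXLEN    8
QMAXSIGN      15
QMAXSGNACN    1
QLMTSECOFR    0
QLMTDEVSSN    0
QDSPSGNINF    0
QINACTITV     *NONE
QAUTOCFG      1
QAUDCTL       *NONE
QCRTAUT       *ALL
QALWOBJRST    *ALL
"""


def parse_report(text):
    """Return {name: value} from lines of the form 'QNAME   value'."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(Q[A-Z0-9]+)\s+(\S+)", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def _num(v):
    """Integer value of a system value, or None for *NOMAX, *NONE, etc."""
    try:
        return int(v)
    except ValueError:
        return None


# (system value, predicate that holds when the setting is acceptable, finding)
RULES = [
    ("QSECURITY", lambda v: (_num(v) or 0) >= 40,
     "security level below 40: job descriptions and unsupported interfaces can bypass resource security"),
    ("QPWDEXPITV", lambda v: v != "*NOMAX" and 1 <= (_num(v) or 0) <= 90,
     "password expiration interval not between 1 and 90 days (quarterly change required)"),
    ("QPWDRQDDIF", lambda v: v == "1",
     "password history not set to 1 (new password must differ from the previous 32)"),
    ("QPWDMINLEN", lambda v: (_num(v) or 0) >= 5,
     "minimum password length below 5"),
    ("QPWDMAXLEN", lambda v: (_num(v) or 0) > 8,
     "maximum password length not greater than 8"),
    ("QMAXSIGN", lambda v: v != "*NOMAX" and 1 <= (_num(v) or 99) <= 3,
     "more than 3 unsuccessful sign-on attempts allowed"),
    ("QMAXSGNACN", lambda v: v in ("2", "3"),
     "user profile is not disabled when the sign-on limit is reached (1 = device only)"),
    ("QLMTSECOFR", lambda v: v == "1",
     "*ALLOBJ/*SERVICE users may sign on at any workstation"),
    ("QLMTDEVSSN", lambda v: v == "1",
     "users may sign on at more than one workstation at a time"),
    ("QDSPSGNINF", lambda v: v == "1",
     "sign-on information (last sign-on, failed attempts) is not displayed"),
    ("QINACTITV", lambda v: v != "*NONE" and 5 <= (_num(v) or 0) <= 60,
     "inactive interactive jobs are not timed out within 60 minutes"),
    ("QAUTOCFG", lambda v: v == "0",
     "devices are configured automatically"),
    ("QAUDCTL", lambda v: v != "*NONE",
     "security auditing is not active"),
    ("QCRTAUT", lambda v: v in ("*EXCLUDE", "*USE"),
     "default public authority for new objects allows change or all access"),
    ("QALWOBJRST", lambda v: v != "*ALL",
     "security-sensitive objects (system state, adopting authority) may be restored"),
]


def audit(values):
    """Return [(system value, current setting, finding)] for every failed rule."""
    findings = []
    for name, ok, text in RULES:
        current = values.get(name)
        if current is None:
            findings.append((name, "<missing>", "not present in report"))
        elif not ok(current):
            findings.append((name, current, text))
    return findings


if __name__ == "__main__":
    for name, current, text in audit(parse_report(SAMPLE_REPORT)):
        print(f"{name:<11} {current:<9} {text}")
```

A value absent from the report is itself reported rather than silently passed, so a partial extract cannot produce a clean result.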

... exposure because the library list ... Who authorizes changes to the system library list? Ensure that changes to the system portion of the library list are authorized. The user portion of the library list is searched ... Determine the access to the ... command, and determine whether it has been appropriately restricted. For reasonableness, verify that all changes to the user portion of the library list are authorized.
The passwords for the six IBM-supplied user profiles (QSECOFR, QSYSOPR, QPGMR, QUSER, QSRV, QSRVBAS) have been changed, and the supplied user profiles are not used as user or group profiles.

* Have the passwords for the supplied profiles been changed?

Determine that the passwords for the supplied profiles have been changed ... Review the supplied user profiles using the ... command ... the password for each supplied user profile not needed for sign-on is set to *...

User profiles with certain special authorities provide unlimited access to virtually all aspects of the AS/400. Users do not have access to profiles with special authorities or levels of access greater than required by their job function.

* What users have been assigned Special Authorities?
* Do all users with Special Authorities require them for their job function?

Review all responsibilities of individuals assigned the (...) Special Authorities for appropriateness.

If the profile is used as a group profile, use the ... command to verify that the status field is not set to *DISABLED. If it is, discuss with the security officer the reason for the setting and whether the profile is still necessary. Disabled profiles cannot sign on but are still valid for processing, such as owning the objects created by the user profile.

Verify that the employee's Initial Program and menu assigned does not allow the ... The attention-key program should not be set if not used.

If audit logging is being used, refer to the section on history logs and audit journals to determine what audit procedures need to be carried out on the user auditing (AUDLVL) and object auditing (OBJAUD) parameters.

The security officer may define a group profile for a group of users with the same capabilities. When a user is assigned to a group, the user is given the authorities defined in the group profile. Therefore, the authorities assigned to the group should be appropriate for all group members.

Users have not been granted levels of access by a group profile greater than those required to perform their job function.

* What policies and procedures are used for the assignment of individuals to groups?
* Is group membership reviewed on a periodic basis (or when transfers, terminations, or promotions occur)?
* Are the access rights assigned to the group reviewed on a periodic basis?
* Are group profile passwords set to *NONE?

Use the Display Authorized Users (DSPAUTUSR) command to identify group profiles. For a sample of group profiles, list the objects authorized by using ... and perform the following audit steps:

* Review the reasonableness of the objects authorized ...
* Check that the group profile password parameter is set to *NONE.
* Repeat the audit steps listed for user profiles, verifying that the profile parameters are appropriate for the group profile.
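The special-authority and group-profile steps above (special authorities matched to a documented business need, the security officer capability held by very few profiles, group profiles with no password, IBM-supplied profiles not used as groups, menu users with limited capabilities, and profiles of departed staff disabled) can be run against a user profile listing. The following Python script is an added example, not code from the book: it reviews a constructed sample of profiles in a simplified record layout (profile, special authorities, group, password *NONE flag, limit capabilities, initial menu, status); on a real system those columns come from the DSPUSRPRF *OUTFILE file the text asks you to create. The approved-holder table and the terminated-employee list are assumed inputs.

```python
"""Review user profiles for the control points in this section.

Added example, not code from the book. SAMPLE is constructed; a real
review would load the same columns from DSPUSRPRF *OUTFILE. APPROVED
and TERMINATED stand in for the installation's own documentation.
"""
from collections import namedtuple

Profile = namedtuple(
    "Profile", "name special group pwd_none lmtcpb initmenu status")

# IBM-supplied profiles: must not be used as user or group profiles.
IBM_SUPPLIED = {"QSECOFR", "QSYSOPR", "QPGMR", "QUSER", "QSRV", "QSRVBAS"}

# Constructed sample; each weak record exercises one rule.
SAMPLE = [
    Profile("QSECOFR", {"*ALLOBJ", "*SECADM", "*AUDIT"}, None, False, "*NO", "MAIN", "*ENABLED"),
    Profile("SECADM1", {"*ALLOBJ", "*SECADM"}, None, False, "*NO", "MAIN", "*ENABLED"),
    Profile("PGMR1", {"*ALLOBJ"}, "QPGMR", False, "*NO", "MAIN", "*ENABLED"),
    Profile("CLERKS", set(), None, False, "*YES", "*SIGNOFF", "*ENABLED"),
    Profile("CLERK1", set(), "CLERKS", False, "*NO", "ORDERS", "*ENABLED"),
    Profile("CLERK2", set(), "CLERKS", False, "*YES", "ORDERS", "*ENABLED"),
    Profile("EXSTAFF", set(), "CLERKS", False, "*YES", "ORDERS", "*ENABLED"),
]

# Documented business need for special authorities (assumed input).
APPROVED = {
    "QSECOFR": {"*ALLOBJ", "*SECADM", "*AUDIT"},
    "SECADM1": {"*ALLOBJ", "*SECADM"},
}
TERMINATED = {"EXSTAFF"}   # from HR records (assumed input)


def group_profiles(profiles):
    """Names referenced as some user's group profile."""
    return {p.group for p in profiles if p.group}


def review(profiles, approved, terminated):
    """Return [(profile name, finding)] for every control failure."""
    findings = []
    groups = group_profiles(profiles)

    # Security officer capability: the officer plus a limited number of deputies.
    allobj = sorted(p.name for p in profiles if "*ALLOBJ" in p.special)
    if len(allobj) > 2:
        findings.append(("*ALLOBJ", f"held by {len(allobj)} profiles: {', '.join(allobj)}"))

    for p in profiles:
        if p.name in groups and not p.pwd_none:
            findings.append((p.name, "group profile has a password; set PASSWORD(*NONE)"))
        if p.group in IBM_SUPPLIED:
            findings.append((p.name, f"uses IBM-supplied profile {p.group} as group profile"))
        extra = p.special - approved.get(p.name, set())
        if extra:
            findings.append((p.name, "special authorities not approved for job function: "
                             + ", ".join(sorted(extra))))
        # A menu user without LMTCPB(*YES) can change the initial program/menu
        # and reach the command line, defeating menu security.
        if not p.special and p.initmenu != "*SIGNOFF" and p.lmtcpb != "*YES":
            findings.append((p.name, "menu user without LMTCPB(*YES)"))
        if p.name in terminated and p.status != "*DISABLED":
            findings.append((p.name, "terminated employee's profile is still enabled"))
    return findings


if __name__ == "__main__":
    for name, text in review(SAMPLE, APPROVED, TERMINATED):
        print(f"{name:<8} {text}")
```

Group profiles are inferred from the group field of the other records rather than from a separate list, so a group that someone forgot to document is still tested for a password.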

Users have not been granted levels of access to libraries greater than those required to perform their job function.

* Which libraries contain sensitive information?
* Is the public authority to these libraries appropriate?
* Who is authorized to access sensitive libraries?

Using ..., obtain a list of all libraries. With the assistance of client information systems staff, ascertain the significant object and source libraries; these will be installation specific. The following standard system libraries ... what access authorities to them ..., as well as any programming libraries ..., and determine the following:

* Public Authority is no higher than *...
* Users have a maximum authority of ... to system and utility libraries (except ...).
* Programmers have a maximum authority of ... to system and utility libraries, ... to production object libraries, ... to production source libraries, ... to production data libraries, and ... to ... source libraries.

Note that ... or an internal profile without a password, such as ..., should be the owner of libraries. Also note that most vendor-written software, program, and data libraries will have an owner that may also be a group profile for end users. This means that users effectively have authority over all vendor-written objects, and therefore access to these objects by users must be controlled through package-based controls (e.g., restriction of menu options).

The default public access is set to ... (if the ...) ... data.

Users are not granted levels of access greater than those required to perform their job function.

* How are user access rights determined and granted?
* What default level of public access is granted to users?
* How is production data segregated from test data?
* How are programmers prevented from testing programs in production libraries in a live environment?

Review and evaluate ... (... the same profile to access the system): determine what objects the profile ... For the sensitive objects identified previously, use ... to verify that the profile is allowed read-only access.

* What policies and procedures are used for creating authorization lists?
* How are authorization lists deleted?
* Are authorization lists reviewed ...?

Obtain a list of sensitive authorization lists on the system. For these lists, obtain a listing of all users and capabilities assigned to these lists and verify their appropriateness.

A job description represents a potential security exposure: a user who can use a job description can run work under the user profile name specified in the USER parameter of the job description. ... By using job descriptions, users cannot obtain authorities they should not have.

* Is the security level 30 or lower?
* Are job descriptions used to grant access?
* What procedures are followed to establish job descriptions?
* Are job descriptions reviewed on a regular basis?

List the job descriptions on the system ... If the security level is 30 or lower, obtain a list of job descriptions and examine the user profile parameter of each.

The AS/400 operating system allows a program to adopt the authority of its owner. This feature allows a user who ... to run with the same system authorities as the program owner. A user without the necessary authority could run a ... Therefore, the program adopt ... Through the adopt authority feature, users cannot obtain ... data files and programs.

* What procedures are followed to authorize the use of Adopt Authority?

... systems are ... removed when the ... Authority holders are used to avoid having to redefine access authorities ... Users could create authority holders for (temporarily) nonexistent files and use this capability to obtain authority they should not have.

* Are authority holders removed in a timely manner?

Use the Display Authority Holder (DSPAUTHLR) command to list all authority holders ... System/36 mode and authority ...

... access parameter to the Create ... command. ... unless this authority is revoked by ... or ownership is transferred. In certain situations, the authority of owners should be revoked. For example, a ... when the program is reviewed and transferred to a production ... ... ownership and authority to production programs are transferred into ... ownership ... also transferred to a ... profile?

* Are objects owned at the user level or the group level?
* What procedures are followed when ownership is transferred?
* Who assumes ownership of owned objects when an owner leaves?

Identify procedures performed by installation personnel to ensure that ownership of an object does not compromise installation security, by reviewing user profiles, including ...
Access to sensitive utility programs that can alter data and/or programs, and to compilers, is appropriately restricted.

* What users have access to sensitive utilities?
* Is the use of sensitive utilities logged and followed up?
* Are all ... required to produce audit trails?

... access parameter is ... reviewed by installation personnel ... assigned to user profiles or are not ... commands or other objects ...

Users do not have access to the operating system command line ...

* Which users are able to access the command line?
* Which users have limited capabilities?
* Are the commands listed on user menus appropriate for their job functions?
* Which commands can be run by users with limited capabilities?

With the client's assistance, use the ... command to determine which user profiles have been assigned limited capabilities. This procedure may be performed on a sample basis. Evaluate the propriety of the Initial Program assigned based on the individual user's job function. Review the Initial Program assigned, usually a menu, to determine whether any options allowing the user to access programs or data files conflict with the segregation of duties conventions. Review the limited capabilities parameter and verify that it has a setting of ... Where users have been granted the use of additional commands, verify that the commands provide appropriate capabilities.

PC Support is the utility program that allows users to use a microcomputer instead of a "normal" workstation to access an AS/400. For PC Support to perform functions such as transferring a data file, PC Support ignores menu security.

* PC Support users do not store their AS/400 password in a PC file that can easily be read.
* The installation has secured production programs and data files using authorization lists or Specific Authorities.
* AS/400 files are secured in the PC environment.
* Users are not able to bypass security by using the submit remote command (SBMRMTCMD).
* PC Support users are not able to freely download and upload data files.

* Is PC Support used to transfer files?
* Who has access to PC Support?
* Is secured data stored ...?
* Is data uploaded to the AS/400?
* What data is downloaded?

Select a sample of microcomputers ... and production data files ... in which it resides has been set to *...

Users do not have access to sensitive and confidential data while it is held in spooled files.

* Is there sensitive or confidential information in spooled files on the system?
* Have users been assigned *SPLCTL special authority, which gives them access to all information contained in output queues?
* Are the contents of output queues restricted to authorized users?
* Which output queues on the system are used to print sensitive and confidential information?

With a list from the client, review the following output queue parameters: ... Ensure that the parameter settings are appropriate to achieve the desired level of security for output queues that hold spooled files containing sensitive and confidential information.
Access to sensitive system commands is appropriately restricted.

Review the authorities over the following sensitive commands using the ... command, and determine that such commands are appropriately restricted:

Command      Description
ADDAUTLE     Add Authorization List Entry
...          Add ... Support User to Distribution ...
CHGAUTLE     Change Authorization List Entry
CHGDSTPWD    Change Dedicated Service Tools Password
...          Change Database File (using DFU)
CHGNETA      Change Network Attributes
CHGOBJOWN    Change Object Ownership
CLRPFM       Clear Physical File Member
CLRLIB       Clear Library
CRTAUTHLR    Create Authority Holder
CRTAUTL      Create Authorization List
Backup procedures for critical/vital information and materials ...

Review library listings to ensure that all critical libraries are being saved.

SAVLIB *NONSYS: Saves all nonsystem libraries.
... (... specified).
... cannot be saved via ... signing users out of the ...

At least a whole system save should be part of the installation's backup scheme. Review backup retention periods. A listing of the backup tapes is kept elsewhere (e.g., a copy of the tape index off site), and the content of each tape is easily determined. Verify that journaling (commitment control) ... Verify that off-line backups ... security no longer applies ... for the AS/400 ... be Access Control Facility ...

Verify that only authorized individuals either have ...: This capability requires ... (to change a user profile), and ... used by the security officer or someone with the ... authority, unless access to the ... has been additionally restricted. Privileged functions must be accountable to individuals (i.e., if a Group Profile is permitted, each individual in the Group Profile must be authorized). If a program, especially one running with adopted authority, is used to perform this function, determine which individuals can run the program. Programs running with adopted authority run under the program owner's user profile.

Privileged User Authorization Test: ... done concurrently with the privileged user ... The purpose of this test is to verify that those individuals actually performing privileged tasks have the responsibility to ensure that appropriate management authorization and documentation for the business need exist. Compare ... with the users authorized to ... users. The list of privileged ... The specification of the ...
For each user on the AS/400, there is a user profile. This profile may contain the following ...

Ensure that password integrity requirements are set in the system values. Review the system values ... specified in the system values.

Ensure that there is appropriate control for the use of "shared" resources on the system ... without documented procedures and controls. Obtain the procedures for managing ... the user of the ... the authority to ...

Ensure that all objects on the system have a responsible owner.

* Determine the number of objects owned by the default owner profile (QDFTOWN).
* Determine if procedures for finding valid owners for all objects owned by QDFTOWN are adequate.

Note: Object ownership can be viewed using the ... command.
All resources on the AS/400 are called objects. The system maintains the following information on all objects:

* Owner (a user or group profile)
* Public Authority (*PUBLIC)
* Specific Authority (individual users or groups)
* Authorization List
* Object Type (file, user profile, program, library, and so on)

This information identifies the object owner; any individuals authorized to access it publicly, specifically, or through an authorization list; and the type of object. Sound security policy requires that all resources be protected from general access unless explicitly required, with formal documentation of the business justification for all exceptions (e.g., system broadcast functions). This implementation relieves not only owners from the requirement to identify the highest classification level of their data, but also the supplier of service organization from the requirement to "scan" for confidential data.

Objects on an AS/400 cannot exist without an owner. For this reason, a user profile cannot be deleted until all objects owned by that user are deleted or transferred. Circumstances may arise in which the system cannot determine the owner; in that instance, the system assigns ownership to the default owner (QDFTOWN). All objects are owned by a user or group profile.

Verify that the access method ... is effective.

Review the system values, system exits used, and group structure for ... for a sample of objects. Review the group, user, and authorization list ...

Note: Also ensure that appropriate control mechanisms (e.g., the Remote Location Configuration List and the System Distribution Directory) are used for controlling access ... from the corporate backbone network.

If applicable, obtain from management a register of exceptions and verify that the business case seems reasonable. Follow up with the owners. Review the object access authorizations for the exceptions and critical system resources.

Object authorizations can be displayed using the DSPOBJAUT command. Authorization lists can be displayed using the DSPAUTL command. System values can be displayed using the DSPSYSVAL command.

There are two ways of controlling access to or exclusion from an object: specific or list authorization. Specific authorization ... List authorization is a ...

Review the requirements for system values, ... Review the exception list ...

A user can only be in one group. Users may be on multiple authorization lists. Members of an authorization list can have different authorities. An object can have a single authorization list of which it is a member.

Combinations of the basic authorities have been given separate names. They are as follows:

* ...: Allows ... access to the data in the object.
* *EXCLUDE: Allows no access to the object or its data.

The authorization search order is as follows:

1. ... (basic authorization)
2. ... authority for the object
3. Authority for the authorization list associated with the object
4. ...

Note: The first authorization entry found, matching the user and object, is taken. There may be other matches of higher or lower authority, but they are not used.
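The consequence of the note above (the first matching entry wins, even when a later entry in the order would grant more) is easiest to see in code. The following Python model is an added example, not code from the book: it encodes the search order the text describes (*ALLOBJ special authority, then the user's own entry on the object, then the user's entry on the object's authorization list, then the same two lookups for the user's group, then public authority, deferred to the authorization list when the object's public authority is *AUTL) over constructed users, objects and lists. It is a simplified model of the text's description, not the operating system's full algorithm; adopted authority and supplemental groups are not modeled.

```python
"""Model of the authority search order described in this section.

Added example, not code from the book. Users, objects and lists are
constructed; the order follows the text (special authority, specific
authority on the object, authorization list entry, then the group's
entries, then public), and the first match is taken.
"""

# Basic authorities in increasing order of access.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

USERS = {  # constructed sample
    "ANN":    {"group": "CLERKS", "special": set()},
    "BOB":    {"group": "CLERKS", "special": set()},
    "CAROL":  {"group": None, "special": set()},
    "DAVE":   {"group": None, "special": set()},
    "SECOFR": {"group": None, "special": {"*ALLOBJ"}},
}
AUTLS = {
    "PAYLST": {"specific": {"CAROL": "*USE"}, "public": "*EXCLUDE"},
}
OBJECTS = {
    "PAYROLL": {
        "specific": {"ANN": "*USE", "CLERKS": "*CHANGE"},
        "autl": "PAYLST",
        "public": "*AUTL",   # public authority comes from the list
    },
}


def _search(name, obj, autl):
    """First entry for one profile name: object-specific, then list entry."""
    if name in obj["specific"]:
        return obj["specific"][name], "specific authority on object"
    if autl and name in autl["specific"]:
        return autl["specific"][name], "authorization list entry"
    return None


def effective_authority(user, objname, users=USERS, objects=OBJECTS, autls=AUTLS):
    """Return (authority, source) for user on object, taking the first match."""
    u, obj = users[user], objects[objname]
    autl = autls.get(obj["autl"]) if obj.get("autl") else None
    if "*ALLOBJ" in u["special"]:
        return "*ALL", "*ALLOBJ special authority"
    found = _search(user, obj, autl)
    if found:
        return found
    if u["group"]:
        found = _search(u["group"], obj, autl)
        if found:
            return found[0], "group " + found[1]
    if obj["public"] == "*AUTL" and autl:
        return autl["public"], "public authority of authorization list"
    return obj["public"], "public authority on object"


def is_authorized(user, objname, needed, **kw):
    """True when the effective authority covers the needed basic authority."""
    auth, _ = effective_authority(user, objname, **kw)
    return RANK[auth] >= RANK[needed]


if __name__ == "__main__":
    for name in USERS:
        print(f"{name:<7} PAYROLL -> {effective_authority(name, 'PAYROLL')}")
```

ANN holds *USE on PAYROLL through her own entry and so does not get the *CHANGE her group CLERKS holds; BOB, with no entry of his own, does. That is exactly the case an auditor checks when a user-level *EXCLUDE or *USE entry is meant to override a group's broader authority.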

Verify that adequate audit trails are generated and audit trail histories are maintained to provide management and/or legal with sufficient documentation for security incident follow-up and resolution. The requirement for a documentation retention period should be documented in the information security ...

Audit trails are maintained in ..., which controls security-related ... journal. Any user cannot alter a journal entry ... application design ... overall system security. Since the use of journals is related to ..., the auditor needs to understand the site's ... all the activity of the system written to journals: system audit, save and restore information, authorization failures, deleted objects, or security-related functions.

... and is current. The ... "administrative authority" ... of the access control system:

Administrative authority is the privilege that is generally used in the performance of adding, deleting, and altering ... The individual owning a user ... do not have the job responsibility of administration, they are still considered to have this privilege and must comply with the requirements for its authorization.

AS/400 attributes, as described previously, can often be considered as the requirements of system support ... Access to components of the access control system is not considered "privileged" in the explicit sense of the term; however, because of the potential ability to circumvent the access control system itself, those with access to these components should ...

Review the management authorization for each ... with follow-up control assessment interview(s) with the system security owner as necessary. Review written justifications for long-term (more than two weeks) and short-term (less than two weeks) use. Long-term ... emergency or short-term ... designee.

Review the management authorization and business rationale for programs running ... to programs owned by ... Review the management authorization ... with adopted authority, ... authorities are not ... to all system resources ... and other users' jobs ... administrator or officer ...
... companies will survive, and even then, only by restructuring their business. The laurels will go to those companies with ... adapt themselves to the changed industry landscape.

Successful audits of information ... analysis of the physical environment ... potential risks and recommend ...

The objective of the audit ... necessary to successfully manage ... responsibility for all services related ... mounts, and so on), the operations ... that guarantees optimum ... infrastructure, specify ... audit will ... The standards establish a computing environment on an ... and increases the availability ... will be brought into ...

The following is a list of reports that have audit significance. They can be printed and used to audit the AS/400 platform:

* All Libraries On The System
* Library Save And Restore Information
* A Specified Library Description
* All The Objects In A Specified Library
* The Library List For The User Signed On
* The Basic Information From An Object's Description
* The Full Information From An Object's Description
* Service Information From An Object's Description
* Users Authorized To A Specified Object
* Access Granted By An Authorization List
* Basic Information For A User Profile
* Display All Parameters For All User Profiles
* Authorized Users In User Profile Sequence
* Authorized Users In Group Profile Sequence
* ... On The System
* All Devices On The System
* Program Information
* Programs That Adopt The Owner's Authority
* Authority Holders
* Date Of Last Change For All Programs In A Library
* System Statistics
* Disk Statistics
* Active Job Statistics
* Network Attributes
* Command Information
* Local Hardware
* IBM Software Resources List

Note ... recommendations:

* A maximum of 3 unsuccessful sign-on attempts is recommended ... is not effective for users ...
* ... a minimum of 6 characters.
* ... may not be the same as previous ones. The following value is recommended: 1.
* ... characters that may not be used. Valid ...
* ... more than once.
* Obtain the name of the validation program and ensure that it does not allow some users to ... is found to be onerous.

Determine if the system value that limits access to workstations for profiles with special authority is being used:
* ... special authority cannot sign on to any display station unless specifically authorized to the display station.
* ... special authority can sign on to any display station.

Default public authority for objects created in a library: the system value takes effect when the create authority attribute for the library is set to *SYSVAL. ... is recommended, but the client may resist this change because all ... (e.g., device descriptions) ... normal operation.

The systemwide attention-key-handling program: ... No attention-key-handling program. ... A user-written program that will handle the attention interrupt.

2.10 Determine the system value that determines whether objects that are security-sensitive may be restored to your system by a user with the proper authority:
* ... No security-sensitive objects, such as system state programs ..., may be restored to the system.
* ... System state objects may be restored to the system.
* ... Objects that adopt authority ... may be restored ...
* ... is recommended; however, if ... the value should be set to ...
... to reflect the IT and user department organization, ensuring that appropriate segregation of duties is maintained. File attributes and special authorities should reflect users' business functions.
3.1 List the group profiles by entering the command ... This will list all group profile names and the user profile names within each group of users. It will also list at the bottom any user profile ...
3.2 Evaluate each group profile to ensure that it represents a common group of users with the same or similar business functions. Where group profiles are used, ensure that the group profiles ... to prevent any unauthorized sign-on.
3.3 Check that the following IBM-supplied profiles have had their original passwords changed:

User Profile | Release of OS/400 V3 | Password

3.4 Check that the passwords for the following ... are stored securely, are changed, and are only ... engineers:

... | Original Password

3.5 Check that the passwords for ... facility have been changed or that the AS/400 key is held by the ... and that the key lock is in the "Normal" position.

... | Password
* For the service representative or operator to use functions that do not ...

3.6 Ensure that users are members of appropriate groups related to their business functions.
3.6.2 (Password Expiration Interval) Check whether a specific interval has been set for *... or the system default specified in ... applies.
3.6.3 ... The security administrator ...
3.6.4 Specifies which user profile is the owner of objects created by this user ...
3.6.5 ... the initial menu, the user can change all the values in the user profile with the ... will prevent users from dropping ... aborts. Ensure that users have ...
... : User profile can be used.
... : User profile cannot be used.
... and so on must be set to ...
Appropriate access authority should be defined at the library level ... so that data files and programs are protected from unauthorized access.
4.1 ... the libraries that will be searched when the system ... for which a library name has not been explicitly ... ends with the correct name.
... determines the initial settings of the system ...
... the change control procedures for the implementation of new programs or files from development to production ...
... of a production or ... users ... security ... compromise ... by ... appropriate ... programs should be restricted to authorized ... the integrity of production systems.
... to review any programs that adopt the authority ... Access to the query definitions should be prevented.
... security-related commands using ...
... administrators have use of ... authorities are usually required to execute ... can use this command. ... commands should be *...
6. ... the priority of work in the system is determined by ... job descriptions.
... for a sample of production job ... (library name/name of job description) ... to obtain a listing of the job descriptions: ... (library name/job description)
7. ... 7.7 ... 7.10 ...
8.1 ... of network files for the receiving ... display, cancel, or receive the job stream into a database ... the input stream was ... using the values in the ...
... to display the system ... The parameters are: ... means allow any address. ... the user to whom it was sent. Ensure that the user profile does ...
... Determine how the system ... The parameter is as follows: * ... requests from remote ..., but they are controlled ... port is actually used. If it is not, ...
... communications with PC ... network entry ... which ... user can use the "submit remote ..." command facility without having an active workstation display emulation active.
8.4 ... defined, then the subsystem ... the target system allows the source user specified in the communications ... send a ... then the source system will ... will be under the authority of this user ...
8.5 ... the system allows access with ...
8.6 ...
8.7 ...
... if *... is specified and ... is 30, then no passwords are ... the security levels ... the first available virtual device that has been configured ... is not set to 0 because ...
... resources are recorded in the audit journal ... should be reviewed on a regular basis ... the system values that control audit logging ... (system value)
Exhibit 5.1, in which ... is responsible for enforcing all access validation ... authority. In this way, the Security Reference Monitor ... validation code, and it is the only copy of that ... ensures that all protection is provided uniformly ... provides services for validating access to objects ... that will be used during that session.
Discretionary access controls (DACs) control who can access resources ... be the file name, the data it contains, and the ... Network shares ... object has an ACL that ... authority to access that object.
The logon process defines the ... to the ... user can access. Permissions define the operations ... often, the operations the programs can perform on ...
Windows NT manages access control by assigning ... In Windows NT terminology, an access token is the ... security identifiers (which are ...) to which the user belongs. ... the security manager on the computer sharing ... the access control list of the requested object. If one ... in the security token matches an access control ... access. For example, suppose a user ... members of the engineering group do ... is a member of the engineering ... Windows NT assigns the user an access token (i.e., a representation of ... group to which the user belongs) ... compares the individual SIDs ... in the access control list (locks) to ... to access the object.
... object, they contain attributes ... to the system and provide their services. Attributes in the access token include:
  SIDs representing the logged-on user's ... group memberships
  permissions allowed for the user
... unique security identifiers for each user and group in the user accounts ... SIDs are unique; if an account ... it does not retain the same ... never be repeated, so the system ... from the other.
... and access control entries (ACEs) are ... covered ... allows the specific ... if the user is attempting to ... The password is ...
Permission     Directory  Files          Description
No Access      None       None           No access to files and directories
List           RX         Not specified  List directory contents; change to subdirectories; no access to files unless granted explicitly
Read           RX         RX             List directory contents; change to subdirectories; read data from files
Add            WX         Not specified  Create subdirectories; create files; no access to existing files unless granted explicitly
Add & Read     RWX        RX             List directory contents; read data from files (Add plus Read)
Change         RWXD       RWXD           List directory contents; change to subdirectories; delete subdirectories; create subdirectories; read data from files; create and modify files; execute programs; delete files
Full Control   All        All            All directory permissions; all file permissions; change permissions; take ownership

NTFS is the only file system that ... that treats each file and ... attributes that are stored with the object, such as ... of an object or part of ... allowed to access an object (as ... concept, there are additional levels of control.
... a user's identity, is the ... will facilitate access to ...
... impact any types of system and should be addressed ... training and awareness programs.

... the account exists, the password ... is run ... for the session. Changes to a user's ...
From the console ... anonymous logon to the ... Since the account is a member ... in case it is accidentally enabled. The ... if it is enabled and has no password.
..., and groups should be created to give users ... Assign permissions to groups and allow access ... by making them members of the appropriate groups. Groups are normally based on ... organizational functional units (marketing) ... before creating shares because permissions can be assigned ... once the groups already exist.
... requires that consistent and coherent naming ... A naming convention has the following three characteristics: ... easy to understand. If users don't understand the naming convention, they ... The naming convention should be able to construct an object name ... For users, the name may include their full name and function; for a printer, the name may include the model number and connection, its location in the building, and the kind of work the printer ... Names should have obvious and meaningful relationships with ... If ... represent printers, then names should ... (LaserJet III printer on the ... floor). If objects are users, ... the name JAS ... to determine that it corresponds to John A. ...
Naming conventions that produce meaningful names for objects are fairly easy; ... conventions that translate easily in both directions are more difficult.
Securing resources from unauthorized access. There are two approaches: the optimistic approach, in which users are allowed maximum permission to access information ... except in areas in which information should not be available to them; and the pessimistic approach, wherein users are allowed to access only the information they need to ... The nature of the organization and the work it performs ... which method to choose. For example, governments follow the pessimistic approach because access to their information could pose a security risk to their ...; most medium to small businesses use the optimistic approach because ... that would be useful to anyone outside their organization.

Share permissions:
No Access     Prevents access to the shared directory regardless of other allowed permissions.
Read          Allows viewing of contained files and directories, loading of files, and executing ...
Change        Read permissions plus creating, deleting, and changing contained directories and files.
Full Control  Change permissions plus changing file system permissions and taking ownership.

Directory permissions:
No Access     Prevents any access to the directory and ...
...           ... level full control.
...           Allows viewing and browsing the directory ...
...           ... or directory permissions.
... defines access ... combined permissions ... securing files. Use ... file system security ... should be reserved for sharing ... such as ...

e forced toc h ~ ~ ~

ass~ordsa userm ~ srQtate


t amo~~.
~ i ~ u assw
r nword assword
Agenever
expires
Expires in x days

Allow changes immediately


Allow changesin x days

elmit blank
password r dleast six ch~acters
~ a s s ~ o at
At leastx c h ~ a ~ t e r s

assw word Uniqueness o not


keep
password
history b ~assrwords
e ~ e ~ten
e m e ~ b exr passwords

Account Lockout N o account lockout Account lockout selected


Accou~tlockout

A~countLockout Lockoutafter x bad logonattemptsLockoutafterthree bad l o ~ o n


attei~pts

Account Lockout eset count afterx ~ n u t e s


~o~rs)

Lockout ~uration rever


(until a d ~ nunlocks)
. Select
forever
uration n ~ n u t e s

Forcibly
disconnect
remote
elected Tied to logon hoursspeci~edwhen
users from sewer when
logon Not selected user account was created
hours expire

Users must log on in order to Selected Select


change password
Not selected

*Sixty days would be ap e ~ i s s i b l epassword change rate onlyif strong passwordsare imple~ented.Strong passwordsmay only be imple-
mented under~ i n d oNT ~ s4.0 at the domain controller. Strong passwords may be i~plementedusing the p sr;R II.dl I program available
under service pack2 oftVindows NT 4.0. The strong passwords providedby p ~ s s f i l t . ~arlel further describedin the section on password
filtering.
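An audit routine that compares an account policy against the recommended column of the table above, including the footnote's condition on the 60-day password age, as an added example that is not the book's code; the dictionary keys are my own names for the policy fields and both sample policies are constructed.

```python
# Account-policy audit against the recommended column of the table above.
# Added example, not the book's code; the dictionary keys are my own names for
# the policy fields and the sample policies are constructed.

RECOMMENDED = {
    "max_password_age_days": 60,   # permissible only with strong passwords (see footnote)
    "min_password_length": 6,
    "password_history": 10,
    "lockout_threshold": 3,
}


def audit_account_policy(policy):
    """Return a list of findings; an empty list means the policy matches the table.

    Expected keys:
      max_password_age_days  int, or None for "password never expires"
      min_password_age_days  int, 0 meaning "allow changes immediately"
      min_password_length    int, 0 meaning "permit blank password"
      password_history       int, 0 meaning "do not keep password history"
      lockout_threshold      int, or None for "no account lockout"
      lockout_forever        bool, True when the lockout lasts until an admin unlocks
      force_disconnect_when_hours_expire  bool
      must_logon_to_change_password       bool
      strong_passwords_enforced           bool, True when passfilt.dll is in use on the DC
    """
    findings = []
    age = policy.get("max_password_age_days")
    if age is None:
        findings.append("maximum password age: passwords never expire")
    elif age > RECOMMENDED["max_password_age_days"]:
        findings.append(f"maximum password age: {age} days exceeds {RECOMMENDED['max_password_age_days']}")
    elif age == RECOMMENDED["max_password_age_days"] and not policy.get("strong_passwords_enforced", False):
        findings.append("maximum password age: 60 days is permissible only when strong passwords are enforced")
    if policy.get("min_password_age_days", 0) == 0:
        findings.append("minimum password age: changes allowed immediately")
    if policy.get("min_password_length", 0) < RECOMMENDED["min_password_length"]:
        findings.append("minimum password length: fewer than six characters permitted")
    if policy.get("password_history", 0) < RECOMMENDED["password_history"]:
        findings.append("password uniqueness: fewer than ten passwords remembered")
    threshold = policy.get("lockout_threshold")
    if threshold is None:
        findings.append("account lockout: not enabled")
    elif threshold > RECOMMENDED["lockout_threshold"]:
        findings.append(f"account lockout: after {threshold} bad logon attempts, recommended three")
    if threshold is not None and not policy.get("lockout_forever", False):
        findings.append("lockout duration: not 'forever'; locked accounts should need an administrator to unlock")
    if not policy.get("force_disconnect_when_hours_expire", False):
        findings.append("remote users are not forcibly disconnected when logon hours expire")
    if not policy.get("must_logon_to_change_password", False):
        findings.append("users are not required to log on in order to change password")
    return findings


# Constructed samples: the default column and the recommended column of the table.
DEFAULT_POLICY = {
    "max_password_age_days": None,
    "min_password_age_days": 0,
    "min_password_length": 0,
    "password_history": 0,
    "lockout_threshold": None,
    "lockout_forever": False,
    "force_disconnect_when_hours_expire": False,
    "must_logon_to_change_password": False,
    "strong_passwords_enforced": False,
}

RECOMMENDED_POLICY = {
    "max_password_age_days": 60,
    "min_password_age_days": 1,
    "min_password_length": 6,
    "password_history": 10,
    "lockout_threshold": 3,
    "lockout_forever": True,
    "force_disconnect_when_hours_expire": True,
    "must_logon_to_change_password": True,
    "strong_passwords_enforced": True,
}

if __name__ == "__main__":
    for finding in audit_account_policy(DEFAULT_POLICY):
        print("FINDING:", finding)
```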
User Right                                  Default Groups
Access this computer from network           Administrators, Everyone
Add workstations to domain                  No default group
Back up files and directories               Administrators, Backup Operators, Server Operators
Change the system time                      Administrators, Server Operators
Force shutdown from a remote system         Administrators, Server Operators
Load and unload device drivers              Administrators
Log on locally                              Account Operators, Administrators, Backup Operators, Print Operators, Server Operators
Manage auditing and security log            Administrators
Restore files and directories               Administrators, Backup Operators, Server Operators
Shut down the system                        Account Operators, Administrators, Backup Operators, Print Operators, Server Operators
Take ownership of files or other directories  Administrators

... processes (such as launching applications) ...

... differs from the other policies in that these settings are managed through the System Policy Editor, which was introduced in Windows NT 4.0. It is a convenient way to edit system policies that were previously ...
Directory    Contents                                                    Access
Admin        Files private to members of the Admin department
...          Installed applications to be run from the server
...          Files common to everyone in the domain
Engineering  Files private to the Engineering global group
Finance      Files private to the Finance global group
Marketing    Files private to the Marketing global group
Research     Files private to the Research global group
...          Applications that can be installed off the network onto local computers
temp         Files used by Windows NT and server-resident software      No access is necessary. This directory is not shared.
...          User container for subdirectories private to each user
...          The system directory containing Windows NT                 No explicit access is necessary. This directory is not shared.

... directory is now shared in ... permissions are not available in the ... for that ... drive.

... department in an organization ... each ... access. This ...

Group              Type    Description
Account Operators  Local   Members can administer domain user and group accounts.
Administrators     Local   Members can fully administer the server and the domain.
Backup Operators   Local   Members can bypass file security to archive files.
Domain Admins      Global  Members can administer domain accounts and computers in the domain.
...                Global  ... rights to all domain resources.
Domain Users       Global  All domain users are part of this group.
Guests             Local   Members have Guest access to the domain. This group should remain empty.
Print Operators    Local   Members can administer domain printers.
Replicator         Local   A special group for directory replication.
Server Operators   Local   Members can administer domain servers.
Users              Local   Server users.

... in the input box, ... users are accounts that ... do not have an account. The Guest account ... in these ... in unknown passwords. As with the ... field displays asterisks. ... are both checked. ... typical users. ... account, but it cannot be set. ... the user can log on to the network ... expiration date and the account type.
User accounts are administered with the User Manager for Domains administrative tool. The following illustration shows the process of creating ... The illustrations in this chapter assume that you have already ... the system, delete the user's account instead ... permissions so ... all user preferences and ... system before deleting the account.
The process for deleting a user account is as follows: ...
User environment profiles allow the change of so... the users that are logged ... file location based on the current user or to map a drive letter to a user's ... on a server if the person is logging on to a network. User environment profiles also allow you ... as each user logs on. This batch ... drive mappings or for any other p... Do not use user environment profiles ... unless the profile somehow depends on the user's name. The ... method for running programs automatically. ... in the text box. Replace the ... creates a new share and the user directories ... between volumes during ... secure environment. ... taking up too much space. ... path function works
220 WINDOWS NT SERVER: SECURITY FEATURES

Profiles
User profiles control Windows NT features such as desktop colors and settings, program
groups and start menu settings, and network connections. Because these settings are dif-
ferent for each user, storing them separately allows users to customize and control their
Windows NT environment. Bob will always log on to the same environment, even if Susan
changes her wallpaper.

Local
Windows NT stores each user’s settings in special directories contained in the Profiles di-
rectory under your Windows NT system WINNT_ROOT directory. Each user's local profile
is stored in a subdirectory named after the user. These directories contain all user-specific
settings. A special directory called All Users stores the settings that are global to all users.
Each profile contains many subdirectories. Applications such as Word and Excel
store user preferences in the Application Data subdirectory so that shared copies of these
applications can maintain different customized features for each user. NetHood contains
persistent network connections. Many other directories may exist and contain other settings
such as Start menu programs and program groups.

Roaming
Roaming profiles are stored like the local profiles, except that they are stored on a Windows
NT Server. Storing one profile on the server, instead of storing a local profile on each of the
Windows NT computers that you use, means that changes to your environment will be in
effect for all the computers you use rather than just the one on which you made the change.
When specifying a roaming profile in the user settings for your user account, the pro-
file is downloaded from the server every time you log on. Changes you make are then sent
back to the server so that they will still be in effect the next time you log on and download
the profile. Windows NT profiles affect only Windows NT. Logging on to a Windows 95
computer will not bring down the Windows NT roaming profile.
You may want each user’s home directory to contain the user’s profile. The
%username% environment variable can be used when creating User Directories to
automate this process (see the list discussed earlier on the steps to create a user directory).
To create a roaming profile, follow these steps:
1. Select Start → Programs → Administrative Tools → User Manager for Domains.
2. Double-click Administrator.
3. Click Profile.
4. Type \\name-of-your-server\winnt\profiles in the User Profile Path input box.
(Replace name-of-your-server with the share name of your server and replace
winnt with the name of your Windows NT directory share name.) If your Windows
NT directory is not shared, use the following path: \\name-of-your-
server\c-drive-share\winnt\profiles.
5. Click OK to close the User Profiles window.
6. Click OK to close the User window.
7. Close the User Manager for Domains.
8. Log on as Administrator on another Windows NT machine in the domain to observe
the results.

SUMMARY
Just as providing service to network users is the primary purpose of a network, creating a
coherent, secure, and useful user environment is the primary function of network adminis-
tration. Windows NT Server creates such an environment by using group accounts, security
permissions, user rights and policies, and network shares.
Effective groups make administering large numbers of users easy. Rather than as-
signing permissions to individual users, you can assign rights to groups and simply indicate
membership in different groups for each user. Windows NT will manage the combinations
of rights for users with multiple group memberships.
Security keeps resources from being exposed to unauthorized access. An optimistic
security policy allows maximum access to information and secures only specific informa-
tion. A pessimistic security policy secures all resources and grants access only where nec-
essary. Both approaches are valid, and the choice will depend on the physical security en-
vironment. Windows NT supports two types of secured resources: network shares and file
system objects. File system objects provide more control over security than shares do.
When resolving conflicting file system and share restrictions, Windows NT chooses the
most restrictive permission.
Policies are the general security characteristics of Windows NT. Policy changes af-
fect the entire system, not just individual users or groups. Windows NT implements four
types of policies: Account Policies control access to user accounts, User Rights permit or
restrict security-related activities, Audit Policy controls the auditing of user activity, and
System Policy controls all other security-related system settings.
Setting specific permissions for many users of a network can be an error-prone and
time-consuming exercise. Most organizations do not have security requirements that
change for every user. Setting permissions is more manageable with the security groups
concept, in which permissions are assigned to groups rather than to individual users. Users
who are members of a group have all the permissions assigned to that group. Windows NT
implements two types of groups: those local to the machine and those global to the domain.
Global groups are stored on the primary domain controller and replicated to all backup do-
main controllers.
User accounts allow you to control security on a per person basis. Every person who
accesses a Windows NT domain receives a user account through which identity is estab-
lished to the network and by which permissions to resources are granted. Windows NT also
provides two types of user accounts: accounts local to the machine and accounts global to
the domain. As with groups, global accounts are stored on the primary domain controller
and backed up to the backup domain controllers. User accounts can have logon scripts,
home directories, and roaming user preference profiles to allow users to work comfortably
at any computer in the network.
DOMAINS AND TRUST
A domain is a set of computers with a central security authority, the primary domain controller
(PDC), that grants access to a domain. Usually a domain also contains one or more backup
domain controllers (BDCs) that provide distributed authentication services to continue
authentication services in the event of failure in the PDC as well as load balancing for au-
thentication services. As a rule many types of systems may join a domain, but the PDC and
the BDC must be Windows NT systems because of the compartmentalized security they can
offer. A domain can be set up to ease viewing and access to resources, to share a common user
account database and common security policy, and to allow administrators to enforce a com-
mon security stance across physical, divisional, or corporate boundaries. Once users are au-
thenticated to the domain, using either the PDC or a BDC, they can gain access to the re-
sources of the domain, such as printing and file sharing, or access to applications across all of
the servers within the domain. This concept of a domainwide user account and password elim-
inates the need for every machine to provide its own authentication service. Instead, the au-
thentication processes are passed through to the domain controllers for remote authentication
against that user account database. This allows machines to be dedicated to servicing indi-
vidual applications or programs without the overhead of authentication.
The primary function of the PDC is to maintain the security database. A read-only
copy of this database is replicated to each BDC on a regular basis to maintain consistency
in the environment. Because of the importance of maintaining the security database on the
PDC and BDC, strict logical and physical access controls should be implemented.
Trusts are one-way relationships that can be set up between domains to share re-
sources and further ease administration. These relationships allow a user or groups to be
created only once within a set of domains yet access resources across multiple domains.
There are a number of trust models used to configure domains. The first is the single do-
main model with only one PDC and, by definition, no trust relationships (see Exhibit 5.10).
The next model is the master domain model for companies who desire centralized se-
curity administration. In this configuration, all domains, known as user or resource do-
mains, trust the master domain. The master domain maintains security resources for all of
the domains within this structure. This configuration can support up to 15,000 users. There
is one trust relationship for every domain that trusts the master domain (see Exhibit 5.11).
The multiple master domain model is designed for larger organizations that desire
some centralized security administration. With more than one master domain, administra-
tion needs increase as a result of the need to create all network accounts on each master do-
main. The two master domains in this case trust each other, while the resource domains have
one trust relationship with each of the master domains (see Exhibit 5.12).

Exhibit 5.10 Single Domain Model

Exhibit 5.11 Master Domain Model

Exhibit 5.12 Multiple Master Domain Model

Finally, there is the complete trust model. This is designed for larger companies that
desire totally decentralized security administration. This configuration presents considerable
... domains have two-way trust relationships with each other. This concept essentially
... peer-to-peer domains (see Exhibit 5.13).

... protocols but also is compliant ... One of the top considerations ... protocols to install and use. Pro...
A major challenge faced by operating system vendors is how to make a secure, standard ... product while possibly relying on old, insecure protocols. This has been an ongoing ... for all operating system vendors. Essentially, Windows NT does not attempt to ... weaknesses in any protocol. Compensating controls, such as the use of link- or application-level encryption, may be a necessary addition for security-conscious organizations.

As its use across business and industry increases, Windows NT Server has come under more scrutiny than ever regarding possible security flaws and holes. Exhibit 5.14 examines various attacks on the Windows NT Server operating system and the defenses put in place to mitigate them.
Windows NT has been vulnerable to various Denial of Service (DoS) and other attacks that attempt to retrieve sensitive information or attempt to gain access with permissions beyond those that the attackers own. To provide a secure environment, Microsoft releases fixes in the form of patches and service packs. After being notified of the ..., Microsoft issues fixes. Exhibit 5.14 lists some of the more widespread ... identified and the associated fix that has been released.
Attack / Defense

Attack: Anonymous User Connections (red button) is used to gain information regarding the administrative account and the network shares that are available.
Defense: Insert a key into the registry that prevents the anonymous user from making a network connection to the server:
  HKLM\System\CurrentControlSet\Control\Lsa
  Name: RestrictAnonymous
  Type: REG_DWORD
  Value: 1

Attack: Remote Registry Access attempts to gain access to the registry, either to retrieve passwords or to change system settings.
Defense: Remote registry access is prevented in Windows NT Server version 4.0 by the addition of a Registry key. This key is present by default in a new installation of Windows NT Server 4.0 but is not present by default in Windows NT Workstation 4.0. It may also not be present in a computer that has been upgraded from Windows NT Server 3.51.
  HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg

Attack: Password Theft and Cracking is an attempt to capture hashed passwords and crack them in order to gain further access to a system.
Defense: Increase password encryption in the SAM by applying the features of SP3. Remove anonymous access to the system and tighten registry security.

Attack: Weak and Easily Guessed Passwords.
Defense: Enforce a strong password policy from the domain controller using passfilt.dll. Passfilt.dll is available from Service Pack 2 onward.

Attack: Rollback ... configuration back to installation settings.
Defense: Rollback may be used as a Trojan horse, and it should be deleted from all systems.

Attack: GetAdmin. The GetAdmin program was recently released from a Russian source. GetAdmin allows a regular user to get administrative rights on the local machine. A follow-on to GetAdmin that may bypass the hot fix has just been released.
Defense: A security hotfix to patch both GetAdmin and the follow-on issue has been released by Microsoft.

Attack: Services running under System context could be used to gain access to the registry and other parts of the system as "..."
Defense: Run services as accounts other than System wherever possible.

Attack: Unsecured file system access using either a DOS- or Linux-based tool gives access to the NTFS file system without any security controls.
Defense: Physically secure the server to prevent access to the diskette drive.

Attack: Server Message Block (SMB) NetBIOS access. These access ports that are required for file sharing may present an access path, especially when exposed to the Internet or when used in conjunction with a Unix server running the Samba toolset.
Defense: Apply Service Pack 3 and disable TCP and UDP ports 137, 138, and 139 on any server connected to an outside network.

Denial of Service

Attack: Telnet to unexpected ports can lead to locked systems or increased CPU usage. Telnet expects connections to be made to port 23 only.
Defense: Apply Service Pack 2 or 3. By default, Windows NT does not support a telnet daemon.

Attack: The Ping of Death (large ping packet). An attack that has affected many major operating systems has also been found to affect Windows NT. The Ping of Death is caused by issuing ping packets larger than normal size. If someone was to issue the ping command, specifying a large packet size (> 64 bytes), the TCP/IP stack will cease to function correctly. This effectively takes the system off-line until rebooted. Most implementations of ping will not allow a packet size greater than the 64-byte default; however, Windows 95 and NT do allow this exception and can therefore cause or be vulnerable to such a system denial.
Defense: This problem was resolved in SP2.

Attack: A recent version of this problem has affected Windows NT Server version 4.0 SP3 systems that run IIS and are exposed to the Internet. This was due to a fragmented and improperly formed ICMP packet.
Defense: A new hot fix has been released, post-SP3, called the icmp-fix.

Attack: SYN Flood Attack. A flood of TCP connection requests (SYN) can be sent to an IIS server that contains "spoofed" source IP addresses. Upon receiving the connection request, the IIS server allocates resources to handle and track the new connections. A response is sent to the "spoofed" nonexistent IP address. Using default values, the server will continue to retransmit and eventually deallocate the resources that were set aside earlier for the connection 189 seconds later. This effectively ties up the server, and multiple requests can cause the IIS server to respond with a reset to all further connection requests.
Defense: Service Pack 2 provides a fix to this vulnerability.

Attack: Out of Band Attacks. Out of Band (OOB) attacks, in which data is sent outside the normal expected scope, have been shown to affect Windows NT. The first OOB attack was identified after Service Pack 2 (SP2), and a patch was released that was also included in SP3. This attack caused unpredictable results and sometimes caused Windows NT to have trouble handling any network operations after one of these attacks. Since the release of SP3, another problem has been identified in the network driver that caused Microsoft networking clients to remain vulnerable to variations of the OOB attack, coming from the Apple Macintosh environment. The OOB attack crashes the TCP/IP protocol stack, forcing a reboot of Windows NT. A subsequent hot fix was released to counter this attack.
Defense: Apply Service Pack 3 and the subsequent OOB-fix.
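A way to verify the two registry defenses in Exhibit 5.14 (RestrictAnonymous under Control\Lsa and the SecurePipeServers\winreg key) from a REGEDIT4-format export of the System hive, as an added example that is not the book's code; the two sample exports are constructed, and the parser only handles the single-line value forms shown in them.

```python
# Audit a REGEDIT4 registry export for the anonymous-connection and remote-registry
# defenses in Exhibit 5.14. Added example, not the book's code; the sample exports
# below are constructed. Continuation lines of long hex values (trailing
# backslash) are not handled, which is enough for these two keys.
import re

KEY_RE = re.compile(r"\[(.+)\]")
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)"|(hex.*))')

LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
WINREG_KEY = r"hkey_local_machine\system\currentcontrolset\control\securepipeservers\winreg"


def parse_reg(text):
    """Return {key_path (lowercase): {value_name (lowercase): (type, value)}}.

    Keys with no values still appear in the result, so key *presence* can be
    checked, which is what the winreg defense relies on.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = KEY_RE.fullmatch(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.fullmatch(line)
        if m and current is not None:
            name, dword, string, hexval = m.groups()
            if dword is not None:
                keys[current][name.lower()] = ("dword", int(dword, 16))
            elif string is not None:
                keys[current][name.lower()] = ("string", string)
            else:
                keys[current][name.lower()] = ("hex", hexval)
    return keys


def audit_registry_export(text):
    """Return the list of findings for the two Exhibit 5.14 registry defenses."""
    keys = parse_reg(text)
    findings = []
    restrict = keys.get(LSA_KEY, {}).get("restrictanonymous")
    if restrict is None:
        findings.append("RestrictAnonymous is not set under Control\\Lsa: anonymous connections can enumerate the server")
    elif restrict != ("dword", 1):
        findings.append(f"RestrictAnonymous is {restrict[1]}, expected REG_DWORD 1")
    if WINREG_KEY not in keys:
        findings.append("SecurePipeServers\\winreg key is absent: remote registry access is not restricted")
    return findings


# Constructed sample: an export from a server that still has the defaults of an
# upgraded installation (RestrictAnonymous off, no winreg key).
UNHARDENED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers]
"""

# Constructed sample: the same hive after both defenses have been applied.
HARDENED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]
"Description"="Registry Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths]
"""

if __name__ == "__main__":
    for label, export in (("unhardened", UNHARDENED_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit_registry_export(export) or "no findings")
```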
... Defense Department's Arpanet, which was first created in the ... traffic was allowed on it for the first time. With commercial use and the subsequent development of the hypertext transport protocol and the World Wide Web that uses it, companies began to connect their corporate WANs to the Internet. ... visible connectivity and accessibility to corporate networks by large numbers of people have created a number of changes in corporate views of data security. The primary ... is one of awareness. In a very short time, nontechnical people started talking about ... They also started asking about the security of their connections. The hype and misinformation surrounding the Internet's features and risks have created the need for technology solutions and education about technology and security. Anyone can become a content publisher almost overnight. Sharing data with employees, strategic partners, customers, and even competitors has become very easy to do. Naturally, this introduces or enhances the risks to an organization's data.

The addition of Internet Information Server (IIS) to the base Windows NT operating system ... Windows NT Server with new functionality as well as exposing Windows NT to the risks of the Internet. IIS is integrated with the Windows NT operating system ... an alternative to expand NT Servers to Web servers for the intranet and the Internet. ... includes standard TCP/IP servers for FTP and Gopher. This Web client-server ... a method to utilize Windows NT to provide information to people on the internal network as well as on the Internet.
There are well-known security risks associated with the Internet, and IIS allows Windows NT to be exposed to them. However, because IIS is coupled with Windows NT Server, it allows for the use of the security features found in the operating system. ... applications and protocols have been developed in an attempt to limit ... A few of these applications and protocols have been explored in ... sections as an example of Microsoft's role in Internet technologies. As always, any system exposed to the Internet should be protected using multiple layers of security.

Proxy Server offers features such as site filtering, access control, request logging, multiple Internet protocol support, caching, and remote administration. This application also integrates with the Windows NT operating system. The Proxy Server is an optional product, not included with the base operating system.
The Proxy Server assists in preventing network penetration by masking the internal network from other external networks. Client requests can be verified to be sure that they are coming from the internal network. IP packets with destination addresses not defined are ... using computers on the internal network. This helps to prevent spoofing. ... can limit access to specified network addresses, address ranges, subnet masks, or Internet domains. The Proxy Server provides two levels of activity or security logging. User-level authentication is provided between the client and Proxy Server. ... lines and the Internet, eliminates the need for expensive, leased-line or dedicated connections ... servers because ... can be used over ...

The registry is a combination of the configuration of hardware and software. There are five subtrees in the registry. The subtrees and their purposes are as follows:

* HKEY_LOCAL_MACHINE keeps all the configuration information for the specific machine.
* HKEY_USERS keeps the information of each user who has ever logged on the machine.
* HKEY_CLASSES_ROOT contains information pertaining to file associations.
* HKEY_CURRENT_USER contains information pertaining only to the current user.
* HKEY_CURRENT_CONFIG contains information pertaining to the current hardware configuration.

When a user changes hardware, the user is changing the registry. Front-end tools should be used to change the registry rather than editing it directly, to help prevent users and others from causing problems for the system by changing registry values, inadvertently or otherwise. All users must have read access to parts of the registry in order to function in the Windows NT environment, but only administrators should be able to change all registry values or make new registry entries.

The registry supports three types of access permissions:

* Full Control. Users can edit, create, delete, or take ownership of keys.
* Read. Users can read any key value but make no changes.
* Special Access. Users can be granted one or more of ten specific rights to a specific key. These ten specific rights are listed in Exhibit 5.15.

Query Value: Read the settings of a value entry in a subkey
Set Value: Set the value in a subkey
Create Subkey: Create a new key or subkey within a selected key or subkey
Enumerate Subkeys: Identify all subkeys within a key or subkey
Notify: Receive audit notifications generated by the subkey
Create Link: Create symbolic links to the subkey(s)
Delete: Delete selected keys or subkeys
Write DAC: Modify the discretionary access control list (DAC) for the key
Write Owner: Take ownership of the selected key or subkey
Read Control: Read security information within the selected subkey

The following techniques should be used for securing the registry:

* Disable remote registry editing by verifying the existence of, or creating, the appropriate registry key.
* Secure the root keys as shown in Exhibit 5.16.
* Secure registry subkeys to limit the access of the Everyone group as shown in Exhibit 5.16, using the following keys and subkeys:

Registry Key / Default Setting / Recommended Setting

HKEY_LOCAL_MACHINE
  Default: Administrators: Full Control; System: Full Control; Everyone: Read
  Recommended: Administrators: Full Control; System: Full Control; Everyone: Read

HKEY_CLASSES_ROOT
  Default: Administrators: Full Control; Creator/Owner: Full Control; System: Full Control; Everyone: Read
  Recommended: Administrators: Full Control; Creator/Owner: Full Control; System: Full Control; Everyone: Special Access (defined following)

HKEY_USERS
  Default: Administrators: Full Control; System: Full Control; Everyone: Read
  Recommended: No Change

HKEY_CURRENT_USER
  Default: Administrators: Full Control; System: Full Control; User: Full Control
  Recommended: No Change

HKEY_CURRENT_CONFIG (Windows NT 4.0 only)
  Default: Administrators: Full Control; System: Full Control; User: Full Control
  Recommended: No Change

* Allow special access only to the Everyone group with only four of the ten permissions: Query Value, Enumerate Subkeys, Notify, and Read Control.

WARNING: Using the Registry Editor incorrectly can cause serious, systemwide problems that may require reinstallation of Windows NT. Microsoft cannot guarantee that any problems resulting from the use of the Registry Editor can be solved. Use this tool at your own risk.
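The Exhibit 5.16 baseline can be checked mechanically. The following added example (not from the book) models a root key's permissions as a mapping from principal to permission and reports every entry that exceeds the recommended setting; the ACLs it checks are constructed, and "Read" and the four-right special access are treated as the same right set because that is what they grant.

```python
"""Check Windows NT registry root-key permissions against Exhibit 5.16.

Added example, not from the book. An ACL is a dict of principal -> permission,
where a permission is a named type ("Full Control", "Read", "Special Access")
or an explicit set of the ten specific rights of Exhibit 5.15. Sample ACLs
below are constructed rather than dumped from a real system.
"""

# The ten specific registry rights (Exhibit 5.15).
ALL_RIGHTS = frozenset({
    "Query Value", "Set Value", "Create Subkey", "Enumerate Subkeys", "Notify",
    "Create Link", "Delete", "Write DAC", "Write Owner", "Read Control",
})
# The only four rights the text allows Everyone under "Special Access".
EVERYONE_SPECIAL = frozenset({"Query Value", "Enumerate Subkeys", "Notify", "Read Control"})
# Named permission types expanded to specific rights. NT's "Read" permission
# grants exactly the same four rights as the Everyone special-access set.
NAMED_PERMISSIONS = {
    "Full Control": ALL_RIGHTS,
    "Read": EVERYONE_SPECIAL,
    "Special Access": EVERYONE_SPECIAL,
}
# Recommended setting per root key (Exhibit 5.16); "No Change" rows use the default.
BASELINE = {
    "HKEY_LOCAL_MACHINE": {"Administrators": "Full Control", "System": "Full Control",
                           "Everyone": "Read"},
    "HKEY_CLASSES_ROOT": {"Administrators": "Full Control", "Creator/Owner": "Full Control",
                          "System": "Full Control", "Everyone": "Special Access"},
    "HKEY_USERS": {"Administrators": "Full Control", "System": "Full Control",
                   "Everyone": "Read"},
    "HKEY_CURRENT_USER": {"Administrators": "Full Control", "System": "Full Control",
                          "User": "Full Control"},
    "HKEY_CURRENT_CONFIG": {"Administrators": "Full Control", "System": "Full Control",
                            "User": "Full Control"},
}


def expand(permission):
    """Turn a named permission or an explicit set of rights into a frozenset of rights."""
    if isinstance(permission, str):
        return NAMED_PERMISSIONS[permission]
    unknown = set(permission) - ALL_RIGHTS
    if unknown:
        raise ValueError(f"unknown registry rights: {sorted(unknown)}")
    return frozenset(permission)


def audit_root_key(key, acl):
    """Return findings for one root key's ACL; an empty list means compliant.

    Findings: a principal holding rights beyond the baseline, a principal the
    baseline does not list holding any rights, or a baseline principal missing
    altogether (which would lock out Administrators or System).
    """
    baseline = BASELINE[key]
    findings = []
    for principal, permission in acl.items():
        granted = expand(permission)
        if principal not in baseline:
            findings.append(f"{key}: unexpected principal {principal} holds {sorted(granted)}")
            continue
        excess = granted - expand(baseline[principal])
        if excess:
            findings.append(f"{key}: {principal} exceeds baseline by {sorted(excess)}")
    for principal in baseline:
        if principal not in acl:
            findings.append(f"{key}: required entry for {principal} is missing")
    return findings


if __name__ == "__main__":
    # Constructed sample: HKLM at its default, HKCR with an over-permissive
    # Everyone entry and a stray Users entry.
    sample = {
        "HKEY_LOCAL_MACHINE": {"Administrators": "Full Control", "System": "Full Control",
                               "Everyone": "Read"},
        "HKEY_CLASSES_ROOT": {"Administrators": "Full Control", "Creator/Owner": "Full Control",
                              "System": "Full Control",
                              "Everyone": {"Query Value", "Set Value", "Create Subkey"},
                              "Users": "Read"},
    }
    for key, acl in sample.items():
        for line in audit_root_key(key, acl) or [f"{key}: matches Exhibit 5.16"]:
            print(line)
```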

Windows NT is designed to provide an operating system that can be used in many types of implementations, from local application servers and LAN file servers to remote access servers and Internet/intranet Web servers. Windows NT has features for security designed to provide the user with choices of a limited or extensive control implementation, depending on the business needs. Exhibit 5.17 lists the features and their descriptions that either control or implement security.
Exhibit 5.17

LSA. The LSA is also referred to as the security subsystem and is the heart of the Windows NT Server subsystem. The LSA provides the following services:
* Creates access tokens during the logon process
* Enables Windows NT Server to connect with third-party validation packages
* Manages the security policy
* Controls the audit policy
* Logs audit messages to the event log

SAM. The SAM maintains the security account database. SAM provides user validation services that are used by the LSA. SAM provides a security identifier for the user and the security identifier of any groups that the user is a member of.

SAD. The SAD contains information for all user and group accounts in a central location. It is used by the SAM to validate users. Duplicate copies of the SAD can reside on multiple servers depending on whether a workgroup or domain model is implemented and the type of domain model implemented. Passwords stored in the SAD are stored using a 128-bit cryptographically strong system key.

SIDs. SIDs are created by the security account manager during the logon process. They are retired when an account is deleted. If an account name was created with the same name as an account that was previously deleted, the SID created will be different from the SID associated with the deleted account.

SRM. The SRM is the Windows NT Server component responsible for enforcing the access validation and audit generation policy held by the LSA. It protects resources or objects from unauthorized access or modification. Windows NT Server does not allow direct access to objects. The SRM provides services for validating access to objects (files, directories, and so on), testing subjects (user accounts) for privileges, and generating the necessary audit message. The SRM contains the only copy of the access validation code in the system. This ensures that object protection is provided uniformly throughout Windows NT, regardless of the type of object accessed.

Discretionary Access Controls. Discretionary access controls provide resource owners the ability to specify who can access their resources and to what extent they can be accessed.

Access Tokens. Access tokens are objects that contain information about a particular user. When the user initiates a process, a copy of the access token is permanently attached to the process.

ACLs. ACLs allow flexibility in controlling access to objects and are a form of discretionary access control. They allow users to specify and control the sharing of objects or the denial of access to objects. Each object's ACL contains access control entries that define access permissions to the object.

Logon Process. The interactive logon process is Windows NT Server's first line of defense against unauthorized access. In a successful logon, the process flows from the client system to the server system without exposing the user's password in clear text over the network. The entire logon process is described in an earlier section entitled "Logon Process."

Registry. The Windows NT Server registry is an access-controlled database containing configuration data for security, applications, hardware, and device drivers. The registry is the central point for storing these data. The registry contains all user profile information as well as the hashed user password.

Auditing. Windows NT Server auditing features record events to show which users access which objects, the type of access attempted, and whether or not the attempt was successful. Auditing can be applied to:
* System events such as logon and logoff, file and object access, use of user rights, user and group management, security policy changes, restarting and shutting down the system, and process tracking
* File and directory events such as read, write, execute, delete, changing permissions, and taking ownership
* Registry key access to subkeys
* Printer access events such as printing, taking full control, deleting, changing permissions, and taking ownership
* Remote Access Service events such as authentication, disconnection, disconnection due to inactivity, connection but failure to authenticate, connection but authentication time-out, disconnection due to transport-level errors during the authentication conversation, and disconnection due to inability to project onto the network
* Clipbook page events such as reading the page, deleting the contents of the page, changing permissions, and changing audit types
* Events of significance, which can be sent to security and systems staff

Logs. Three logs record system-, security-, and application-related events:
1. The system log records errors, warnings, or information generated by the Windows NT Server system.
2. The security log records valid and invalid logon attempts and events related to the use of resources such as creating, opening, or deleting files or other objects.
3. The application log records errors, warnings, and information generated by application software, such as an electronic mail or database application.
The size and replacement strategy can be modified for each of the logs. Each logged event's details can be displayed.

Process Isolation. Windows NT was designed to provide process isolation to prevent individual processes from interfering with each other. This is accomplished by providing each process with its own memory space with no access to any other process's memory. This segregation of memory is also designed to prevent data from being captured from the memory space.

There is an option to overwrite an individual user's swap or temporary disk space after logout to prevent anyone from reading that user's temporary files and data.

User Account Security. User account security policies are managed through the User Manager and consist of account policies and user rights policies.
* Account policy controls the way passwords must be used by all user accounts. The major account policy controls include minimum and maximum password age, minimum password length, password uniqueness, forcible disconnection beyond logon hours, and account lockout.
* User rights policy allows the granted user to affect resources for the entire system. The basic rights offered by Windows NT Server include access from a network, backing up, changing the system time, remote forcible shutdown, local logon, managing the audit and security log, restoring files, shutting down the system, and taking ownership of objects. Windows NT Server also contains many advanced rights. In total, there are twenty-seven rights that may be assigned to users.

Built-in Accounts. Windows NT Server offers two built-in accounts: the Guest account and the Administrator account. These accounts were created for specific uses and are by default members in a number of default groups. The Guest account is disabled by default.

User Properties. The user properties feature allows the administration of user accounts, passwords, password policies, group membership, user profiles, hours of logon, the workstations from which the user can log on, and the account expiration date. In addition, password filtering can be implemented to increase the strength of the password security policy.

User Profiles. User profiles enable the Windows NT server to structure and manage the user's desktop operating environment and present the identical environment without regard to the workstation. This file is loaded on logon. The user profile editor allows disabling Run in the File menu and disabling the Save Settings menu item, shows common groups, changes the startup group, locks program groups, restricts access to unlocked program groups, and disables connecting and removing connections in the Print Manager.

Home Directories. Home directories can be assigned to each user for storage of private files.

Logon Scripts. Logon scripts are executed on logon by a user. They provide the network administrator with a utility for creating standard logon procedures.

Groups. Groups allow an administrator to treat large numbers of users as one account. Windows NT Server utilizes two types of groups in its tiered administration model:
* Local groups are defined on each machine and can contain both user accounts and global groups. Windows NT supplies a number of built-in local group accounts.
* Global groups are defined at the domain level and can contain only user accounts from the local domain but not from trusted domains. Windows NT supplies several built-in global group accounts.

Network Models. In a Windows NT network environment it is possible to implement two different network models: the workgroup model or the domain model.
* The workgroup model allows peer-to-peer networking for NT machines that do not participate in a domain. Each Windows NT machine that participates in a workgroup maintains its own security policy and SAD.
* The domain model is an effective way to implement security and simplify administration in a network environment. The domain allows the sharing of a common security policy and SAD.

Trust Relationships. The domain model establishes security between multiple domains through trust relationships. A trust relationship is a link between two domains causing one domain to honor the authentication of users from another domain. A trust relationship between two domains enables user accounts and global groups to be used in a domain other than the domain where these accounts are located. Trusts can be uni- or bidirectional and require the participation of an administrator in both domains to establish each directional trust relationship.

Domain Controllers. Windows NT Server provides domain authentication service through the use of primary and backup domain controllers. If communications to the primary domain controller break, the backup domain controllers will handle all authentication. A backup domain controller may be promoted to a primary domain controller if necessary.

Replication. Windows NT Server uses replication to synchronize the SADs on various servers. This process is automatic. Replication is not restricted to the SAD but can be used to create and maintain identical directory trees and files on multiple servers and workstations. The replication feature contains a security tool to control the import and export of files and directories.

Server Manager. The Server Manager tool enables the following types of administrative activities:
* Display the member computers of a domain
* Select a specific computer for administration
* Manage server properties and services, including starting and stopping services, and generate alerts
* Share directories
* Send messages to systems
These administrative functions require administrative access.

NTFS. NTFS is the more secure of the two writable file systems supported by Windows NT Server. NTFS is the only file system to utilize the Windows NT file and directory security features. It is a log-based file system that offers recoverability in the event of a disk fault or system failure. The next major release of the operating system will provide an option for file-level encryption.

"he legal notice featureis provided to strengthen the legal liability


of in~vidualswho may attempt to access a system withou~
authorization. The feature displaysa message to the user &er the
C T ~ L ~ ~ L keystroke
T ~ ~ E combination
L during the logon process.
When the legal notice appears, the user must acknowledge the
notice by selecting theOK button in the message box presented.

Windows NI?Server has fault tolerance features that be canused


alone orin combination to protect data frompot en ti^ media
faults. These features are disk
~ ~ o r i ndisk
g , duplexing, disk
striping with parity, and sector hot-sparing.

The Tape Backup enables backing up and restoration of files and


directories. Backups can be full, incremental, d i ~ e r e n t icustom,
~,
or on a daily basis for those files changed on the of daythe
backup.
The lastknown good con~gurationfeature allows the restoration
of the system to the last working systemcon~guration.When
used, it discards any changes to thecon~gurationsince the last
working system configuration. This featureis automatically
updated after any system boot.

The emergency repair disk allows the restoration of the system to


its initial setup state. The emergency repair disk can beif used
system files are corrupt and the useris unable to recover the
previous startup configuration. Securing thee~ergencyrepair disk
is of utmost importance since it contains a copy of key pieces of
the security accounts database.

The Ul?S feature allows for the connection


of a batte~-operated
power supplyto a computer to keep the system ~ n n i n gduring a
power failure. TheUPS service forWi~dowsNT Server detects
and warns users of powerfailures and manages a safe system
shutdown when the backup power supply is about to fail.
E ~ h i ~5.17
it ( ~ o ~ ~ ~ ~ e ~ )
Network Monitor. The Network Monitor allows examination of network traffic to and from a server at the packet level. This traffic can be captured for later analysis, making it easier to troubleshoot network problems.

Task Manager. The Task Manager is a tool for monitoring application tasks and key performance measurements of a Windows NT Server-based system. Task Manager gives detailed information on each application and process running on the workstation, as well as memory and CPU usage. It allows for the termination of applications and processes.

Performance Monitor. The Performance Monitor tool enables monitoring of system capacity and prediction of potential bottlenecks.

Network Alerts. Alert messages can be sent to designated individuals. These messages can report on security-related events, such as too many logon violations, or on performance issues.

CryptoAPI. This set of encryption APIs allows developers to develop applications that will work securely over nonsecure networks such as the Internet.

Point-to-Point Tunneling Protocol (PPTP). PPTP provides a way to use public data networks, such as the Internet, to create virtual private networks connecting client PCs with servers. PPTP provides protocol encapsulation and encryption for data privacy.

Distributed Component Object Model (DCOM). Windows NT 4.0 includes DCOM, formerly known as Network OLE, which allows developers and solution providers to use off-the-shelf and custom-created OLE components to build robust distributed applications. Most importantly, it utilizes Windows NT Server's built-in security. It addresses a problem that was frequently associated with OLE applications trying to run as services under Windows NT: Windows NT Server's built-in security did not let OLE services communicate between applications because most applications are launched from a desktop running a different security context from the services. Using DCOM, Windows NT 4.0 now allows communication between different security contexts.

Windows NT Diagnostics. The Windows NT diagnostic tool is used to examine the system, including information on device drivers, network usage, and system resources.

Services Administration. The Service Manager enables the access and administration of network and operating system services.

Remote Access Services Administration Tools. The RAS administration tools control the remote connection environment. The following tools are used in the RAS configuration and administration process:
* Network Settings enables the installation and configuration of network software and adapter cards and the ports in which they reside.
* Network Configuration controls the RAS inbound and outbound protocols as well as encryption requirements. Each protocol has subsequent dialog boxes with configuration and control features.
* The Remote Access administration tool enables monitoring of ports, administration of remote access permissions, and configuration of any callback requirements.

Internet Information Server. IIS is an add-on to Windows NT 4.0. Integration of IIS with NT 4.0 allows IIS to have full use of NT 4.0 Server security and directory services. The integration supports logging server traffic to NCSA Common Log File Format as well as to any ODBC database. IIS provides Web, FTP, and Gopher services to the Windows NT system.

TCP/IP. Windows NT Server supports the TCP/IP protocol and IP address format. The TCP/IP Configuration tool administers TCP/IP as well as IP routing.

C2 Security. Windows NT Server's security features are designed to the C2 security standard.

The U.S. government wrote a series of manuals on computer security over the years, each with a different color of cover. This "Rainbow Series" of manuals describes how to design, build, choose, analyze, and operate a trusted system. The Orange Book was published in December 1985 and discussed what criteria to use to evaluate a trusted system. Other manuals were subsequently produced that expanded the general terms used in the Orange Book. They are the Red Book, which interprets the Orange Book with relation to networks, and the Blue Book, which interprets the Orange Book with relation to subsystems.

The Orange Book divides security into four divisions; class A is verified protection, and C2 is controlled access protection. The criteria define what a system must be able to do, and a system is evaluated against these criteria; C2 requirements include resource isolation and the ability of the system to enforce access controls to objects. For C2 certification, the source code of the system is available for review, as well as the overall development process. Some of the critical concepts to understand are:

* Out of the box, many operating systems (including Windows NT) are considered insecure.
* C2 compliance may or may not meet an organization's security need.
* A C2-level security configuration (this includes no floppy drive and no network connectivity) may be impractical or inappropriate to use in many organizations.
* There are other controls, such as physical and monitoring controls, that must be addressed for compliance but are not operating system components.
* Availability, which is often critical in many corporate environments, is not one of the criteria for C2 certification.
* An organization must assess the level of risk associated with the data they are attempting to protect, have a policy in place to define what level of security is appropriate in their environment, and have monitoring controls in place to determine if the policy is being complied with.

Using these criteria, a company can appropriately decide if the level of security they have implemented is too much, appropriate, or needs additional controls, such as link-level cryptography between a client and a server. In this context, the question is not "is the product C2 certified" but "will this operating system, alone or with additional Microsoft or third-party tools, meet the security need?"


1  System Configuration
Control: All servers in the domain should be Windows NT 3.51 or higher; no LAN Manager or Windows NT servers previous to version 3.51 should exist within the domain.
Risk: Older servers, such as Windows NT 3.5 and LAN Manager, may subject the Windows NT environment to undue security risk.
Recommendation: All Windows NT 3.5 or LAN Manager servers should be eliminated from the domain or upgraded immediately.

1  System Configuration
Control: The latest Microsoft service packs and hot fixes should be installed and properly configured. Service packs and hot fixes should be reapplied after each new software installation.
Risk: Current versions of the operating system contain processing and security enhancements. Service packs and hot fixes correct bugs that have been communicated to Microsoft. If the version of the operating system is not current, there is an increased risk that an unauthorized user may be able to exploit weaknesses in the operating system. Certain service packs and hot fixes require system administration intervention such as the running of an application or the manual entry of a registry key into the registry.
Recommendation: Obtain the latest service pack and hot fixes from Microsoft and properly install and configure the service pack and appropriate hot fixes. The latest service pack for Windows NT 3.51 is 5, and the latest service pack for Windows NT 4.0 is 3.

1  System Configuration
Control: The "system key" options of Service Pack 3 (SP3) should be implemented.
Risk: The system key feature of Service Pack 3 provides stronger encryption of the SAM database. Enabling this option decreases the risk that password hashes will be cracked if obtained. A utility has been released that can extract the Windows NT password hashes even with syskey implemented; therefore, this risk is only partially mitigated.
Recommendation: Enable the syskey option.
Techniques: Upgrade all LAN Manager and Windows NT 3.5 servers to Windows NT version 3.51 or higher.
Compliance Assessment Techniques: Verify, through discussion with the company and physical inspection, that each server is running the Windows NT operating system version 3.51 or higher. This document is only applicable and effective for said versions.
Compliance Verification Techniques: Verify, through discussion with the company and physical inspection, that each server is running the Windows NT operating system version 3.51 or higher. This document is only applicable and effective for said versions. During specific server reviews, refer to the relevant file to verify the version of the operating system.

Techniques: Browse the Microsoft home page and download the latest service pack. Additionally, view available hot fixes and determine which are necessary to install on target systems. Install the service pack and applicable hot fixes on a test machine to ensure compatibility with existing applications. Ensure that the hot fixes are installed in the correct order by referring to the hot fix documentation, and install only after thorough testing.
Compliance Assessment Techniques: Determine, by searching the Microsoft home page, the latest available service pack and hot fix versions. Ensure that appropriate patches are installed on each Windows NT server. Confirm that procedures exist to update service packs and hot fixes as new versions are released and new software is installed on the system.
Compliance Verification Techniques: Review the hotfix.txt files to ensure that appropriate service packs and hot fixes have been applied. Confirm that procedures exist to update service packs and hot fixes as new versions are released and new software is installed on the system. Refer to guidance material and the Microsoft home page to determine the latest service pack version and hot fixes available.

Techniques: Ensure the system key options are installed by reviewing the setting of the HKLM\System\CurrentControlSet\Control\Lsa\SecureBoot registry key. Ensure, in a test environment, that this feature is compatible with all installed applications. After testing and installation, update the repair disk. Note that SP3 will no longer be uninstallable. Choose one of the three methods for storing the system key:
* obfuscated key on machine
* obfuscated key on diskette
* password-protected key at boot
Compliance Assessment Techniques: Determine, through discussion with the network administrator, if this option was considered. If syskey was determined to be viable in this instance, verify that the proper option is set in the registry: HKLM\System\CurrentControlSet\Control\Lsa\SecureBoot. Ensure that sufficient regression testing occurred on a machine outside of the production environment. Verify the choice of the key storage.
Compliance Verification Techniques: Determine, through discussion with the network administrator, if this option was considered. If syskey was determined to be viable in this instance, examine the <servername>.lsa.txt file and ensure the value is set to 1. Verify that the diskette is protected, if used. Verify knowledge of the boot password for the key.
1  System Configuration
Control: The Primary Domain Controller (PDC) should not be utilized for other purposes except those directly related to authentication, such as address assignment or name lookup.
Risk: Running applications on a PDC opens the PDC to any vulnerabilities that exist in that application. Additionally, if the PDC is used for other purposes than authentication, there is an increased risk that the server may not possess enough resources to perform both functions adequately.
Recommendation: PDCs should be utilized for authentication and related services only.

1  System Configuration
Control: System services should be running under a secured context.
Risk: If services are allowed to interact with the desktop when started, there is an increased risk that domain resources may be compromised. In addition, if the service is compromised, the service will be running with too much authority.
Recommendation: No services should have the "Interact with the desktop" check box checked. Services should not run under a global account but rather a local account. Accounts created to run as a service should not be allowed certain rights such as Log On Locally unless required.

2  Networking
Control: Workstation and time restrictions should be enforced when possible.
Risk: Restricting users based on workstation and time reduces the risk that unauthorized access will be obtained. These controls should be enforced for users that utilize only one workstation during set hours of the day.
Recommendation: Workstation and time restrictions should be enforced when possible for typical domain users.
Techniques: Ensure that all PDC servers are only performing authentication.
Compliance Assessment Techniques: Verify that the PDC is only used for authentication by performing the following steps:
1. Open Server Manager.
2. Select the PDC and choose Services... from the Computer pulldown menu.
3. Review each running service to determine if it is used for a purpose other than authentication. Allowable applications include DHCP, WINS, and DNS.
Compliance Verification Techniques: Verify that the PDC is only used for authentication by reviewing <servername>.services and ensuring that only authentication-related services are installed and started. Also, review the <servername>.pulist.txt file to ensure only authentication-related processes are running.

Techniques: When services are started they should not have the Allow Service to Interact with Desktop option selected. Open Server Manager for each server in question. Open Services from the Computer pulldown menu. Double-click on each service and verify the settings for Log On As.
Compliance Assessment Techniques: Verify that services cannot interact with the desktop by performing the following steps for all servers in scope:
1. Open Server Manager.
2. Open Services... from the Computer pulldown menu.
3. Double-click on each service and verify that the Allow Service to Interact with the Desktop option is not selected.
Compliance Verification Techniques: Verify that services cannot interact with the desktop by reviewing the Services Report portion of <servername>.winmsd.txt and noting any services with a Service Account Name of anything other than LocalSystem or any services with a Service Flag of Interactive.

Techniques: When entering new users or changing existing users, perform the following steps:
1. Open User Manager.
2. Open the User Properties by double-clicking on the username.
3. Click the Hours button.
4. Select the appropriate time and click the Allow and Disallow buttons as appropriate.
5. Click OK to confirm changes.
6. Click the Logon To button.
7. Verify user access by stations.
Compliance Assessment Techniques: Verify the user logon hours by performing the following steps:
1. Open User Manager.
2. Open User Properties by double-clicking on the username.
3. Click the Hours button.
4. Verify that the hours listed in blue meet corporate standards.
5. Click the Cancel button to close.
6. Click the Logon To button.
7. Verify user access by stations.
Compliance Verification Techniques: Verify the user logon hours and workstation restrictions by reviewing <servername>.users.txt and determining whether workstation or time restrictions are enforced for any users on the system.
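The verification step's review of the Services Report can be scripted. The following added example (not the book's tooling, and not the actual winmsd.txt layout) parses a constructed four-column services listing and flags the conditions the checklist names: a Service Flag of Interactive, any service account other than LocalSystem, and a global (domain) account, which it assumes is written DOMAIN\name with .\name denoting a local account.

```python
"""Review a Windows NT services listing for the checklist's service checks.

Added example, not from the book. The report format below is constructed and
only loosely modelled on the Services Report in <servername>.winmsd.txt; the
real layout differs. Rules applied: no service may interact with the desktop,
every service account other than LocalSystem is noted, and an account from the
audited domain (DOMAIN\\name) is flagged as global, .\\name being local.
"""
import re
from dataclasses import dataclass

# Constructed sample report (not captured from a real server).
SAMPLE_REPORT = r"""
Services Report for SERVER01 (constructed sample)

Service Name        Account Name        Start Type   Service Flags
Alerter             LocalSystem         Automatic    -
Schedule            LocalSystem         Automatic    Interactive
BackupAgent         CORP\svc_backup     Automatic    -
WebHelper           .\svc_web           Manual       Interactive
EventLog            LocalSystem         Automatic    -
"""

# One row: four whitespace-separated columns.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class Service:
    name: str
    account: str
    start_type: str
    flags: str


@dataclass
class Finding:
    service: str
    issue: str


def parse_report(text):
    """Return Service records for the rows that follow the column header line."""
    services = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Service Name"):
            in_table = True          # header reached; rows follow
            continue
        if not in_table or not line.strip():
            continue
        m = ROW.match(line)
        if m:
            services.append(Service(*m.groups()))
    return services


def review_services(services, domain):
    """Apply the checklist's three service rules; returns a list of Finding."""
    findings = []
    for svc in services:
        if "interactive" in svc.flags.lower():
            findings.append(Finding(svc.name, "allowed to interact with the desktop"))
        if svc.account.lower() != "localsystem":
            findings.append(Finding(
                svc.name, f"runs under account {svc.account} rather than LocalSystem"))
            acct_domain, sep, _ = svc.account.partition("\\")
            # DOMAIN\name from the audited domain is a global account; ".\name" is local.
            if sep and acct_domain.lower() == domain.lower():
                findings.append(Finding(
                    svc.name, "uses a global (domain) account; a local account is recommended"))
    return findings


def review_report(text, domain):
    """Parse a report and review it in one step."""
    return review_services(parse_report(text), domain)


def findings_by_service(findings):
    """Group finding texts by service name for reporting."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.service, []).append(f.issue)
    return grouped


if __name__ == "__main__":
    for name, issues in findings_by_service(review_report(SAMPLE_REPORT, "CORP")).items():
        for issue in issues:
            print(f"{name}: {issue}")
```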
3  Networking
Control: Users should be forcibly disconnected from servers when their login hours expire.
Risk: Having users automatically disconnected from the system when their time expires ensures that network resources will not be accessed unless the user is specifically authorized for access during those hours.
Recommendation: Enable the forced account disconnect feature in account policies.

User Management
Control: All users and groups in the domain should be known and documented by the group responsible for maintaining the Windows NT environment.
Risk: If users and groups exist within the domain that are not known or documented, there is an increased risk that the security of the domain may be compromised.
Recommendation: An inventory of users and groups should be performed periodically and checked against an approved listing of users and groups. If "rogue" users or groups are found they should be investigated immediately.

User Management
Control: All user and directory management should be performed through Windows NT native tools.
Risk: Certain versions of non-Windows NT administration tools (Windows 95) create user accounts and user home directories in an insecure manner.
Recommendation: Windows NT native administration tools should be used to administer users and groups and create directories.

User Management
Control: All user accounts should have an applicable, informative full name and description.
Risk: Requiring all users to have descriptions and full names minimizes the possibility that extraneous, unneeded user accounts will be created. Such a user could bypass system administration and be used for unfavorable purposes.
Recommendation: Add an applicable and informative full name and description to each user account.
Implementation Technique:
Enable the Forced account Disconnect feature in account policies by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the user pulldown menu.
3. Enter the Authentication Domain in the Domain: box.
4. Click OK.
5. Select Account... from the policies pulldown menu.
6. Select the Forcibly disconnect remote users from server when logon hours expire check box.
7. Click OK.
8. Close User Manager.

Compliance Assessment Technique:
Verify that the Forced account Disconnect feature in account policies has been enabled by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the user pulldown menu.
3. Enter the Authentication Domain in the Domain: box.
4. Click OK.
5. Select Account... from the policies pulldown menu.
6. Verify that the Forcibly disconnect remote users from server when logon hours expire check box has been checked.
7. Click OK.
8. Close User Manager.

Compliance Verification Technique:
Verify that the Forced account Disconnect feature in account policies has been enabled by reviewing <servername>.policies.txt and ensuring that the “Force logoff when logon hours expire” control is implemented. Verify that logon hours are set for users.

Implementation Technique:
Document all users and groups in the domain. Verify that all users are presently employed with the company by obtaining a list from Human Resources.

Compliance Assessment Technique:
Compare the user inventory with an actual employee list from Human Resources and verify that all users are current employees. Also determine if there are procedures in place to periodically check the users and groups in the domain against this listing.

Compliance Verification Technique:
Compare the user inventory with an actual employee list from Human Resources and verify that all users are current employees. Also determine if there are procedures in place to periodically check the users and groups in the domain against this listing.

Implementation Technique:
Utilize native Windows NT administration tools to administer users and groups and to create directories.

Compliance Assessment Technique:
Determine, through discussion with the network administrator and physical review of the system, which tools are used to administer the network. Ensure that all tools are designed specifically for Windows NT.

Compliance Verification Technique:
Determine, through discussion with the network administrator and physical review of the system, which tools are used to administer the network. Ensure that all tools are designed specifically for Windows NT.

Implementation Technique:
When creating users, fill in the Full Name and Description fields for the new account in the User Manager.

Compliance Assessment Technique:
Verify that all users have full names and descriptions in the appropriate fields by viewing the users in User Manager by performing the following steps:
1. Choose Select Domain... from the user pulldown menu.
2. Enter the Authentication Domain.
3. Click OK.
View all users and verify that they have full names and descriptions.

Compliance Verification Technique:
Review <servername>.users.txt and verify that all users have applicable full names and descriptions.
No. 3  Category: User Management
Control Objective: Naming conventions should be established and followed for all user accounts. Naming conventions should cover end users, contractors, consultants, and vendors.
Risk: Having all users with the same naming convention increases network security, as users can easily be identified and accounts that do not adhere to the naming standard are easily identified. Setting up temporary accounts for contractors, consultants, and vendors with an identifiable naming convention allows these accounts to be easily identified and purged if warranted.
Control Technique: Name all user accounts in accordance with established naming conventions.

No. 3  Category: User Management
Control Objective: User accounts should only be entered in the Authentication Domain’s PDC and not on workstations or servers.
Risk: Having all user accounts centrally administered by the domain increases network security because resource allocation can be controlled. The only accounts that should exist outside of the domain, on local workstations, are the built-in Guest and Administrator accounts.
Control Technique: Remove all user accounts from resource domains, servers, and workstations and move them to their respective authentication domain.
Implementation Technique:
Name all user accounts in accordance with established naming conventions.

Compliance Assessment Technique:
Verify that all users are named in accordance with corporate policy by viewing the users in User Manager by performing the following steps:
1. Choose Select Domain... from the user pulldown menu.
2. Enter the Authentication Domain.
3. Click OK.
4. View all users and verify that they have been named in accordance with corporate policy.
Note whether the naming conventions provide for the ability to identify employees, vendors, and temporary IDs.

Compliance Verification Technique:
Obtain a copy of the company’s user naming conventions and ensure they are being enforced on all user accounts. Note whether the naming conventions provide for the ability to identify employees, vendors, and temporary IDs.

Implementation Technique:
Move all user accounts from the resource servers to the authentication domain by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the user pulldown menu.
3. Enter the server name.
4. Click OK.
5. Double-click the user account.
6. Write down all visible information.
7. Close the user information.
8. With the user account highlighted, select Delete from the user pulldown menu.
9. Click OK.
10. Repeat steps 5-9 until all [remainder of step not legible in source].
11. [Beginning of step not legible in source] from the user pulldown menu.
12. [Step not legible in source]
13. [Step not legible in source]
14. Select New User... from the user pulldown menu.
15. Enter all user information.
16. Click Add.
17. Repeat steps 14-16 until all [remainder of step not legible in source].

Compliance Assessment Technique:
Verify that there are no user accounts on each server and workstation by performing the following steps:
1. [Step not legible in source]
2. [Step not legible in source]
3. [Step not legible in source]
4. Verify that the only accounts listed are the Default Administrator and Guest accounts.
5. Repeat steps 2-4 until all servers and workstations have been verified.
6. Close User Manager.

Compliance Verification Technique:
Review <servername>.users.txt and ensure that end user accounts are only created in the Authentication Domain.
Primary Domain Controller Security

No. 3  Category: User Management
Control Objective: Any account that has not logged into the authentication domain for an extended period of time should be disabled.
Risk: Inactive accounts are often used by intruders to break into a network. If a user account has not been utilized for some time, the account should be disabled until it is needed. This minimizes the possibility that an unauthorized user will utilize the account.
Control Technique: Disable all accounts that have not been logged into in accordance with corporate standards. Industry guidelines state that if an account has not been used for 90 days, it is inactive. Enable an account only after being contacted by, and verifying, the user is appropriate.

No. 3  Category: User Management
Control Objective: Accounts of individuals who are no longer employed or do not need their accounts should be deleted.
Risk: Having outstanding accounts that are no longer needed increases the risk of unauthorized access.
Control Technique: Delete all unneeded accounts, including vendor accounts, terminated employees, and contractors.
Implementation Technique:
Disable stale user accounts by performing the following steps:
1. At the command prompt, issue the net user <User Name> command for each user.
2. Note the last login time. If the account has not been logged into in a specified period of time (in accordance with our best practices), this account should be disabled.
3. Disable the account by issuing the net user <User Name> /active:no command.

Compliance Assessment Technique:
Verify that all inactive user accounts have been disabled by performing the following steps:
1. At the command prompt, issue the net user <User Name> command for each user.
2. Note the last login time. If the account has not been logged into in a specified period of time (in accordance with corporate policy or our best practices), this account should be disabled.
3. Verify through the use of a tool when the last valid logon time was.
Note: If a user often authenticates to a BDC rather than the PDC, then this procedure may not provide the true last logon time.

Compliance Verification Technique:
Verify that all inactive user accounts have been disabled by reviewing <servername>.users.txt for accounts with a “True Last Logon Time” that exceeds the corporate policy.

Implementation Technique:
Remove unneeded user accounts from the authentication domain by performing the following steps:
1. [Step not legible in source]
2. Highlight the unneeded account and select Delete from the user pulldown menu.
3. Repeat until all unneeded accounts have been removed.

Compliance Assessment Technique:
Verify that there are no unneeded user accounts in the authentication domain by performing the following steps:
1. Open the User Manager.
2. Review the list of users.
3. Discuss these users with the network administrator and human resources to determine appropriateness.

Compliance Verification Technique:
Verify that there are no unneeded user accounts in the authentication domain by obtaining a listing of recently departed employees from the HR department and ensuring that the former employees’ accounts have been removed or disabled from the Authentication domain. This information can be found in the appropriate <servername>.users.txt file.
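The stale-account procedure above reads the "Last logon" stamp from net user output and applies the 90-day industry guideline. The following Python script is an added example, not part of this review program, that does the same over captured net user output: it parses the two-column listing, classifies each account, and lists the net user /active:no commands an administrator would review before issuing. The sample output, the audit date (AS_OF) and the user names are constructed for illustration; the date format assumes the U.S. locale the book's screens use.

```python
import re
from datetime import datetime

# Baseline from the review program: an account unused for 90 days is inactive.
STALE_DAYS = 90

# Audit date for the constructed sample below (hypothetical).
AS_OF = datetime(2001, 4, 1)

# Constructed sample of 'net user <User Name>' output, trimmed to the fields
# this check reads. Real output has more lines in the same two-column shape.
SAMPLE_NET_USER_OUTPUT = {
    "jdoe": (
        "User name                    jdoe\n"
        "Full Name                    John Doe\n"
        "Account active               Yes\n"
        "Last logon                   3/20/2001 8:02 AM\n"
    ),
    "vendor01": (
        "User name                    vendor01\n"
        "Full Name                    Vendor Support (temporary)\n"
        "Account active               Yes\n"
        "Last logon                   10/2/2000 5:41 PM\n"
    ),
    "svc_backup": (
        "User name                    svc_backup\n"
        "Full Name                    Backup Service\n"
        "Account active               No\n"
        "Last logon                   12/1/2000 11:15 PM\n"
    ),
    "newhire": (
        "User name                    newhire\n"
        "Full Name                    New Hire\n"
        "Account active               Yes\n"
        "Last logon                   Never\n"
    ),
}


def parse_net_user(text):
    """Split each 'label<2+ spaces>value' line of net user output into a dict."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        fields[parts[0]] = parts[1] if len(parts) > 1 else ""
    return fields


def days_since_last_logon(fields, as_of=AS_OF):
    """Age of the 'Last logon' stamp in days; None when it is 'Never' or unparsable."""
    raw = fields.get("Last logon", "")
    try:
        when = datetime.strptime(raw, "%m/%d/%Y %I:%M %p")  # U.S. locale assumed
    except ValueError:
        return None
    return (as_of - when).days


def classify_account(fields, as_of=AS_OF, stale_days=STALE_DAYS):
    """Return 'already-disabled', 'never-logged-on', 'stale' or 'ok'.

    Caveat from the review program: the last logon is recorded by the domain
    controller that validated it, so a PDC-only reading can understate activity
    for users who authenticate against a BDC. Collect the output from every
    domain controller and keep the most recent stamp before acting on it.
    """
    if fields.get("Account active", "").strip().lower() != "yes":
        return "already-disabled"
    age = days_since_last_logon(fields, as_of)
    if age is None:
        return "never-logged-on"
    return "stale" if age > stale_days else "ok"


def find_stale_accounts(outputs, as_of=AS_OF, stale_days=STALE_DAYS):
    """Map each user name to its classification."""
    return {name: classify_account(parse_net_user(text), as_of, stale_days)
            for name, text in outputs.items()}


def disable_commands(outputs, as_of=AS_OF, stale_days=STALE_DAYS):
    """The 'net user <User Name> /active:no' commands the implementation step
    would issue for stale accounts; returned as strings for review, not executed."""
    results = find_stale_accounts(outputs, as_of, stale_days)
    return [f"net user {name} /active:no"
            for name, status in sorted(results.items()) if status == "stale"]


if __name__ == "__main__":
    for name, status in find_stale_accounts(SAMPLE_NET_USER_OUTPUT).items():
        print(f"{name:12s} {status}")
    print("\n".join(disable_commands(SAMPLE_NET_USER_OUTPUT)))
```

Accounts that have never logged on are reported separately rather than disabled: they may be new accounts awaiting first use, which the later "change password on first logon" control addresses, and an auditor would confirm their purpose with the administrator before acting.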
No. 3  Category: User Management
Control Objective: The default Administrator and Guest accounts should be assigned a strong password and renamed immediately after installation.
Risk: The Administrator and Guest accounts are known to exist on all Windows NT systems. Consequently, they are one of the first accounts that an intruder will attempt to use. The Administrator account on Windows NT has all system rights and therefore should be the most protected account on the system. If these accounts are not renamed, all an attacker would have to accomplish is brute force guessing a password. Depending on other system settings, this might be easy to achieve in a relatively short period of time without being detected.
Control Technique: Rename the default Administrator and Guest accounts. Assign a strong password to both accounts. Add an account named “Administrator” and assign it no user rights and no group memberships. Having an account named Administrator with no user rights will aid intruder detection by writing to the audit log.

Implementation Technique:
Rename the default accounts by performing the following steps:
1. Using User Manager, highlight the Administrator account.
2. Choose the rename option under the User pulldown menu.
3. Enter a new account name, which conforms to corporate standards, in the Change box.
4. Click OK to confirm changes.
5. Double-click on the [remainder of step not legible in source].
6. [Step not legible in source]
7. [Step not legible in source]
8. Choose New User from the User pulldown menu.
9. Enter Administrator in the Username box.
10. Enter a full name in accordance with corporate [remainder of step not legible in source].
11. [Step not legible in source]
12. [Beginning of step not legible in source] Password boxes.
13. [Beginning of step not legible in source] that the User Must Change Password at Next Logon box is not selected.
14. [Beginning of step not legible in source] the Password Never Expires check box.
15. Click the Groups box.
16. Select all groups under the Member Of: box.
17. Click the Remove button.
18. Click the OK button to confirm changes.
19. Click the Close button.

Compliance Assessment Technique:
Verify, with the network administrator and physical inspection, that the Administrator and Guest accounts have been renamed and assigned strong passwords.
A cracking program can be used to determine if passwords exist and how strong they are.
Some companies may not allow password cracking programs to be run. In that case you may have to accept the word of the system manager regarding password strength.

Compliance Verification Technique:
Review <servername>.users.txt and ensure the default Administrator and Guest accounts are renamed. Also ensure the accounts have been assigned a strong password by executing L0phtcrack against the <servername>.passwd.txt file if permitted.
No. 3  Category: User Management
Control Objective: The default Guest account should be disabled immediately after installation.
Risk: The Guest account is known to exist on all Windows NT systems. Consequently, it is one of the first accounts that an intruder will attempt to use. If enabled, an attacker will attempt to login as the Guest and compromise the system. By default, Windows NT 4.0 disables this account; however, a blank password is set.
Control Technique: Disable the default Guest account on all Windows NT systems. The account should remain disabled at all times. If the Guest account is needed for any types of services (i.e., printing), define a new account for that function.

No. 3  Category: User Management
Control Objective: The Replicator account should be adequately secured.
Risk: If the directory replicator account and password used by this account are not adequately secured, there is an increased risk that the security of the domain may be compromised.
Control Technique: The Replicator account should have a secure username and password and should not be allowed to override default password policy. The Replicator account should be a member of the Replicators group. (The Replicators group will not have “logon locally” or “access this computer over the network” user rights, only “Log on as service.”)
Implementation Technique:
Disable the Guest account by performing the following steps:
1. [Step not legible in source]
2. Disable the account [remainder of step not legible in source].
[Remaining steps not legible in source] changes.

Compliance Assessment Technique:
Verify that the Guest account has been disabled by performing the following steps:
1. Open User Manager.
2. Double-click on the Guest account.
3. Verify that the Account Disabled check box is selected.

Compliance Verification Technique:
Review <servername>.users.txt and ensure the Guest account is disabled.

Implementation Technique:
Rename the Replicator account and secure it by performing the following steps:
1. [Step not legible in source]
2. Choose the rename option under the User pulldown menu.
3. Enter a new account name, which conforms to corporate standards, in the Change box.
4. Click OK to confirm changes.
5. Double-click on the Replicator account.
6. [Step not legible in source]
7. Ensure that the User Must Change Password at Next Logon [remainder of step not legible in source].
8. [Beginning of step not legible in source] the Password Never Expires check box.
9. Click the Groups box.
10. Select all groups under the Member Of: box.
11. Click the Remove button.
12. Add the Replicator account to the Replicators group.
13. Click the OK button to confirm changes.
14. Click the Close button.

Compliance Assessment Technique:
Verify, through discussion with the network administrator and physical inspection, that the Replicator account has been renamed and assigned a strong password. Also ensure that the Replicator account is only a member of the Replicators group. These can be accomplished by performing the following steps:
1. Open User Manager.
2. Verify that an account named Replicator does not exist.
3. Double-click on the renamed Replicator account.
4. Click on the Groups button.
5. Verify that this account is only a member of the Replicators group.
A cracking program can be used to determine how strong the password for this account is.
Some companies may not allow password cracking programs to be run. In that case you may have to accept the word of the system manager regarding password strength.

Compliance Verification Technique:
Review the <servername>.users.txt Replicator account security settings and ensure the account has a difficult-to-guess username, belongs only to the Replicators group, and is not overriding default account policies. Also ensure the account has been assigned a strong password by executing L0phtcrack against the <servername>.passwd.txt file, if permitted.
No. 3  Category: User Management
Control Objective: Automatic logon options for servers should not be enabled.
Risk: There is an increased risk that an unauthorized user may gain knowledge of a username and password for the domain, as the use of this option embeds the password of an account in the registry in clear text.
Control Technique: Ensure the value of the AutoAdminLogon registry key is set to 0.

No. 3  Category: User Management
Control Objective: The default values for the automatic logon should not be present.
Risk: Even if the automatic logon option is disabled, the default password may still exist in the registry. An unauthorized user may gain access to this key and compromise the system.
Control Technique: Ensure that the DefaultPassword, DefaultUserName, and DefaultDomainName registry keys do not exist.
Implementation Technique:
Ensure the value of the AutoAdminLogon key is set to 0 by performing the following [steps not legible in source].

Compliance Assessment Technique:
[Beginning of procedure not legible in source]
1. [Step not legible in source]
2. Select the hive [path not legible in source]\Winlogon.
3. Determine if the value of AutoAdminLogon is set to 0.
4. Close regedt32.

Compliance Verification Technique:
Review <servername>.winlogon.txt and ensure the value AutoAdminLogon is set to 0.

Implementation Technique:
Ensure that the DefaultPassword, DefaultUserName, and DefaultDomainName keys do not exist by performing the following procedures:
1. [Step not legible in source]
2. Select the hive [path not legible in source]\Winlogon.
3. Delete the keys mentioned above.

Compliance Assessment Technique:
Verify that the DefaultPassword, DefaultUserName, and DefaultDomainName keys do not exist by performing the following procedures:
1. [Step not legible in source]
2. Select the hive [path not legible in source]\Winlogon.
3. Verify that the keys mentioned above do not exist.

Compliance Verification Technique:
Review <servername>.winlogon.txt and ensure the values DefaultUserName, DefaultPassword, and DefaultDomainName are blank.
No. 3  Category: User Management
Control Objective: Users that connect with the Anonymous Null Credentials Logon should be denied access to all systems in the domain. Null session pipes should be disabled.
Risk: The Anonymous Null Credentials Logon gives individuals a method of procuring every share and username that exists on the system. In addition, group memberships can also be discovered. With this information, attackers can start brute force guessing passwords and attempt to compromise the system.
Note: Some software may not function after these changes. Additionally, the ability to change passwords may be lost. Ensure compatibility by testing. Also, users may be unable to proactively change their password.
Control Technique: Add the registry key RestrictAnonymous to the HKLM\System\CurrentControlSet\Control\LSA portion of the registry. The value of this setting should be 1. Review the values on the null session restrictions registry keys in the HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters portion of the registry.
Implementation Technique:
Add the registry key RestrictAnonymous to the HKLM\System\CurrentControlSet\Control\LSA portion of the registry by performing the following steps:
1. [Steps 1-6 not legible in source]
7. Enter 1 in the Data: box.
8. Click OK.
In addition, verify that the Null Sessions Access has been restricted by performing the following steps: [steps not legible in source].

Compliance Assessment Technique:
Verify that the registry key RestrictAnonymous has been added to the HKLM\System\CurrentControlSet\Control\LSA portion of the registry by performing the following steps:
1. [Step not legible in source]
2. Select the key HKLM\System\CurrentControlSet\Control\LSA.
3. Verify that the registry key RestrictAnonymous:REG_DWORD:0x1 is listed.
In addition, verify that the Null Sessions Access has been restricted by performing the following steps:
1. Open regedt32.
2. Select the hive HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
3. [Beginning of step not legible in source] is set to 1.
4. Close regedt32.

Compliance Verification Technique:
Review <servername>.[file name not legible in source].txt and ensure the value [not legible in source]. [Text not legible in source] RestrictNullSessAccess is set to 1. [Text not legible in source] the default.
No. 4  Category: Password Management
Control Objective: The maximum password age should be set in accordance with corporate security standards and guidelines. Industry guidelines state 60 days.
Risk: Without forcing users to change passwords, the risk that a password will have an unlimited useful life after [word not legible in source] is increased.
Control Technique: Set the maximum password age in accordance with corporate security standards and guidelines. Industry guidelines state 60 days.

No. 4  Category: Password Management
Control Objective: The minimum password length should be set in accordance with corporate security standards and guidelines. Industry guidelines state 7 characters.
Risk: Having an adequate password length increases the difficulty required to guess a password.
Control Technique: Set the minimum password length in accordance with corporate security standards and guidelines. Industry guidelines state 7 characters.

No. 4  Category: Password Management
Control Objective: The minimum password age should be set in accordance with corporate security standards and guidelines. Industry guidelines state 3 days.
Risk: Having this feature enabled prevents a user from changing their new password back to the original password, thereby bypassing the password uniqueness control.
Control Technique: Set the minimum password age in accordance with corporate security standards and guidelines. Industry guidelines state 3 days.
Implementation Technique:
For all servers, set the maximum password age parameter by performing the following steps:
1. Using User Manager, select the Account... option of the Policies menu.
2. [Beginning of step not legible in source] This should be set in accordance with corporate standards.
3. Click OK to confirm changes.
Industry guidelines state 60 days.

Compliance Assessment Technique:
For all servers, verify the maximum password age parameter by performing the following steps:
1. Open User Manager.
2. Select the Account... option under the Policies menu.
3. Ensure that the Password Expires in X days radio button is selected. View the number of days for the Maximum Password Age. This should be set in accordance with corporate standards or our best practices.
4. Click OK to exit.
Industry guidelines state 60 days.

Compliance Verification Technique:
Review <servername>.policies.txt for compliance with corporate policies relating to maximum password age. If no corporate policy exists, use 60 days as a baseline.

Implementation Technique:
For all servers, set the minimum password length parameter by performing the following steps:
1. Using User Manager, select the Account... option of the Policies menu.
2. [Beginning of step not legible in source] This should be set in accordance with corporate standards.
3. Click OK to confirm changes.
Industry guidelines state 7 characters.

Compliance Assessment Technique:
For all servers, verify the minimum password length parameter by performing the following steps:
1. Open User Manager.
2. Select the Account... option under the Policies menu.
3. Ensure that the At Least X Characters radio button is selected. View the number of characters required for the Minimum Password Length. This should be set in accordance with corporate standards or our best practices.
4. Click OK to exit.
Industry guidelines state 7 characters.

Compliance Verification Technique:
Review <servername>.policies.txt for compliance with corporate policies relating to minimum password length. If no corporate policy exists, use 7 characters as a baseline.

Implementation Technique:
For all servers, set the minimum password age parameter by performing the following steps:
1. Using [remainder of step not legible in source].
2. Enter [remainder of step not legible in source]. This should be set in accordance with corporate standards.
Industry guidelines state 3 days.

Compliance Assessment Technique:
For all servers, verify that the minimum password age parameter has been set by performing the following steps:
1. Open User Manager.
2. Select the Account... option under the Policies menu.
3. Ensure that the Allow Changes in X days radio button is selected. View the number of days for the Minimum Password Age. This should be set in accordance with corporate standards or our best practices.
4. Click OK to exit.
Industry guidelines state 3 days.

Compliance Verification Technique:
Review <servername>.policies.txt for compliance with corporate policies relating to minimum password age. If no corporate policy exists, use 3 days as a baseline.


Windows NT Primary Domain Controller Security Review Program

No. 4  Category: Password Management
Control Objective: The password uniqueness should be set in accordance with corporate security standards and guidelines. Industry guidelines state 6 passwords.
Risk: Requiring unique passwords prevents a user from recycling old passwords that may have been compromised in the past.
Control Technique: Set the password uniqueness in accordance with corporate security standards and guidelines. Industry guidelines state 6 passwords.

No. 4  Category: Password Management
Control Objective: The Service Pack Enhancement, passfilt, should be implemented to enforce strong password controls.
Risk: Having a high degree of password strength decreases the likelihood of passwords being guessed by intruders.
Control Technique: Enable passfilt so that not just lowercase letters are required for passwords. Be aware that with Windows 95 computers, passfilt does not enforce case-sensitive passwords. Additionally, the error messages produced by passfilt are often unclear, so administrators must stay alert. Finally, know that administrators can create their own DLL with their own password rules.

Implementation Technique:
For all servers, set the password uniqueness parameters by performing the following steps:
1. Using User Manager, select the Account... option of the Policies menu.
2. Enter the number of passwords for the Password Uniqueness. This should be set in accordance with corporate standards.
3. Click OK to confirm changes.
Industry guidelines state 6 passwords.

Compliance Assessment Technique:
For all servers, verify that the password uniqueness parameters have been set by performing the following steps:
1. Open User Manager.
2. Select the Account... option under the Policies menu.
3. Verify that the Remember X Passwords radio button is selected. View the value entered in this field. This should be set in accordance with corporate standards or our best practices.
4. Click OK to exit.
Industry guidelines state 6 passwords.

Compliance Verification Technique:
Review <servername>.policies.txt for compliance with corporate policies relating to password uniqueness. If no corporate policy exists, use 6 passwords as a baseline.

Implementation Technique:
For the PDC, enable passfilt by performing the following steps:
1. Open regedt32.
2. Select the key HKLM\System\CurrentControlSet\Control\LSA.
3. Edit the Notification Packages value name.
4. Add passfilt to the value name.

Compliance Assessment Technique:
For the PDC, check for passfilt by performing the following steps:
1. Open regedt32.
2. Select the key HKLM\System\CurrentControlSet\Control\LSA.
3. View the Notification Packages value name.

Compliance Verification Technique:
Review <servername>.lsa.txt to ensure the value Notification Packages contains the passfilt.dll entry.
If the Notification Packages value contains an entry of FPNWCLNT.dll, inquire with the company if this is required for connectivity between NT and Novell servers. Also, ensure that FPNWCLNT.dll exists within the system path and is properly secured. Ensure that FPNWCLNT.dll is the proper size, date, and version based on the service pack and any hot fixes that are installed.
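The passfilt control above says only that the filter rejects passwords made of lowercase letters alone and that administrators may write their own DLL with their own rules. The following Python function is an added illustration, not the DLL or this program's text, of the rule set Microsoft documented for passfilt.dll: at least six characters, characters from at least three of the four classes (uppercase, lowercase, digits, non-alphanumeric), and no occurrence of the user name or of any part of the full name. The delimiter set used to split the full name is an approximation of the documented one, and the test values are constructed.

```python
import re

# Minimum length enforced by the documented passfilt.dll rules.
MIN_LENGTH = 6


def _name_parts(full_name):
    """Tokens of the full name that are three or more characters long.
    The documented filter ignores shorter tokens; the delimiter set here
    (space, comma, period, hyphen, underscore, '#', tab) approximates it."""
    return [p for p in re.split(r"[ ,.\-_#\t]+", full_name) if len(p) >= 3]


def character_classes(password):
    """Number of character classes present: upper, lower, digit, other."""
    classes = 0
    for pattern in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"):
        if re.search(pattern, password):
            classes += 1
    return classes


def check_password(password, username, full_name=""):
    """Return the list of rule violations; an empty list means the password
    would be accepted by a filter implementing the documented rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than three of: uppercase, lowercase, digits, symbols")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    for part in _name_parts(full_name):
        if part.lower() in lowered:
            problems.append(f"contains part of the full name ({part})")
    return problems


if __name__ == "__main__":
    # Constructed examples: a lowercase-only password, one built from the
    # user's name, and one that satisfies every rule.
    for pw in ("password", "Jdoe2001!", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, "jdoe", "John Doe") or "accepted")
```

The check is case-insensitive for the name rules but case-sensitive for the class count, which is the behaviour the control warns about for Windows 95 clients: a client that upper-cases the password before sending it leaves the server unable to tell mixed case from a single class.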
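The registry controls in this program (AutoAdminLogon set to 0 and no stored default credentials under Winlogon; RestrictAnonymous set to 1 under Control\LSA; the null-session restriction under LanmanServer\Parameters; and passfilt listed in Notification Packages) are all verified the same way, by reading the exported registry listings. The following Python script is an added example, not part of this review program, that applies those checks to exported listings. It assumes each export line carries the Name:REG_TYPE:value form the program quotes for RestrictAnonymous; the sample exports, the file names (<servername>.winlogon.txt, <servername>.lsa.txt and a LanmanServer listing) and the values in them are constructed. Multi-string values are represented as space-separated entries on one line, which is an assumption about the export format, not how regedt32 displays them.

```python
import re


def parse_regedt32_listing(text):
    """Parse 'Name:REG_TYPE:value' lines into {name: (type, value)}.

    Lines in any other shape (headers, blanks) are ignored. The layout is an
    assumption about the export format; adjust the pattern for a real export.
    """
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(REG_[A-Z_0-9]+)\s*:\s*(.*?)\s*$", line)
        if m:
            entries[m.group(1)] = (m.group(2), m.group(3))
    return entries


def _as_int(value):
    """REG_DWORD values print as hex (0x1); accept decimal too."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def check_winlogon(entries):
    """AutoAdminLogon must be 0 and no default credential values may be stored."""
    findings = []
    auto = entries.get("AutoAdminLogon", ("REG_SZ", "0"))[1]
    if auto != "0":
        findings.append(f"AutoAdminLogon is {auto}; should be 0")
    for name in ("DefaultPassword", "DefaultUserName", "DefaultDomainName"):
        if entries.get(name, ("", ""))[1] != "":
            findings.append(f"{name} is present with a value; should not exist")
    return findings


def check_lsa(entries):
    """RestrictAnonymous must be 1; passfilt must be a notification package;
    FPNWCLNT is flagged for the follow-up inquiry the program describes."""
    findings = []
    ra = entries.get("RestrictAnonymous")
    if ra is None or _as_int(ra[1]) != 1:
        findings.append("RestrictAnonymous missing or not 1")
    packages = entries.get("Notification Packages", ("REG_MULTI_SZ", ""))[1].lower().split()
    if not any(p.startswith("passfilt") for p in packages):
        findings.append("Notification Packages does not list passfilt")
    if any(p.startswith("fpnwclnt") for p in packages):
        findings.append("Notification Packages lists FPNWCLNT; confirm it is required "
                        "for Novell connectivity and verify the DLL's size, date and version")
    return findings


def check_lanmanserver(entries):
    """Null-session access must be restricted (RestrictNullSessAccess = 1)."""
    rn = entries.get("RestrictNullSessAccess")
    if rn is None or _as_int(rn[1]) != 1:
        return ["RestrictNullSessAccess missing or not 1"]
    return []


def audit_exports(winlogon_txt, lsa_txt, lanman_txt):
    """Run all three checks and return the combined list of findings."""
    return (check_winlogon(parse_regedt32_listing(winlogon_txt))
            + check_lsa(parse_regedt32_listing(lsa_txt))
            + check_lanmanserver(parse_regedt32_listing(lanman_txt)))


# Constructed sample exports for a server that fails several checks.
NONCOMPLIANT_WINLOGON = """AutoAdminLogon:REG_SZ:1
DefaultUserName:REG_SZ:Administrator
DefaultPassword:REG_SZ:Summer2001
DefaultDomainName:REG_SZ:CORP
"""
NONCOMPLIANT_LSA = """Authentication Packages:REG_MULTI_SZ:msv1_0
Notification Packages:REG_MULTI_SZ:FPNWCLNT
"""
NONCOMPLIANT_LANMAN = """NullSessionPipes:REG_MULTI_SZ:COMNAP COMNODE
"""

# Constructed sample exports for a server that meets the controls.
COMPLIANT_WINLOGON = "AutoAdminLogon:REG_SZ:0\nDefaultUserName:REG_SZ:\n"
COMPLIANT_LSA = "RestrictAnonymous:REG_DWORD:0x1\nNotification Packages:REG_MULTI_SZ:passfilt\n"
COMPLIANT_LANMAN = "RestrictNullSessAccess:REG_DWORD:0x1\n"


if __name__ == "__main__":
    for f in audit_exports(NONCOMPLIANT_WINLOGON, NONCOMPLIANT_LSA, NONCOMPLIANT_LANMAN):
        print("FINDING:", f)
    print("compliant server findings:",
          audit_exports(COMPLIANT_WINLOGON, COMPLIANT_LSA, COMPLIANT_LANMAN))
```

A stored DefaultPassword is reported even when AutoAdminLogon is 0, matching the second control objective: disabling automatic logon does not remove the clear-text password already written to the key.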
No. 4  Category: Password Management
Control Objective: The account lockout feature should be enabled, and the related parameters should be set in accordance with corporate security standards and guidelines. Industry guidelines state 3 bad logon attempts and to reset the counter after 1,440 minutes. Accounts should be locked forever or until an administrator manually unlocks them.
Risk: Locking out accounts after a specified number of failed login attempts decreases the risk that user accounts will be compromised through brute force attacks.
Control Technique: Enable the account lockout feature and set the appropriate parameters in accordance with corporate security standards and guidelines. Industry guidelines state 3 bad logon attempts and to reset the counter after 1,440 minutes. Accounts should be locked forever or until an administrator manually unlocks them.

No. 4  Category: Password Management
Control Objective: The resource kit utility, passprop, should be utilized to enable lockout on the Administrator account over a network connection.
Risk: The Administrator account is susceptible to an infinite number of password guesses over a network connection unless passprop is implemented. Regardless, Administrators should not be able to “access this computer from the network,” but this is a good supplemental procedure.
Control Technique: Enable passprop’s /adminlockout function.

No. 4  Category: Password Management
Control Objective: The password for the Administrator account maintained on each server should be changed in accordance with corporate standards and guidelines and be unique across all servers.
Risk: The renamed Administrator account on each server is the most privileged account on the system. Therefore, extra care should be taken with its use. Changing the password periodically limits the useful life of any compromised passwords. Requiring unique passwords on different systems limits the exposure to the system if one administrator account is compromised.
Control Technique: Require that the password for the Administrator account on each server is changed periodically and is unique for all servers.
Implementation Technique:
For all servers, set the account lockout parameters by performing the following steps:
1. Using User Manager, select [remainder of step not legible in source].
2. Ensure the Account Lockout option is enabled.
3. [Beginning of step not legible in source] settings should be set in accordance with corporate standards.
4. Click OK to confirm changes.
Industry guidelines state 3 bad logon attempts and to reset the counter after 1,440 minutes. Accounts should be locked forever or until an administrator manually unlocks them.

Compliance Assessment Technique:
For all servers, verify the account lockout parameters by performing the following steps:
1. Open User Manager.
2. Select the Account... option under the Policies menu.
3. Ensure the Account Lockout radio button is selected.
4. Verify the settings for Lockout After Bad Logon Attempts, Reset Count After Minutes, and Lockout Duration. These settings should be set in accordance with corporate standards or our best practices.
5. Click OK to exit.
Industry guidelines state 3 bad logon attempts and to reset the counter after 1,440 minutes. Accounts should be locked forever or until an administrator manually unlocks them.

Compliance Verification Technique:
Review <servername>.policies.txt for compliance with corporate policies relating to account lockout. If no corporate policy exists, use the following as a baseline:
* Industry guidelines state 3 bad logon attempts and to reset the counter after 1,440 minutes.
* Accounts should be locked forever or until an administrator manually unlocks them.
1,440 minutes equals 24 hours.

Implementation Technique:
From the command prompt, type passprop /adminlockout.

Compliance Assessment Technique:
Verify that passprop has been used to enable lockout of the Administrator account over a network connection. From the command prompt, type passprop and view the results.

Compliance Verification Technique:
Review <servername>.passprop.txt to ensure the Administrator account lockout control is enabled.

Implementation Technique:
Change the passwords on the Administrator-level account by performing the following steps:
1. Using the User Manager, open the user account that requires a change of password.
2. Enter the new password in both the Password and Confirm Password fields.
3. Click OK to close the User Properties.

Compliance Assessment Technique:
Verify, with the network administrator and administrator-equivalent users, that Administrator-level account passwords are being changed in accordance with corporate security standards and are unique across all servers.
In large multidomain implementations of Windows NT, this may not be a practical policy. An alternative might be a different password within different domains.

Compliance Verification Technique:
Review <servername>.users.txt and ensure the Administrator accounts are required to follow default account policies. Also review <servername>.passwd.txt and ensure the Administrator account password hashes are unique across servers.
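The account policy controls above (maximum and minimum password age, minimum length, uniqueness, and the lockout threshold, reset window and duration) are each verified by reading <servername>.policies.txt against a baseline. The following Python script is an added example, not part of this review program, that compares such an export against the baselines the program gives for use when no corporate policy exists. The program names the policies.txt file but not its layout, so the "Setting: value" form of the constructed samples is an assumption; the setting names follow the User Manager labels quoted in the procedures.

```python
import re

# Baselines the review program gives for use when no corporate policy exists:
# ("max", n) means the export value must not exceed n, ("min", n) must reach n.
BASELINE = {
    "maximum password age": ("max", 60),            # days
    "minimum password age": ("min", 3),             # days
    "minimum password length": ("min", 7),          # characters
    "password uniqueness": ("min", 6),              # passwords remembered
    "lockout after bad logon attempts": ("max", 3),
    "reset count after minutes": ("min", 1440),     # 24 hours
}

# Constructed sample of a hypothetical <servername>.policies.txt export for a
# server that deviates from every baseline.
SAMPLE_POLICIES_TXT = """Maximum Password Age: 90 days
Minimum Password Age: 0 days
Minimum Password Length: 6 characters
Password Uniqueness: 3 passwords
Account Lockout: Yes
Lockout after bad logon attempts: 5
Reset count after minutes: 30
Lockout Duration: 60 minutes
Force logoff when logon hours expire: No
"""

# Constructed export for a server that meets the baselines.
COMPLIANT_POLICIES_TXT = """Maximum Password Age: 60 days
Minimum Password Age: 3 days
Minimum Password Length: 7 characters
Password Uniqueness: 6 passwords
Account Lockout: Yes
Lockout after bad logon attempts: 3
Reset count after minutes: 1440
Lockout Duration: Forever
Force logoff when logon hours expire: Yes
"""


def parse_policies(text):
    """Lower-cased setting name -> raw value string (layout assumed, see above)."""
    settings = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def _number(value):
    """Leading integer of a value such as '90 days'; None when there is none
    (e.g. 'Never', which for maximum age means passwords do not expire)."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def check_account_policies(text, baseline=BASELINE):
    """Compare an export against the baseline; return one finding per deviation."""
    s = parse_policies(text)
    findings = []
    for name, (kind, limit) in baseline.items():
        v = _number(s.get(name))
        if v is None:
            findings.append(f"{name}: no numeric value (expected {kind} {limit})")
        elif kind == "max" and v > limit:
            findings.append(f"{name}: {v} exceeds baseline {limit}")
        elif kind == "min" and v < limit:
            findings.append(f"{name}: {v} is below baseline {limit}")
    if s.get("account lockout", "").lower() != "yes":
        findings.append("account lockout: not enabled")
    # The program wants accounts locked until an administrator unlocks them.
    if s.get("lockout duration", "").lower() != "forever":
        findings.append("lockout duration: should be forever (until an administrator unlocks)")
    # Forced disconnect when logon hours expire, from the Networking control.
    if s.get("force logoff when logon hours expire", "").lower() != "yes":
        findings.append("force logoff when logon hours expire: not enabled")
    return findings


if __name__ == "__main__":
    for f in check_account_policies(SAMPLE_POLICIES_TXT):
        print("FINDING:", f)
    print("compliant server findings:", check_account_policies(COMPLIANT_POLICIES_TXT))
```

Where a corporate policy exists, pass its values as the baseline argument instead of the industry figures; the comparison direction (at most for ages and lockout thresholds, at least for length, uniqueness and the reset window) is what keeps a stricter setting from being reported as a finding.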
ectives

4 Password Default passwords supplied Application default passwords Change all default
Managem~nt with software packages are widely known and application default
should
be
changed upon typically
initial
targets for passwords upon
installation.
attacks. applications.
installation
of
The
that risk
unauthorized access willbe
obtained is increasedif these
passwords are not changed.

4 Password
Privileged
user
passwords
Distribution
privileged
of Only distribute privileged
M ~ a g e m e n t should
not be widely account
passwords
multiple
to account passwords to users
dis~ibuted. the weakens
users who require this access for
effectiveness of a stringent a legitimate business
password policy and reduces purpose. Each user with a
user accountability. privileged account should
have a unique ID and
password.
4 Password
User-level
overrides
user-level
If ofoverrides of
manage men^ passwordpoliciesshouldnotpasswordpoliciesareallowed, Change Pas5ward and
be enabled for any user there is an increased risk that Password Never
accounts except for service unauthorized accessby users Expires user overrides of
accounts. will be obtained. the default password
policy.

4 Password Management
Control Objective: All new user accounts should be required to change their password on first logon. There should not be generic or predictable passwords used as a new default. Each new account should be created with a unique and difficult to determine password.
Risk: Requiring new users to change their password upon login ensures that the temporary password will not be in use. Additionally, by having users create their own passwords, the chance of their remembering their password is significantly increased.
Control Technique: Require all new user accounts to change their password on first logon.

4 Password Management
Control Objective: Controls should be implemented to ensure the Administrator password is available for emergencies. These passwords should be stored on and off site. They should reside in a physically secure location.
Risk: System administrators should provide a mechanism to obtain the Administrator password in the event of an emergency to reduce the risk of significant downtime.
Control Technique: Write down the Administrator password, place it in a sealed envelope, and keep it in secure locations, on and off site, in the event it is needed in an emergency.
Implementation Techniques: Change the passwords on the appropriate accounts by performing the following steps:
... Properties.

Compliance Assessment Techniques: Verify, with the network administrator and through physical inspection, that default application passwords have been changed in accordance with corporate security standards.

Compliance Verification Techniques: ... and ensure that any default accounts are required to follow default account policies. Also review <servername>.passwd.txt and ensure that these default accounts' password hashes are unique across servers.
Implementation Techniques: Implement a procedure for distributing privileged account passwords to only users who require this access for a legitimate business purpose.

Compliance Assessment Techniques: Review the account password distribution procedure. Verify that privileged account passwords are distributed only to those individuals with a legitimate business need for such access.

Compliance Verification Techniques: Review the account password distribution procedure. Verify that privileged account passwords are distributed only to those individuals with a legitimate business need for such access.

Implementation Techniques: For all servers, disable the user overrides of default password policies by performing the following steps:
1. Open the user account.
2. Verify that the User Cannot Change Password and the Password Never Expires options are not enabled. If they are enabled, they should be unchecked to disable them.
3. Click OK to confirm changes.

Compliance Assessment Techniques: For all users, verify that the user overrides of default password policies have been disabled by performing the following steps:
1. Open User Manager.
2. Double-click on the user account.
3. Verify that the User Cannot Change Password and Password Never Expires options are not checked.
4. Click OK to exit.
5. Repeat for all users.

Compliance Verification Techniques: Review <servername>.users.txt and ensure there are no end user accounts that are allowed to override default account policies.

Implementation Techniques: For all new users added to the PDC, require that they change their password on initial login by performing the following step:
1. When creating a new user with the User Manager utility, ensure the User Must Change Password at Next Logon box is checked.

Compliance Assessment Techniques: Verify, with the network administrator, that the User Must Change Password at Next Logon box is checked when new accounts are created.

Compliance Verification Techniques: Inquire with the company regarding the procedures for creating new user accounts. Determine if the accounts are required to change their password on first logon. Also review the <servername>.users.txt for users who are required to change their password on next logon.

Implementation Techniques: Establish a procedure for keeping the Administrator passwords written down and in a secure location. Establish a second procedure for obtaining the passwords in the event of an emergency.

Compliance Assessment Techniques: Verify, through discussion with the network administrator and inspection of written policies, that a procedure exists for the storage and retrieval of the Administrator password. Verify that this procedure is followed and that the password is stored in a secured location. Ensure that the retrieval process is known to secondary/emergency administrators.

Compliance Verification Techniques: Verify, through discussion with the network administrator and inspection of written policies, that a procedure exists for the storage and retrieval of the Administrator password. Verify that this procedure is followed and that the password is stored in a secured location. Ensure that the retrieval process is known to secondary/emergency administrators.
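The verification techniques for the password controls above all come down to reviewing exported account lists (<servername>.users.txt and <servername>.passwd.txt). The following Python script is an added example and is not part of the book's checklist. It audits constructed exports from two servers for the three conditions the controls name: policy override flags set on accounts other than service accounts, new accounts not forced to change their password at next logon, and an account whose password hash is identical on more than one server. The export format (name|flags|hash), the flag names, the account and server names, the hash values, and the SERVICE_ACCOUNTS and NEW_ACCOUNTS sets are all assumptions; the book does not specify the format the export files take.

```python
"""Audit constructed <servername>.users.txt-style exports against the
password-management controls.  Added example, not the book's own code.
Assumed export format: one account per line, 'name|flags|hash', where flags
is a comma-separated subset of CHANGE_AT_NEXT_LOGON, CANNOT_CHANGE_PASSWORD
and PASSWORD_NEVER_EXPIRES, and hash is an opaque string from the export tool
(it is only ever compared for equality)."""
from collections import defaultdict

OVERRIDE_FLAGS = {"CANNOT_CHANGE_PASSWORD", "PASSWORD_NEVER_EXPIRES"}
SERVICE_ACCOUNTS = {"svc_backup"}        # assumed: the only accounts allowed override flags
NEW_ACCOUNTS = {"newhire", "newhire2"}   # assumed: accounts created since the last audit

# Constructed sample exports for two servers; every name and hash value is made up.
SAMPLE_EXPORTS = {
    "SRV01": """\
# name|flags|hash
Administrator||9f2a9f2a
svc_backup|PASSWORD_NEVER_EXPIRES,CANNOT_CHANGE_PASSWORD|1c441c44
jsmith||77ab77ab
bjones|PASSWORD_NEVER_EXPIRES|e012e012
newhire|CHANGE_AT_NEXT_LOGON|5a5a5a5a
""",
    "SRV02": """\
Administrator||9f2a9f2a
jsmith||91fe91fe
newhire2||6b6b6b6b
""",
}


def parse_users(server, text):
    """Return a list of (server, name, flags, hash) tuples for one server's export."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, flags, pw_hash = (part.strip() for part in line.split("|", 2))
        accounts.append((server, name, frozenset(f for f in flags.split(",") if f), pw_hash))
    return accounts


def find_override_violations(accounts):
    """Control: User Cannot Change Password / Password Never Expires only on service accounts."""
    return sorted((server, name, tuple(sorted(flags & OVERRIDE_FLAGS)))
                  for server, name, flags, _ in accounts
                  if flags & OVERRIDE_FLAGS and name not in SERVICE_ACCOUNTS)


def find_new_accounts_not_forced_to_change(accounts):
    """Control: every new account must have User Must Change Password at Next Logon set."""
    return sorted((server, name) for server, name, flags, _ in accounts
                  if name in NEW_ACCOUNTS and "CHANGE_AT_NEXT_LOGON" not in flags)


def find_shared_hashes(accounts):
    """Control: an account's password hash must be unique across servers.
    Returns {name: [servers]} for every name/hash pair seen on more than one server."""
    seen = defaultdict(set)
    for server, name, _, pw_hash in accounts:
        seen[(name, pw_hash)].add(server)
    return {name: sorted(servers) for (name, _), servers in seen.items() if len(servers) > 1}


def audit(exports):
    """Run all three checks over {server: export_text} and return the findings."""
    accounts = [acct for server, text in exports.items() for acct in parse_users(server, text)]
    return {
        "override_violations": find_override_violations(accounts),
        "new_accounts_not_forced": find_new_accounts_not_forced_to_change(accounts),
        "shared_hashes": find_shared_hashes(accounts),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_EXPORTS).items():
        print(f"{check}: {result}")
```

On the sample data the script reports bjones on SRV01 for the override flag (svc_backup is exempt), newhire2 on SRV02 for the missing next-logon flag, and the Administrator account as sharing one hash across SRV01 and SRV02, which is the condition the verification technique for <servername>.passwd.txt is looking for.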
Domain Controller Security

5 Group Management
Control Objective: The Users local group should only contain the Domain Users global group from the PDC of the Authentication Domain.
Risk: Both the Users local group and the Domain Users global group are built into the system. All domain users are by default members of the Domain Users global group. There is no need to have additional accounts in the Users local group, and doing so increases the risk that a local system resource will be abused.
Control Technique: Add the Domain Users global group to the Users local group.

5 Group Management
Control Objective: All user accounts, with the exception of the built-in accounts of Guest and Administrator, should be in global groups only. Global groups should be assigned to local groups. The renamed Administrator account should be the only user account in the Administrators local group.
Risk: Having all user accounts contained within global groups increases network security by simplifying administration. User accounts should never appear in local groups or have Access Control Lists (ACLs) with any object.
Control Technique: Remove all user accounts from local groups and move them to a respective global group. The renamed Administrator account should be the only user account in the Administrators local group.
Implementation Techniques: Add the Domain Users global group to the Users local group by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the User pulldown menu.
3. Enter the server name into the Domain box.
4. Click OK.
5. Double-click on the Users Local Group.
6. Domain Users should be present.
7. If Domain Users is not present, click the Add button.
8. Select the Authentication Domain in the List Names From: box.
9. Highlight the Domain Users global group.
10. Click the Add button.
11. Click OK to confirm the changes.
12. Click OK to close the Local Group Properties box.
13. Close User Manager.

Compliance Assessment Techniques: Verify that the Domain Users global group is listed in the Users local group by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the User pulldown menu.
3. Enter the server or workstation name into the Domain box.
4. Click OK.
5. Double-click on the Users Local Group.
6. Verify that Domain Users is present as a member of Users.
7. Click Cancel to close.
8. Close User Manager.

Compliance Verification Techniques: Review <servername>.groups.txt and ensure the only end user accounts in the Users local group are those accounts contained within the Domain Users global group from the Authentication Domain.

Implementation Techniques: Remove all user accounts from local groups and move them to a respective global group by performing the following steps:
1. Open User Manager.
2. Double-click on the appropriate Local Group.
3. Domain users should not be present.
4. If Domain Users is not present, click the Add button.
5. Select the Authentication Domain in the List Names From: box.
6. Highlight the Domain Users global group.
7. Click the Add button.
8. Click OK to confirm the changes.
9. Click OK to close the Local Group Properties box.
10. Close User Manager.

Compliance Assessment Techniques: Ensure that all user accounts are members only of global groups by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the User pulldown menu.
3. Enter the server or workstation name into the Domain box.
4. Click OK.
5. Double-click on the Users Local Group.
6. Domain users should be present.
7. Click Cancel to close.
8. Close User Manager.

Compliance Verification Techniques: Review <servername>.groups.txt and ensure that all end user accounts assigned to local groups are done so by the use of global groups.
5 Group Management
Control Objective: User accounts should be logically grouped through the use of global groups in the Authentication Domain. Users should be grouped according to similar job functions, department, or access requirements.
Risk: Global groups simplify network administration by containing logical groups of users.
Control Technique: Create global groups in the Authentication Domain and add all applicable user accounts to these groups.

5 Group Management
Control Objective: Naming conventions should be established and followed for all global and local groups. Global groups should have different naming standards than local groups.
Risk: Global group names, which can be easily identified, simplify network administration. This increases security because nonstandard groups can easily be identified. Groups should be named in such a fashion that the type of group, group purpose, and/or department could be identified.
Control Technique: Name all local and global groups in accordance with established naming conventions.

5 Group Management
Control Objective: Each group should have a description provided by the application or business manager.
Risk: Requiring all groups to have descriptions minimizes the possibility that extraneous, unneeded groups will be created. Such a group could bypass system administration and be used for unauthorized activities.
Control Technique: Add an applicable and informative description for all groups.
Implementation Techniques: Create global groups according to corporate policy and access needs and add all applicable user accounts to these groups.

Compliance Assessment Techniques: Verify, through discussion with the network administrator and review of written policies, that global groups have been created and are utilized in accordance with corporate policy. Ensure compliance with said policies through physical inspection via User Manager.

Compliance Verification Techniques: Inquire with the company regarding procedures for granting users access to resources. Ensure that these procedures require administrators to add end user accounts to global groups (in the Authentication Domain), global groups to local groups, and local groups to resource permissions.

Implementation Techniques: Name all groups in accordance with established naming conventions.

Compliance Assessment Techniques: Verify, through discussion with the network administrator and review of written policies, that all groups are named in accordance with corporate policy. Ensure compliance with said policies through physical inspection via User Manager. Note whether the naming conventions distinguish between local and global groups and provide for the ability to identify employee, vendor, and temporary groups.

Compliance Verification Techniques: Obtain a copy of the company's group naming conventions and ensure that they are enforced on all local and global groups by examining the <servername>.groups.txt. Note whether the naming conventions distinguish between local and global groups and provide for the ability to identify employee, vendor, and temporary groups.
Implementation Techniques: For all servers, provide an applicable and informative description for all local groups by performing the following steps:
1. Using User Manager, open the appropriate Local Group.
2. Enter an applicable and informative description in the Description box.
3. Click OK to confirm the changes.

Compliance Assessment Techniques: Verify that all servers have an applicable and informative description for all local groups by performing the following steps:
1. Open User Manager.
2. Double-click on the Local Group name.
3. Verify that an applicable and informative description exists in the Description box.
4. Click OK to exit.
5. Repeat for each local group.

Compliance Verification Techniques: ... and ensure that all groups have an applicable and informative description.
5 Group Management
Control Objective: The Backup Operators, Server Operators, Account Operators, and Print Operators local groups should only contain global groups that are authorized for this purpose.
Risk: The Backup Operators, Server Operators, Account Operators, and Print Operators local groups have several privileges associated with them, such as the ability to log on to systems interactively. Therefore, caution should be exercised when adding users to these built-in groups. Having only global groups as members of these groups helps to ensure that the groups will be properly restricted.
Control Technique: Add the authorized global groups to the Backup Operators, Server Operators, Account Operators, and Print Operators local groups on each server in the Authentication and Resource Domain and any workstations in the network environment.

5 Group Management
Control Objective: The special group Everyone should not be used. Using specialized groups will allow the Administrator to have better control over files and directories. Note: Certain applications, as well as the Windows NT system directory, will not function without the Everyone group in the ACL. This is more appropriate for data directories.
Risk: Using the special group Everyone is very broad and could inadvertently allow an intruder to gain access to system resources. If more broad group naming is required, the Authenticated Users group may be used as a substitute for Everyone.
Control Technique: Replace references to the special group Everyone with Domain Users or Domain application groups. Note: Certain applications, as well as the Windows NT system directory, will not function without the Everyone group in the ACL. This is more appropriate for data directories.
Implementation Techniques: Add the authorized global groups to the Backup Operators, Server Operators, Account Operators, and Print Operators local groups on each server in the Authentication and Resource Domain and any workstations in the network environment by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the User pulldown menu.
3. Enter the server name in the Domain box.
4. Double-click on the Backup Operators local group.
5. ...
6. Select the authorized global groups.
7. ...
8. Click the OK button.
9. Repeat steps 4-8 for the Server Operators group.
10. Close User Manager.

Compliance Assessment Techniques: Verify that the authorized global groups are members of the Backup Operators, Server Operators, Account Operators, and Print Operators local groups on each server in the Authentication and Resource Domain and any workstations in the network environment by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the User pulldown menu.
3. Enter the server name in the Domain box.
4. Double-click on the Backup Operators local group.
5. Verify that only authorized global groups are listed.
6. Click the Cancel button.
7. Repeat steps 4-6 for the Server Operators group.
8. Close User Manager.

Compliance Verification Techniques: Review the <servername>.groups.txt and ensure that only authorized users are members of these groups.

Implementation Techniques: Restrict default group access to application and system files and directories by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the file or directory to set the security permissions and select the Properties option.
3. Click the Permissions button of the Security tab.
4. Select the Replace Permissions on Subdirectories and the Replace Permissions on Existing Files check boxes as appropriate. The Replace Permissions on Subdirectories will place the security permissions that you select on all files and subdirectories under the selected directory, while the Replace Permissions on Existing Files will ensure that all files contained in the directory have the selected security permissions.
5. If a group has access that you want to remove, do so by highlighting the applicable group and clicking the Remove button. The special group Everyone's permissions should be removed from all files and directories on the system. If all users require this access, it should be granted to the Users Local Group.
6. Click the Add button to include the applicable groups to be granted permissions. When you have selected all the applicable groups, click OK.
7. Grant the Type of Access for each group by highlighting the applicable group. These permissions should be set in accordance with corporate system standards.
8. Click the OK button to confirm these changes.
9. After the security permissions have been changed, click the OK button to close the file and directories properties window.
Note: Certain applications, as well as the Windows NT system directory, will not function without the Everyone group in the ACL. This is more appropriate for data directories.

Compliance Assessment Techniques: Verify, with the network administrator, that the special group Everyone has been replaced with Domain Users or Domain application groups. If more broad group naming is required, the Authenticated Users group may be used as a substitute for Everyone.

Compliance Verification Techniques: Review <servername>.perms<drive letter>.txt and ensure that the special group Everyone is not allowed access to any files on the system.

5 Group Management
Control Objective: Other than the built-in global groups, no global groups should exist outside of the authentication domains.
Risk: Global groups simplify network administration by containing logical groups of users. There is no need to create global groups on the resource domains. Doing so only decreases the ability of the network manager to effectively manage the network.
Control Technique: Delete all global groups (other than the default global groups) contained in resource domains and re-create them in the Authentication Domain.

Implementation Techniques: Delete all global groups (other than the default global groups) contained in resource domains and re-create them in the Authentication Domain.

Compliance Assessment Techniques: Verify, through discussion with the network administrator and physical inspection, that no global groups exist in resource domains.

Compliance Verification Techniques: Review the <servername>.groups.txt and ensure no global groups exist in nonauthentication domains.
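The group-management controls above (the Users local group holding only the Domain Users global group, user accounts placed in global groups only, the operator groups restricted to authorized global groups, and no global groups outside the Authentication Domain) can all be checked from a single export of group memberships such as the <servername>.groups.txt the verification techniques refer to. The following Python script is an added example and is not the book's own code. It audits a constructed export in an assumed format, where members are tagged U: for user accounts and G: for global groups. The Authentication Domain name AUTH, the renamed Administrator account ntadmin, the AUTHORIZED_OPERATOR_MEMBERS set, and every group and user name in the sample are assumptions.

```python
"""Audit a <servername>.groups.txt export against the group-management
controls.  Added example, not the book's own code.  Assumed export format:
one group per line, 'LOCAL <name>: members' or 'GLOBAL <DOMAIN\\name>: members',
members comma-separated and tagged U: (user account) or G: (global group)."""

AUTH_DOMAIN = "AUTH"            # assumed name of the Authentication Domain
RENAMED_ADMIN = "ntadmin"       # assumed name of the renamed built-in Administrator account
DOMAIN_USERS = f"{AUTH_DOMAIN}\\Domain Users"
OPERATOR_GROUPS = {"Backup Operators", "Server Operators", "Account Operators", "Print Operators"}
# Assumed: the global groups authorized to be members of the operator groups.
AUTHORIZED_OPERATOR_MEMBERS = {f"{AUTH_DOMAIN}\\Backup Staff", f"{AUTH_DOMAIN}\\Server Admins",
                               f"{AUTH_DOMAIN}\\Helpdesk"}

# Constructed sample export; every group and account name in it is made up.
SAMPLE_GROUPS = """\
# scope name: members
LOCAL Users: G:AUTH\\Domain Users, U:tlee
LOCAL Administrators: U:ntadmin
LOCAL Backup Operators: G:AUTH\\Backup Staff
LOCAL Server Operators: G:AUTH\\Server Admins, U:jsmith
LOCAL Account Operators: G:RES\\Helpdesk
LOCAL Print Operators:
LOCAL Power Users: U:bjones
GLOBAL AUTH\\Backup Staff: U:tlee, U:kpatel
GLOBAL RES\\Helpdesk: U:kpatel
"""


def parse_groups(text):
    """Return {(scope, group_name): [(tag, member), ...]}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, sep, members = line.partition(":")
        scope, _, name = head.partition(" ")
        if not sep or scope not in ("LOCAL", "GLOBAL") or not name:
            raise ValueError(f"unparseable group line: {line!r}")
        entries = []
        for member in members.split(","):
            member = member.strip()
            if member:
                tag, _, who = member.partition(":")
                entries.append((tag, who))
        groups[(scope, name)] = entries
    return groups


def audit_groups(text):
    """Return sorted (control, group, member) findings for the four controls."""
    findings = []
    for (scope, name), members in parse_groups(text).items():
        if scope == "GLOBAL":
            # Control: no global groups outside the Authentication Domain.
            if name.split("\\", 1)[0] != AUTH_DOMAIN:
                findings.append(("global-group-outside-auth-domain", name, ""))
            continue
        # Control: the Users local group holds the Domain Users global group and nothing else.
        if name == "Users" and ("G", DOMAIN_USERS) not in members:
            findings.append(("users-local-group-missing-domain-users", name, DOMAIN_USERS))
        for tag, who in members:
            if name == "Users" and (tag, who) != ("G", DOMAIN_USERS):
                findings.append(("users-local-group-extra-member", name, who))
            # Control: user accounts belong in global groups only; the one exception is
            # the renamed Administrator account in the Administrators local group.
            if tag == "U" and not (name == "Administrators" and who == RENAMED_ADMIN):
                findings.append(("user-account-in-local-group", name, who))
            # Control: operator groups contain only authorized global groups.
            if name in OPERATOR_GROUPS and not (tag == "G" and who in AUTHORIZED_OPERATOR_MEMBERS):
                findings.append(("unauthorized-operator-member", name, who))
    return sorted(findings)


if __name__ == "__main__":
    for control, group, member in audit_groups(SAMPLE_GROUPS):
        print(f"{control:40} {group:20} {member}")
```

Each finding names the control, the group, and the offending member, so one run of the script against the sample surfaces the user account tlee sitting directly in Users, jsmith in Server Operators, bjones in Power Users, the unauthorized RES\Helpdesk membership in Account Operators, and the RES\Helpdesk global group existing outside the Authentication Domain.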

5 Group Management
Control Objective: Access Control Lists (ACLs) for files and directories should only specify local groups as having access. ACLs should not specify individual user accounts or global groups as being granted or revoked access.
Risk: In Windows NT, only local groups should be granted rights to resources. All users should be placed in global groups, and global groups should be placed in local groups. This ensures that the environment has a structured method of administration and decreases the possibility that users will be granted excessive rights.
Control Technique: Utilize local groups to grant permissions to files and directories.
6 File System Access and Management
Control Objective: The Windows NT File System (NTFS) should be used on all partitions. Additionally, there should be no unformatted space on the drive.
Risk: NTFS associates permissions with each file and directory. Using these permissions, different levels of access can be granted or denied to different groups of users. Under NT, file access is based solely on file permissions.
Control Technique: All File Allocation Table (FAT) or High Performance File System (HPFS) partitions should be converted to the Windows NT file system (NTFS). HPFS is not supported under Windows NT 4.0. Any file systems in that format would have to be converted during the 3.51 to 4.0 upgrade.
6 File System Access and Management
Control Objective: Application and system directories should not allow Write, Delete, Change Permissions, or Take Ownership to users. The built-in special group should have no permissions.
Risk: Granting excessive permissions to applications could lead to their abuse or deletion.
Control Technique: Set the default permissions for users to be as restrictive as possible on application directories. Remove all permissions for the built-in special group of Everyone. If these types of permissions are needed, create new groups that contain the appropriate users and have the required permissions.

6 File System Access and Management
Control Objective: Data files should be stored in segregated directories external to the application and system directories, possibly in the data owners' home directories, or the application-specific data directory.
Risk: Data files should be placed in separate directories to help prevent the changing of directory permission levels that may accidentally flow down to executable program files. It is also good practice to separate data from application files in order to grant the appropriate level of security for each type of file.
Control Technique: Separate application files from data files.
Implementation Techniques: Implement a procedure to utilize local groups for granting permissions to files and directories.

Compliance Assessment Techniques: Verify that a procedure exists to ensure that permissions for files and directories are only granted to local groups. Make certain, through discussion with the system administrator, that this procedure is followed.

Compliance Verification Techniques: ... <drive letter>.txt and ensure that only local groups are granted access to files and directories.

Implementation Techniques: Open Disk Administrator and view the partition information and file system for all drives. Issue the following command to convert the FAT partitions to NTFS. At the command prompt, enter the following command: ...

Compliance Assessment Techniques: Verify that the NTFS file system is being used and that there is no unformatted or nonpartitioned space by performing the following steps:
1. Open Disk Administrator.
2. View the partition information and file system for all drives.

Compliance Verification Techniques: Review the <servername>. ... <drive letter>.txt and ensure that drives reviewed use the NTFS file system and that there is no unformatted or nonpartitioned space.

Implementation Techniques: Implement a procedure to set default permissions for users to be as restrictive as possible on application directories and to remove all permissions for the built-in special group Everyone. If these types of permissions are needed, create new groups that contain the appropriate users and have required permissions.

Compliance Assessment Techniques: Determine, with the network administrator, the appropriate (most restrictive) level of permissions for application and system directories. Verify that this level of access is granted. Ensure that the special group Everyone has no file system permissions. Under certain circumstances, ensure that new groups are created to manage relaxed permissions.

Compliance Verification Techniques: Determine, with the network administrator, the appropriate (most restrictive) level of permissions for application and system directories. Verify that this level of access is granted by reviewing ... ensuring that end users are not allowed excessive permissions to application files and directories. Under certain circumstances, ensure that new groups are created to manage relaxed permissions.
Implementation Techniques: Implement a procedure to place data files in separate directories from the application and system directories.

Compliance Assessment Techniques: Verify that a procedure exists to ensure that application and data files are segregated. Ensure, through physical inspection, that application files and data files are located in separate directories or on separate drives.

Compliance Verification Techniques: Verify that a procedure exists to ensure that application and data files are segregated. Ensure, through physical inspection, that application files and data files are located in separate directories or on separate drives.
6 File System Access and Management
Control Objective: Certain directories that contain sensitive Windows NT system files should be secured (these directories are listed in the implementation checklist).
Risk: If unauthorized users gain access to sensitive system files, they could execute a Trojan horse or create a denial of service on the PDC.
Control Technique: Restrict access to sensitive Windows NT directories (listed in the implementation checklist).
Implementation Techniques: Restrict access to the following directories by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the file or directory to set the security permissions and select the Properties option.
3. Click the Permissions button of the Security tab.
4. Select the Replace Permissions on Subdirectories and the Replace Permissions on Existing Files check boxes as appropriate. The Replace Permissions on Subdirectories will place the security permissions that you select on all files and subdirectories under the selected directory, while the Replace Permissions on Existing Files will ensure that all files contained in the directory have the selected security permissions.
5. Click the OK button to confirm these changes.
6. After the security permissions have been changed, click the OK button to close the file and directories properties window.

The following directories should be secured:
C:\
C:\winnt\
C:\winnt\system32\

The following permissions should be set:
Administrators      Full Control
Server Operators    Change
Everyone            Read
Creator/Owner       Full Control
System              Full Control

Compliance Assessment Techniques: Verify that permissions on the following directories comply with the recommendations by performing the following steps:
1. Right-click on the directory in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Permissions button.
5. Compare the current permissions to the recommendations.
6. Repeat for all listed directories.

Directories: C:\, C:\winnt\, C:\winnt\system32\
Recommended Permissions: Administrators Full Control; Server Operators Change; Everyone Read; Creator/Owner Full Control; System Full Control.

Compliance Verification Techniques:
Directories: C:\, C:\winnt\, C:\winnt\system32\, C:\winnt\system32\drivers
Recommended Permissions: Administrators Full Control; Server Operators Change; Everyone Read; Creator/Owner Full Control; System Full Control.
6 File System Access and Management
Control Objective: The c:\winnt\system32\config directory contains the SAM, audit files, and other registry files. These should be secured from unauthorized use.
Risk: If unauthorized users gain access to this directory, they could view the audit files or attempt to get access to the SAM if they crash the server.
Control Technique: Restrict access to the c:\winnt\system32\config directory to prevent unauthorized access.
Implementation Techniques: Restrict access to c:\winnt\system32\config by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the file or directory to set the security permissions and select the Properties option.
3. Click the Permissions button of the Security tab.
4. Select the Replace Permissions on Subdirectories and the Replace Permissions on Existing Files check boxes as appropriate. The Replace Permissions on Subdirectories will place the security permissions that you select on all files and subdirectories under the selected directory, while the Replace Permissions on Existing Files will ensure that all files contained in the directory have the selected security permissions.
5. Click the OK button to confirm these changes.
6. After the security permissions have been changed, click the OK button to close the file and directories properties window.

The following permissions should be set:
Administrators      Full Control
Everyone            List
Creator/Owner       Full Control
System              Full Control

Compliance Assessment Techniques: Verify that permissions on the following directory comply with the recommendations by performing the following steps:
1. Right-click on the directory in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Permissions button.
5. Compare the current permissions to the recommendations.
6. Repeat for all listed directories.

Directory: C:\winnt\system32\config
Recommended Permissions: Administrators Full Control; Everyone List; Creator/Owner Full Control; System Full Control.

Compliance Verification Techniques: Review the <servername>.perms<system drive letter>.txt and ensure the following permissions are in place for:
Directory: C:\winnt\system32\config
Recommended Permissions: Administrators Full Control; Everyone List; Creator/Owner Full Control; System Full Control.
6 File System Access and Management
Control Objective: The c:\winnt\system32\spool directory contains the printer drivers and files. These should be secured from unauthorized use.
Risk: If unauthorized users gain access to this directory, they could gain access to printer settings and drivers.
Control Technique: Restrict access to the c:\winnt\system32\spool directory to prevent unauthorized access.

6 File System Access and Management
Control Objective: The replication directories contain login scripts, policies, and other user-sensitive data that is replicated among servers. These should be secured from unauthorized use.
Risk: If unauthorized users gain access to these directories, they could gain access to user data, policies, and login scripts. That type of information could contain password information or be replaced with Trojan horses.
Control Technique: Restrict access to the replication directories so that only authorized users have access.
Implementation Techniques: Restrict access to c:\winnt\system32\spool by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the file or directory to set the security permissions and select the Properties option.
3. Click the Permissions button of the Security tab.
4. Select the Replace Permissions on Subdirectories and the Replace Permissions on Existing Files check boxes as appropriate. The Replace Permissions on Subdirectories will place the security permissions that you select on all files and subdirectories under the selected directory, while the Replace Permissions on Existing Files will ensure that all files contained in the directory have the selected security permissions.
5. Click the OK button to confirm these changes.
6. After the security permissions have been changed, click the OK button to close the file and directories properties window.

The following permissions should be set:
Administrators      Full Control
Print Operators     Full Control
Everyone            Read
Creator/Owner       Full Control
System              Full Control

Compliance Assessment Techniques: Verify that permissions on the following directory comply with the recommendation by performing the following steps:
1. Right-click on the directory in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Permissions button.
5. Compare the current permissions to the recommendations.
6. Repeat for all listed directories.

Directory: C:\winnt\system32\spool
Recommended Permissions: Administrators Full Control; Print Operators Full Control; Everyone Read; Creator/Owner Full Control; System Full Control.

Compliance Verification Techniques: Review the <servername>.perms<system drive letter>.txt and ensure the following permissions are in place for:
Directory: C:\winnt\system32\spool
Recommended Permissions: Administrators Full Control; Print Operators Full Control; Everyone Read; Creator/Owner Full Control; System Full Control.

Implementation Techniques: Restrict access to the replication directories by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the file or directory to set the security permissions and select the Properties option.
3. Click the Permissions button of the Security tab.
4. Select the Replace Permissions on Subdirectories and the Replace Permissions on Existing Files check boxes as appropriate. The Replace Permissions on Subdirectories will place the security permissions that you select on all files and subdirectories under the selected directory, while the Replace Permissions on Existing Files will ensure that all files contained in the directory have the selected security permissions.
5. Click the OK button to confirm these changes.
6. After the security permissions have been changed, click the OK button to close the file and directories properties window.

The following directory permissions should be set:

C:\winnt\system32\repl
Administrators      Full Control
Server Operators    Full Control
Everyone            Read
Creator/Owner       Full Control
System              Full Control

C:\winnt\system32\repl\import
Administrators      Full Control
Server Operators    Change
Everyone            Read
Creator/Owner       Full Control
Replicator          Change
Network             No Access
System              Full Control

C:\winnt\system32\repl\export
Administrators      Full Control
Server Operators    Change
Creator/Owner       Full Control
Replicator          Read
System              Full Control

Compliance Assessment Techniques: Verify that permissions on the following directories comply with the recommendations by performing the following steps:
1. Right-click on the directory in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Permissions button.
5. Compare the current permissions to the recommendations.
6. Repeat for all listed directories.

Directories and Recommended Permissions: C:\winnt\system32\repl, C:\winnt\system32\repl\import, and C:\winnt\system32\repl\export, with the permissions listed under Implementation Techniques.

Compliance Verification Techniques: Review the <servername>.perms<system drive letter>.txt and ensure the permissions listed under Implementation Techniques are in place for C:\winnt\system32\repl, C:\winnt\system32\repl\import, and C:\winnt\system32\repl\export.
6 File System Access and Management
Control Objective: The c:\winnt\repair directory contains a backup copy of the SAM and needs to be protected against unauthorized access.
Risk: If unauthorized users gain access to a backup copy of the SAM, they can run a password cracker and possibly guess user passwords.
Control Technique: Restrict access to the c:\winnt\repair directory so that only authorized users have access.

6 File
System The default system shares Windows NT creates special Document the default
Access and for tile systems shouldbe ad~n~strative-level shares by shares and their
Mana~ement disabled and re-created default thathave preset directories.
under standard share security levels. These shares
security. The default admin provideaccess to therootDisablethem pe~anently
level shares are:C$, D$. .. level of each NI'drive and the if they are not required.
and Admin$. NT system root directory.
Re-create new shares to
those directoriesif needed
with appropriate
permissions.
"

es

Implementation Techniques:
Restrict access to C:\winnt\repair by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the file or directory and select the Properties option.
3. Click the Permissions button of the Security tab.
4. Select the Replace Permissions on Subdirectories and the Replace Permissions on Existing Files check boxes as appropriate. Replace Permissions on Subdirectories will place the security permissions that you select on all files and subdirectories under the selected directory, while Replace Permissions on Existing Files will ensure that all files contained in the directory have the selected security permissions.
5. Click the OK button to confirm these changes.
6. After the security permissions have been changed, click the OK button to close the file and directories properties window.

The following permissions should be set:
Directory: C:\winnt\repair
Recommended Permissions:
  Administrators: Change

Compliance Assessment Techniques:
Verify that permissions on the following directory comply with the recommendations by performing the following steps:
1. Right-click on the directory in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Permissions button.
5. Compare the current permissions to the recommendations.
6. Repeat for all listed directories.

Directory: C:\winnt\repair
Recommended Permissions:
  Administrators: Change

Compliance Verification Techniques:
Review the <servername>.perms <system drive letter>.txt file and ensure the following permissions are in place:
Directory: C:\winnt\repair
Recommended Permissions:
  Administrators: Change

Implementation Techniques:
Disable the shares in the registry by performing the following steps:
2. Select the key under ...\Services\LanmanServer.
5. Change the value to 0.
6. Click OK.
Create new shares to these points if necessary.

Compliance Assessment Techniques:
Verify the existence of the default shares by checking the Shares button under the Server Manager. If none exist, verify the registry key by checking the value under ...\Services\LanmanServer. The value should be 0.

Compliance Verification Techniques:
Review <servername>.shares.txt to ensure only authorized users are allowed access to the shares.
Domain Controller Security

No. 7  Category: Sensitive System Privileges and Utilities
Control Objective: Permissions on shares must not allow Write, Delete, Change Permissions, or Take Ownership to the special group Everyone. Permissions on shares should be equivalent to the permissions on files within the share.
Risk: Shares allow users to access resources remotely on the network. Consequently, care should be taken when granting share rights. In particular, the default system groups should not be granted permissions that would allow members of these groups to abuse the system.
Control Technique: Set the default permissions for the default group Users in accordance with permissions set on the files within the share. The built-in special group Everyone's access should be removed on all share permissions.

Implementation Techniques:
Restrict share permissions by performing the following steps:
1. Using the Server Manager, highlight the applicable server and select the Shared Directories option under the Computer menu.
2. Highlight the share and view its properties by selecting the Properties button.
3. Click on the Permissions button to view the users who have access to this share via the network.
4. Click the Add button to include the applicable groups to be granted access to this share and select the groups you wish to grant access to. When you have selected all the applicable groups, click the OK button to confirm these additions.
5. Grant the Type of Access for each group by highlighting the applicable group and selecting the access from the Type of Access box. These permissions should be set in accordance with corporate system standards.
6. If the special group Everyone has access to the share, this access should be removed by highlighting the member and clicking the Remove button.
7. Click the OK button and then the Yes button to confirm these changes.

Compliance Assessment Techniques:
Verify that share permissions are properly restricted by performing the following steps:
1. Open Server Manager.
2. Highlight the applicable server and select the Shared Directories option under the Computer menu.
3. Highlight the share and view its properties by clicking the Properties button.
4. Click on the Permissions button to view the users who have access to this share via the network.
5. Verify that only appropriate groups have been granted access to this share. Verify that the special group Everyone does not have access.
6. Click the Cancel button to close.
7. Repeat for all shares.
8. Close Server Manager.

Compliance Verification Techniques:
Review <servername>.shares.txt to ensure only authorized users are allowed access to the shares. Permissions should only be granted to groups. The special group Everyone should not be allowed access to the share.
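The verification columns above (the directory permissions for C:\winnt\repair and the replication directories, and the share permissions that must exclude Everyone) both come down to comparing an exported permission dump against a recommended ACL. The following checker is an added example, not from the book; the book never specifies the layout of its <servername>.perms and <servername>.shares files, so the "Object:" / "trustee: access" format, the sample dumps and the share names are constructed assumptions.

```python
"""Compare exported NTFS directory and share permissions with the checklist.

Added example, not part of the book.  The dump format (an "Object: <name>"
header followed by indented "<trustee>: <access>" lines) is an assumption.
"""
from __future__ import annotations

# Recommended directory permissions, as listed in the checklist rows.
RECOMMENDED = {
    r"C:\winnt\repair": {"Administrators": "Change"},
    r"C:\winnt\system32\repl\import": {
        "Administrators": "Full Control", "Creator/Owner": "Full Control",
        "Everyone": "Read", "Network": "No Access", "Replicator": "Change",
        "Server Operators": "Change", "System": "Full Control",
    },
}

# Share access types that include Write/Delete (Change) and additionally
# Change Permissions/Take Ownership (Full Control).
WRITE_CAPABLE = {"Change", "Full Control"}

# Constructed sample of a <servername>.perms-style export.
PERMS_DUMP = """\
Object: C:\\winnt\\repair
  Administrators: Change
  Everyone: Read
Object: C:\\winnt\\system32\\repl\\import
  Administrators: Full Control
  Creator/Owner: Full Control
  Everyone: Read
  Network: No Access
  Replicator: Change
  Server Operators: Change
  System: Full Control
"""

# Constructed sample of a <servername>.shares-style export.
SHARES_DUMP = """\
Object: NETLOGON
  Administrators: Full Control
  Everyone: Read
Object: PAYROLL
  Everyone: Full Control
  Accounting: Change
"""


def parse_dump(text: str) -> dict[str, dict[str, str]]:
    """Parse the assumed dump format into {object: {trustee: access}}."""
    acls: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Object:"):
            current = line.split(":", 1)[1].strip()   # path may contain ':'
            acls[current] = {}
        elif current is not None and ":" in line:
            trustee, access = (p.strip() for p in line.rsplit(":", 1))
            acls[current][trustee] = access
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return acls


def compare_acl(actual: dict[str, str], recommended: dict[str, str]) -> list[str]:
    """Findings: trustees missing, with the wrong access type, or not in the
    recommendation at all (the checklist allows no other permissions)."""
    findings = []
    for trustee, access in recommended.items():
        if trustee not in actual:
            findings.append(f"missing {trustee}: {access}")
        elif actual[trustee] != access:
            findings.append(f"{trustee} has {actual[trustee]}, expected {access}")
    for trustee, access in actual.items():
        if trustee not in recommended:
            findings.append(f"unexpected {trustee}: {access}")
    return findings


def check_directories(dump: str, recommended=RECOMMENDED) -> dict[str, list[str]]:
    """Compare every recommended directory against the export (case-insensitive paths)."""
    acls = {path.lower(): acl for path, acl in parse_dump(dump).items()}
    report = {}
    for path, rec in recommended.items():
        acl = acls.get(path.lower())
        report[path] = ["directory not in dump"] if acl is None else compare_acl(acl, rec)
    return report


def check_shares(dump: str) -> dict[str, list[str]]:
    """Flag any share on which the special group Everyone appears, marking the
    entry write-capable when its access type is Change or Full Control."""
    report = {}
    for share, acl in parse_dump(dump).items():
        findings = []
        for trustee, access in acl.items():
            if trustee.lower() == "everyone":
                level = "write-capable" if access in WRITE_CAPABLE else "read-only"
                findings.append(f"Everyone: {access} ({level}; remove)")
        report[share] = findings
    return report


if __name__ == "__main__":
    for name, findings in {**check_directories(PERMS_DUMP), **check_shares(SHARES_DUMP)}.items():
        print(name, "->", findings or "compliant")
```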
No. 7  Category: Sensitive System Privileges and Utilities
Control Objective: Access to sensitive system utilities should be removed from all users who do not require this access for a legitimate business use.
Risk: If user accounts are granted access to potentially sensitive utilities, there is an increased risk that the user may gain information that could be used to compromise the security of the domain or perform actions that may affect the security and productivity of the domain.
Control Technique: Remove user access to sensitive system utilities from users who do not require this access for a legitimate business use.

No. 8  Category: Maintenance and Operations
Control Objective: If standard user profiles are used they should be maintained on the PDC.
Risk: If standard profiles are utilized they should reside on the PDC, where their access can be controlled and changes can be monitored. Having standard user profiles on local systems can easily lead to their modification and/or abuse.
Control Technique: Move all standard user profiles, if implemented, to the PDC in the Authentication Domain.

Implementation Techniques:
For all servers, disable the ability for normal users to access sensitive system utilities by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the utility to be restricted and select the Properties option.
4. Click the Add button to include the applicable groups to be granted security permissions.
5. Select the groups you wish to add to the security permissions. When you have selected all the applicable groups, click the OK button to confirm these additions.
6. Grant the Type of Access for each group by highlighting the applicable group. These permissions should be set in accordance with corporate system standards.
7. If the special group Everyone or the group Users have permissions to the utility, they should be removed.
8. Click the OK button to confirm these changes.
9. After the security permissions have been changed, click the OK button to close the file properties windows.

Sensitive utilities include:
  Poledit.exe
  User Manager for Domains
  Server Manager
  Resource kit utilities
  Auditing tools

Compliance Assessment Techniques:
Verify, through discussion with the network administrator and physical inspection, that sensitive system utilities are properly restricted.

Compliance Verification Techniques:
Ensure the sensitive system utilities are properly protected.

Implementation Techniques:
Move all standard user profiles, if implemented, to the PDC in the authentication domain.

Compliance Assessment Techniques:
If standard profiles are used, verify, through discussion with the network administrator and physical inspection, that all such profiles reside in the Authentication Domain and obtain the applicable policies and procedures.

Compliance Verification Techniques:
If standard profiles are used, verify, through discussion with the network administrator and physical inspection, that all such profiles reside in the Authentication Domain and obtain the applicable policies and procedures.

No. 8  Category: Maintenance and Operations
Control Objective: Windows NT's screen saver should be enabled with the password protection feature turned on. When not being used, accounts should be logged off from the system console.
Risk: Enabling the Windows NT screen saver with the password protection minimizes the chances that unattended servers and workstations will be broken into.
Control Technique: Enable the Windows NT screen saver with the password protection feature active.

No. 9  Category: Fault Tolerance, Backup and Recovery
Control Objective: A disaster recovery plan should be set in accordance with corporate security standards and guidelines.
Risk: Without a properly configured and tested disaster recovery plan, the system is open to extended downtime.
Control Technique: Establish a proper backup rotation plan in accordance with company policy. The registry must be backed up using a third-party backup tool or the regback utility from the resource kit. Backups should be cycled through an off-site storage location along with the copies of the emergency repair disks.

No. 9  Category: Fault Tolerance, Backup and Recovery
Control Objective: An uninterrupted power supply must be used with all Windows NT PDCs. This will provide power for the system to be shut down in the event of power loss or degradation.
Risk: Not using a UPS will make the system more open to corruption and will increase the risk of losing user data in the event of a power loss.
Control Technique: An uninterruptible power supply that is fully compatible with Windows NT should be used. Using a Windows NT-compatible UPS will allow for a graceful shutdown of the Windows NT system, minimizing the amount of system file corruption and data loss.

No. 10  Category: Physical Access
Control Objective: Two copies of the Emergency Repair Disk should be made with each placed in a physically secure location.
Risk: The Emergency Repair Disk contains critical information referencing users and system details. This information could be detrimental if an unauthorized user obtained it. Two copies of the disk should be made: one for on-site storage and one for off-site storage. Both copies should be located in physically secure areas.
Control Technique: Create two copies of all critical Windows NT systems' Emergency Repair Disk. Store one copy on site and another at a secure remote location.

Implementation Techniques:
Enable the native Windows NT screen saver by performing the following steps:
1. Right-click on any blank area of the desktop.
2. Select the Properties option.
3. Select the Screen Saver tab of the Display Properties box.
4. Select a screen saver from the pulldown box.
5. Click on the Password Protected check box and set an appropriate time to enable the security feature of the screen saver.
6. Click OK to close the Display Properties box.

Compliance Assessment Techniques:
Verify that policies exist to mandate that password-protected screen savers are enabled on all machines. Attempt to disable the screen saver on a randomly selected machine and the PDC by moving the mouse or pressing a key on the keyboard. Verify that you are prompted for a password.

Compliance Verification Techniques:
Review the <servername> ....txt export and ensure the values ScreenSaverActive and [second value illegible in the source] are set to 1.

Implementation Techniques:
Note: Be sure to run RDISK /S before backups are created so that the Repair directory is up to date.

Compliance Assessment Techniques:
Inquire with the company regarding policies and procedures for updating the Emergency Repair Disk on a periodic basis. Check the file dates in the repair directory to assure they are not out of date.

Compliance Verification Techniques:
Inquire with the company regarding policies and procedures for updating the Emergency Repair Disk on a periodic basis. Review the <servername>.dir<system drive>.txt and ensure the dates on the files in <system drive>:\winnt\repair are current.

Implementation Techniques:
N/A

Compliance Assessment Techniques:
Inquire with the company regarding the controls in place to mitigate a loss of power. If the server is protected by an individual UPS, inquire whether the UPS is integrated with the Windows NT operating system. Then, ensure that the PDC is connected to a functioning UPS system.

Compliance Verification Techniques:
Inquire with the company regarding the controls in place to mitigate a loss of power. If the server is protected by an individual UPS, inquire whether the UPS is integrated with the Windows NT operating system. Then, ensure that the PDC is connected to a functioning UPS system.

Implementation Techniques:
Run RDISK and click "Create Repair Disk."
Reminder: RDISK only creates the default information on the disk when the /S switch is not used.

Compliance Assessment Techniques:
Ensure that a procedure is in place to create, update, physically secure, retrieve, and utilize the Emergency Repair Disk. Verify that the Emergency Repair Disk exists, is not out of date, and is physically secured. Ensure that proper individuals are aware of the recovery process.

Compliance Verification Techniques:
Ensure that a procedure is in place to create, update, physically secure, retrieve, and utilize the Emergency Repair Disk. Verify that the Emergency Repair Disk exists, is not out of date, and is physically secured. Ensure that proper individuals are aware of the recovery process.
No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: If network managers are being used, SNMP should be installed in a secure fashion.
Risk: It is important to note that SNMP should not be run with the default community known as "public." This would be a potential security breach. The SNMP database of errors and alerts must be protected if used in the Windows NT environment because it can contain information on host or router operating systems, network interfaces, address translation, and protocol software. This information could be used to compromise an environment by "spoofing" or "denial-of-service."
Control Technique: If the Windows NT system is equipped with SNMP, ensure that the access to this service information is limited to daily monitoring of errors and alert warnings to management.

No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: Auditing should be enabled for Logon and Logoff.
Risk: A hacker might be trying to guess a user's password and gain access to the system. Without auditing, this might go undetected.
Control Technique: Enable auditing for logon and logoff, for both success and failure.

No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: Auditing should be enabled for File and Object Access.
Risk: Without auditing on files and objects, hackers might have enough time to figure out a way around compensating controls. For example, hackers might try to access files they do not have read access to. In addition, it is possible to detect a virus outbreak if write access auditing for program files, such as those with .dll extensions, is enabled.
Control Technique: Enable auditing for file and object access for success and failure.

Implementation Techniques:
Remove the default community "public" and input the correct name by performing the following steps:
1. Open Control Panel's Network applet.
2. Choose the Services tab.
3. Double-click the SNMP service.
4. Disable the "public" community and enter the correct community name.
5. Click OK.

Compliance Assessment Techniques:
Verify that the default community "public" is not being used by performing the following steps:
1. Open Control Panel.
2. Double-click the Network applet.
3. Choose the Services tab.
4. Double-click the SNMP service.
5. View the community settings.
6. Click OK.

Compliance Verification Techniques:
Inquire with the company whether SNMP is being used to monitor the server. If SNMP is being utilized, inquire whether the community name has been changed from "public" to a difficult-to-guess name.

Implementation Techniques:
Enable the Auditing for system logons and logoff by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable both the Success and Failure check boxes for the Logon and Logoff auditing option.
4. Click the OK button to confirm these changes.

Compliance Assessment Techniques:
Verify that Auditing has been enabled for system logons and logoff by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the Logon and Logoff auditing option have been selected.
5. Click the OK button to exit.

Compliance Verification Techniques:
Review <servername>.policies.txt to ensure auditing is enabled for successes and failures for logons and logoffs.

Implementation Techniques:
Enable the Auditing for file and object access by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable both the Success and Failure check boxes for the File and Object Access auditing option.
4. Click the OK button to confirm these changes.

Compliance Assessment Techniques:
Verify that Auditing has been enabled for system file and object access by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the File and Object Access auditing option have been selected.
5. Click the OK button to exit.

Compliance Verification Techniques:
Review <servername>.policies.txt to ensure auditing is enabled for successes and failures for file and object access.
No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: Auditing failures should be enabled for Use of User Rights.
Risk: A user might try taking ownership of files they do not have access to in order to edit them. Or, a user who somehow got physical access to a PDC might try logging in locally. Without auditing, these events might not be detected.
Control Technique: Enable auditing for Use of User Rights, failure only.

No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: Auditing should be enabled for User and Group Management.
Risk: If a user is granted access above what they deserve, it would be important to know who made those changes. Without auditing User and Group Management, it would be impossible to know within Windows NT.
Control Technique: Enable auditing for User and Group Management, success and failure.

No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: Auditing should be enabled for Security Policy Changes.
Risk: If changes are made to the Security Policy, where users are granted access to resources they should not have been, it is important for an administrator to be able to determine who made those changes.
Control Technique: Enable auditing for Security Policy Changes, success and failure.

Implementation Techniques:
Enable the Auditing for Use of User Rights by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable the Failure check box for the Use of User Rights auditing option.
4. Click the OK button to confirm these changes.

Compliance Assessment Techniques:
Verify that Auditing has been enabled for Use of User Rights by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that the Failure check box for the Use of User Rights auditing option has been selected.
5. Click the OK button to exit.

Compliance Verification Techniques:
Review <servername>.policies.txt to ensure auditing is enabled for failures for Use of User Rights.

Implementation Techniques:
Enable the Auditing for User and Group Management by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable both the Success and Failure check boxes for the User and Group Management auditing option.
4. Click the OK button to confirm these changes.

Compliance Assessment Techniques:
Verify that Auditing has been enabled for User and Group Management by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the User and Group Management auditing option have been selected.
5. Click the OK button to exit.

Compliance Verification Techniques:
Review <servername>.policies.txt to ensure auditing is enabled for successes and failures for User and Group Management.

Implementation Techniques:
Enable the Auditing for Security Policy Changes by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable both the Success and Failure check boxes for the Security Policy Changes auditing option.
4. Click the OK button to confirm these changes.

Compliance Assessment Techniques:
Verify that Auditing has been enabled for Security Policy Changes by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the Security Policy Changes auditing option have been selected.
5. Click the OK button to exit.

Compliance Verification Techniques:
Review <servername>.policies.txt to ensure auditing is enabled for successes and failures for Security Policy Changes.

No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: Auditing should be enabled for Restart, Shutdown, and System.
Risk: Only authorized users should have the capability to change the state of a system. This activity should be especially scrutinized on all servers.
Control Technique: Enable auditing for Restart, Shutdown, and System for success and failure.

No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: Auditing should be disabled for Process Tracking.
Risk: Process Tracking will not help much in determining any security breaches. It is more useful for debugging a program that doesn't function correctly. If used, Process Tracking will generate thousands of audit entries in a few seconds, thereby flooding the log.
Control Technique: Do not select success or failure for Process Tracking.

Implementation Techniques:
Enable the Auditing for Restart, Shutdown, and System by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable both the Success and Failure check boxes for the Restart, Shutdown, and System auditing option.
4. Click the OK button to confirm these changes.

Compliance Assessment Techniques:
Verify that Auditing has been enabled for Restart, Shutdown, and System by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the Restart, Shutdown, and System auditing option have been selected.
5. Click the OK button to exit.

Compliance Verification Techniques:
Review <servername>.policies.txt to ensure auditing is enabled for successes and failures for Restart, Shutdown, and System.

Implementation Techniques:
Disable auditing for Process Tracking by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Deselect both the Success and Failure check boxes for the Process Tracking auditing option.
4. Click the OK button to confirm these changes.

Compliance Assessment Techniques:
Verify that Auditing has been disabled for Process Tracking by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the Process Tracking auditing option have been deselected.
5. Click the OK button to exit.

Compliance Verification Techniques:
Review <servername>.policies.txt to ensure auditing is not enabled for successes and failures for Process Tracking.
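The audit policy rows above (Logon and Logoff through Process Tracking) each reduce to a required success/failure pair, and the verification column checks them against an exported <servername>.policies.txt. The script below is an added example, not the book's; the one-line-per-category export layout, the server name and the sample values are constructed assumptions.

```python
"""Check an exported NT audit policy against the checklist's required settings.

Added example, not part of the book.  The "<category>: <flags>" line layout of
the policies export is an assumption; the sample below is constructed.
"""

# Required (success, failure) pair per audit category, from the rows above.
RECOMMENDED_AUDIT = {
    "Logon and Logoff": (True, True),
    "File and Object Access": (True, True),
    "Use of User Rights": (False, True),        # failure only
    "User and Group Management": (True, True),
    "Security Policy Changes": (True, True),
    "Restart, Shutdown, and System": (True, True),
    "Process Tracking": (False, False),         # neither: it floods the log
}

# Constructed sample export with several deliberate deviations.
POLICIES_TXT = """\
Audit Policy for SERVER01 (constructed sample)
Logon and Logoff: Success, Failure
File and Object Access: Failure
Use of User Rights: Success, Failure
User and Group Management: Success, Failure
Security Policy Changes: Success, Failure
Restart, Shutdown, and System: None
Process Tracking: Success, Failure
"""


def parse_policies(text: str) -> dict:
    """Return {category: (success_on, failure_on)} from the assumed layout.
    Lines without a colon (titles, blanks) are ignored."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        category, flags = line.split(":", 1)
        flagset = {f.strip().lower() for f in flags.split(",")}
        policy[category.strip()] = ("success" in flagset, "failure" in flagset)
    return policy


def audit_findings(policy: dict, recommended=RECOMMENDED_AUDIT) -> list:
    """One finding per mismatch; an empty list means the policy is compliant."""
    findings = []
    for category, (want_s, want_f) in recommended.items():
        if category not in policy:
            findings.append(f"{category}: not present in export")
            continue
        got_s, got_f = policy[category]
        if got_s != want_s:
            findings.append(f"{category}: success auditing should be {'on' if want_s else 'off'}")
        if got_f != want_f:
            findings.append(f"{category}: failure auditing should be {'on' if want_f else 'off'}")
    return findings


def is_compliant(text: str) -> bool:
    return not audit_findings(parse_policies(text))


if __name__ == "__main__":
    for finding in audit_findings(parse_policies(POLICIES_TXT)):
        print(finding)
```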
No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: Logs containing auditing information should be secured.
Risk: Audit logs may contain sensitive information about the system and can be used to compromise the system. In addition, if logs are unsecured it would be possible to delete them in order to eliminate an audit trail.
Control Technique: Logs should be secured to prevent them from being viewed or deleted by unauthorized individuals.

No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: All audit files should be archived and purged in accordance with corporate standards.
Risk: Having all reviewed audit files archived and purged ensures that if they are needed they will be available and at the same time guarantees that unauthorized users cannot pursue the audit files to identify system patterns.
Control Technique: After audit files have been adequately reviewed in accordance with corporate standards and guidelines, all audit files should be archived and purged.

Implementation Techniques:
The Auditors and System groups should have Full Control of the following files and no other permissions should be specified:
Note: The System group is a built-in special group, and the Auditors group will need to be created by an administrator.

Files:
  c:\winnt\system32\config\APPEVENT.EVT
  c:\winnt\system32\config\SECEVENT.EVT
  c:\winnt\system32\config\SYSEVENT.EVT

Compliance Assessment Techniques:
Verify that permissions on the following files comply with the recommendations by performing the following steps:
1. Right-click on the file in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Permissions button.
5. Compare the current permissions to the recommendations.
6. Repeat for all listed files.

Files:
  c:\winnt\system32\config\APPEVENT.EVT
  c:\winnt\system32\config\SECEVENT.EVT
  c:\winnt\system32\config\SYSEVENT.EVT
Recommended Permissions:
  Auditors and System groups: Read, Change

Compliance Verification Techniques:
Review the <servername>.perms <system drive letter>.txt and ensure the following:
Files:
  c:\winnt\system32\config\APPEVENT.EVT
  c:\winnt\system32\config\SECEVENT.EVT
  c:\winnt\system32\config\SYSEVENT.EVT
Recommended Permissions:
  Auditors and System groups: Read, Change

Implementation Techniques:
Review the audit files in accordance with corporate standards and guidelines. Properly back up the audit logs and then purge them from the system.

Compliance Assessment Techniques:
Ensure that policies exist to archive and purge audit files. Verify, through discussion with the network administrator, that these procedures are followed.

Compliance Verification Techniques:
Ensure that policies exist to archive and purge audit files. Verify, through discussion with the network administrator, that these procedures are followed.
No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: Auditing of sensitive system and application files and directories should be enabled.
Risk: Auditing access to sensitive system and application files and directories increases the chances that unauthorized access to the system will be detected and terminated in a timely manner.
Control Technique: Enable the Windows NT native auditing feature on all sensitive system and application files and directories.

Implementation Techniques:
Enable the Windows NT native auditing feature on all sensitive system and application files and directories. Identify these directories per the corporate standards. In addition, the following Windows NT system directories and files within should be audited:
Directories: Those stated in the best practices, plus ...

The following items should be audited:
  Write: Select Success & Failure
  Delete: Select Success & Failure
  Change Permissions: Select Success & Failure
  Take Ownership: Select Success & Failure

Compliance Assessment Techniques:
Verify that the Windows NT native auditing feature has been enabled for all sensitive system and application files and directories by performing the following steps:
1. Right-click on the directory in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Auditing button.
5. Compare the current audit settings to the recommendations.
6. Repeat for all listed directories.

Directories: Those stated in the best practices, plus ...
Recommended Settings:
  Write: Select Success & Failure
  Delete: Select Success & Failure
  Change Permissions: Select Success & Failure
  Take Ownership: Select Success & Failure

Compliance Verification Techniques:
Review the <servername>.perms <system drive letter>.txt and ensure the sensitive system files are being audited for the following actions:
Directories: Those stated in the best practices, plus ...
Recommended Settings:
  Write: Select Success & Failure
  Delete: Select Success & Failure
  Change Permissions: Select Success & Failure
  Take Ownership: Select Success & Failure
No. 12  Category: Auditing, Logging, and Monitoring
Control Objective: Auditing of sensitive system registry keys should be enabled.
Risk: Auditing access to sensitive system registry keys increases the chances that unauthorized access to the system will be detected and terminated in a timely manner.
Control Technique: Enable the Windows NT native auditing feature on all sensitive system registry keys.

Implementation Techniques:
Enable the Windows NT native auditing feature on all sensitive system registry keys. Identify these keys per the corporate standards. In addition, the following keys should be audited:
Keys: Those stated in the best practices, plus ...

The following items should be audited:
  Set Value: Select Success & Failure
  Create Subkey: Select Success & Failure
  Create Link: Select Success & Failure
  Delete: Select Success & Failure
  Write DAC: Select Success & Failure

Compliance Assessment Techniques:
Verify that the Windows NT native auditing feature has been enabled for all sensitive system registry keys by performing the following steps:
1. Open regedt32.
2. Select the key.
3. Choose Auditing... from the Security menu.
4. Compare the current audit settings to the recommendations.
5. Repeat for all listed keys.

Keys: Those stated in the best practices, plus ...
Recommended Settings:
  Set Value: Select Success & Failure
  Create Subkey: Select Success & Failure
  Create Link: Select Success & Failure
  Delete: Select Success & Failure
  Write DAC: Select Success & Failure

Compliance Verification Techniques:
Review the registry export and ensure the following portions of the registry are being audited for the following actions:
Keys: Those stated in the best practices, plus HKLM\SYSTEM, HKLM\[second hive name illegible in the source], HKCR
Recommended Settings:
  Set Value: Select Success & Failure
  Create Subkey: Select Success & Failure
  Create Link: Select Success & Failure
  Delete: Select Success & Failure
  Write DAC: Select Success & Failure
No. 11  Category: Auditing, Logging, and Monitoring
Control Objective: The event viewer should be allocated sufficient space for audit logs.
Risk: If events are overwritten before they can be reviewed, there is an increased risk that continuous unauthorized activity may go undetected.
Control Technique: The event viewer should be allocated adequate disk space to store all audit logs. The disk space needed should be based on the size of the domain and the review intervals of the audit logs.

No. 12  Category: Security Administration Activities
Control Objective: Unauthorized individuals should not be allowed to remotely edit the registry.
Risk: There is an increased risk that an unauthorized user may gain knowledge about the PDC and domain and even attack the system with denial of services or Trojan horses, if they can access the registry.
Control Technique: Set the winreg registry key permissions to comply with corporate standards. Industry guidelines state that only Administrators have full control.

Implementation Techniques:
Set the amount of space that is being allocated by performing the following steps:
1. Open Event Viewer.
2. Select Log Settings... from the Log pulldown menu.
3. Select the appropriate log file in the Change Settings for Log box. Set the log settings according to corporate standards. The following are industry guidelines:
   Security: 5-10 MB (Overwrite after 14 days)
   System: 1-2 MB (Overwrite after 14 days)
   Application: 1-2 MB (Overwrite as needed)
4. Click Close.

Note: If a log is set in the above manner, for example, Security Log 5 MB, 14 days, the log can be filled the first day, and no events would be logged for the next 13 days. Log sizes should be based on the size of the system, including the number of users if logon and logoff is going to be tracked.

Compliance Assessment Techniques:
Verify that sufficient space is allocated for log files by performing the following steps:
1. Open Event Viewer.
2. Select Log Settings... from the Log pulldown menu.
3. Select the appropriate log file in the Change Settings for Log box.
4. Compare current settings to the recommended settings.
5. Click Cancel.
6. Close Event Viewer.

Log: Security
Settings: 5-10 MB (Overwrite after 14 days)
Log: System
Settings: 1-2 MB (Overwrite after 14 days)
Log: Application
Settings: 1-2 MB (Overwrite as needed)

Note: If a log is set in the above manner, for example, Security Log 5 MB, 14 days, the log can be filled the first day, and no events would be logged for the next 13 days. Log sizes should be based on the size of the system, including the number of users if logon and logoff is going to be tracked.

Compliance Verification Techniques:
Review the exported MaxSize values and ensure adequate disk space is allocated.

Log: Security
Settings: 5-10 MB (Overwrite after 14 days)
Log: System
Settings: 1-2 MB (Overwrite after 14 days)
Log: Application
Settings: 1-2 MB (Overwrite as needed)

Note: If a log is set in the above manner, for example, Security Log 5 MB, 14 days, the log can be filled the first day, and no events would be logged for the next 13 days. Log sizes should be based on the size of the system, including the number of users if logon and logoff is going to be tracked.
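The note about a 5 MB Security log with a 14-day overwrite window filling on day one and then recording nothing for 13 days is a sizing calculation, and the same arithmetic gives the log size a domain actually needs. The script below is an added example, not the book's; the event record size, the user count and the events-per-user rate are constructed assumptions, so only the method carries over to a real domain.

```python
"""Size an NT event log from the "Overwrite events older than N days" rule.

Added example, not part of the book.  Assumptions (constructed): an average
audit record of 200 bytes, and a per-user daily event rate that the caller
supplies.  Replace both with figures measured on the domain being reviewed.
"""
import math

MB = 1024 * 1024
ASSUMED_BYTES_PER_EVENT = 200   # constructed average record size


def daily_log_bytes(users: int, events_per_user_per_day: int,
                    bytes_per_event: int = ASSUMED_BYTES_PER_EVENT) -> int:
    """Bytes written to the log per day when logon/logoff (and similar
    per-user events) are audited for success and failure."""
    return users * events_per_user_per_day * bytes_per_event


def days_until_full(max_size_bytes: int, daily_bytes: int) -> float:
    """Days before a log of the given maximum size wraps for the first time."""
    return max_size_bytes / daily_bytes


def silent_days(max_size_bytes: int, overwrite_after_days: int, daily_bytes: int) -> float:
    """With 'Overwrite events older than N days', a full log whose oldest record
    is younger than N days cannot reclaim space, so new events are discarded
    until that record ages out.  Returns how many days nothing is recorded."""
    return max(0.0, overwrite_after_days - days_until_full(max_size_bytes, daily_bytes))


def log_setting_adequate(max_size_bytes: int, overwrite_after_days: int, daily_bytes: int) -> bool:
    """True when the log holds at least the full overwrite window of events."""
    return days_until_full(max_size_bytes, daily_bytes) >= overwrite_after_days


def required_log_size_mb(retention_days: int, daily_bytes: int, headroom: float = 0.25) -> int:
    """Whole megabytes needed to retain retention_days of events plus headroom
    for bursts (a failed logon sweep, for instance)."""
    needed = retention_days * daily_bytes * (1 + headroom)
    return math.ceil(needed / MB)


if __name__ == "__main__":
    # Constructed domain: 3000 users, 10 audited events each per day.
    daily = daily_log_bytes(users=3000, events_per_user_per_day=10)
    print(f"daily volume: {daily / MB:.2f} MB")
    print(f"5 MB / 14 days fills after {days_until_full(5 * MB, daily):.2f} days,"
          f" then records nothing for {silent_days(5 * MB, 14, daily):.1f} days")
    print(f"adequate: {log_setting_adequate(5 * MB, 14, daily)}")
    print(f"size needed for 14 days: {required_log_size_mb(14, daily)} MB")
```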

Implementation Techniques:
Secure the winreg registry key by performing the following steps:
1. Open regedt32.
2. Select the key HKLM\System\CurrentControlSet\Control\SecurePipeServers\WinReg.
3. Choose Security | Permissions from the pull-down menu bar.
4. The permissions should be in accordance with corporate standards. Industry guidelines state:
   Administrators: Full Control
5. Close regedt32.

Compliance Assessment Techniques:
Verify an appropriate security setting on the winreg registry key by performing the following steps:
1. Open regedt32.
2. Select the key HKLM\System\CurrentControlSet\Control\SecurePipeServers\WinReg.
3. Choose Permissions... from the Security pulldown menu.
4. Compare the permissions to the recommended settings.
5. Close regedt32.

Recommended Setting:
  Administrators: Full Control

Compliance Verification Techniques:
Ensure that access to the winreg key is restricted to only authorized users.
Recommended Setting:
  Administrators: Full Control
No. 12  Category: Security Administration Activities
Control Objective: Parts of the registry run programs at startup and should be configured to not allow unauthorized users to edit the list of programs.
Risk: With its default permission levels, any locally logged on user can change the value of the Run key to point to a Trojan horse program. This Trojan horse can be anything from malicious code to a program that, when run as administrator equivalent, dumps the password hash.
Control Technique: Set the Run and RunOnce registry keys' permissions to comply with corporate standards or industry guidelines.

Implementation Techniques:
Secure the Run and RunOnce registry keys by performing the following steps:
1. Open regedt32.
2. Select the following keys independently:
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
3. Choose Security | Permissions from the pull-down menu bar.
4. The permissions should be in accordance with corporate standards. Industry guidelines state:
   Creator Owner: Full Control
   Administrator: Full Control
   System: Full Control
   Everyone: Read
5. Close regedt32.

Compliance Assessment Techniques:
Verify an appropriate security setting on the Run and RunOnce registry keys by performing the following steps:
1. Open regedt32.
2. Select the appropriate key.
3. Choose Permissions... from the Security pulldown menu.
4. Compare the permissions to the recommended settings.
5. Close regedt32.

Keys:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Recommended Settings:
  Creator Owner: Full Control
  Administrator: Full Control
  System: Full Control
  Everyone: Read

Compliance Verification Techniques:
Review <servername>.run.txt and ensure the following:
Keys:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Recommended Settings:
  Creator Owner: Full Control
  Administrator: Full Control
  System: Full Control
  Everyone: Read
No. | Category | Control Objectives | Risk | Control Techniques

12 Security Administration Activities
Control objective: Parts of the registry contain sensitive system information like performance data, the logon process, and security information. These registry keys should be configured to not allow unauthorized users to edit them.
Risk: If an unauthorized user could read these registry keys, they might gain access to sensitive system resources or be able to learn information about the PDC.
Control technique: Set the permissions of the registry keys listed in the implementation checklist to comply with corporate standards or industry guidelines.

12 Security Administration Activities
Control objective: Certain registry keys should be secured to prevent unauthorized access to the PDC's configuration.
Risk: If an unauthorized user could read or modify these registry keys, they might be able to launch a denial of service attack or upload a Trojan horse.
Control technique: Set the permissions of the registry keys listed in the implementation checklist to comply with corporate standards or industry guidelines.
Implementation technique:
Secure the following registry keys by performing these steps independently:
1. Open regedt32.
2. Select the key.
3. Choose Security | Permissions from the pull-down menu bar.
4. The permissions should be in accordance with corporate standards.
Industry guidelines state:
Creator Owner: Full Control
Administrators: Full Control
System: Full Control
Everyone: Read
5. Close regedt32.
Keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerfLib
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\System\CurrentControlSet\Control\LSA
HKLM\System\CurrentControlSet\Services\LanmanServer\Shares

Compliance assessment technique:
Verify that appropriate security settings exist on the following registry keys by performing these steps independently:
1. Open regedt32.
2. Select the key.
3. Choose Permissions... from the Security pulldown menu.
4. Compare the permissions to the recommended settings.
5. Close regedt32.
Keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerfLib
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\System\CurrentControlSet\Control\LSA
HKLM\System\CurrentControlSet\Services\LanmanServer\Shares
Recommended settings:
Creator Owner: Full Control
Administrators: Full Control
System: Full Control
Everyone: Read

Compliance verification technique:
Review the exported permissions for the PDC and ensure the following:
Keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerfLib
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\System\CurrentControlSet\Control\LSA
HKLM\System\CurrentControlSet\Services\LanmanServer\Shares
Recommended settings:
Creator Owner: Full Control
Administrators: Full Control
System: Full Control
Everyone: Read
Implementation technique:
Secure the following registry keys by performing these steps independently:
1. Open regedt32.
2. Select the key.
3. Choose Security | Permissions from the pull-down menu bar.
4. The permissions should be in accordance with corporate standards.
Industry guidelines state:
Creator Owner: Full Control
Administrators: Full Control
System: Full Control
Everyone: Read
5. Close regedt32.
Keys:
HKCR (all subkeys)
HKLM\SOFTWARE
HKLM\SOFTWARE\Microsoft\RPC (and all subkeys)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Embedding
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDrivers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontCache
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCIExtensions
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Port (all subkeys)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Type1Installer
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows3.1MigrationStatus (all subkeys)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW (all subkeys)
HKLM\System\CurrentControlSet\Services\UPS
HKEY_USERS\.default

Note: When changing the permissions on HKLM\SOFTWARE itself, leave "Replace Permission on Existing Subkeys" unchecked. Many applications must write to their own subkeys beneath it; the subkeys that do need restricting are listed individually above, and the entries marked "(all subkeys)" are the only ones intended to be applied recursively.

Compliance assessment technique:
Verify that appropriate security settings exist on the following registry keys by performing these steps independently:
1. Open regedt32.
2. Select the key.
3. Choose Permissions... from the Security pulldown menu.
4. Compare the permissions to the recommended settings.
5. Close regedt32.
Keys: the list given under the implementation technique.
Recommended settings:
Creator Owner: Full Control
Administrators: Full Control
System: Full Control
Everyone: Read

Compliance verification technique:
Review <servername>.hklm.txt and ensure the permissions on the following keys and their values are restricted to only authorized users:
HKCR (all subkeys)
HKLM\SOFTWARE
HKLM\SOFTWARE\Microsoft\RPC (and all subkeys)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Embedding
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDrivers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontCache
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCIExtensions
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Port (all subkeys)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Type1Installer
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows3.1MigrationStatus (all subkeys)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW (all subkeys)
HKLM\System\CurrentControlSet\Services\UPS
HKEY_USERS\.default
Recommended settings:
Creator Owner: Full Control
Administrators: Full Control
System: Full Control
Everyone: Read
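The implementation and verification steps for the registry-key controls above all amount to comparing each key's ACL with the recommended entries. The following Python script is an added example, not part of the book's checklist, that performs that comparison over a permissions dump. The dump format ("[key]" headers followed by "principal: access" lines), the SAMPLE_DUMP contents and the function names are assumptions made for the example, since the page does not show the layout of <servername>.run.txt. It reports outright deviations from the guideline and, separately, any non-privileged principal that can write to a key, which is the startup-program risk the Run/RunOnce control describes; the winreg key is checked against its own Administrators-only guideline.

```python
"""Audit exported registry-key permissions against the recommended ACL.

Added example: parses a constructed, plain-text permissions dump (the
format is assumed; it is not the book's <servername>.run.txt layout) and
reports every key whose ACL diverges from the guideline:
Creator Owner / Administrators / SYSTEM: Full Control, Everyone: Read.
"""
import re

# Guideline from the checklist: who may hold what on the Run/RunOnce and
# other configuration keys.  Any principal not listed is a finding.
RECOMMENDED_ACL = {
    "CREATOR OWNER": "Full Control",
    "Administrators": "Full Control",
    "SYSTEM": "Full Control",
    "Everyone": "Read",
}

# Access types that cannot alter a key.  Everything else (Full Control,
# Special Access including Set Value / Create Subkey / Write DAC ...) can.
READ_ONLY_ACCESS = {"Read"}

# Constructed sample dump (assumed format).  The Run key carries a
# permissive default that lets any user alter the startup program list.
SAMPLE_DUMP = """
[HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
CREATOR OWNER: Full Control
Administrators: Full Control
SYSTEM: Full Control
Everyone: Special Access (Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read Control)

[HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]
CREATOR OWNER: Full Control
Administrators: Full Control
SYSTEM: Full Control
Everyone: Read

[HKLM\\System\\CurrentControlSet\\Control\\SecurePipeServers\\winreg]
Administrators: Full Control
Backup Operators: Read
"""

# winreg follows its own guideline from the checklist (Administrators only).
WINREG_KEY = "HKLM\\System\\CurrentControlSet\\Control\\SecurePipeServers\\winreg"
SPECIAL_CASES = {WINREG_KEY: {"Administrators": "Full Control"}}


def parse_permission_dump(text):
    """Return {key: {principal: access}} from the assumed dump format."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            acls[current] = {}
            continue
        principal, _, access = line.partition(":")
        if current is None or not access:
            raise ValueError(f"unexpected line outside a key: {raw!r}")
        acls[current][principal.strip()] = access.strip()
    return acls


def check_key_acl(key, acl, recommended=RECOMMENDED_ACL):
    """List the deviations of one key's ACL from the recommended entries."""
    findings = []
    for principal, access in acl.items():
        expected = recommended.get(principal)
        if expected is None:
            findings.append(f"{key}: unexpected principal {principal} ({access})")
        elif access != expected:
            findings.append(f"{key}: {principal} has {access}, expected {expected}")
        # A write-capable grant to a non-privileged principal is the case the
        # checklist is about: it lets a normal user plant a startup program.
        if expected != "Full Control" and access not in READ_ONLY_ACCESS:
            findings.append(f"{key}: {principal} can write to the key")
    for principal in recommended:
        if principal not in acl:
            findings.append(f"{key}: no entry for {principal}")
    return findings


def audit_dump(text, per_key_recommendation=None):
    """Audit every key in the dump; returns {key: [findings]} (empty list = compliant)."""
    per_key_recommendation = per_key_recommendation or {}
    return {
        key: check_key_acl(key, acl, per_key_recommendation.get(key, RECOMMENDED_ACL))
        for key, acl in parse_permission_dump(text).items()
    }


if __name__ == "__main__":
    for key, findings in audit_dump(SAMPLE_DUMP, SPECIAL_CASES).items():
        print(key, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

On the constructed dump the Run key produces two findings (Everyone's access differs from Read, and Everyone can write), RunOnce is compliant, and winreg is flagged for the extra Backup Operators entry. A real export of regedt32 permissions would need its own parser, but the comparison logic is the same.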
12 Security Administration Activities
Control objective: The last username and default username should not be displayed at login.
Risk: There is an increased risk that an unauthorized user may gain knowledge of the company domain naming standards and a name to use in gaining access to the domain if the last username is displayed at logon.
Control technique: Set the DontDisplayLastUserName registry entry with a value of 1 and delete any username contained within the registry key DefaultUserName.

12 Security Administration Activities
Control objective: It should not be possible to shut down the PDC without logging on.
Risk: If users could shut down the PDC without logging on, no audit trail would be created, and unauthorized users might be able to shut the PDC down.
Control technique: Set the ShutdownWithoutLogon registry entry with a value of 0.

12 Security Administration Activities
Control objective: The system should not be shut down if the audit log becomes full.
Risk: In some cases, it might be necessary to shut down the server when the audit log becomes full, ensuring that an audit trail is always in existence. However, it is not normally necessary to enable this on a PDC.
Control technique: Set the CrashOnAuditFail registry entry with a value of 0. A value of 1 should be set under certain circumstances to shut down the machine but is normally unnecessary.
Note: If CrashOnAuditFail is set to 1 and fires, the system resets the value to 2 on restart, after which only administrators can log on until the log is cleared and the value set back; document that recovery path before enabling it.

12 Security Administration Activities
Control objective: The auditing of all user rights should be disabled.
Risk: Auditing all user rights will generate a very large number of audit entries if all user rights, including Bypass Traverse Checking, are enabled.
Control technique: Set the FullPrivilegeAuditing registry entry with a value of 0. A value of 1 should be set under certain circumstances to audit all user rights but is normally unnecessary.
Implementation technique:
Set the DontDisplayLastUserName registry entry to a value of 1 and remove any username from DefaultUserName by performing the following steps:
1. Open regedt32.
2. Select the hive HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
3. Set DontDisplayLastUserName to 1 and delete any username contained in DefaultUserName.
4. Close regedt32.
Set the ShutdownWithoutLogon registry entry to a value of 0 by performing the same steps in the Winlogon hive.
Set the CrashOnAuditFail and FullPrivilegeAuditing registry entries to a value of 0 by performing the same steps in the hive HKLM\System\CurrentControlSet\Control\LSA.

Compliance assessment technique:
Verify that the DontDisplayLastUserName registry entry is set to 1 and that no username is contained within the DefaultUserName registry entry by performing the following steps:
1. Open regedt32.
2. Select the hive HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
3. Verify the values.
4. Close regedt32.
Verify that the ShutdownWithoutLogon registry entry is set to a value of 0 by performing the same steps.
Verify that the CrashOnAuditFail registry entry is set to a value of 0 by performing the following steps:
1. Open regedt32.
2. Select the hive HKLM\System\CurrentControlSet\Control\LSA.
3. Verify the value.
4. Close regedt32.
Verify that the FullPrivilegeAuditing registry entry is set to a value of 0 or 1 by performing the same steps.

Compliance verification technique:
Review <servername>.winlogon.txt and ensure the value DontDisplayLastUserName contained within the registry key is set to 1 and that DefaultUserName is empty.
Review <servername>.winlogon.txt and ensure the value ShutdownWithoutLogon is set to 0.
Review the <servername>.lsa.txt and ensure the value CrashOnAuditFail is set to 0.
Review the <servername>.lsa.txt and review the value FullPrivilegeAuditing. If it is a highly secure server, the setting should be 1; otherwise, it should be 0.
Note: Setting this value to 1 greatly increases the number of events logged in the Event Viewer.
12 Security Administration Activities
Control objective: If all computers run Windows NT, then only Windows NT Challenge Response authentication should be accepted.
Risk: Windows NT supports LanManager Challenge Response and Windows NT Challenge Response authentication. Because LanManager uses a weaker form of encryption, a hacker may potentially be able to crack the password hash if they sniff it as it traverses the network.
Control technique: Set the LMCompatibilityLevel registry entry with a value of 2 if all computers run Windows NT. Otherwise, set it to a value of 1.
Note: This requires the LM hot fix or Service Pack 4. A value of 1 still sends the LM response alongside the NTLM response and only adds NTLMv2 session security where the server negotiates it; only a value of 2 or higher stops the client sending the LM response, so on a mixed network the weaker hash remains on the wire.

12 Security Administration Activities
Control objective: Only administrators should be scheduling jobs.
Risk: The schedule service could potentially allow an unauthorized user to execute malicious code as an administrator.
Control technique: Set the SubmitControl registry entry with a value of 0. (SubmitControl lives under HKLM\System\CurrentControlSet\Control\LSA; a value of 1 would also let Server Operators submit AT jobs.)

12 Security Administration Activities
Control objective: Individuals should only be members of the Administrators group if absolutely necessary. Individuals managing files and shares should be Server Operators. Individuals managing accounts should be Account Operators. Individuals managing printers should be Print Operators, and individuals performing backups should be Backup Operators. These accounts should not be allowed to log on locally except for Administrators and Backup Operators if backups of the PDC are not done remotely.
Risk: Assigning individuals to the Administrators group may grant them excess user rights. These excess rights may allow them to perform unwarranted administrative functions.
Control technique: Grant individuals the minimum necessary rights to perform their job function by placing them in appropriate user groups.
Implementation technique:
Set the LMCompatibilityLevel registry entry (set to 2 if all computers are Windows NT) by performing the following steps:
1. Open regedt32.
2. Select the hive HKLM\System\CurrentControlSet\Control\LSA.
3. Set the value LMCompatibilityLevel to 1 or 2.
4. Close regedt32.

Set the SubmitControl registry entry to a value of 0 by performing the following steps:
1. Open regedt32.
2. Select the hive HKLM\System\CurrentControlSet\Control\LSA.
3. Set the value SubmitControl to 0.
4. Close regedt32.

After discussion of users and user roles with the network administrator, open User Manager for Domains and ensure the following: Individuals managing files and shares should be Server Operators. Individuals managing accounts should be Account Operators. Individuals managing printers should be Print Operators, and individuals performing backups should be Backup Operators. These accounts should not be allowed to log on locally except for administrators and backup operators if backups of the PDC are not done remotely.

Compliance assessment technique:
Verify that the LMCompatibilityLevel registry entry is set to a value of 1 or 2 by performing the following steps:
1. Open regedt32.
2. Select the hive HKLM\System\CurrentControlSet\Control\LSA.
3. Verify that the key LMCompatibilityLevel is set to 1 or 2.
4. Close regedt32.

Verify that the SubmitControl registry entry is set to a value of 0 by performing the following steps:
1. Open regedt32.
2. Select the hive HKLM\System\CurrentControlSet\Control\LSA.
3. Verify that the key SubmitControl is set to 0.
4. Close regedt32.

After discussion of users and user roles with the network administrator, open User Manager for Domains and ensure the following: Individuals managing files and shares are Server Operators. Individuals managing accounts are Account Operators. Individuals managing printers are Print Operators, and individuals performing backups are Backup Operators. These accounts should not be allowed to log on locally except for administrators and backup operators if backups of the PDC are not done remotely.

Compliance verification technique:
Review <servername>.lsa.txt and review the value LMCompatibilityLevel. If the environment being reviewed is strictly Windows NT, the value should be equal to 2. If the environment is mixed, the value should be equal to 1.

Review <servername>.lsa.txt and ensure the value SubmitControl is set to 0.

Review the <servername>.rights.txt and ensure only authorized users are granted User Rights. Verify the following: Individuals managing files and shares are Server Operators. Individuals managing accounts are Account Operators. Individuals managing printers are Print Operators, and individuals performing backups are Backup Operators. These accounts should not be allowed to log on locally except for administrators and backup operators if backups of the PDC are not done remotely.
12 Security Administration Activities
Control objective: The Guest account should not be able to view the System Event Log and the Application Event Log.
Risk: The System and Application Event Log could contain sensitive information about the PDC that guests could use to attack the system.
Control technique: Set the RestrictGuestAccess registry entry with a value of 1.

12 Security Administration Activities
Control objective: The "Access this Computer from the Network" standard user right should be restricted to ensure the PDC is secure from outside threats and that if Administrators accounts are compromised, the entire domain won't be.
Risk: If an Administrator account is compromised, it would not be able to compromise the PDC from the network. In addition, nonauthorized users will not be able to access the PDC from the network.
Control technique: Restrict who can access the PDC from the network.

Implementation technique:
Set the RestrictGuestAccess registry entry to a value of 1 by performing the following steps:
1. Open regedt32.
2. Select the following hives independently:
   HKLM\System\CurrentControlSet\Services\EventLog\Application
   HKLM\System\CurrentControlSet\Services\EventLog\System
3. Set the key RestrictGuestAccess to 1.
4. Close regedt32.
Note: The Security log is never readable by guests regardless of this value, which is why only the Application and System entries are set here; the verification file still lists all three.

Compliance assessment technique:
Verify that the RestrictGuestAccess registry entry is set to a value of 1 by performing the following steps:
1. Open regedt32.
2. Select the following hives independently:
   HKLM\System\CurrentControlSet\Services\EventLog\Application
   HKLM\System\CurrentControlSet\Services\EventLog\System
3. Verify that the key RestrictGuestAccess is set to 1.
4. Close regedt32.

Compliance verification technique:
Review <servername>.eventlog.txt and ensure the value RestrictGuestAccess is set to 1 for the system, application, and security entries.
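The registry-value controls in this section, from DontDisplayLastUserName through RestrictGuestAccess, all reduce to reading a value out of an export and comparing it with the expected setting. The Python script below is an added example, not the book's own procedure. It parses a regedit-style .reg export, which is an assumed stand-in for the book's <servername>.winlogon.txt, .lsa.txt and .eventlog.txt files (the page does not show their format), and evaluates every value-based control above, including the environment-dependent ones: LMCompatibilityLevel 2 on an NT-only network and 1 on a mixed one, FullPrivilegeAuditing 1 only for a highly secure server, and RestrictGuestAccess on all three logs. SAMPLE_EXPORT is constructed and the function names are the example's own.

```python
"""Check exported registry values against the PDC checklist.

Added example: parses a constructed regedit-style (.reg) export (an assumed
stand-in for the book's <servername>.*.txt files) and evaluates the
value-based controls from this section of the checklist.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
EVENTLOG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog"

# Constructed export.  It deliberately contains three deviations: a default
# user name is left in place, LMCompatibilityLevel is 1 on an NT-only
# network, and the Security log has no RestrictGuestAccess value.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Administrator"
"DontDisplayLastUserName"="1"
"ShutdownWithoutLogon"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"CrashOnAuditFail"=dword:00000000
"FullPrivilegeAuditing"=hex:00
"LMCompatibilityLevel"=dword:00000001
"SubmitControl"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"RestrictGuestAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"RestrictGuestAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"Sources"="Security"
"""


def _decode(raw):
    """Turn a .reg value literal into an int (dword/hex) or str (quoted)."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        # REG_BINARY flags such as FullPrivilegeAuditing are one byte wide.
        first = raw[4:].split(",")[0]
        return int(first, 16) if first else 0
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    raise ValueError(f"unsupported value literal: {raw}")


def parse_reg_export(text):
    """Return {(key, value_name): value} for every value in the export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if not match or key is None:
            raise ValueError(f"cannot parse line: {line!r}")
        values[(key, match.group(1))] = _decode(match.group(2))
    return values


def audit_registry_values(values, nt_only, highly_secure=False):
    """Return a list of findings; an empty list means every control passes.

    nt_only: True when every machine on the network runs Windows NT, which
    makes LMCompatibilityLevel 2 the expected value (1 on a mixed network).
    highly_secure: True only where the checklist allows FullPrivilegeAuditing=1.
    """
    expected = {
        (WINLOGON, "DontDisplayLastUserName"): {"1"},
        (WINLOGON, "DefaultUserName"): {""},
        (WINLOGON, "ShutdownWithoutLogon"): {"0"},
        (LSA, "CrashOnAuditFail"): {0},
        (LSA, "FullPrivilegeAuditing"): {1} if highly_secure else {0},
        (LSA, "LMCompatibilityLevel"): {2} if nt_only else {1},
        (LSA, "SubmitControl"): {0},
    }
    for log in ("Application", "System", "Security"):
        expected[(EVENTLOG + "\\" + log, "RestrictGuestAccess")] = {1}

    findings = []
    for (key, name), allowed in expected.items():
        actual = values.get((key, name))
        # An absent DefaultUserName is as good as an empty one; every other
        # value must be present with the expected setting.
        if actual is None and name == "DefaultUserName":
            continue
        if actual not in allowed:
            findings.append(f"{key}\\{name}: found {actual!r}, expected one of {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    for finding in audit_registry_values(parse_reg_export(SAMPLE_EXPORT), nt_only=True):
        print(finding)
```

Run against the constructed export with nt_only=True, the script reports the leftover DefaultUserName, the LMCompatibilityLevel of 1, and the missing RestrictGuestAccess on the Security log; with nt_only=False the LMCompatibilityLevel finding disappears.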

Implementation technique:
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Access this Computer from the Network."
4. Edit the Grant To list to be commensurate with corporate standards.
Industry guidelines state:
* Users
* Server Operators
* Account Operators
* Print Operators
* Backup Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.

Compliance assessment technique:
Verify who has the "Access this Computer from the Network" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Access this Computer from the Network."
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Users
* Server Operators
* Account Operators
* Print Operators
* Backup Operators

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Access this Computer from the Network" user right. The following guidelines can be used:
* Users
* Server Operators
* Account Operators
* Print Operators
* Backup Operators
12 Security Administration Activities
Control objective: The "Add Workstation to the Domain" standard user right should be restricted to ensure that unauthorized users cannot add miscellaneous machines to the domain.
Risk: Users should not be adding machines to the domain unless they are authorized. They might be able to add a domain controller and compromise the SAM.
Control technique: Restrict who can add computers to the domain.

12 Security Administration Activities
Control objective: The "Backup Files and Directories" standard user right should be restricted because anyone with this user right can bypass resource ACLs and read all files.
Risk: There should be a segregation of duties between Administrators, users, and individuals who can back up files. Individuals with this user right can bypass the ACL of a file and read any file they want.
Control technique: Restrict who can back up files.
Implementation technique:
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Add Workstation to the Domain."
4. Edit the Grant To list to be commensurate with corporate standards.
Industry guidelines state:
* Administrators
* Server Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.

Compliance assessment technique:
Verify who has the "Add Workstation to the Domain" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Add Workstation to the Domain."
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Administrators
* Server Operators

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Add Workstation to the Domain" user right. The following guidelines can be used:
* Administrators
* Server Operators

Implementation technique:
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Backup Files and Directories."
4. Edit the Grant To list to be commensurate with corporate standards.
Industry guidelines state:
* Backup Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.

Compliance assessment technique:
Verify who has the "Backup Files and Directories" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Backup Files and Directories."
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Backup Operators

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Backup Files and Directories" user right. The following guidelines can be used:
* Backup Operators
12 Security Administration Activities
Control objective: The "Change the System Time" standard user right should be restricted because anyone with this user right can change the system time, which in turn could misconfigure the time on all member servers.
Risk: Accuracy of the system time is a prerequisite for an audit trail because knowing who was accessing resources at a specified time could implicate a user. The entire audit, event monitoring, and logging system is based on time and therefore requires that time not be tampered with. Security policies, such as those for account lockout and expiration, are based on the system time.
Control technique: Restrict who can change the system time.

12 Security Administration Activities
Control objective: The "Log on Locally" standard user right should be restricted so that normal users cannot interact with the PDC.
Risk: Individuals that interact with the PDC can usually get access to very sensitive system resources or create denials of service.
Control technique: Restrict who can interact with the PDC.
Implementation technique:
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Change the System Time."
4. Edit the Grant To list to be commensurate with corporate standards.
Industry guidelines state:
* Administrators
* Server Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.

Compliance assessment technique:
Verify who has the "Change the System Time" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Change the System Time."
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Administrators
* Server Operators

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Change the System Time" user right. The following guidelines can be used:
* Administrators
* Server Operators

Implementation technique:
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Log on Locally."
4. Edit the Grant To list to be commensurate with corporate standards.
Industry guidelines state:
* Administrators
* Backup Operators (only if the backups are performed locally)
* Server Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.

Compliance assessment technique:
Verify who has the "Log on Locally" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Log on Locally."
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Administrators
* Backup Operators (only if the backups are performed locally)
* Server Operators

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Log on Locally" user right. The following guidelines can be used:
* Administrators
* Backup Operators (only if the backups are performed locally)
* Server Operators
12 Security Administration Activities
Control objective: The "Manage Auditing and Security Log" standard user right should be restricted so that only designated auditors can view and delete the PDC's logs.
Risk: There should be a segregation of duties between Administrators, users, and individuals who can audit the PDC. Since individuals with this right can clear a security log, they have the ability to attempt an attack on the system and then delete the log, although a security control inherent in Windows NT is that the first entry in the new log states that the old log was cleared and by whom. Only authorized individuals, such as the Security Officer or the Internal Auditor, should be given this right. Those types of individuals should be members of an Auditors group.
Control technique: Restrict who can audit the PDC.

12 Security Administration Activities
Control objective: The "Restore Files and Directories" standard user right should be restricted because anyone with this user right can bypass resource ACLs and read and write to all files.
Risk: There should be a segregation of duties between Administrators, users, and individuals who can restore files. Individuals with this user right can bypass the ACL of a file and read or write to any file on the PDC.
Control technique: Restrict who can restore files from backups.
Implementation technique:
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Manage Auditing and Security Log."
4. Edit the Grant To list to be commensurate with corporate standards.
Industry guidelines state:
* Auditors (must be created)
5. Click OK on the new window to confirm changes.
6. Close User Manager.

Compliance assessment technique:
Verify who has the "Manage Auditing and Security Log" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Manage Auditing and Security Log."
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Auditors (must be created)

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Manage Auditing and Security Log" user right. The following guidelines can be used:
* Auditors (must be created)

Implementation technique:
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Restore Files and Directories."
4. Edit the Grant To list to be commensurate with corporate standards.
Industry guidelines state:
* Backup Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.

Compliance assessment technique:
Verify who has the "Restore Files and Directories" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Restore Files and Directories."
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Backup Operators

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Restore Files and Directories" user right. The following guidelines can be used:
* Backup Operators
12 Security Administration Activities
Control objective: The "Shut Down the System" standard user right should be restricted to prevent unauthorized individuals from shutting down the PDC and causing a denial of service.
Risk: Individuals who can shut down the PDC could cause a denial of service or degrade the performance of the network depending on the BDC configurations.
Control technique: Restrict who can shut down the PDC.

12 Security Administration Activities
Control objective: The "Take Ownership of Files or Other Objects" standard user right should be restricted so that no one can manipulate a file they do not already own.
Risk: This is a very powerful user right because individuals can ignore the ACL of an object, take ownership of the object, and change the ACL to what they want.
Control technique: Restrict who can take ownership of files or other objects.
Note: The default assignment of this right is to Administrators, which is what lets an administrator recover files whose owning account has been deleted; if the right is removed per the guideline below, it must be re-granted temporarily for that recovery.
Implementation technique:
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Shut Down the System."
4. Edit the Grant To list to be commensurate with corporate standards.
Industry guidelines state:
* Administrators
* Server Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.

Compliance assessment technique:
Verify who has the "Shut Down the System" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Shut Down the System."
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Administrators
* Server Operators

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Shut Down the System" user right. The following guidelines can be used:
* Administrators
* Server Operators

Implementation technique:
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Take Ownership of Files or Other Objects."
4. Edit the Grant To list to be commensurate with corporate standards.
Industry guidelines state:
* No one
5. Click OK on the new window to confirm changes.
6. Close User Manager.

Compliance assessment technique:
Verify who has the "Take Ownership of Files or Other Objects" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find "Take Ownership of Files or Other Objects."
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* No one

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Take Ownership of Files or Other Objects" user right. The following guidelines can be used:
* No one
12 Security Administration Activities
Control objective: The "Act as Part of the Operating System" advanced user right should be restricted so that no one can act like the "system." This right is required by some applications such as Bindview.
Risk: The "Act as Part of the Operating System" right is one of the most powerful rights within Windows NT. It allows the designated accounts to act as a trusted part of the operating system and can therefore do anything regardless of other rights.
Control technique: Restrict who can act as the operating system.

12 Security Administration Activities
Control objective: The "Bypass Traverse Checking" advanced user right should be available to Everyone.
Note: This is a divergence from the book, which specifies that the Administrator, Server Operator, and Backup Operator groups are the only ones to have bypass traverse checking on the PDC.
Risk: If Everyone is removed from this user right, POSIX-compliant applications could cause a denial of access when they try to traverse subdirectories.
Note: The "Bypass Traverse Checking" right allows Windows NT to be configured in a POSIX-compliant manner. It allows users to traverse subdirectories regardless of parent permissions.
Control technique: Ensure that Everyone has the right to bypass traverse checking.
Implementation technique:
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the "Show Advanced User Rights" check box.
4. Scroll through the Rights and find "Act as Part of the Operating System."
5. Edit the Grant To list to be commensurate with corporate standards.
Industry guidelines state:
* No one
6. Click OK on the new window to confirm changes.
7. Close User Manager.

Compliance assessment technique:
Verify who has the "Act as Part of the Operating System" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the "Show Advanced User Rights" check box.
4. Scroll through the Rights and find "Act as Part of the Operating System."
5. Verify that the list of users is commensurate with corporate standards and best practices.
6. Click Cancel.
7. Close User Manager.
Industry guidelines state:
* No one

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Act as Part of the Operating System" user right. The following guidelines can be used:
* No one

Implementation technique:
Ensure user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the "Show Advanced User Rights" check box.
4. Scroll through the Rights and find "Bypass Traverse Checking."
5. Ensure that the special group Everyone is granted this right.
6. Click OK on the new window to confirm changes.
7. Close User Manager.
Industry guidelines state:
* Everyone

Compliance assessment technique:
Verify who has the "Bypass Traverse Checking" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the "Show Advanced User Rights" check box.
4. Scroll through the Rights and find "Bypass Traverse Checking."
5. Verify that the list of users is commensurate with corporate standards and best practices.
6. Click Cancel.
7. Close User Manager.
Industry guidelines state:
* Everyone

Compliance verification technique:
Review the <servername>.rights.txt and ensure only authorized users are granted the "Bypass Traverse Checking" user right. The following guidelines can be used:
* Everyone
No.: 12
Category: Security Administration Activities
Control Objective: The "Log on as a Service" advanced user right should be restricted so that no one can act as a service.
Risk: The "Log on as a Service" right allows a user to log on as a service, similar to those required by virus scanners and faxing software. These services run in the background without any interaction from any additional users. Some services have Full Control over the system and could be very powerful if configured in that manner.
Action: Restrict who can log on as a service.

No.: 12
Category: Security Administration Activities
Control Objective: The "Modify Firmware Environment Variables" advanced user right should be restricted so that users can't modify the system environment variables that affect certain programs.
Risk: The "Modify Firmware Environment Variables" right allows users to modify the system environment variables that affect certain programs. If a variable is modified, it could be set to point to a batch program that launches a Trojan horse or denial of service.
Action: Restrict who can modify firmware environment variables.
Compliance Assessment Techniques
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the "Show Advanced User Rights" check box.
4. Scroll through the Rights and find "Log on as a Service."
5. Edit the Grant To list to be commensurate with corporate standards.
6. Click OK on the new window to confirm changes.
Industry guidelines state:
* Replicators

Compliance Verification Techniques
Verify who has the "Log on as a Service" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the "Show Advanced User Rights" check box.
4. Scroll through the Rights and find "Log on as a Service."
5. Verify that the list of users is commensurate with corporate standards and best practices.
6. Click Cancel.
7. Close User Manager.
Industry guidelines state:
* Replicators

Review the <servername>.rights.txt and ensure only authorized users are granted the "Log on as a Service" user right. The following guidelines can be used:
* Replicators

Compliance Assessment Techniques
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the "Show Advanced User Rights" check box.
4. Scroll through the Rights and find "Modify Firmware Environment Variables."
5. Edit the Grant To list to be commensurate with corporate standards.
6. Click OK on the new window to confirm changes.
Industry guidelines state:
* Administrators

Compliance Verification Techniques
Verify who has the "Modify Firmware Environment Variables" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the "Show Advanced User Rights" check box.
4. Scroll through the Rights and find "Modify Firmware Environment Variables."
5. Verify that the list of users is commensurate with corporate standards and best practices.
6. Click Cancel.
7. Close User Manager.
Industry guidelines state:
* Administrators

Review the <servername>.rights.txt and ensure only authorized users are granted the "Modify Firmware Environment Variables" user right. The following guidelines can be used:
* Administrators
Domain Controller Security

No.: 12
Category: Security Administration Activities
Control Objective: Certain advanced user rights should either be granted to no one or to Administrators only. These rights are listed in the implementation checklist.
Risk: These advanced user rights could be used to compromise the PDC if they are granted to the wrong individuals other than Administrators. They are very powerful and do not need to be granted to normal users.
Action: Restrict who is granted these advanced user rights (as listed in the implementation checklist).
Compliance Assessment Techniques
Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the "Show Advanced User Rights" check box.
4. Scroll through the Rights and find the following:
   Group A, should be granted to Administrators:
   * Create a pagefile
   * Debug programs
   * Increase quotas
   * Increase scheduling priority
   * Load and unload device drivers
   * Profile single process
   * Profile system performance
   Group B, should be granted to no one:
   * Create a token object
   * Create permanent shared objects
   * Generate security audits
   * Lock pages in memory
   * Modify firmware environment variables
   * Replace a process-level token
5. Edit the Grant To list to be commensurate with corporate standards or the above industry guidelines.
6. Click OK on the new window to confirm changes.
7. Close User Manager.

Compliance Verification Techniques
Verify who has certain user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the "Show Advanced User Rights" check box.
4. Scroll through the Rights and find the rights listed under Group A and Group B above.
5. Verify that the list of users is commensurate with corporate standards and best practices.
6. Click Cancel.
7. Close User Manager.
Industry guidelines state:
* Group A (Administrators)
* Group B (No one)

Review the <servername>.rights.txt and ensure only authorized users are granted the user rights listed under Group A and Group B above. The following guidelines can be used: Group A should be granted to Administrators; Group B should be granted to no one.

Note: The standard user right "Force Shutdown from a Remote Machine" and the advanced user right "Log on as a Batch Job" are not listed anywhere in ESAS because they are not implemented in Windows NT 4.0 and have no consequences.
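The review of a rights dump can be automated. The Python below is an added example, not part of the book or of ESAS. It assumes the dump is in the INF format that `secedit /export /cfg` writes on later Windows versions (a `[Privilege Rights]` section of `SePrivilegeName = *SID,*SID` lines); the layout of the book's `<servername>.rights.txt` is not shown, so that mapping is an assumption, and the sample dump is constructed for the example. The privilege constants and well-known SIDs are the standard Windows ones.

```python
"""Audit a user-rights dump against the checklist's industry guidelines."""

# Well-known SIDs as they appear in a secedit-style [Privilege Rights] export.
SID_NAMES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-552": "Replicator",
    "S-1-1-0": "Everyone",
}

# Privilege constant -> (display name, accounts allowed by the guideline).
# An empty set means the guideline is "No one". Where the checklist gives
# two answers for "Modify firmware environment variables" (Administrators
# in its own row, no one in Group B) the stricter one is used here.
GUIDELINES = {
    "SeTcbPrivilege": ("Act as part of the operating system", set()),
    "SeChangeNotifyPrivilege": ("Bypass traverse checking", {"Everyone"}),
    "SeServiceLogonRight": ("Log on as a service", {"Replicator"}),
    "SeSystemEnvironmentPrivilege": ("Modify firmware environment variables", set()),
    "SeCreatePagefilePrivilege": ("Create a pagefile", {"Administrators"}),
    "SeDebugPrivilege": ("Debug programs", {"Administrators"}),
    "SeIncreaseQuotaPrivilege": ("Increase quotas", {"Administrators"}),
    "SeIncreaseBasePriorityPrivilege": ("Increase scheduling priority", {"Administrators"}),
    "SeLoadDriverPrivilege": ("Load and unload device drivers", {"Administrators"}),
    "SeProfileSingleProcessPrivilege": ("Profile single process", {"Administrators"}),
    "SeSystemProfilePrivilege": ("Profile system performance", {"Administrators"}),
    "SeCreateTokenPrivilege": ("Create a token object", set()),
    "SeCreatePermanentPrivilege": ("Create permanent shared objects", set()),
    "SeAuditPrivilege": ("Generate security audits", set()),
    "SeLockMemoryPrivilege": ("Lock pages in memory", set()),
    "SeAssignPrimaryTokenPrivilege": ("Replace a process-level token", set()),
}


def parse_privilege_rights(dump_text):
    """Return {privilege: set of holder names} from the [Privilege Rights] section.

    Holders are written as *SID; well-known SIDs are mapped to names, anything
    else is kept as the raw SID so it still shows up in a finding.
    """
    rights = {}
    in_section = False
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = set()
        for item in value.split(","):
            item = item.strip().lstrip("*")
            if item:
                holders.add(SID_NAMES.get(item, item))
        rights[name.strip()] = holders
    return rights


def find_violations(dump_text, guidelines=GUIDELINES):
    """List (display name, sorted offending holders) for every right granted too widely.

    A right that is absent from the dump is treated as granted to no one.
    """
    rights = parse_privilege_rights(dump_text)
    violations = []
    for priv, (display, allowed) in guidelines.items():
        extra = rights.get(priv, set()) - allowed
        if extra:
            violations.append((display, sorted(extra)))
    return violations


# Constructed sample dump with two deliberate findings: a domain account
# (S-1-5-21-...-1105) holds "Act as part of the operating system" and
# "Debug programs" alongside Administrators.
SAMPLE_DUMP = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1-2-3-1105
SeChangeNotifyPrivilege = *S-1-1-0
SeServiceLogonRight = *S-1-5-32-552
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1-2-3-1105
SeCreateTokenPrivilege =
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for display, extra in find_violations(SAMPLE_DUMP):
        print("FINDING: '%s' is granted to %s" % (display, ", ".join(extra)))
```

Any SID that is not in `SID_NAMES` is reported raw, which is deliberate: an unfamiliar SID holding "Act as part of the operating system" is exactly the case the checklist wants surfaced, and resolving it against the domain is a separate step.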
Domain Controller Security

No.: 12
Category: Security Administration Activities
Control Objective: The company's legal department should be consulted, and consideration should be given to implementing a legal warning message to be displayed during login.
Risk: Displaying a legal warning ensures that users are aware of the consequences of unauthorized access and assists in conveying the protection of corporate assets.
Action: Set the registry values to "Authorized Use Only" and "The Use of this System is Restricted to Authorized Persons Only. All Others will be Prosecuted to the Full Extent of the Law," respectively.

No.: 12
Category: Security Administration Activities
Control Objective: Services that compromise the security of the domain should not be started.
Risk: If the company has services running that compromise the security of the domain, there is an increased risk that domain resources will be compromised.
Action: Disable any unnecessary or insecure services running.

No.: 12
Category: Security Administration Activities
Control Objective: Services that provide enticement information should be disabled.
Risk: Certain services (Messenger and Alerter) allow users to get enticement information about the domain and its resources.
Action: The Messenger and Alerter services and any other services that provide users enticement information should be disabled when possible.
Compliance Assessment Techniques
For all servers, enable the display of legal text by performing the following steps:
1. Open the Registry Editor (regedt32.exe).
2. Select the Software\Microsoft\Windows NT\CurrentVersion\Winlogon subkey of the HKLM hive.
3. Enter the appropriate text in the LegalNoticeCaption and LegalNoticeText values.
4. Close the Registry Editor.

Compliance Verification Techniques
Verify that an appropriate Legal Notice has been created and cleared with the Legal Department. Ensure that the Legal Notice is implemented on all machines by attempting to log on to selected machines and verifying the existence of a legal notice.

Review <servername>.winlogon.txt and ensure the LegalNoticeCaption and LegalNoticeText values contain adequate legal text.

Compliance Assessment Techniques
N/A

Compliance Verification Techniques
Verify that there are no services running on the PDC that could lead to unnecessary risk and exposure by performing the following steps:
1. Open Server Manager.
2. Select the PDC and choose Services... from the Computer pulldown menu.
3. Review each running service to determine if it may compromise the security of the PDC.

Verify that there are no services running on the PDC that could lead to unnecessary risk and exposure by reviewing <servername>.services.txt and ensuring that unnecessary or insecure services are not running.

Compliance Assessment Techniques
N/A

Compliance Verification Techniques
Discuss with the network administrator the use of Messenger and Alerter. If these services are not used, be sure that they are stopped.

Review <servername>.services.txt and determine if the Messenger and Alerter services are running. If the services are running, inquire with the company if they are necessary to support applications or services running on the server (e.g., backup software).
... specific security-related tasks and also contains procedures ... trusted system. ... software integrity ... measure ... sensitive or classified information." ... for a comprehensive security ... tasks must be distributed to ...

... Act of 1987 cast new urgency on computer security. ... stipulates that if financial loss occurs as a result ... the perpetrator is liable for damages. Thus, the ... information lies with ...

... environment of cooperating ... automatically. Unauthorized persons ... havoc to the system.
... a business entity should establish a comprehensive security policy governing computer use. A computer security policy is a statement of rules governing the behavior of users to ensure system and data integrity.
* Commit management to security.
* Control physical equipment.
* Tell users what is expected of them.
* Design administrative procedures to increase security.
* Segregate and compartmentalize data.
* Disconnect unused terminals and mass storage devices.
* Never perform any task as super user that can be performed with a lesser privilege.
* Do not trust what others can alter.
* Require users to be on the system purposefully, on a "need-to-know" basis.
* Have users report any unusual or irresponsible activities to authorities. These activities might include unaccounted-for programs or unexpected software behavior.

Besides software features, administrative support is essential for achieving a workable security policy. When drafting a security policy, be sure to address the following:
* What facilities require protection?
* Which data warrant protection?
* Who is allowed access to the system and under what circumstances?
* What permissions and protections are required to maintain security?
* How can the system security policy be enforced by physical, procedural, and system mechanisms?

Physical security safeguards system hardware from damage. It protects software from corruption as a result of environmental conditions and assures that unauthorized personnel are denied access to areas containing system equipment. Hardware includes the central processing unit (CPU), system console, terminals, and other peripherals such as disk drives and tape drives. Software includes the operating system and programs. Restrict physical access to areas containing system equipment by:
* Using perimeter controls, such as locked computer rooms, fenced buildings, and guards at building entrances.
* Using antitheft protection designed for desktop computers.
* Issuing keys and ID badges.
* Physically securing access to terminal wiring and network cables.
* Safeguarding sensitive or proprietary data by keeping media archived in a locked facility.
* Erasing obsolete data.
* Shredding or securely disposing of console logs or printouts.

Although practices may differ depending on the type of computer involved, the procedural security policy should govern the following:
* Use of equipment and systems operation.
* Management of software and data, including the following:
  * How computer-processed information can be accessed, manipulated, and stored to maintain system safeguards.
  * ... the system's life cycle.
  * ... including frequency of audit review and analysis.

Auditing should be performed by authorized security ... use security features such as access control lists ...

Maintaining system security involves:

At a system level, Unix provides two kinds of authorization ... per user. Individual users also may be granted or restricted ... traditional file permissions and access control lists. ... auditing of computer usage by user, system call, ...

tents and trained in


its use.

levels.

rity ~ e a s u r e often
s force users to developloopholes to maintain
s y s t e ~a ~ ~ i ~ i s t r aist itoo ~ i s t r i ~ u t e

e syste

ollects v ~ i o u ss y s t e statistics,
~

r super user) a t t e ~ p t sand invali~network

S online t e r ~ i n
The system programmer's tasks are:
* Installs system upgrades.
* Performs dump analysis.
* Writes programs that conform to security criteria.

This section provides a strategic road map for setting up a secure system. Topics covered include setting up the system, enabling auditing, and maintaining the system after implementing the security features.

... is used to perform security-related system administration tasks. It is a window environment reserved for users with superuser capability that guides the user through each step, focuses choices, and protects the user from corrupting critical files. It avoids introducing mistakes or compromises that might breach security. The following security-related system administration tasks can be performed ...:
* Turning auditing on and off.
* Setting the audit monitor and log parameters.
* Viewing audit logs.
* Viewing and modifying audit options for users, events, and system calls.
* Converting to a trusted system.
* Managing user accounts.

... the following area you wish to work in: ... interface and the ... test ...

The procedures presented here cover all of the tasks required to implement a secure (trusted) system. Determine whether the following steps were followed:
1. Plan prior to conversion.
2. Install the system from tape.
3. Convert to a secure (trusted) system.

Prior to the conversion:
* ... to evaluate your audit logs determined?
* ... of the work site identified?
* ... user levels, how were the written ... work site established?
* ... informed of their security ... risks? This is mandatory.
* ... files should be examined regularly or when a security breach is suspected. How was it determined that no security breaches existed before proceeding to the next section?

... updated but should be installed from tape because the effectiveness ... may be compromised if the system files were altered. The steps ...:
1. The file system should be backed up for later recovery of user files.
2. ... from the backup media.
3. ... for each product fileset installed on the system ... used as a reference when checking ...
4. ... conversion. After step 4, proceed directly to the conversion task that is described as follows.

The conversion ... the passwords from the ... file to the ..., replaces ... in the ... file with *, forces all users to use ..., sets the audit flag on for all ..., ... files to use the submitter's audit ...

Before running the conversion program: ... If the system returns the ... string, copy the file: ... Insert these lines if they are not ... insert the subroutine ... at the end of the list of calls in the section and in the ... of this file.

To convert to a secure (trusted) system: ... converted, the user will re... subsystem is now ready to be enabled.

The system supplies default auditing parameters at installation. Some are activated automatically, some have to be enabled. ... system calls can be ... screen:

Primary log file path name: the full pathname of the file set to collect auditing data initially.
Primary log file switch size (AFS): 5,000 kbytes.
Auxiliary log file path name: ...
Auxiliary log file switch size: 1,000 kbytes, the switch size for the backup log file.
Monitor wake-up interval: 1 minute.
Allowable free space (FSS): 20%. The minimum switch point, the minimum amount of file space allowed on the file system before a switch ...
90%: ... trigger warnings ...

The following is an example of the possible output of the file system space report:

kbytes    Used      Available  Capacity  Mounted on
23,191    19,388    1,483      93%       /
207,?67   184,224   2,316      99%       /mnt
120,942   13,374    95,473     12%       (unreadable)
121,771   48,273    61,320     44%       (unreadable)

Choose a file system with adequate space for the audit log files. For example, using the system-supplied default for the primary audit log file would mean that:
1. The file system holding the default primary audit log file must have more than 5,000 kbytes available for the primary audit log file.
2. It must have more than 20% of its file space available.

The following errors can occur if file system space is inadequate:
1. If the primary audit log file resides in a file system with less than 20 percent file space available, the system immediately switches to the auxiliary audit log file when auditing is invoked.
2. If the file system chosen has insufficient space to handle the indicated audit file switch size (i.e., 5,000 kbytes), the system issues the following message:
   ... have completed task ... current audit file ...
   ... on audit file system, speci...
   ... auditing system unchanged.

Provide a new pathname for the auxiliary audit log file. The primary and auxiliary audit files should reside on separate file systems. Since each installation of Unix is different, it is not known which file systems are available at the user's installation. For this reason, the default situation has both the primary and auxiliary log files residing on the same file system, /.

These parameters can now be enabled and auditing turned on. Leave the default ... and leave the default of (y) at ...

The system is now ready for normal operation as a secure system.

Once the system is up and running, one should periodically verify file system security and check for security breaches on a regular basis.

... for each of the product filesets installed on the system to be used as a basis for later comparison. The files created will contain a single-line entry for each file having the following information: ... numbers are listed for device ... algorithm. This field reflects the ... user to exe...

fck does not produce output unless it finds discrepancies. Examine the results, paying particular attention to changes in:
* Mode permission bits.
* Owner ID and group ID.
* ... discrepancies.

Use the same procedures as before to verify file consistency for customized systems. Create a prototype file list and run the ... command on that list to produce a ... listed files, run the fck command using the ... will read each entry in the file, gather the current statistics, compare it to the baseline, and report any discrepancies.
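The baseline-then-compare procedure that fck performs can be reproduced with a few lines of Python. The block below is an added example and is not the book's fck or any vendor tool: it records mode bits, owner and group IDs, size and a SHA-256 digest (major/minor numbers for device special files) for everything under a root, and reports every field that differs on a later pass. The scenario in `demo()` is constructed in a temporary directory so the example runs stand-alone.

```python
"""Baseline-and-compare check of file attributes, in the spirit of the fck step above."""
import hashlib
import os
import stat
import tempfile

FIELDS = ("mode", "uid", "gid", "size", "sha256")


def _record(path):
    """Attributes worth baselining for one path (symlinks are not followed)."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size, "sha256": None}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        # Device special files: record major/minor numbers instead of a digest.
        rec["sha256"] = "dev:%d:%d" % (os.major(st.st_rdev), os.minor(st.st_rdev))
    return rec


def build_baseline(root):
    """Map path relative to root -> attribute record, for everything under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _record(full)
    return baseline


def compare(baseline, current):
    """Return (path, field, old, new) tuples, sorted by path, for every discrepancy."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "missing", baseline[path], None))
        elif path not in baseline:
            findings.append((path, "new", None, current[path]))
        else:
            for field in FIELDS:
                old, new = baseline[path][field], current[path][field]
                if old != new:
                    findings.append((path, field, old, new))
    return findings


def demo():
    """Constructed scenario in a temp dir: a mode change, a content change, a new file."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        prog = os.path.join(root, "bin", "login")
        with open(prog, "w") as f:
            f.write("#!/bin/sh\nexec /bin/true\n")
        os.chmod(prog, 0o755)
        conf = os.path.join(root, "passwd")
        with open(conf, "w") as f:
            f.write("root:x:0:0::/:/bin/sh\n")
        os.chmod(conf, 0o644)
        base = build_baseline(root)

        os.chmod(prog, 0o777)                     # made world-writable
        with open(conf, "a") as f:                # extra UID 0 account appended
            f.write("evil:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "extra"), "w") as f:
            f.write("x")                          # unexpected new file
        return compare(base, build_baseline(root))


if __name__ == "__main__":
    for path, field, old, new in demo():
        print("%s: %s %r -> %r" % (path, field, old, new))
```

The baseline must itself be protected (stored off the audited file system, or on read-only media) or an intruder who alters a file can simply re-baseline it; that is the same reason the text has the baseline built from freshly installed filesets before the system goes into service.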

This section covers basic information on password security, system and user file permissions, and file access control using ACLs.

The password is the most important individual user identification symbol. The system authenticates a user to allow access to the system. Since they are vulnerable to compromise when used, stored, or even known, passwords must be kept secret at all times.

The System Security Officer and every user on the system must share responsibility for password security. The security policy should be based on the following assumptions:
* A password is assigned when a user is added to the system.
* A user's password should be changed periodically.
* The system must maintain a password database.
* Users must remember their passwords and keep them secret.
* Users must enter their passwords at authentication time.

The System Security Officer performs the following security tasks:
* Assigns the initial system passwords.
* Maintains the proper permissions on ... files.
* Assigns the initial passwords to all new users.
* Establishes password aging.
* Deletes or nullifies expired passwords, user IDs, and passwords of users no longer eligible to access the system.
* ... security violations.

Observe the following guidelines when choosing a password:
* It must contain at least two alphabetic characters ... characters can include control characters ...
* Do not choose a word ... if you spell it backwards.
* ... or repetitions of your ...
* ... words make suitable ...

It is a security violation for users to sh... immediately after entry and store ... password is used in co...

... consists of seven fields separated by ... The fields contain the following information (listed in order):
* ... consisting of up to ...
* ... password field held by an ...
* ... an integer less than ...0,000.
* ... user can change the encrypted ... command; the comment field ...
* ... file, accessible only ...

... four fields separated by ... The four fields of the ... contain the following information (listed in order):
* ... consisting of up to eight characters ...

General users cannot alter any fields in ... users should construct ... the system searches the ... before creating a file. This restricts ...
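A few of the password-database rules above (seven colon-separated fields, a non-empty password field, unique user IDs, a bounded ID range) can be checked mechanically before the file is trusted. The Python below is an added example rather than anything from the book; the sample records are constructed, and the 60,000 upper bound and 8-character login limit are assumed parameters, not values read from any system.

```python
"""Sanity checks over /etc/passwd-style records (seven colon-separated fields)."""

PASSWD_FIELDS = ("login", "password", "uid", "gid", "comment", "home", "shell")


def audit_passwd(text, max_uid=60000, max_login=8):
    """Return (line number, finding, detail) tuples for a passwd-format text.

    max_uid and max_login are assumed limits for this example, not values
    read from any system.
    """
    findings = []
    seen_uid = {}
    seen_login = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            findings.append((lineno, "malformed", "%d fields" % len(parts)))
            continue
        rec = dict(zip(PASSWD_FIELDS, parts))
        login = rec["login"]
        if login in seen_login:
            findings.append((lineno, "duplicate login", login))
        seen_login.add(login)
        if len(login) > max_login:
            findings.append((lineno, "login too long", login))
        if rec["password"] == "":
            findings.append((lineno, "empty password", login))
        if not rec["uid"].isdigit():
            findings.append((lineno, "non-numeric uid", rec["uid"]))
            continue
        uid = int(rec["uid"])
        if uid == 0 and login != "root":
            findings.append((lineno, "uid 0", login))
        if uid >= max_uid:
            findings.append((lineno, "uid out of range", login))
        if uid in seen_uid:
            findings.append((lineno, "duplicate uid",
                             "%s shares uid %d with %s" % (login, uid, seen_uid[uid])))
        else:
            seen_uid[uid] = login
    return findings


# Constructed sample: a healthy block plus four deliberate defects
# (a second UID 0 account, an empty password, a shared UID, a 6-field line).
SAMPLE_PASSWD = """\
root:x:0:0:Superuser:/:/bin/sh
daemon:*:1:1::/:/bin/false
karen:x:201:20:Karen Smith,x1234:/home/karen:/bin/ksh
backdoor:x:0:0::/tmp:/bin/sh
guest::202:20:Guest account:/home/guest:/bin/sh
george:x:201:20:George Jones,x5678:/home/george:/bin/sh
broken:x:203:20:/home/broken:/bin/sh
"""

if __name__ == "__main__":
    for lineno, finding, detail in audit_passwd(SAMPLE_PASSWD):
        print("line %d: %s (%s)" % (lineno, finding, detail))
```

A second UID 0 entry is reported twice (as "uid 0" and as a duplicate of root), which is intentional: either check alone would catch it, and the duplicate-UID check also catches two ordinary users sharing an ID, where file ownership becomes ambiguous.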

Do not leave executables where they were developed. Restrict access to executables under development.

... permissions should be set as restrictively as possible without los... set to prevent users from writing to them. These include: ... Only root should be able to read from ... encompass entire subsystems ... access to files they protect or use, the ... ability to grant access ... enforces the security of all programs en...

... of Unix programs are set according to the principle of least privilege, ... to any object based on "need to know/use" only. The number of ... minimize the risk of Trojan horses ... programs have been changed to ...

Directories to which files are added or deleted often (dynamic directories) need ... permission, for example: ...

The same guidelines for static and dynamic directories are applicable to executables, scripts, and databases (e.g., ...).

Access to all devices in a system is controlled by device special files ... be device independent. These files have been shipped with permissions for proper use and maximum security. If installing any other special files, ... the command manual entry or the ...

Since device special files can be as vulnerable to tampering as any other file, observe the following precautions:
* Use only Unix-supplied device drivers in your kernel. ... driver, you invalidate the Tru...
* Protect the memory and sw... since these files contain user information that has a potential for ... For example, a program that watches memory for an invocation of the ... could copy the password from login's buffers when a user types it in.
* All device files should be kept in /d...
* Write-protect all disk special files from general users to prevent in...
* Read-protect disk special files to prevent disclosure.
* Terminal ports on Unix systems may be writable by anyone i... to communicate by using the ... should have read permission.
* Individual users should never own a device file other than a terminal ... personal printer.
* ... the lowest privilege lev...

... on managing user accounts, refer to the ...

... work is confidential. ... permission to use ... general users.

... accounts on, for accountability and as...

Include the user's full name and a work-related identifier (such as phone number) in ... include confidential information, since any... or directories such as ... promote accountability. ... user's account to call at... new user account with ... causes the user to re... it is necessary to deactiv... account as soon as it is es...

The following guidelines can be used to reactivate a user account: ... to reactivate a user account. To allow the user to set the password, ...

To reduce the chance of system penetration, remove an account as soon as a user leaves or ... cess. To remove an account follow these steps:
1. Make a backup copy of the user's directory tree so that the account can be recon...
2. Search the system for files owned by the user after removing the home directory struc...
3. Remove reference to the user in ... To remove them, type the following commands: ...
4. Remove reference to the user in ...
5. Remove the user's mailbox from /u...
6. Use the ...(1) command to locate all files in which the user is explicitly included in an ACL entry, as follows: ... If appropriate, notify the file owner and remove the ACL entry.
7. Remove reference to the user in /u... or redirect the user's mail, if ap...
8. A user might have accounts on other systems that one does not administer. Inform other system administrators to remove the user.
9. Use ... to remove the account.

Moving a user account from one system to another is trickier than it seems. ... on the new system. If either ..., the user must be reassigned a new one for the new system, and the ... of all of the user's files must be changed. Do so from the user's hom...
1. Copy the user's files from the old to the new system.
2. Remove or deactivate the user from the old system.

If acquiring a user from a system one does not administer, or the user is moving from a less to more secure environment, check the user's files carefully for programs that might compromise security.

Because teams of employees ... directories, and ... define groups of users in the ... All members of a ... have sole access to ... When adding a group: ... work. ... to grant or restrict access ... permission bits.

Access control lists are a key enforcement mechanism of discretionary access control (DAC), for specifying access to objects by users and groups more selectively than traditional Unix mechanisms allow, based on the user's legitimate need for access. ACLs offer a greater degree of selectivity than permission bits by allowing the file owner or super user to set (permit or deny) access to individual users or groups. An ACL consists of sets of entries associated with a file to ... set a combination ... presented in the syntax ... ACLs are supported for files only.

To understand the relationship between access control lists and traditional file permissions, consider the following file and its permissions:

-rwxr-xr-- karen admin datafile

The file owner is karen, whose permissions are rwx. The file owner's group is admin. The file group's permissions are r-x. The file other permissions are r--.

In an ACL, user and group IDs can be represented by names or numbers found in ... The following special symbols can also be used:
%  No specific user or group
@  Current file owner or group

When a file is created, three base access control list entries are mapped from the file's access permission bits to match a file's owner, group, and other. Base ACL entries can be changed by the ... and ... commands.
(u.%, mode)  Base ACL entry for the file's owner
(%.g, mode)  Base ACL entry for the file's group
(%.%, mode)  Base entry for other users
(Except where noted, examples are represented in short form notation. See How to Use ACL Notation.)

Granting Selective Access with Optional ACLs


Optional access control list entries contain additional access control information that the
user can set with the setacl(2) system call to further allow or deny file access. Up to thirteen additional user-group combinations can be specified. For example, the following optional access control list entries can be associated with the file:
(mary. admin, rwx) Grant read, write, and execute access to user mary in
group admin.
(george.%,- - -) Deny any access to user george in any group.

Access Check Algorithm


ACL entries can be categorized by four levels of specificity based on their user and group IDs. In access checking, ACL entries are compared by effective user and group IDs in the following order:
(u.s, rwx) Specific user, specific group
(u.%, rwx) Specific user, any group
(%.g, rwx) Any user, specific group
(%.%, rwx) Any user, any group
Once an ACL entry is matched, only other entries at the same level of specificity are
checked. More specific entries that match take precedence over any less specific matches.
In the Berkeley model, a process might have more than one group ID, in which case more than one (u.g, mode) or (%.g, mode) entry might apply for that process. (See setgroups(2) in the Unix Reference Manual.) Under these circumstances, the access modes in all matching entries (of the same level of specificity, u.g or %.g) are ORed together. Access is granted if the resulting mode bits permit. Since entries are unique, their order in each entry type is insignificant.
Because traditional Unix permission bits are mapped into ACLs as base ACL entries,
they are included in access checks. If a request is made for more than one type of access,
such as opening a file for both reading and writing, access is granted only if the process is
allowed all requested types of access. Note that access can be granted if the process has two
groups in its groups list, one of which is only allowed read access and the other is only al-
lowed write access. Even if the requested access is not granted by any one entry, it may be
granted by a combination of entries as a result of the process belonging to several groups.
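The access-check algorithm just described is compact enough to implement directly, and doing so makes the corner cases concrete: an explicit denial at the u.% level beating a grant at the %.g level, and two group entries at the same level combining to satisfy a read-and-write request. The Python below is an added example, not the Unix implementation or anything from the book. It works on the short-form notation used throughout this section; the sample ACL is the text's `datafile` example with its optional entries, plus one constructed entry, `(%.dev,-w-)`, added so the multi-group case has something to combine.

```python
"""The ACL access-check algorithm described above, over short-form entries."""
import re

MODE_BITS = {"r": 4, "w": 2, "x": 1}
ENTRY_RE = re.compile(r"\(\s*([^.\s]+)\.([^,\s]+)\s*,\s*([rwx-]{3})\s*\)")


def mode_to_bits(mode):
    """'r-x' or 'rx' -> 5; hyphens are unset bits."""
    return sum(MODE_BITS[c] for c in mode if c != "-")


def parse_short_form(text):
    """'(karen.%,rwx) (%.admin,r-x) (%.%,r--)' -> {(user, group): bits}.

    Enforces the uniqueness rule: one entry per (user, group) pair.
    """
    acl = {}
    for user, group, mode in ENTRY_RE.findall(text):
        if (user, group) in acl:
            raise ValueError("duplicate entry for %s.%s" % (user, group))
        acl[(user, group)] = mode_to_bits(mode)
    return acl


def access_check(acl, user, groups, requested):
    """True iff every access in `requested` (e.g. 'rw') is granted.

    Levels are tried most specific first: u.g, u.%, %.g, %.%. Only the
    first level with a match is consulted; within it, the modes of all
    matching entries (one per group the process belongs to) are ORed.
    """
    want = mode_to_bits(requested)
    levels = (
        [(user, g) for g in groups],   # specific user, specific group
        [(user, "%")],                 # specific user, any group
        [("%", g) for g in groups],    # any user, specific group
        [("%", "%")],                  # any user, any group
    )
    for keys in levels:
        matched = [acl[k] for k in keys if k in acl]
        if matched:
            granted = 0
            for bits in matched:
                granted |= bits
            return want & granted == want
    return False


# The file from the text (-rwxr-xr-- karen admin) plus the optional entries
# from the example above and one constructed entry, (%.dev,-w-).
SAMPLE_ACL = parse_short_form(
    "(karen.%,rwx) (%.admin,r-x) (%.%,r--) (mary.admin,rwx) (george.%,---) (%.dev,-w-)"
)


def demo():
    """A few checks that exercise each rule; returns {label: decision}."""
    return {
        "owner karen, rwx": access_check(SAMPLE_ACL, "karen", ["users"], "rwx"),
        "mary in admin, rwx": access_check(SAMPLE_ACL, "mary", ["admin"], "rwx"),
        "mary in users, w": access_check(SAMPLE_ACL, "mary", ["users"], "w"),
        # george.% (u.%) beats %.admin (%.g): the explicit denial wins.
        "george in admin, r": access_check(SAMPLE_ACL, "george", ["admin"], "r"),
        # %.admin gives r-x and %.dev gives -w-; ORed at the %.g level -> rw ok.
        "alice in admin+dev, rw": access_check(SAMPLE_ACL, "alice", ["admin", "dev"], "rw"),
        # %.dev matches at the %.g level, so %.%'s r-- is never consulted.
        "alice in dev only, r": access_check(SAMPLE_ACL, "alice", ["dev"], "r"),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print("%-24s %s" % (label, "granted" if ok else "denied"))
```

The last two cases are the ones worth remembering when auditing an ACL: adding a group entry with a narrow mode can take access away from members of that group (they no longer fall through to the more permissive %.% entry), and a process in several groups can be granted a combination no single entry allows.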

ACL Uniqueness
All ACL entries must be unique. For every pair of u and g values, there can be only one
(u.g, mode) entry; one (u.%, mode) entry for a given value of u; one (%.g, mode) en-
try for a given value of g; and one (%.%,mode) entry for each file. Thus, an ACL can have
a (23.14, mode) entry and a (23.%, mode) entry, but not two (23.14, mode) entries or
two (23.%,. mode) entries.

How to Use ACL Notation


Supported library calls and commands that manage ACLs recognize three different sym-
bolic representations:

operator form  Used to input entire ACLs and modify existing ACLs in a syntax similar to that used by the chmod(1) command.

short form  Easier to read, intended primarily for output. The chacl(1) command accepts this form as input to interpret output from the lsacl(1) command.

long form  A multiline format easiest to read, but supported only for output.

The base ACL entries of our example file are represented in the three notations as follows:
Operator form  karen.% = rwx, %.admin = rx, %.% = r
Short form     (karen.%,rwx) (%.admin,r-x) (%.%,r--)
Long form      rwx karen.%
               r-x %.admin
               r-- %.%
Some library calls and commands use a variant format known as ACL Patterns (described
later in this section).

Operator Form of ACLs (Input Only)


Each entry consists of a user identifier and group identifier, followed by one or more op-
erators and mode characters, as in the mode syntax accepted by the chmod(1) command.
Multiple entries are separated by commas.
user.group operator mode [operator mode] ..., ...
The entire ACL must be a single argument, and thus should be quoted to the shell if
it contains spaces or special characters. Spaces are ignored except within names. A null
ACL is legitimate and means either “no access” or “no changes” depending on context.
Each user or group ID may be represented by:
name Valid user or group name.
number Valid numeric ID value.
% Any user or group, as appropriate.
@ Current file owner or group, as appropriate; useful for referring to a file’s u.%
and %.g base ACL entries.
An operator is required in each entry. Operators are:
= Set all bits in the entry to the given mode value.
+ Set the indicated mode bits in the entry.
- Clear the indicated mode bits in the entry.
The mode is an octal value of zero through seven or any combination of r, w, and x. A null mode denies access if the operator is =, or represents "no change" if the operator is + or -.
Multiple entries and multiple operator-mode parts in an entry are applied in the order
specified. If more than one entry or operator for a user and group are specified, the last spec-
ified entry or operator takes effect. Entries need not appear in any particular order.
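The operator form is small enough that its rules (the three operators, the null mode, `@` and `%`, and last-one-wins ordering) can be shown in a few lines. The Python below is an added example, not the chacl(1) implementation or anything from the book; it applies an operator-form string to an ACL held as `{(user, group): mode bits}` and prints the result in the short form used in this section. The starting ACL is the base entries of the text's `datafile` example, and the edit string in `demo()` is constructed.

```python
"""Apply operator-form ACL input ('user.group op mode, ...') to an ACL."""
import re

MODE_BITS = {"r": 4, "w": 2, "x": 1}
ENTRY_RE = re.compile(r"([^.\s]+)\s*\.\s*([^=+\-\s]+)\s*(.*)")
PART_RE = re.compile(r"([=+-])\s*([0-7]|[rwx]*)")


def mode_to_bits(mode):
    """'rx' -> 5, '5' -> 5, '' (null mode) -> 0."""
    return int(mode) if mode.isdigit() else sum(MODE_BITS[c] for c in mode)


def apply_operator_form(acl, text, owner, owner_group):
    """Return a copy of acl ({(user, group): bits}) with the edits in text applied.

    '@' stands for the file owner or owning group; '%' is any user or group.
    Entries, and operator/mode parts within an entry, apply left to right,
    so the last one for a given user.group wins. An entry with no operator
    is an error, as in the text.
    """
    acl = dict(acl)
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError("bad entry: %r" % entry)
        user, group, ops = m.groups()
        key = (owner if user == "@" else user, owner_group if group == "@" else group)
        parts = PART_RE.findall(ops)
        if not parts:
            raise ValueError("operator required: %r" % entry)
        bits = acl.get(key, 0)
        for op, mode in parts:
            m_bits = mode_to_bits(mode)
            if op == "=":
                bits = m_bits          # set all bits to the given value ('' denies)
            elif op == "+":
                bits |= m_bits         # set the indicated bits
            else:
                bits &= ~m_bits        # clear the indicated bits
        acl[key] = bits
    return acl


def to_short_form(acl):
    """Render as '(u.g,rwx)' entries, hyphen-padded, in insertion order."""
    def fmt(bits):
        return "".join(c if bits & b else "-" for c, b in MODE_BITS.items())
    return " ".join("(%s.%s,%s)" % (u, g, fmt(bits)) for (u, g), bits in acl.items())


# Base entries of the text's example file: -rwxr-xr-- karen admin datafile
BASE_ACL = {("karen", "%"): 7, ("%", "admin"): 5, ("%", "%"): 4}


def demo():
    """Grant mary.admin everything, deny george outright, drop the owner's write
    bit via '@', and show that the last bill.% part wins (rwx, +w, -x -> rw-)."""
    return apply_operator_form(
        BASE_ACL,
        "mary.admin = rwx, george.% = , @.% - w, bill.% = rwx, bill.% + w - x",
        owner="karen", owner_group="admin",
    )


if __name__ == "__main__":
    print(to_short_form(BASE_ACL))
    print(to_short_form(demo()))
```

Note the difference between `george.% =` (a null mode with `=`, which creates an entry that denies george everything) and leaving george out of the string altogether (no entry, so george falls through to whatever the %.g and %.% entries allow); a reviewer reading an operator-form change needs to keep that distinction in mind.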
... users to only read ... allows ... use ... space.

Short Form of ACLs

Entries are parenthesized and separated. For consistency with operator form, a dot (.) is used to separate user and group identifiers. On output, no spaces are printed except in names (if any). Identifier numbers are printed if no matching names are known. Either identifier can be printed as % for "any user or group." The mode is always represented by three characters (r, w, and x) and padded with hyphens for unset mode bits. If the ACL is read from the system, entries are ordered by specificity then by numeric values of identifier parts. On input, the entire ACL must be delimited by quotation marks to retain its quality as a single argument, since it might contain spaces or special characters such as parentheses. Spaces are ignored except within names. A null ACL is legitimate and means either "no access" or "no changes" depending on context. User and group identifiers are represented as in operator form. The mode is represented by an octal value of zero through seven or any combination of r, w, and x. Redundancy does not result in an error; the last entry for any user and group takes effect. Entries need not appear in any particular order.

The following is a sample ACL as it might be printed. It allows user j... to read or execute the file while in group ..., ... access to the file while ..., ... to only read the file; any other user may only read the file.

On input, the following ex... sets ...

The following sets ... for user bill in any group: ...

The following sets the entry for user ...: ...

The following sets the base ACL entry for the file's owner to allow both ... capabilities for other (%.%) users: ...

ut. The mode appears first in a fixed-width field,


bits) for easy vertical scanning. Each user and group identifier
st to least specific then
at least three entries, th

L as in an earlier ex

r- - ~.~

e library calls and c o ~ reco~ ~ s


s all~wsoperations on all
f o ~ l o ~ways:
in~
e v a ~ ~of
e sbase

This sectiondescri~esthe new ~ r o ~ ravailable


a ~ s tom
r the detailed s~eci~cations,
refer toth

control list,
control list, Unix commands, system calls, and subroutines. This section identifies issues critical to users of systems on which access control lists are implemented. For the detailed specifications, refer to the Unix Reference Manual for the specific section 2 entry.
The general purpose commands and system calls are:

dl) is executed. Use


store the p e ~ s s i o nbits of ACL

hose ACL entries


match or include specific ACL patterns.
ll indicates the existence of ACLs by displaying a + after each file’s permission bits.
mailx does not support optional ACL entries on /usr/…
These programs copy optional ACL entries to the new files they create.

he file chive commands are:


Use only these programs to selectively recover and back up files. However, use the option when backing up and recovering files for use on systems that do not implement ACLs.
… do not retain ACLs when archiving.

The configuration control commands are:
…
The commands in these packages do not support ACLs. As a general practice, do not place optional ACL entries on system software. They are not preserved across updates.
~ c c e s s c Q ~ lists
t r Q 1use
e r hen usi
Q ~ s i ~them

~ a n eun ~~i e s~
u n ~ e these
r cir
n t e ~ r ethe
t p r e ~ e ~ i nlisting
g as follows:

user (%I)from any o


-
p e r ~ s s i o n s(- -)o
The following section

rectory to be accessible to on1


c o ~ a ton grant
~ orrestrict

Since both the


an a ~ ~ ehow
n eofs s interact is ne cess^.
I c o m a n d is a supersetof the

or e~ample,~ u ~ you
~ use
o s ~
allow only yourself
make an exception andall
other than yourself and
yo
ously specifiedby the
Create a new ACL entry allowing the user cyc in any group (%) read and write (=rw) access to myfile:
chacl 'cyc.%=rw' myfile
Modify an existing ACL entry allowing all users (%) in all groups (%) read (+r) access to foofile.
Modify an existing ACL entry denying all users (%) in the … group write (-w) access to afile.
… ACL entry denying user jon in the mkt group read, write, and search access to olddir.

To S ecifthatyourer,who is in a d i ~ e r e n ~
access to
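As an added example (not code from the book), the following Python model applies operator-form entries such as those above to an in-memory ACL using the rules stated earlier: octal or r/w/x modes, a null mode that denies access with = and means no change with + or -, later entries overriding earlier ones for the same user and group, and output in the three-character form ordered by specificity. The user, group and file names are constructed, and the lookup rule that the first matching entry in specificity order decides a user’s access is my assumption rather than a statement from the book.

```python
import re

# Operator-form entry: user.group followed by one or more <op><mode> parts,
# e.g. "cyc.%=rw", "%.%+r", "jon.mkt=" (null mode) or "jtc.%=r+w".
ENTRY_RE = re.compile(r"^([^.=+\-\s]+)\.([^.=+\-\s]+)((?:[=+\-](?:[0-7]|[rwx]*))+)$")
OPMODE_RE = re.compile(r"([=+\-])([0-7]|[rwx]*)")


def parse_mode(text):
    """Octal digit 0-7 or any combination of r, w, x -> set of letters.
    The empty string is the null mode and is returned as None."""
    if text == "":
        return None
    if len(text) == 1 and text in "01234567":
        n = int(text)
        return {c for c, bit in (("r", 4), ("w", 2), ("x", 1)) if n & bit}
    return set(text)


def parse_entry(text):
    """Split 'user.group<op><mode>...' into (user, group, [(op, mode), ...])."""
    m = ENTRY_RE.match(text)
    if not m:
        raise ValueError("bad ACL entry: %r" % text)
    user, group, ops = m.groups()
    return user, group, [(op, parse_mode(mode)) for op, mode in OPMODE_RE.findall(ops)]


def apply_acl(acl, spec):
    """Apply one quoted chacl argument (whitespace-separated entries) to acl,
    a dict {(user, group): set of letters}.  Entries and operator-mode parts
    are applied in order, so the last one for a user/group pair wins."""
    for token in spec.split():
        user, group, ops = parse_entry(token)
        mode = set(acl.get((user, group), set()))
        for op, bits in ops:
            if op == "=":
                mode = set() if bits is None else set(bits)  # null "=" denies access
            elif bits is None:
                continue                                      # null "+"/"-": no change
            elif op == "+":
                mode |= bits
            else:
                mode -= bits
        acl[(user, group)] = mode
    return acl


def specificity(key):
    """Sort key: user.group, then user.%, then %.group, then %.% (by name,
    since the constructed sample has no numeric identifiers)."""
    user, group = key
    return ((user == "%") * 2 + (group == "%"), user, group)


def format_acl(acl):
    """Render as the system prints it: (user.group,mode) with hyphens for
    unset bits, most specific entries first, no spaces."""
    out = []
    for user, group in sorted(acl, key=specificity):
        mode = "".join(c if c in acl[(user, group)] else "-" for c in "rwx")
        out.append("(%s.%s,%s)" % (user, group, mode))
    return "".join(out)


def effective_mode(acl, user, group):
    """Assumed lookup rule: the first matching entry in specificity order
    decides; an empty set means access is denied."""
    for key in ((user, group), (user, "%"), ("%", group), ("%", "%")):
        if key in acl:
            return acl[key]
    return set()


if __name__ == "__main__":
    acl = apply_acl({}, "jtc.%=rwx %.mkt=r %.%=r")  # constructed base entries
    apply_acl(acl, "cyc.%=rw")    # chacl 'cyc.%=rw' myfile
    apply_acl(acl, "%.%+r")       # chacl '%.%+r' foofile
    apply_acl(acl, "%.mkt-w")     # deny write to the mkt group
    apply_acl(acl, "jon.mkt=")    # null mode with "=": no access for jon in mkt
    print(format_acl(acl))        # (jon.mkt,---)(cyc.%,rw-)(jtc.%,rwx)(%.mkt,r--)(%.%,r--)
```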

If a directory is writable, anyone can remove its files, regardless of the permissions on the files. The only way to ensure that no files can be removed from a directory is to remove write permission from that directory. For maximum protection this technique can be applied to the directory of a user account. To hide the directory’s name from routine view, use a … List the permissions on the directory.

rectory.

tools that one can use


to:
mess s y s t e ~files for ~ot~ntial s~curity
sis

~ for routine security


iew s y s t e files
Locate suspicious files in case of security breach.

suspect any breach of sec

ote whichp r o ~ r ase


~s
tay vi~ilantof any
ate further any programs that appear to b
hange the p e ~ i s s i o nof any unn

programs in the hierarchy, list the files returned by the


find command:

programs in system directories:

Review the output for the following unexpected results:


me p e r ~ s s i o n as
s shown

programs are the most


significant,

ow what that programmay be doing.


Examine the code of all programs imported from external sources for destructive programs; know exactly what they do.

sword file should be perrnitted. The conver-

is leaves a potential for security breach

ord fields or fields that force

nce the system has been convertedto a trusted system, periodical~ylook for pass-
omesho~ld
dire~tories not be w re~ove
files from them, To fin
‘\

m e ~ b e r sbe denie

files should not be~ritableby an oneother t h ~


se that are writable by

..”m e ~ that
s theuser does not
as pre~entinganyone
readable or writable .r
’\

readable or writable by anyone other than its owner.


files, run:

ome systems~ a i n t a i nan I

takes severalm o m ~ ~tot s~~,


ret~rnsinode andfile ~ a m e rs
listing of the ~ n ~ o ~ n t e
If decidin
cia1 file with its
I
~onsiderthis only a tempor
elete the fileif it t ~ e a t e n system
s sec~~ty.
… persons, processes, or devices that cause information to flow … or change the system state. All subjects are a… Objects are passive entities: files, directory trees, programs, bits, bytes, fields, registers, video displays, keyboards, clocks, printers, network nodes … that contain or receive information on a system. Because access to an object gives access to the information the object contains, objects require protection. The following objects require special attention:
Root directory.
Sensitive files such as …
Configuration files such as …
Public directories.
Log files.
To ensure security, set umask as restrictively as possible and assign … For further directions, refer to …

The principle of least privilege requires each subject in a system to be granted only as much privilege as is needed to perform authorized tasks. Users should be able to access information based only on a valid “need to know.” These criteria help to limit damage from accident, error, or unauthorized use.

To ensure that individual users are held accountable for their activities online, the conversion to a trusted system creates an audit ID that identifies every user uniquely and associates the user with every process invoked. Unix auditing functionality allows security personnel to evaluate which actions are potentially capable of allowing access to, generating, … For more information on auditing, including audit IDs, …

programs have the following


ch~acteristics.These c o ~ e n t also
s

)position of the file erm mission modes.


the is set to its owner^ r
bit is set to its group,

cess with four numbers: real and effec-

with the owner to thatof the object. The


e object, giving the user the
s ~ access
~ e

f the process are set


to that of the owner
of the file.

of the file,
bit isw e d on, the privileges of the process
~ are
c h ~ ~ e ~

ystem are dueto operator error! owever, a system attacker


progra~s,most often in oneof
rogram executec o ~ a n d defined
s by the attacker,

e data createdby a p r o g r a ~ .
y those values necessary
for the proper operation

t e ~ i n e dvalues:

ard output,and s t a n d ~ derror are

These safeguards increase the assurance that known programs are executed in a known environment.

to so would inhibit their


me programs because do
grams have been carefully
e x ~ n e for
d flaws:
r e t ~ n e dwhen the

er than standard input, standard output,

The environment is passed along unchanged.

,once ~ a v i n glogged in the user has accessto virtu-


h nix has nu~erousbuilt-in softwarerest~ctions
group ~ a n a g e ~ e nand
t , accesscon~ol),it i
r~ctionor compro~iseof ater rial or data,

hostile program as a system program.


A, clas-
y captu~ngthe person’s login and password.
query for their passwordonce logged in.
circu~ventssystemrotec-

ly useful c o ~ p u t epro
~
a ~ a ~ i l i ttoi ethe
~ d e t ~ ~ e

Trojan horses als

~ i l i t ahosts,
t ~ and
* Protecting passwords when using RFA.
* … to restrict outside access.
* Denying access with …
* Mounting files in an NFS environment.
* Safeguarding link-level access.

An administrative domain is a group of systems connected by network services that allow users to access one another without password verification. An administrative domain assumes that a user’s host machine has already verified the user, and network services assume security is established at the system level. … administrative domains. A user need not enter a password to read an N… because the password was verified when the user … administrative domain.

the user to provide


a pas
istrative domain.

administrative domain.

in

Ad~inistrativ~
Domains

.
' \

LA
syntax and use of this file.

the file transfer protocolse


ice request is received at

stricted account name must appear alone on


a line in the fi

skips the securitycheck,

aintain consistentfile usage.


… provide a lean, cooperative user environment, … file-sharing between server and client systems by controlling the … file. … provides … permission to mount file systems existing on the server onto any client machine. Once a file system is put into …, it is available to anyone who can do an NFS mount. A client user can access a server file system without having logged in to … … and diskless clusters also provide access to files hooked up to a remote system, but do not bypass password authentication.

Server security is maintained by setting restrictive permissions on the … Superuser privileges are not maintained across Network File System (NFS). Thus, having root on a client system does not provide special access to the server. The server performs the same permission checking remotely for the client as it does locally. The server side controls access to server files by comparing the user … which it receives via the network with the user … occurs within the kernel, … A root user on a client can exploit that privilege to … any file system to a node on which … is granted more leniently than from your own node’s policy.

In earlier releases, device files for a workstation had to reside on the client disk. The … now allows the major and minor numbers of a client-mounted device to exist on the server side. This opens the possibility for someone to create a Trojan horse that overrides permissions set on the client’s mounted devices from the server side.

~ssions:

or other misc~ief).

and table only by root.

rovides t e c h ~ i ~for
~ ecs

i ~ e n t i ~and
y control an
administr~tived o ~ a i n .
for cor-
n reach on your network are named
at you are working aonma-

e of a file system followed


uters. Any entry consist-
me is a file ~ystemavail-
associated withspecific

com uters. You can find

ists the names of computers with equivalent password files.

trative d o ~ a i ~ .

e in the a~ministratived o m ~ nA
. user
can be com~aredb -

aintain consistency am0 in the ad~nistrativedo-


working on syste sistency with system
m is remotely mounte

les are inco~sistent.The


one or bothof the files,

n both cases,you
if see no ou files are consistent
and you are
done.

heir correct values are


om these values should

… never writable by the public. Among these are:
… should not be …
… Remote hosts allowed access equivalent to the local host
… Services name database
… List of file systems being …
… Protocol name database
… Internet configuration file
… List of networkwide groups

… file defines which file systems can be exported to other systems. Each line must have at least two fields: the first is the name of the file system being exported; the second and subsequent name the systems to which the file system can be exported. If fewer than two fields are present, the file system can be shipped anywhere in the world. Verify that no file system can be universally exported:
…
This command examines the file, removes all comment lines, removes all null lines (lines containing only spaces or tabs), and then searches the file for lines with fewer than two fields.
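As an added example (not the book’s own command), the following Python function reproduces the check just described: it drops comment and null lines and reports every remaining line with fewer than two fields. Going beyond the page’s check, it also flags lines whose extra fields are options only, with no -access= host list, which in the HP-UX exports(4) format is still an export to every host. The file is assumed to be /etc/exports and its content below is constructed sample data.

```python
# Constructed sample content of /etc/exports (not from the book); the path
# on the left is followed either by host names or by -option[,option]...
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/usr/share/man  client1 client2
/home           -access=client1:client2
/tmp
   \t
/opt/tools      -ro
/export/proj    -ro,access=client1
"""


def parse_exports(text):
    """Yield (line_number, fields) for every non-comment, non-null line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment line, or null line holding only spaces/tabs
        yield n, line.split()


def names_hosts(field):
    """True if a field restricts the export to named hosts: either a bare
    host name or an option group containing access=client[:client]..."""
    if not field.startswith("-"):
        return True
    return any(opt.startswith("access=") for opt in field[1:].split(","))


def universal_exports(text):
    """Return [(line_number, path, reason)] for file systems exported to anyone.
    The first reason is the page's check; the second is the extension."""
    findings = []
    for n, fields in parse_exports(text):
        path, rest = fields[0], fields[1:]
        if not rest:
            findings.append((n, path, "fewer than two fields"))
        elif not any(names_hosts(f) for f in rest):
            findings.append((n, path, "options only, no -access= host list"))
    return findings


if __name__ == "__main__":
    for n, path, reason in universal_exports(SAMPLE_EXPORTS):
        print("line %d: %s exported universally (%s)" % (n, path, reason))
```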

If a network security breach occurs because of an unknown cause:
* Shut down the network and telephone access to the computer.
* Inform the network administrator immediately.
* Allow external access to the computer only after identifying and correcting the problem.
A security breach can present itself in many different ways:
* Someone might report unexpected or destructive behavior by a common program.
* The user might notice a sudden increase in the system’s load average, causing the computer not to respond well.
* Permissions or ownership might be changed from what is expected.
* The byte count of any system files changes unexpectedly.
Anything that seems to deviate from normal system behavior might suggest a breach. If one suspects a security breach, such as a virus or worm, one should handle it by limiting its immediate impact.
Shut down the system. If users can be given a warning, use the more courteous shutdown command:
or

. Bring the system to a sudden halt


is actively corrupting the system
might allow more time for furthe
system load.
Note: Once rebooted, some systems would ask to autoboot from the primary boot path if enabled. Others would return without asking. Press any key within 10 seconds only. Think in terms of what went wrong and examine the login files for clues.
c o ~ ~ dassdesc~bed
, in ste

been found and

ad~isableto rein-

et have a lot to do with the Unix o~erating


more features and utility s an
~ n c t i o nthan
all of these powerful features made it a secu
…: You can run the command line … at any time to see a list of interfaces currently configured and their parameters.
…: The sending host specifies how long (TTL) in seconds a datagram may live. Once it expires, the packet is discarded.
Options: The options that are infrequently used in IP datagrams follow:
…: A list of internet addresses through which the datagram must pass.
…: The nodes which the datagram passes through are instructed to return their Internet address. Thus, we may determine the route taken by a datagram.
…: The time it takes for the datagram to pass through the nodes is returned to the host. This allows measurement and comparisons of network performance.
…: A host can send the I… to determine whether a remote system’s Internet Protocol is up and operating. The … command uses this message.

… Provides a login to a remote system.
… Provides a remote login to a remote system and a suite of commands to perform special functions such as copying files over the network.
… Does remote copying of files over the network.
… Executes commands on a remote system over the network.
… A file transfer program that provides a suite of file transfer utilities.
… Provides statistics that measure the load and efficiency of the network’s hardware and data transfer environments.
… Examines network connectivity and efficiency of the network in transferring packets.
Some other commonly used TCP/IP applications that provide services to the user’s interactive processes are:
Domain Name Services (DNS): Maps IP addresses to the names assigned to the network devices.
Network File System (NFS): Allows file systems and directories to be shared by various hosts on the network.
Routing Information Protocol (RIP): … routing of datagrams through the network through designated devices assigned by Internet address.
he three network name services that provide p~eceding
the capabilities and provide

ervices m a y be in use, the


host table may still be needed to:
* Provide information about important hosts (including itself) when DNS or NIS is not running.
* … additional information.
ad~itional info~ation.

is to be connected twork, onemust have a rangeof


d to the machine^ et Central Network~ u t h o r i t E
~.
networ~must be as

e ~ t e ~~e t ~w oer ~~ .

tive: f
of the l i s t e ~files are security threats.
B

invoked,
looks
system
in file, gets
phone
number

I)

For these systems,


figured into the ker-

rvices at multiuserboot times. Which


configuration of the system and the

time butmay be invoked on


’),sometimes calledthe Int

on demand,thus sav-
cess completes its ex-
n to invoke processes

The point-to-point protocol only starts if configuring an … file.
The Simple Network … will only be started if its configuration files are configured.
… The Internet … will only start if an … file has been created.
This line printer will only start if any of the printers have been configured as either print servers or clients and thus have an … file on the system.
d

le.
securityriskbecausenopassword is requiredto re

all takes the proper attention to


rotocols such as:
* Never have a gateway broadcast or rebroadcast (with …) outside the enterprise network (i.e., onto the Internet).
* … from outside your enterprise network into your network.
irectoryaccess by e ~ s u r i n ~ started
with
the
arguments
f is the
name of the direct0 insonlydownloaded files.
This prevents
malicious p net-
publicly
readable,
yet

ensure that it is not installedby default and review the

use such as control of what kind


revent users from access in^
e accounts. Also account names presented

* Nothaveanullassword.

Trusted Access allows users to utilize the enterprise network in a way that is more convenient and more secure via the rlogin command. If trusted access is not configured for the rlogin command, it will prompt users for a password. This password is transmitted across the network and may even be on the Internet. Packets containing these passwords are relatively easy to intercept and identify and thus can compromise the security of the enterprise network. Keep in mind the following:
* If trusted access is set up, no password is required.
* If trusted access is not set up, the … commands do not even work.
* Trusted Access can be set up at the host or user level or both.
c o ~ a n d s ~ i t hpro-
out
can be created for users

S for users or they can do it for themselves by


in the user’s home directo~.The format is the
same as inthe I

Problems associated with … are typically the result of … because of the traffic, and can involve several factors:
* Physical layer performance.
* Network card performance.
* …
* Data corruption.
* Allocation of resources to appropriate nodes and networks.
If the network appears to be performing poorly, any combination of the above may be the cause.
* … echoes.
* Improperly terminated cable.
* Detecting echoes with a cable scanner.
* Data transmitted to a host faster than its network card can buffer the …
… problems may also be due to overloading physical layer capacity.


Do not distribute administrative accounts if the password is the same on all machines …; the password on one machine on the network … machines on the network. If anyone on the network is allowed to set the binding …, they could send the hosts a command that causes them to bind to … server. This person … the account names already … (i.e., root privileges). This person can now control the hosts.

ctionality is con~guredby the following:


le in initializing the

be tuned for better p e ~ o ~ a n and


c e functionality.

… records user access to objects. The resulting record can show such … by a user to assume a level of privilege that exceeds the user’s … … and conversion to a secure (trusted) system, … you are ready to … The auditing subsystem allows one to audit selected users performing se…

… (a number ranging from 0 to 60,000) is kept in the … file, which can only be read by super users. When an audited user …, any action (involving auditing) performed by that audited user is traceable to the user …, such as file deletions. Choose to audit any action that either succeeds or fails.


To simplify the selection of actions to be audited, system calls are grouped together in categories called event types. Selecting an event type automatically turns auditing on for all processes in that category. … auditing can be selected without selecting the event type … selected for auditing because of their association with a … Exhibit 6.5 shows the event types (and the processes …) that can be selected for auditing.

Exhibit 6.5

Event Type    Description of Action                                 System calls
Create        Log all creations of objects (files, directories,
              other file objects)
Delete        Log all deletions of objects (files, directories,
              other file objects)
Moddac        Log all modifications of objects’ Discretionary
              Access Controls
Modaccess     Log all access modifications other than             link(2), unlink(2), chdir(2), chroot(2),
              Discretionary Access Controls                       setgroups(2), rename(2), shmctl(2), …
Open          Log all openings of objects (file open, other       open(2), execv(2), …
              objects open)
Close         Log all closings of objects (file close, other      close(2)
              objects close)
Process       Log all operations on processes
Removable     Log all removable media events (mounting and
              unmounting events)
Login         Log all logins and logouts
Admin         Log all administrative and privileged events
Ipccreate     Log all ipccreate events
Ipcopen       Log all ipcopen events                              ipcrecvcn(2)
Ipcclose      Log all ipcclose events
Ipcdgram      Log IPC datagram transactions                       udp(7) user datagram
uevent1,      Log user-defined events                             See the following section,
uevent2                                                           “Streamlining Au…”
… write their own programs to streamline auditing … system calls to suspend process-by-process … Each time the program is run, … returns … successful, but auditing recor… Refer to the Unix Reference … on how to write self-auditing …
For each event audited, the following information is recorded in the audit log file:
* Date and time of event.
* … of the user generating the event.
* Subject (user/process).
* Type of event.
* Success and/or failure of event.
* … for identification/authentication events.
* Name of an object introduced to or deleted from a user’s address space.
* Description of modifications made by the system administrator to the user/system security databases.
* Other information relevant to the event.

All auditing data is written to an audit log file. One can specify two files to collect auditing data, the primary log file and the (optional) auxiliary log file. These files should reside on two different file systems. The growth of these files (and the file systems on which they reside) is closely monitored by the audit overflow monitor …, so that no audit data is lost. The primary log file is where audit data will be collected. When this file approaches a predefined capacity (its …), or the file system on which it resides approaches … size, the auditing subsystem issues a warning. When either … of the primary log file is reached, the auditing subsystem attempts to switch to the auxiliary file for recording audit data. If no auxiliary log file is …, … Exhibits 6.7 and 6.8 show what happens as this file grows. The example assumes that:
* Only the primary audit log file has been specified.
* It resides on a file system with no other user files co…
In Exhibit 6.7, the primary audit log has reached 90 percent of its … size; …, which is monitoring the state of the auditing system, issues the warning message shown to the system console. In Exhibit 6.8, the primary audit log has passed the first warning point and reached … The system attempts to switch to an auxiliary audit log file, but finding none sends the indicated message periodically to the system console.
In Exhibit 6.9, the primary audit log has grown past its … size and reached 90 percent of the space allocated to it on the file system. The message sent indicates that the audit file system is approaching capacity. In Exhibit 6.10, the primary log file has reached … The message shown is sent periodically to the system console. If other activities consume space on the file system, or the file system chosen has insufficient …, the … switch point could be reached before the …
Exhibits 6.7 and 6.8: Primary Audit Log File at 90% of log file size, then filled. Message: “Current audit file size is … kilobytes. An attempt to switch …”

* … and users to audit decided?
* … to evaluate the … of an overall security policy.
* Are the security requirements of the work site …?
* Are the written guidelines at both … reflect the realistic needs of the work site established?
* Were all personnel, administrators an…?
* What procedures were in place to keep se…?
* Were all existing files on the system inspected for … the first time a secure (trusted) system is installed?
* … examined regularly or when a security breach is suspected?
Exhibit messages: “Attempting to switch to auxiliary audit file …”; file system … % free space; “Attempt to switch to the backup …”
ded since it focuses choices

… displays audit file parameters: primary file path name = …; … log …; monitor wake interval = …; allowable free space minimum = …

onal area win-


,and whenau-
Secure the system and perform
the following steps:

. Take one of the following actions:


* To turn auditing on, from the “Actions” menu, choose …
* To turn auditing off, from the “Actions” menu, choose …
You are informed by a message box of the change you have requested. Activate … The “User Audit Status” window now indicates the change requested. … to turn auditing on and off when audit log file and monitor pa… When changing audit log file and monitor parameters, choose the … menu item to make the changes and turn auditing on or off.
An audit flag is set to on for all existing users at initial conversion to a trusted system. To change the selection of audited users on the system, do the following procedure.

Secure the system and follow these steps:

S of the highli~htedusers, choose one of the following

of each hi~hlighteduser will be hanged to reflect the


m are automatically audited.You must enter this screen
that youdo not wish to have audi
ct at next login. For example,i
ecure the s~stemand follow these steps:

ose one of the fol-

iting a ~ c ~ ~ u l aa tlot
e sof data.
want to view.

Follow these steps:


Use the default settings on this screen or alter them to suit particular needs.
Note: It may take a few minutes to prepare the record for viewing when working with large audit logs.

The following sample record from an audit log file shows a failed attempt to open the secure password file:
Users and aids: …
Selected the following events: …
The initial lines identify information for which the audit log file was searched. Following in tabular form, the record shows:
* The year, month, and day (in this case 1989, June, 20th).
* Time of day (in this case 1400 hours, 31 minutes, 30 seconds).
* … (in this case F for failed).
* Event number identified with the event type (in this case 5).
* Effective User ID (in this case 69).


ounts of data, be d i s c r i ~ i ~ a t i n
of all events andall users
ell as a very rapid ~ l l of~ n ~
for the operation can help
e a w ~ of
e the fol~owin~
when p r o ~ r that
~ s call auditabl

nts and users for a~ditin

… when administering auditing:
* Review the audit log for unusual activities such as:
  - Late hours login.
  - Login failures.
  - Failed access to system files.
  - Failed attempts to perform security-related tasks.
* Quickly remove users who no longer have access to the system.
* Prevent overflow of the audit file by archiving daily.
* Revise current selectable events periodically.
* Revise audited users periodically.
* Do not follow any pattern or schedule for event or user selection.
* Set site guidelines. Involve users and management in determining these guidelines.
Auditing increases the system overhead. When performance is a concern (such as in a real-time environment), the system administrator has to weigh security versus performance. Being selective about what events and users are audited can help reduce the impact of auditing to an acceptable level.

In a diskless cluster context, audit log files are … on each cluster node. All audit data … merged into a single audit … when using the “View Audit Files” window … specify the cdf wanted. For example, type …

Since implementing Unix security features requires that one completely install (not update) the Unix Operating System, one needs to back up and recover the entire file system. This section provides security guidance to supplement other information sources and provides security guidelines for file system management tasks such as:
* Backup and recovery.
* Mounting and unmounting file systems.
* … a system.
For basic instructions on backing up system files, refer to the System Administration … in the Unix Reference …
a
user error. Ensure that

retain access control lists


ben backing up and recove

it should be ensured thatthe user’s

rial. Allow access to the media only

is ~ o u n t e don the correct output device.


e sure that the tape

ars the user to coworkers


…, recovery of current data is critical to protecting … Observe the following precautions:
* Retain access control list information. … allows one to overwrite a file. However, the file retains the permissions and ACLs set when the file was backed up.
* When recovering files from another machine, one might have to execute the chown(1) command to set the user ID and group for the system on which they now reside if the user and group do not exist on the new system. If files are recovered to a new system that does not have the specified group, the files will take on the group ownership of the person running frecover. If owner and group names have different meanings on different systems, recovery results might be unexpected.
* Keep the recovery system tape locked up or otherwise physically secured. Allow access to the archive only on the basis of proven need.
* Power failure should not cause file loss. However, if someone reports a lost file after a power failure, look for it in /l… before restoring it from a backup tape.
* To verify contents of the tape being recovered, use the -I option of frecover to preview the index of files on the tape. Note, however, that existing permissions of a file system are kept intact by the backup; frecover prevents one from reading the file if the permissions on the file forbid it.
* Examine the file listing for overly lib… Change attributes if warranted, using the … ACLs might be present. See the Un…
* Never recover in place any critical … Instead, restore the file to a …, preventing anyone else …, verifying their identities and moving them to their final destinations. Compare the restored files with those to be replaced, to ensure that all current data is preserved. Make any necessary changes, then move the files into place. If this precaution is not followed, … system after the system has been backed up and possibly after the /… file has been changed would be unable to log in unless the current and archival files had been reconciled.
* Never recover device files in place. If one does and then tries to reboot, the system is likely to hang and will be unable to reboot. Device files can be recovered in /t…; one must then manually create any miss… that is on the tape and recovered to /t…
In a recovery scenario, suppose the disk had … and one had no way to recover from their own system. A coworker might have a running system. One could then roll their disk over to their coworker’s … and … with permissions set to … Then one could … ensure to turn auditing on.

Mounting a file system can create security problems if not done carefully, … if the media being mounted contain compromising files.
-confi~uredcomputer enviro~ment.
is section is intend~dtoprov
I
systems and disksor disk p ~ i t i o n s .
d a file c ~ l 1~ d
The mount c o ~ a n uses
eir per~ssions.The
ut readableby others.
disk:

of the file system’s root direc

trol accessto disks,

drives and disks.

quests thatyou mount a ~ersonalfile system.

in its desired location.


Be sure to unmount all mounted file systems of a user whose account you are dis…

shutdown is used to halt the system in an orderly fashion for maintenance, installation, … down, without adversely affecting the file system. After a … kills all unnecessary processes.


s ~
Forces the contents of the file system’s I/O buffers to be written to the … command).
or mode,
nistration
sinlaces the
in system
shutdown can also abruptly halt or reboot the system. Since it is run only from the system console by a user logged in with root privileges, shutdown must be performed conscientiously to maintain system security.
Observe the following security precautions when bringing down the system:
* Instruct users to log out before starting final shutdown procedures.
* When invoking the shutdown command, set a grace period to allow stragglers to log out and processes to complete.
* Always use reboot or shutdown to halt the system. If you simply pull the plug or push the reset button, all the processes halt and cannot write the memory buffers on to the disk.
* Never leave the system in the system-administration (S) run level any longer than necessary. Shutdown does not self-audit, and it turns auditing off.
* Do not physically write-protect a mounted file system, since this prevents sync from updating the hard …
* Complete the shutdown before taking off-line any disk drives or other peripherals. Do not take a disk off-line without syncing and unmounting the file system on the disk.
* If the computer is halted and the last command involving output to the file system was not a reboot or shutdown, a superblock might be corrupted. The fsck program can be used to detect superblock inconsistency.
udit

he auditing system monitor

iscretion~yaccess c o n ~ o l ( means of restric

ne cess^ to p e r f o their
~ tasks.
system- define^ saturation

… private character string used to authenticate an identity.
… The current file used by auditing to record data.

ven ~ a ~ ~that
a gs ei ~ ~ l

rograms that can sus


c e ~ a i n~rocesses.
… A program whose group ID is set to grant a user privileges equivalent to that of the program’s …
… A program whose user ID is set to grant a user privileges equivalent to that of the … owner.
Trap door: A hidden software or hardware mechanism that circumvents system security.
Trojan horse: A program containing additional functionality that exploits the program’s capabilities for destructive ends.
Trusted computing base (TCB): All protection mechanisms within a computer system (including hardware, …ware, and software) responsible for enforcing … policy. Security effectiveness is … mechanisms and its correct implementation by system administrative personnel.
Trusted system: A system that employs sufficient hardware and software security measures to allow its use for processing sensitive material.
Virus: Code segments that replicate themselves through a system destructively.
Worm: A program that migrates through a system for harmful purposes.
n ~ r o ~ e ~ontrol
nt ea tu res

1. Audit test: Check for the existence of NIS with /usr/bin/ypwhich.
   Control objective: NIS is a distributed database system that lets many computer systems share password files, group files, and other files over the network.

2. Audit test: Review the output of the command: domainname.
   Control objective: Domain names and NIS server names should be hard to guess.
   Risk: Domain names that are easy to guess can be used with NIS to grab password files.
   Recommendation: Avoid using obvious domain names.

3. Audit test: Review the NIS password file with the command: ypcat passwd.
   Control objective: All user identification codes defined in the NIS password file have a password.
   Risk: This increases the risk that unauthorized users log in to these unprotected accounts. Once access is achieved, the unauthorized user has access to a user's configuration files and any system processes owned by that user. In addition, the user may then attempt to gain further access to the system by exploiting other weaknesses.
   Recommendation: The system administrator should immediately assign passwords to these accounts, then notify each user of their assigned password and ask that they log in and change their password. If no user is associated with the user ID, the user ID should be removed from the NIS password file.

4. Audit test: Review the NIS password file with the preceding command, looking for any user account that has a UID of 0.
   Control objective: Root-level identification codes are defined on local servers and are not provided domain-wide access through a NIS password file.
   Risk: This increases the risk that administrative users have privileged access to systems that are not required for their job functions. Users that have access to these systems as root have the ability to modify or delete system configuration files and system processes, and to modify or delete sensitive user data files.
   Recommendation: The system administrator should remove any privileged identification codes from the NIS password file.

5. Control objective: Duplicate UIDs are not permitted and should not exist in the NIS password file.
   Risk: Duplicate UIDs increase the risk that unauthorized users will modify or delete files created by another user, and accountability is in jeopardy.
   Recommendation: The system administrator should delete any duplicate UIDs and create new unique identification codes for each user. The ownership of any files owned by the duplicate users should be changed to match the newly created UIDs.

6. Audit test: Review the script output of the ypcat passwd command. Note the number of users compared with the entire user population. Review the list with the system administrator and verify that the level of access is appropriate for the listed users.
   Control objective: Only users who require domain-wide access are included in the NIS password file.
   Risk: Users with domain-wide access may have privileges that go beyond their job responsibilities. They may perform unauthorized functions.
   Recommendation: The system administrator should restrict users' access where appropriate by removing users from the NIS password file.

7. Audit test: Review the script output of ypcat passwd. Identify users that have access to the shell (i.e., the last field of the NIS password file). Review the list with the system administrator and verify that users with shell access require that access for their job functions.
   Control objective: End users are not provided command line access to the Unix operating system.
   Risk: Access to the command line via a shell (the command line interpreter) increases the risk that users access unauthorized commands, data, and configuration files.
   Recommendation, in order of effectiveness:
   1. Replace the shell located in the last field of the NIS password file with a menu program.
   2. Give users a restricted shell with no access to cd, rm, cat, and other sensitive commands.

8. Audit test: Review the script output of the ypcat passwd command and identify evident generic user identification codes. Review the list of generic users with the system administrator to define their use and purpose.
   Control objective: The use of generic user identification codes is not permitted and is not evident within the system.
   Risk: Generic user identification codes limit accountability for user actions performed while logged in as a generic user, even if the system is logging all events of the generic user. In addition, default, generic identification codes are normally targeted by intruders attempting to gain access to a system.
   Recommendation: The system administrator should deactivate the generic users and remove them from the NIS password file. It should be investigated whether or not all users who currently access the system via the generic ID can be moved to individual IDs with a similar environment.

10. Audit test: Review output of command: ypcat group.
    Control objective: Verify that there are no duplicate GIDs.
    Risk: Duplicate GIDs increase the risk that unauthorized users will modify or delete files created by another user.
    Recommendation: The system administrator should delete any duplicate GIDs and create new unique group identification codes for each group. The group ownership of any files owned by the duplicate groups should be changed to match the newly created GIDs.

11. Audit test: Review output of ypcat group.
    Control objective: Verify that only authorized and approved user codes are members of privileged groups.
    Risk: Identification codes listed in privileged groups such as GID 0 have access to group-writable files created and owned by the root user. This increases the risk that sensitive system configuration files will be changed or deleted.
    Recommendation: The system administrator should remove any user codes that do not need access to the GID=0 group.

12. Control objective: The FTP service defined is configured on the "well-known port" of 21. The telnet service defined is configured on the "well-known port" of 23. The mail or smtp service defined is configured on the "well-known port" of 25.
    Risk: Configuring these services on any port other than the "well-known port" increases the risk that unauthorized users will bypass the controls of the router ACLs. Many publicly available programs called "port scanners" will identify open ports and the service to which they are assigned on the host.
    Recommendation: If the FTP, Telnet, and SMTP services are configured on ports 20 and 21, 23 and 25 respectively, no recommendation is required. However, if the service is configured on any other port, the system administrator should reconfigure the service onto the standard ports.

13. Audit test: Review the output of cat /etc/services.
    Control objective: Only properly configured and approved services are being provided in the nonprivileged port range (ports greater than 1,023).
    Risk: Many third-party software packages require the ability to communicate to other hosts on the network within the nonprivileged port range. Open ports increase the risk that unauthorized users will gain access to the system.
    Recommendation: If the open ports are required, no recommendation is required. However, the system administrator should remove unnecessary ports from the list.

14. Audit test: Review the ... file. Review the list with the system administrator and verify that all hosts are approved.
    Control objective: Only valid, authorized hosts are ...
    Risk: Unneeded or unauthorized hosts in the file increase the risk ...
    Recommendation: If all hosts are required, no recommendation is required. However, the system administrator should remove any unnecessary hosts from the list.

15. Audit test: Verify that all hosts are within the NIS domain.
    Recommendation: If all hosts are required, no recommendation is required. However, the system administrator should remove any unnecessary hosts from the list.

16. Risk: Running rstat gives an intruder information about the host, including when the machine was last booted, how much CPU it is using, how many disks it has, how many packets have reached it, load average, network traffic, etc.
    Recommendation: Disable the service by commenting out the rstat entry in the /etc/inetd.conf file. Restart the inetd process.

17. Audit test: Review the output of the preceding command.
    Risk: It provides information on the host: how busy the machine is and which login accounts an intruder can use in an attack. The account information can be used by a scanner or attacker in a brute force attack.
    Recommendation: Disable the service by commenting out the rusers entry in the /etc/inetd.conf file.

18. Risk: NIS (Network Information Service) contains data such as host files, password files, and email aliases for entire ... map information. An intruder who possesses the NIS domain name (often set up as a derivative of the public domain name) can steal information helpful in guessing passwords and gaining unauthorized access.
    Recommendation: If possible, a different approach should be taken to the distribution of this type of information to servers. There are several commercial packages as well as many homegrown systems that accomplish these tasks in a more secure way.

19. Audit test: Review the local password file. Note if the second field in the file contains "x", "*", "!" or an encrypted password.
    Control objective: The password file should be shadowed and does not include encrypted passwords.
    Risk: Unshadowed password files increase the risk that unauthorized users will attempt to gain access to the system by cracking user passwords.
    Recommendation: The system administrator should shadow the password file.

20. Risk: Once access is achieved the unauthorized user has access to a user's configuration files, and any system processes owned by that user. In addition, the user may then attempt to gain further access to the system by exploiting other weaknesses.
    Recommendation: The system administrator should immediately assign passwords to these accounts, then notify each user of their assigned password and ask that they log in and change their password. If no user is associated with the user ID, the user ID should be removed from the local password file.

21. Recommendation: The system administrator should remove UID=0 identification codes, except root. Users should be required to log in to their own unprivileged identification codes and "su" to root.

22. Control objective: Verify that duplicate UIDs are not permitted and do not exist in the local password file.
    Risk: Duplicate UIDs increase the risk that unauthorized users will modify or delete files created by another user, and accountability is in jeopardy.
    Recommendation: The system administrator should delete any duplicate UIDs and create new unique identification codes for each user. The ownership of any files owned by the duplicate users should be changed to match the newly created UIDs.

23. Audit test: Review the script output. Identify users that have access to the shell (i.e., the last field of the password file). Review the list with the system administrator and verify that users with shell access require that access for their job functions.
    Control objective: End users are not provided command line access to the Unix operating system.
    Risk: Access to the command line via a shell (the command line interpreter) increases the risk that users access unauthorized commands, data, and configuration files.
    Recommendation, in order of effectiveness:
    1. Replace the shell located in the last field of the password file with a menu program.
    2. Give users a restricted shell with no access to cd, rm, cat, and other sensitive commands.

24. Audit test: Review the script output of the command and identify evident generic user identification codes. Review the list of generic users with the system administrator to define their use and purpose.
    Control objective: The use of generic user identification codes is not permitted and is not evident within the system.
    Risk: Generic user identification codes limit accountability for user actions performed while logged in as a generic user, even if the system is logging all events of the generic user. In addition, default, generic identification codes are normally targeted by intruders attempting to gain access to a system.
    Recommendation: The system administrator should deactivate the generic users and remove them from the password file. It should be investigated whether or not all users who currently access the system via the generic ID can be moved to individual IDs with a similar environment.

25. Control objective: Duplicate GIDs are not permitted and should not exist in the group file.
    Risk: Duplicate GIDs increase the risk that unauthorized users will modify or delete files created by another user, and accountability is in jeopardy.
    Recommendation: The system administrator should delete any duplicate GIDs and create new unique identification codes for each group. The ownership of any files owned by the duplicate groups should be changed to match the newly created GIDs.

26. Audit test: Review the output of the group file.
    Control objective: Verify that only authorized and approved user codes are members of privileged groups.
    Risk: Identification codes listed in privileged groups, such as GID 0, have access to group-writable files created and owned by the root user. This increases the risk that sensitive system configuration files will be changed or deleted.
    Recommendation: The system administrator should remove any user codes that do not need access to the GID=0 group.
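As an added example (not the book's own material), the password-file and group-file checks of items 3 to 11 and 19 to 26 written as shell functions and run over constructed sample data; the sample accounts and the approved menu/restricted shell list are assumptions, and on a live host the functions would read ypcat passwd, /etc/passwd, ypcat group or /etc/group instead.

```shell
#!/bin/sh
# Added example, not from the book: the password- and group-file checks of
# items 3 to 11 (NIS) and 19 to 26 (local) as small shell functions. Each
# reads passwd- or group-format lines on stdin, so on a live host feed it
# `ypcat passwd`, `cat /etc/passwd`, `ypcat group` or `cat /etc/group`.
# The data below is constructed for the demonstration.

SAMPLE_PASSWD='root:x:0:0:root:/:/bin/sh
toor::0:0:second uid-0 login:/:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/ksh
bob:x:1002:100:Bob:/home/bob:/usr/local/bin/menu
guest::1003:100:Guest:/home/guest:/bin/sh
charlie:x:1001:100:Charlie:/home/charlie:/usr/bin/rsh'

SAMPLE_GROUP='root:x:0:root,alice
wheel:x:0:bob
staff:x:100:
users:x:100:guest'

# Items 3/20: accounts with an empty password field (second field).
empty_passwords() {
    awk -F: '$2 == "" { print $1 }'
}

# Items 4/21: UID 0 accounts other than root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Items 5/22: UIDs shared by more than one account, as "uid: name name".
duplicate_uids() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' | sort
}

# Items 7/23: accounts whose login shell is not one of the approved
# menu or restricted shells given as a comma-separated list in $1.
shell_accounts() {
    awk -F: -v ok="$1" '
        BEGIN { n = split(ok, a, ","); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        !($7 in allowed) { print $1 ":" $7 }'
}

# Items 10/25: GIDs shared by more than one group, as "gid: name name".
duplicate_gids() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
             END { for (g in count) if (count[g] > 1) print g ":" names[g] }' | sort
}

# Items 11/26: every member listed in a group with GID 0.
gid0_members() {
    awk -F: '$3 == 0 && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' | sort -u
}

# Print all findings for the sample data.
report() {
    printf '%s\n' "$SAMPLE_PASSWD" | empty_passwords | sed 's/^/no password: /'
    printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts   | sed 's/^/uid 0: /'
    printf '%s\n' "$SAMPLE_PASSWD" | duplicate_uids  | sed 's/^/duplicate uid /'
    printf '%s\n' "$SAMPLE_PASSWD" | shell_accounts "/usr/local/bin/menu,/usr/bin/rsh" | sed 's/^/shell access: /'
    printf '%s\n' "$SAMPLE_GROUP"  | duplicate_gids  | sed 's/^/duplicate gid /'
    printf '%s\n' "$SAMPLE_GROUP"  | gid0_members    | sed 's/^/gid 0 member: /'
}

report
```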
27. Control objective: The root partition of a Unix host is not exported for use by any other system.
    Risk: Root access to exported file systems may allow a privileged user on a remote system unrestricted access to the exported files. The user could modify any files on the exported file system.
    Recommendation: If a requirement exists to export the root partition, the system administrator should export the file system with read-only permissions. However, if the file system is not required to be exported, the system administrator should remove the file system from the /etc/exports file.

28. Audit test: Note the hostname for the machine that is exporting the file systems.
    Control objective: Only authorized file systems are exported for use by other systems.
    Risk: Unauthorized file systems being exported may allow users on remote systems unrestricted access to the exported files. These users can then modify any files on the exported system.
    Recommendation: If these file systems are required, if possible, explicitly specify each node ... All exported file systems should be listed in /etc/exports, preferably with read access. If the file systems have not been approved, they should be removed from /etc/exports.

29. Audit test: Review the output of cat /etc/exports. Verify that file system partitions, such as /usr, are exported read-only.
    Control objective: File system partitions, such as /usr, should be exported read-only.
    Risk: This increases the risk that unauthorized users will make changes to the exported file system's configuration files. These changes may lead to additional unauthorized access or a denial of the services being provided by the system.
    Recommendation: If the file system is required to be exported, the system administrator should configure the export to be read-only within the /etc/exports file.

30. Control objective: Application or user file systems should be exported with the nosuid option.
    Risk: Exporting file systems without the nosuid option increases the risk that nonprivileged users on the remote system obtain privileges. By obtaining privileges on the system the user would be able to modify or delete files.
    Recommendation: The system administrator should export application or user file systems with the "nosuid" parameter.

31. Control objective: Exporting to hosts without fully qualified domain names.
    Risk: Exporting to hosts without fully qualified names increases the risk that a compromised DNS server will allow access to the exported file systems.
    Recommendation: Ensure that only fully qualified hostnames are used in defining hosts in the /etc/exports file.

32. Control objective: General NFS.
    Recommendation: Ensure that export lists do not exceed 256 characters.
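The export checks of items 27 to 32 as a single awk-based audit, added here as an example that is not from the book; it assumes the classic "pathname -option,option" exports layout with ro/rw, nosuid and access=host:host options, and the exports lines are constructed.

```shell
#!/bin/sh
# Added example, not from the book: checks items 27 to 32 against the text
# of an /etc/exports file read on stdin. It assumes the classic
# "pathname -option,option" layout with ro/rw, nosuid and access=host:host
# options (HP-UX, AIX, SunOS style); Linux and Solaris use other files and
# syntax, so the parsing must be adapted there. The sample is constructed.

SAMPLE_EXPORTS='# sample exports file
/ -rw,access=backup.example.com
/usr -ro,nosuid,access=ws1.example.com:ws2.example.com
/home -rw,access=ws1.example.com
/apps -ro,access=ws1.example.com:ws2
/export/projects -ro,nosuid,access=ws3.example.com'

# Prints one "item:path:detail" line per finding.
audit_exports() {
    awk '
        $1 == "" || $1 ~ /^#/ { next }
        {
            path = $1; opts = (NF > 1) ? $2 : ""
            sub(/^-/, "", opts)
            ro = 0; nosuid = 0; access = ""
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == "ro") ro = 1
                if (o[i] == "nosuid") nosuid = 1
                if (o[i] ~ /^access=/) access = substr(o[i], 8)
            }
            system_fs = (path ~ /^\/(usr|etc|bin|sbin|lib)/)
            if (path == "/")                          print "27:" path ":root partition exported"
            if (access == "")                         print "28:" path ":no access list, exported to every host"
            if (system_fs && !ro)                     print "29:" path ":system partition not read-only"
            if (!system_fs && path != "/" && !nosuid) print "30:" path ":nosuid not set"
            m = split(access, h, ":")
            for (i = 1; i <= m; i++)
                if (h[i] !~ /\./)                     print "31:" path ":host " h[i] " not fully qualified"
            if (length($0) > 256)                     print "32:" path ":export line exceeds 256 characters"
        }'
}

# Builds an export line with 20 access hosts (about 400 characters) to
# exercise the item 32 check.
long_export_line() {
    awk 'BEGIN {
        printf "/data -ro,nosuid,access="
        for (i = 1; i <= 20; i++) printf "%shost%02d.example.com", (i > 1 ? ":" : ""), i
        print ""
    }'
}

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
long_export_line | audit_exports
```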

33. Audit test: Review the output of the command: cat /etc/hosts.equiv. Verify that there are no entries within this file. In addition, verify that there is no "+" entry in this file, which would allow any user on any host unauthenticated access to the system.
    Control objective: Ensure that there are no trusted hosts within the network.
    Risk: Any entries in this file increase the risk that an unauthorized user will gain access to the system from a remote system without entering a password. These users could modify or delete files and may have access to sensitive processes running on the system.
    Recommendation: The system administrator should either remove the file or remove all entries from within it.

34. Audit test: Review the output of the command. Verify that there was no file found in the root directory. Additionally, review the policies and procedures surrounding these files with the system administrators.
    Risk: The existence of this file increases the risk that unauthorized users will ... unintended purposes. For example, hackers who break into computer systems frequently add these files ... easily break into the systems in the future.
    Recommendation: The system administrator should remove ...

35. Audit test: Review the output of the command. Verify that there were no files found on the system.
    Control objective: The use and creation of .rhosts files should not be permitted within the user environment.
    Risk: The existence of these files increases the risk that unauthorized users will gain access to user accounts on the system.
    Recommendation: The system administrator should remove all .rhosts files located on the system. In addition, the system administrator should create a cron job which searches for and removes these files on a regular basis (i.e., weekly).

36. Audit test: Review the output of the individual .rhosts files from the prior step.
    Risk: The existence of these files increases the risk that unauthorized users will gain access to user accounts on the system.
    Recommendation: Ensure that any .rhosts files that are required on the system contain only hostnames that are directly controlled within the same network. The system administrator should remove any hosts that do not fit this criterion.

37. Audit test: Verify the operating system level and hostname with the command: uname -a. Discuss with the administrator the schedule of security patches and application upgrades.
    Risk: Older or unpatched versions of operating systems often have security vulnerabilities that are exploitable either locally or remotely on the server.
    Recommendation: It is recommended that the operating system be upgraded or that all security patches be applied.

38. Audit test: Review the services output with the command: cat /etc/services, and the running services with netstat -a. Verify whether the services are running or not, especially if they are on nonstandard ports.
    Control objective: The FTP service defined is configured on the "well-known port" of 21. The telnet service defined is configured on the "well-known port" of 23. The mail or smtp service defined is configured on the "well-known port" of 25.
    Risk: Many router-based access control lists (ACLs) filter TCP/IP packets based on the port being accessed. Configuring these services on any port other than the "well-known port" increases the risk that unauthorized users will bypass the controls of the router ACLs. Many publicly available programs called "port scanners" will identify open ports and the service to which they are assigned on the host.
    Recommendation: If the FTP, Telnet and SMTP services are configured on ports 20 and 21, 23 and 25 respectively, no recommendation is required. However, if the service is configured on any other port, the system administrator should reconfigure the service onto the standard ports.

39. Audit test: Review the output of cat /etc/services.
    Control objective: Only properly configured and approved services are being provided in the nonprivileged port range (ports greater than 1,023).
    Risk: Many third-party software packages require the ability to communicate to other hosts on the network within the nonprivileged port range. Open ports increase the risk that unauthorized users will gain access to the system.
    Recommendation: If the open ports are required, no recommendation is required. However, the system administrator should remove unnecessary ports from the list, and add definitions for needed ones to /etc/services.

40. Audit test: Review the output of the command: cat /etc/inetd.conf.
    Control objective: Ensure that only necessary services are running on the host out of the inetd daemon.
    Risk: The standard Unix "out of the box" configuration leaves many unnecessary services running, which could open the server up to denial of service failures as well as additional entry or information gathering points to an intruder.
    Recommendation: Limit the number of services that are running on the server to those that are needed. Many services have more secure replacements.

41. Control objective: Ensure that the finger service is not running.
    Risk: The finger daemon increases the risk that unauthorized users obtain sensitive information about users on the network that could enable them to gain unauthorized access to user accounts.
    Recommendation: The system administrator should remove the finger daemon from the system start-up files or the inetd configuration.
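The trusted-host checks of items 33 to 36 as shell functions, added as an example that is not from the book: one parses hosts.equiv and .rhosts entries, the other locates such files as the weekly cron job in item 35 would. LOCAL_DOMAIN, the sample entries and the throwaway directory tree are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the book: the trusted-host checks of items 33 to 36.
# audit_trust_entries parses hosts.equiv or .rhosts lines on stdin;
# find_trust_files locates such files under a root, as the weekly cron job
# in item 35 would. LOCAL_DOMAIN and the sample entries are constructed
# for the demonstration.

LOCAL_DOMAIN="corp.example.com"   # hosts the auditor considers "directly controlled"

# $1 is a label for the file being read; one finding per entry is printed.
audit_trust_entries() {
    awk -v label="$1" -v dom=".$LOCAL_DOMAIN" '
        $1 == "" || $1 ~ /^#/ { next }                  # blank or comment line
        $1 == "+" { print label ": \"+\" entry trusts every host"; next }
        {
            msg = label ": trusts " $1
            if (NF > 1 && $2 == "+") msg = msg " for any user"
            if ($1 !~ /\./) msg = msg " (unqualified name)"
            else if (substr($1, length($1) - length(dom) + 1) != dom)
                msg = msg " (outside " dom ")"
            print msg
        }'
}

# Lists hosts.equiv and .rhosts files under directory $1 (item 35).
find_trust_files() {
    find "$1" \( -name .rhosts -o -name hosts.equiv \) -type f -print | sort
}

# Creates a throwaway directory tree with sample trust files and prints its path.
build_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/etc" "$tree/home/alice" "$tree/home/bob"
    printf '+\n' > "$tree/etc/hosts.equiv"
    printf 'ws1.corp.example.com alice\nbackup +\nfs.partner.net\n' > "$tree/home/alice/.rhosts"
    printf '# no trust\n' > "$tree/home/bob/.rhosts"
    printf '%s\n' "$tree"
}

# Walk the sample tree and audit every trust file found.
demo() {
    root=$(build_sample_tree) || return 1
    find_trust_files "$root" | while IFS= read -r f; do
        audit_trust_entries "${f#"$root"}" < "$f"
    done
    rm -rf "$root"
}

demo
```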

42. Audit test: Check whether tftpd is started from /etc/inetd.conf and, on AIX, with which of the following flags:
    -l  Logs the IP address of the calling machine with error messages.
    -n  Allows the remote user to create files on your machine.
    -r  Attempts to convert the IP address to the appropriate host name before it logs messages. This flag must be used with the -l flag or the -v flag.
    -s  Turns on socket-level debugging.
    -v  Logs information messages when any file is successfully transferred by the tftpd daemon. This logging keeps track of who is remotely transferring files to and from the system with the tftpd daemon.
    Control objective: Ensure that tftp (trivial file transfer protocol) has been disabled or is running with the secure option.
    Risk: Use of unauthenticated file transfer across the net ... A user could run a cracker program on the password file and obtain unauthorized passwords.

43. Audit test: Review output of command: cat /etc/tftpaccess.ctl.
    Risk: This is potentially an ... TFTP reads through the ... lines that start with allow: ... other control lines are ignored. If the ... access is allowed. The allowed directories and files minus the denied directories and files can be accessed. For example, the /usr directory might be allowed and the /usr/ucb directory might be denied. This means that any directory or file in the /usr directory, except the /usr/ucb directory, can be accessed. The entries in the file must be absolute pathnames.
    Recommendation: The system administrator should remove it ... restricts its use to a specific directory. ... recognize the existence of the file and allows access to the entire system. ... absolute pathnames. It searches the ... constructed by adding the next component from the file pathname. The longest matched is the one allowed. It then does the same with denied names, starting with the longest allowed pathname matched. For example, if the file pathname were ... be allowed. ... one denied match starting with ... and also contained ... allowed names are searched first.

44. Audit test: Review the output of the command: cat /etc/ftpusers. Review the /etc/passwd file to review access restrictions.
    Control objective: The use of the FTP (file transfer protocol) should be restricted.
    Risk: Without the existence of the /etc/ftpusers file, any user listed in the /etc/passwd file can transfer files across the network. This increases the risk that unauthorized files are transferred across the network.
    Recommendation: The system administrator should create the /etc/ftpusers file, and at a minimum the following identification codes should be included: the root account, any guest accounts, uucp accounts, accounts with a restricted shell, and any other account which should not be copying files across the network.

45. Audit test: Review the above output. Note the system users included within it. Review the list with the system administrator to determine which system users are ...
    Control objective: System identification codes should be restricted from using FTP.
    Risk: System users who are not listed in the /etc/ftpusers file can transfer files across the network. This increases the risk that unauthorized files are transferred across the network.
    Recommendation: The system administrator should include the following system users in the /etc/ftpusers file: root, bin, uucp, nuucp, sync, hpdb, and sys, as well as other system ids.

46. Audit test: Review the above output. Users who do not specifically require use of FTP should be identified and restricted from using it. Review the list with the system administrator to determine which users ...
    Risk: End users not listed in the /etc/ftpusers file can transfer files across the network. This increases the risk that unauthorized files are transferred across the network.
    Recommendation: The system administrator should include the following users in the /etc/ftpusers file: any guest accounts, accounts with restricted shells, and any other account which should not be copying files across the network.

47. Control objective: ... of the system but are not writable by any user other than root.
    Risk: ... unauthorized users delete or modify such files as configuration files.
    Recommendation: The system administrator should reduce the permission settings on these files to be writable only by root.

48. Control objective: ... writable only by root.
    Risk: ... these files, including files created by other users.
    Recommendation: The system administrator should reduce the permission settings on these files to be writable only by root.

49. Recommendation: The system administrator should reduce the permission settings on these files to be writable only by root.
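Items 44 to 46 amount to a cross-check of the password file against /etc/ftpusers; the following is an added example of that check, not the book's own code. The system-account UID boundary, the restricted-shell list, and the passwd and ftpusers contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the book: cross-checks /etc/ftpusers against the
# password file for items 44 to 46 and proposes the completed deny list.
# The system-account UID boundary and the restricted-shell list are
# assumptions for the sample; the passwd and ftpusers contents are constructed.

SYSTEM_UID_MAX=100
RESTRICTED_SHELLS="/usr/bin/rsh /bin/rsh /usr/lib/rsh /bin/false /usr/lib/uucp/uucico"

SAMPLE_PASSWD='root:x:0:0:root:/:/bin/sh
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/:/bin/sh
uucp:x:5:5:uucp:/usr/lib/uucp:/usr/lib/uucp/uucico
guest:x:200:100:Guest:/home/guest:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/ksh
bob:x:1002:100:Bob:/home/bob:/usr/bin/rsh'

SAMPLE_FTPUSERS='root
bin
alice'

# $1: passwd text, $2: ftpusers text. Prints "account:reason" for every
# account that should be denied FTP but is missing from ftpusers.
ftp_gaps() {
    printf '%s\n' "$1" | awk -F: -v users="$2" -v maxuid="$SYSTEM_UID_MAX" -v shells="$RESTRICTED_SHELLS" '
        BEGIN {
            n = split(users, u, "\n");  for (i = 1; i <= n; i++) if (u[i] != "") denied[u[i]] = 1
            n = split(shells, s, " ");  for (i = 1; i <= n; i++) restricted[s[i]] = 1
        }
        $1 == "" || $1 ~ /^#/ { next }
        ($1 in denied)       { next }                                          # already restricted
        $1 == "root"         { print $1 ":root account"; next }                # item 44
        $3 < maxuid          { print $1 ":system account (UID " $3 ")"; next } # item 45
        $1 ~ /^guest/        { print $1 ":guest account"; next }               # item 46
        ($7 in restricted)   { print $1 ":restricted shell " $7; next }        # item 46
    '
}

# The ftpusers content the administrator should install: existing entries
# plus every gap, one name per line, sorted and de-duplicated.
suggest_ftpusers() {
    { printf '%s\n' "$2"; ftp_gaps "$1" "$2" | cut -d: -f1; } | sort -u
}

printf 'Accounts missing from ftpusers:\n'
ftp_gaps "$SAMPLE_PASSWD" "$SAMPLE_FTPUSERS"
printf '\nRecommended /etc/ftpusers:\n'
suggest_ftpusers "$SAMPLE_PASSWD" "$SAMPLE_FTPUSERS"
```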

50. Audit test: Review the output of the commands: xhost and cat /etc/X0.hosts. Review the X11-based access settings.
    Control objective: X11-based software has been configured in a secure manner by explicitly allowing access to only those addresses on the network that require access.
    Risk: Unsecured X Windows access allows an unauthorized individual to capture user keystrokes to obtain login IDs and passwords. In addition, an unauthorized user could issue keystrokes as if the user on the ... the entire X screen to a remote computer on the network.
    Recommendation: The system administrator should execute the command: xhost -. Other security steps include:
    1. Specifying individual computers that are permitted to access the X-Windows server.
    2. Protecting the command xhost by making the owner root and giving it the permissions of 700; this will allow read, write, and ...
    3. ... secure manner. Do not use the -noauth option when starting the X windows.
    4. If using the X server, use the MIT-MAGIC-COOKIE by entering the following command: ...

51. Audit test: Review the output of the command.
    Control objective: SUID files are authorized and inventoried.
    Risk: SUID files increase the risk that the user running the file will escape to a shell. Once at the shell prompt, the user would retain the same access as the actual owner of the file.
    Recommendation: The system administrator should verify that these files are proper and needed for the functioning of the system, reducing permissions where possible. Additionally, the system administrator should create a static inventory list of the remaining files and create a cron job that searches for and reports any newly created SUID files on a regular basis (i.e., weekly).

52. Audit test: Review the output of the command: find / -perm -2 ! -type l -print. Review the list with the system administrator to identify any files that are proprietary, sensitive, or confidential.
    Control objective: Application and user files should not be writable by any user other than the owner.
    Risk: This increases the risk that unauthorized users modify or delete these files.
    Recommendation: The system administrator should reduce the permission settings on these files where possible.

53. Audit test: Review the output of the command: find / -name .netrc -print. Review the output files by identification code on the system.
    Control objective: The use of scripts or reference files containing unencrypted passwords should not be permitted within the user environment.
    Risk: The existence of reference files or scripts with unencrypted passwords increases the risk that unauthorized users will gain access to the system.
    Recommendation: The system administrator should remove .netrc files located on the system. In addition, the system administrator should create a cron job that searches for and removes these files on a regular basis (i.e., weekly).

54. Audit test: Review the output of the commands: cat /etc/profile, and the files output by: find / -name .profile -print; find / -name .login -print; find / -name .cshrc -print; find / -name .bashrc -print.
    Control objective: User file creation default settings are configured to restrict write access to files by other users.
    Risk: Improperly setting the umask variable in the user's .profile, .login or .cshrc file increases the risk that unauthorized users will modify or delete files created by other users.
    Recommendation: The system administrator should correct any problems noted by changing the umask command in the .login, .cshrc, or .profile script file for these users to 027. This results in the following access to any files created by the user: Owner: read, write, execute; Group: read; World: no access.
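To make the umask recommendation of item 54 concrete, an added example (not from the book) that computes the modes a given umask yields for new files and directories and flags umask lines in start-up scripts weaker than 027; the profile excerpts are constructed.

```shell
#!/bin/sh
# Added example, not from the book: shows what a umask actually yields for
# new files and directories (item 54) and flags umask lines in start-up
# scripts that are weaker than the recommended 027. The profile excerpts
# are constructed; portable awk is used, so no bitwise operators.

# $1: octal umask (e.g. 027). Prints "files=NNN (sym) dirs=NNN (sym)".
umask_modes() {
    awk -v u="$1" '
        # Per octal digit: bits of a that are not set in b (a AND NOT b).
        function andnot(a, b,   r, bit) {
            r = 0
            for (bit = 4; bit >= 1; bit /= 2)
                if (int(a / bit) % 2 == 1 && int(b / bit) % 2 == 0) r += bit
            return r
        }
        function sym(d) { return (int(d / 4) % 2 ? "r" : "-") (int(d / 2) % 2 ? "w" : "-") (d % 2 ? "x" : "-") }
        BEGIN {
            u = sprintf("%03d", u)            # "27" -> "027"
            f = d = fs = ds = ""
            for (i = 1; i <= 3; i++) {
                m = substr(u, i, 1) + 0
                fd = andnot(6, m); dd = andnot(7, m)   # files start at 666, directories at 777
                f = f fd; d = d dd; fs = fs sym(fd); ds = ds sym(dd)
            }
            printf "files=%s (%s) dirs=%s (%s)\n", f, fs, d, ds
        }'
}

# Reads a .profile/.login/.cshrc-style script on stdin; $1 labels it.
# A umask is acceptable when it masks at least what 027 masks: group write
# (the 2 bit set in the group digit) and everything for others (7).
audit_umask() {
    awk -v label="$1" '
        $1 == "umask" && $2 ~ /^[0-7]+$/ {
            found = 1
            u = sprintf("%03d", $2 + 0)
            g = substr(u, 2, 1) + 0; o = substr(u, 3, 1) + 0
            if (int(g / 2) % 2 == 1 && o == 7) print label ": umask " $2 " acceptable"
            else                                print label ": umask " $2 " weaker than 027"
        }
        END { if (!found) print label ": no umask set (system default applies)" }'
}

# Constructed start-up script excerpts.
PROFILE_A='PATH=/usr/bin:/bin
umask 022
export PATH'
PROFILE_B='set path = (/usr/bin /bin)
umask 077'

umask_modes 027
umask_modes 022
printf '%s\n' "$PROFILE_A" | audit_umask alice/.profile
printf '%s\n' "$PROFILE_B" | audit_umask bob/.cshrc
printf 'stty erase ^H\n' | audit_umask carol/.login
```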

55. Audit test: Review the output of the preceding commands.
    Control objective: Users are restricted from exiting start-up scripts prior to their completion.
    Risk: Improperly set traps allow users to break out of login shells or scripts and access the command line. Once command line access is achieved, users can read sensitive configuration files and attempt to gain further system privileges.
    Recommendation: The system administrator should correct ... Proper setup should include: ... Depending on the operating system, the method to secure this function will vary. For those systems not specified, the control must be placed in the individual user's profile.

56. Audit test: Review the output of the preceding commands.
    Control objective: The PATH variable is configured ...
    Risk: A bogus ls program could be executed.
    Recommendation: The system administrator should correct or construct the PATH variable so that directories are ... (if needed). At no time should a world-writable directory be included in any user's PATH.

57. Audit test: Review the output of the commands. S: cat /etc/default/login. HPUX: cat /etc/securetty. Review the script output of the file; only the console entry has been uncommented.
    Control objective: Users are required to log in as unprivileged users from every terminal except the console.
    Risk: ... host on the network, including PCs, increases the risk that an unauthorized user will gain privileged access to the system.

58. Audit test: Review the output of the command: rpcinfo -p. Verify that all RPC programs are appropriate.
    Control objective: Only known RPC programs should be running on TCP and UDP ports.
    Risk: Unknown or unauthorized RPC programs increase the risk that unauthorized users will gain access.
    Recommendation: The system administrator should disable any unknown or unauthorized programs running on the system.

59. Audit test: Review the output of the commands. Verify that all network address configurations are appropriate.
    Control objective: All network interfaces are configured appropriately (i.e., promiscuous mode is not enabled).
    Risk: This increases the risk that a network sniffer is, or could be, active or activated by an unauthorized user.
    Recommendation: The system administrator should reconfigure any network interface that has been misconfigured.

60. Audit test: Review the output of the command. Verify that all routes are appropriate.
    Control objective: Ensure network traffic is properly routed through the corporate ...
    Risk: Improperly routed network traffic may allow unauthorized users to view the network traffic.
    Recommendation: The system administrator should work with the network group (or administrator) to configure the network routing appropriately.

61. Audit test: Review the output. Verify that all hosts are appropriate.
    Control objective: Only authorized hosts should be on the network and available to communicate on the network.
    Risk: Unknown hosts on the network increase the risk that unauthorized users will gain access to the system.
    Recommendation: The system administrator should investigate and remove any unknown and unauthorized hosts on the network.

62. Audit test: Review the output. Review with the administrator to ensure that only authorized users are accessing root.
    Control objective: Ensure that users who access root have that access logged and that the sulog is reviewed on a regular basis.
    Risk: Users accessing root have the ability to modify or delete any file on the system.
    Recommendation: The system administrator should change the root password and ensure that only authorized users receive it.

63. Audit test: Review the output and the policy of system restarts; note any discrepancies.
    Control objective: The system is restarted only when ...
    Risk: Unauthorized system restarts may indicate an unauthorized user attempting to gain privileged access, or that a serious system configuration or application problem exists.
    Recommendation: The system administrator should review the system messages on a regular basis and investigate any unplanned system restarts.

64. Audit test: Review the output of the command.
    Control objective: Ensure that there is adequate logging of system activities.
    Risk: Insufficient logging will result in a lack of an audit trail in the event of an unauthorized access. With good logging and monitoring, administrators are often given early warnings of hardware and software errors or problems.
    Recommendation: The administrator should review the system log messages on an active basis, with alerts being sent off if there are problems.

65. Audit test: Review the output.
    Control objective: Ensure that the correct name servers and domain name are being used on the machine.
    Risk: The wrong information could substantially slow down many network requests if reverse lookups are used.
    Recommendation: Ensure that the DNS lookup information in /etc/resolv.conf is correct.
getting more than one computer
building block function by transporting
(Microchannel Architecture bus-based
on the original IBM PS/2)
for the Macintosh)
(Architecture

[Table: comparison of network transmission media (unshielded twisted pair, fiber optic, satellite, infrared/laser point to point, spread spectrum). Columns: bandwidth capacity (the amount of information that can be transmitted at the same time); ease of installation; nodes per segment; attenuation (resistance to traffic on the network: high attenuation means low distances, low attenuation means long distances); EMI (interference: noise gets in, or signals get sniffed out); vulnerability to interception. Recoverable rows: unshielded twisted pair has low capacity and is easy to install inside walls, outside walls, and around corners; fiber optic has high capacity, is difficult to install, carries up to 2 Gbps (typically 100 Mbps) point to point (2 nodes per segment) with low attenuation and therefore long distance (up to 2 km), gives no transmission if the wire is broken, and is not vulnerable to sniffing; infrared/laser and satellite links run at 1-10 Mbps between 2 nodes and depend on atmospheric conditions; light-based links are affected only by intense light and are quality dependent.]
The second building block is interoperability. It encompasses the ability to exchange information between systems. The most well-known interoperability solution is the Internet; another interoperability solution is

Determine how much thought was put into the design of the network: what was selected, and how?

The first networks were time-sharing networks that used mainframes and
Such environments were implemented by both
access shared resources such as file servers.

A local area network (LAN) is an interconnected group of systems that covers a single geographic location or
LANs are typically used for data services and voice. Examples of LAN solutions include:
• Ethernet (10, 100, and 1,000 Mbps)

Wide area networks (WANs) interconnect LANs (over carrier media), thereby interconnecting geographically dispersed users.
A communication system that interconnects
WANs are typically used for voice, data, and video. Examples of WAN solutions include:
• Frame Relay
• T1, T3

Today, high-speed LANs and switched internetworks are becoming widely used because they operate at very high speeds and support such high-bandwidth applications as voice and videoconferencing.
Internetworking evolved as a solution to three key problems:
• Isolated LANs
• Duplication of resources
• Lack of network management
Isolated LANs made electronic communication between different offices or departments impossible. Duplication of resources meant that the same hardware and software had to be supplied to each office or department, as did a separate support staff. Lack of network management meant that no centralized method of managing and troubleshooting networks existed.

Implementing a functional internetwork is no simple task. Many challenges must be faced, especially in the areas of connectivity, reliability, network management, and flexibility. Each area is key in establishing an efficient and effective internetwork.
Reliable communication is the first consideration. The challenge when connecting various systems is to support communication between disparate technologies. Different sites, for example, may use different types of media, or may even include different types of systems that need to communicate.
Another essential consideration, reliable service, must be maintained in an internetwork. Individual users and entire organizations depend on consistent, reliable access to network resources.
Manageability is the ability to manage and control the network and to see the conditions as they work. Furthermore, network management must provide centralized support and troubleshooting capabilities in an internetwork. Configuration, security, performance, and other issues must be adequately addressed for the internetwork to function smoothly.
Flexibility, the final concern, is necessary for network expansion and new applications and services, among other factors.

Large networks typically are organized as hierarchies. A hierarchical organization provides such advantages as ease of management, flexibility, and a reduction in unnecessary traffic. Thus, the International Organization for Standardization (ISO) has adopted a number of terminology conventions for addressing network entities. Key terms defined in this section include end system (ES), intermediate system (IS), area, and autonomous system (AS).
An ES is a network device that does not perform routing or other traffic-forwarding functions. The typical ES includes such devices as terminals, personal computers, and printers. An IS is a network device that performs routing or other traffic-forwarding functions. The typical IS includes such devices as routers, switches, and bridges. Two types of IS networks exist: intradomain IS and interdomain IS.
454 NETWORKS

An intradomain IS communicates within a single autonomous system.


An interdomain IS communicates within and between autonomous systems.
An area is a logical group of network segments and their attached devices. Areas are
subdivisions of autonomous systems.
An AS is a collection of networks under a common administration that share a com-
mon routing strategy. Autonomous systems are subdivided into areas, and an AS is some-
times called a domain.
Networking is a complex endeavor, and breaking it into digestible pieces is why a lay-
ered network model was developed. The OSI model enables the network to be broken down
into logical layers (i.e., the seven layers), which ideally specifies and groups the functions
that need to be performed at each layer. These functions within each layer are further bro-
ken down into tasks.
The layered network task model facilitates specialization by the age-old concept of
division of labor, and this in turn enhances simplicity and increases standardization, which
further helps competition and drives costs down. More importantly, this layered approach
facilitates intervendor product interoperability. Now one can determine what products are
in use and how much interoperability is taking place.

OSI MODEL
OSI (Open Systems Interconnection) is a standard description or reference model for how
messages should be transmitted between any two points in a telecommunications network.
Its purpose is to guide product implementors so that their products will consistently work
with other products. The reference model defines seven layers of functions that take place
at each end of a communication. Although OSI is not always strictly adhered to in terms of
keeping related functions together in a well-defined layer, many, if not most, products in-
volved in telecommunication make an attempt to describe themselves in relation to the OSI
model. It is also valuable as a single reference view of communication that furnishes every-
one a common ground for education and discussion.
Developed by representatives of major computer and telecommunications compa-
nies in 1983, OSI was originally intended to be a detailed specification of interfaces. In-
stead, the committee decided to establish a common reference model for which others
could develop detailed interfaces that in turn could become standards. OSI was officially
adopted as an international standard by the ISO. Currently, it is Recommendation X.200
of the ITU-TS.
The ITU-T (for Telecommunication Standardization Sector of the International
Telecommunications Union) is the primary international body for fostering cooperative
standards for telecommunications equipment and systems. It was formerly known as the
CCITT. It is located in Geneva, Switzerland.
The V Series Recommendations from the ITU-TS are summarized below. They in-
clude the most commonly used modem standards and other telephone network stan-
dards. Prior to the ITU-T standards, the American Telephone and Telegraph Company
and the Bell System offered its own standards (Bell 103 and Bell 212A) at very low
transfer rates. Another set of standards, the Microcom Networking Protocol, or MNP
Class 1 through Class 10 (there is no Class 8), has gained some currency, but the devel-
opment of an international set of standards means these will most likely prevail and con-
tinue to be extended.

The V Series Recommendations from the ITU-TS

Standard    Meaning
V.22        Provides 1200 bits per second at 600 baud (state changes per second)
V.22bis     The first true world standard, it allows 2400 bits per second at 600 baud
V.32        Provides 4800 and 9600 bits per second at 2400 baud
V.32bis     Provides 14,400 bits per second or fallback to 12,000, 9600, 7200, and 4800 bits per second
V.32terbo   Provides 19,200 bits per second or fallback to 12,000, 9600, 7200, and 4800 bits per second; can operate at higher data rates with compression; was not a CCITT/ITU standard
V.34        Provides 28,800 bits per second or fallback to 24,000 and 19,200 bits per second and backward compatibility with V.32 and V.32bis
V.34bis     Provides up to 33,600 bits per second or fallback to 31,200 or V.34 transfer rates
V.35        The trunk interface between a network access device and a packet network at data rates greater than 19.2 Kbps. V.35 may use the bandwidths of several telephone circuits as a group. There are V.35 Gender Changers and Adapters.
V.42        Same transfer rate as V.32, V.32bis, and other standards but with better error correction and therefore more reliable
V.90        Provides up to 56,000 bits per second downstream (but in practice somewhat less). Derived from the x2 technology of 3Com (US Robotics) and Rockwell's K56flex technology.

An industry standard, Integrated Services Digital Network (ISDN) uses digitally encoded
methods on phone lines to provide transfer rates up to 128,000 bits per second. Another
technology, Digital Subscriber Line, provides even faster transfer rates.
The main idea in OSI is that the process of communication between two end
points in a telecommunications network can be divided into layers, with each layer
adding its own set of specially related functions. Each communicating user or program
is at a computer equipped with these seven layers of function. So, in a given message
between users, there will be a flow of data through each layer at one end down through
the layers in that computer and, at the other end, when the message arrives, another
flow of data up through the layers in the receiving computer and ultimately to the end
user or program. The actual programming and hardware that furnishes these seven lay-
ers of function is usually a combination of the computer operating system, applications
(such as the Web browser), TCP/IP or alternative transport and network protocols, and
the software and hardware that enable a signal to be put on one of the lines attached to
the computer.
OSI divides a telecommunications network into seven layers. The layers are in two
groups. The upper four layers are used whenever a message passes from or to a user. The
lower three layers (up to the network layer) are used when any message passes through the
host computer. Messages intended for this computer pass to the upper layers. Messages
destined for some other host are not passed up to the upper layers but are forwarded to an-
other host.
[Figure: the seven OSI layers, from 7 Application and 6 Presentation down to 1 Physical. The accompanying text survives only in fragments: each layer's data becomes a field of the layer below it; data may be split up into multiple smaller sections for the network and the destination; the Physical Layer consists of the hardware that operates at the electrical level and handles synchronization and transmission distance.]

With Integrated Services Digital Network (ISDN), there are two levels of service: the Basic Rate Interface (BRI), intended for the home and small enterprise, and the Primary Rate Interface (PRI), for larger users. Both rates include a number of B channels that carry data, voice, and other services. The D channel carries control information. The BRI consists of two 64-Kbps B channels and one 16-Kbps D channel of service. The PRI consists of 23 B channels and 1 D channel in the United States, or 30 B channels and 1 D channel in Europe. Basic Rate usage in a city like Kingston, New York, is about $125 for phone company installation, $300 for the ISDN adapter, and an extra $20 a month for a line that supports ISDN.

High-Speed Serial Interface (HSSI) is a DTE/DCE interface developed by Cisco Systems and T3plus Networking to address the need for high-speed communication over WAN links. The HSSI specification is available to any organization wanting to implement HSSI. HSSI is now in the American National Standards Institute (ANSI) TR30.2 committee for formal standardization. It has been moved into the ITU-T (formerly the Consultative Committee for International Telegraph and Telephone [CCITT]) and the ISO and is expected to be standardized by these bodies. HSSI defines both the electrical and the physical DTE/DCE interfaces. It therefore corresponds to the Physical Layer of the OSI reference model. HSSI technical characteristics are summarized below.

Characteristic                Value
Maximum signaling rate        52 Mbps
Maximum cable length          50 feet
Number of connector pins      50
Interface                     DTE-DCE
Electrical technology         Differential ECL
Typical power consumption     610 mW
Topology                      Point to point
Cable type                    Shielded twisted pair wire

error notification (end stations)
in today's real-world networks
Layers 1 and 2 combined
Flow control controls information flow in the network
computer to use the

Multiplexing is a process in which multiple data channels are combined into a single data channel for transmission. Multiplexing can be implemented at any of the OSI layers. Demultiplexing is the process of separating multiplexed data channels. An example of multiplexing is when data from multiple applications is combined into a single lower-layer data packet (by a multiplexer).
combines multiple data streams into
demultiplexes the channels into
the use of the bandwidth of
traffic sources. Some methods
by a calculation that is
First, the source device

• Transport. The upper-layer

• Session. This layer sets up, coordinates, and terminates conversations between the applications at each end. It handles tasks associated with establishing sessions between Presentation Layer (Layer 6) entities, using a session control protocol, which coordinates

• Presentation. This is a layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another (for example, from a text stream into a popup window with the newly arrived text). The Presentation Layer handles tasks associated with data representation; its task items include:
  - Data representation formats
  - Data compression/decompression
  - Data encryption and decryption

• Application. This is the layer at which communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. (This layer is not the application itself, although some applications may perform Application Layer functions.) The Application Layer is the layer at which the network resources are requested; its tasks include:
  - Identifying communication partners
  - Determining resources available
  - Synchronizing communication
Standard    Speed     Topology   Medium
10 Base T   10 Mbps   Star       UTP
10 Base F   10 Mbps   Star       Fiber optic
10 Base 2   10 Mbps   Bus        50-ohm thin coax
10 Base 5   10 Mbps   Bus        50-ohm thin coax

10 Base T - Ethernet Network

A token ring network is a local area network in which all computers are connected in a ring or star topology and a binary digit- or token-passing scheme is used in order to prevent the collision of data between two computers that want to send messages at the same time. The standard version, specified as IEEE 802.5, supports transfer rates of either 4 or 16 Mbps.
Empty information frames are continuously circulated on the ring. When a computer has a message to send, it inserts a token in an empty frame (this may consist of simply changing a 0 to a 1 in the token bit part of the frame) and inserts a message and a destination identifier in the frame. The frame is then examined by each successive workstation. If the workstation sees that it is the destination for the message, it copies the message from the frame and changes the token back to 0.
interfaces t
have a p t
tolerance, and the use of fiber optics.

Wide area network technologies consist of two types
characteristics
serial links,
), Network Control
specifications include:
cells.
Data Link Identifier
for Permanent Virtual Circuits (PVC)
0 = Terminal
1 = Terminal

The basic internetworking devices are:

Router specifications are:

Address         Port   Metric
210.157.64.1    1      10
210.157.64.2    2      10
210.157.64.3    3      10
\

Layer 1 -
Layer 2 - tru
lowest level of access
complete access to all commands and configuration
for router buffer pools.
Shows all selected interface information.
• Configuration register value:
Configuration register is
Visible in results of "show version" in privileged mode
Layers 3 and 4 sensitivity
11.
Stop connections that do
moment at the need for
document that details an e
up a firewall without a
The best approach is usually a combination of all four.

There are scores of threats on the internet; a few of the more insidious problems that a firewall will attempt to fix:
port service. There are
il has often been the hacker's choice of entry (via its security
tion that handles all
control a connection based on the source and destination addresses
used in that session. A packet-filter firewall (which is one of
one that inspects each
permission rules to grant or
a second destination address
l, but it makes up for that in
t have to do anything special,
defined as accepting traffic, the
through. This also means that any packet with that port number could pass through the firewall.

the "state" and "context" of the user's request, so that when the data are returned via the firewall it is able to verify whether or not the data were specifically requested. Stateful inspection attempts to track open, valid connections without the need to process a rule for each packet.
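To make the contrast concrete, the following Python model (an added example, not code from the book) runs the same constructed packets through a per-packet filter that must accept inbound traffic to unprivileged ports and through a connection-tracking inspector. The two-rule policy, the addresses and the port numbers are assumptions for the illustration.

```python
"""Per-packet filtering versus stateful inspection, on a constructed packet stream."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": internal host -> internet, "in": internet -> internal host
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # connection-opening segment
    fin: bool = False  # connection-closing segment


def stateless_filter(pkt):
    """Toy packet filter with two rules, judging each packet on its own.

    Rule 1: internal hosts may reach web servers (destination port 80).
    Rule 2: because replies come back to arbitrary unprivileged ports, any inbound
            packet to a port above 1023 is accepted. This is the weakness the text
            describes: anything carrying such a port number passes, requested or not.
    """
    if pkt.direction == "out" and pkt.dst_port == 80:
        return True
    if pkt.direction == "in" and pkt.dst_port > 1023:
        return True
    return False


class StatefulInspector:
    """Remembers sessions opened from inside; inbound traffic passes only for a tracked session."""

    def __init__(self):
        # (internal ip, internal port, external ip, external port) of each open session
        self.sessions = set()

    def decide(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.syn and pkt.dst_port == 80:
                self.sessions.add(key)      # same outbound rule as the packet filter
                return True
            allowed = key in self.sessions  # later outbound packets of a known session
        else:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            allowed = key in self.sessions  # inbound only if an inside host asked for it
        if allowed and pkt.fin:
            self.sessions.discard(key)      # session closing; nothing further is expected
        return allowed


# Constructed traffic (documentation address ranges, no real hosts).
SAMPLE_TRAFFIC = [
    Packet("out", "10.0.0.5", 40001, "203.0.113.10", 80, syn=True),  # inside host opens web session
    Packet("in", "203.0.113.10", 80, "10.0.0.5", 40001),             # the server's reply
    Packet("in", "198.51.100.7", 80, "10.0.0.5", 40002),             # unsolicited: nobody asked for it
    Packet("in", "203.0.113.10", 80, "10.0.0.5", 40001, fin=True),   # server closes the session
    Packet("in", "203.0.113.10", 80, "10.0.0.5", 40001),             # stray packet after the close
]


def run_stateless(packets):
    """Decisions of the per-packet filter, in order."""
    return [stateless_filter(p) for p in packets]


def run_stateful(packets):
    """Decisions of one stateful inspector fed the packets in order."""
    inspector = StatefulInspector()
    return [inspector.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, a, b in zip(SAMPLE_TRAFFIC, run_stateless(SAMPLE_TRAFFIC), run_stateful(SAMPLE_TRAFFIC)):
        print(f"{pkt.direction:>3} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
              f"  packet filter: {'pass' if a else 'drop'}  stateful: {'pass' if b else 'drop'}")
```

The packet filter passes all five packets, including the unsolicited one and the stray one after the close; the inspector passes only the three that belong to the session the inside host opened.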

Generally less expensive
support user authentication
automatically hide network
(such as Web, Java, and so on)
in a filtered environment (such as
time of day access control
direct connection between internal and external

Generally offers higher level of security
Great deal of customization: commands, protocols, or services
direct connection between
user authentication
Can automatically hide network and system addresses from public view
Able to provide time of day access control
Generally more complex
every application one wants to use through the firewall
Bandwidth can be a limitation
More secure than a standard
application level attack
system addresses from

vendor would make such
A research challenge does not prove
have a baseline testing
does not mean that no problems exist. And
would not want to publicize the security vulnerabilities
want the vendor to ship a defective product.

awards that the firewall vendor has. Even a "Best of Show" award does not necessarily mean it is the right product for an organization.

The decision about the appropriate firewall is best made with a security audit. An organization's internal security staff, or an external staff, performing
had the privileges to do
the need to connect machines
what it was originally meant to be.

disk or database file

the following security problems:

stealing the superuser
requires superuser privileges
through the network
retaliation.

a secure level by elimi-

These software and hardware barriers stand between the private internal network and its connection to the outside world, such as the internet. The firewall provides an extra layer of protection and regulates and controls communication. How do users who have an internet connection ensure that traffic between their network and the outside world is secure and controlled? If one can tolerate the restrictions imposed with this type of connection, use it to reduce the exposure of the environment.

Numerous options are available for connecting a personal modem on an existing network. These options include analog, ISDN, and various flavors of digital subscriber lines.

a robust firewall? Cable modems, for example, use a fixed, allocated address range known
more about network security
resources, such as personal files, are available for public consumption.

What about the browser? Hackers spend disproportionate attention on products like Internet Explorer (IE). There are a number of ways for hackers and malicious Web sites to crash the browser or worse.
Navigator is safe either.
many problems by steering clear of
, and ActiveX unless absolutely necessary
the browser version that supports strong encryption whenever personal information is sent.

Leased line networks and remote access equipment have been replaced in favor of virtual private networks (VPNs), offering substantial infrastructure and support savings. VPNs, which enable secure private communications, implement the following:

• Authentication
• Encryption
• Key management technologies

Because these technologies are "battle-hardened"
not V
will remain so until the emerging protocols, standards, and products mature.
Three critical VPN components are:
• Security (access control, authentication, and encryption)
• Traffic management (making sure that critical applications are delivered reliably and with the highest possible performance)
• Policy-based network management (the ability to manage the entire network from one central console to one easy-to-install turnkey solution)
How does one stay familiar with the latest viruses and fixes as well as other security issues through Web sites such as www.cert.org or www.NTSecurity.net? The enemy is likely more experienced, but a little prevention can go a long way. Often the technology, like firewalls that
have not been
process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves the number of addresses that a company needs and lets the company use a single address in its communication with the outside. NAT is included as part of a router and is often part of a corporate firewall. Administrators create a NAT table that does the global-to-local and local-to-global address mapping. NAT can also be used in conjunction with policy routing. NAT can be statically defined, or it can be set up to dynamically translate from and to a pool of addresses.
NAT allows internal internet addresses or internet protocols to be hidden. Traffic leaving the firewall will appear to have been sent from the firewall's external address, rendering the sender invisible to the internet, which makes it difficult for hackers to track down the network information and addresses required.
Stateful inspection is the most sophisticated technology available. Firewalls built around this technology interrogate the packets based on source, destination, and communications port. Is stateful inspection technology used to filter based on source, destination, protocol, and port? Does the design provide both router and firewall configurations? The router setup is most common for commercial firewalls that receive a packet, compare it to the rules defined, and either permit or deny access to another network. This scenario often requires several network changes, including managing static routing tables, and it can make the firewall an easy target for hackers. To address these issues, the firewall was built on top of a secure operating system.

Another significant requirement is monitoring.
tools is incredibly important to reacting to an incident. There are three crucial questions:
• What is being detected?
• How quickly can it be detected?
• How often is the detection tool updated?
Even with detection, few companies have any idea what to do if an attack occurs. It has become common knowledge that most do very little, except perhaps
security system. Few companies legally pursue hackers according to industry
Thus, there have to be procedures available to react to a breach even if it will not be pursued legally.

The critical security tasks include network protocol analysis and security, network and management solutions. These tasks should be followed during all stages of network development and security, from planning and design to implementation and ongoing management. They include:
• Operational tasks
• Software distributions
• Event alerts
• System monitors of Total Virus Defense from within the IT environment
they reside on the system with a
the applications and owner of users,
blocking distribution of viruses, spam, and other inappropriate message content.
E-mail can now be used to distribute confidential or inappropriate information, which can raise a number of serious legal issues. Can different filters be applied to different groups of people at different times of the day? How is the corporate policy implemented and centrally controlled by the company's IT so that the filter is effective and has-

and digital "sledgehammers."

Attempt to bypass it with basic scans, fragmented packet scans, and

Attempt to overwhelm it with
rules are well designed and
dynamic port selection
firewall is often difficult, but solutions include
masks let you define the next sequence of

• Determine that the connection to an external network, such as the internet, is secured with an application gateway firewall and that the firewall is properly configured to secure internet traffic.
• Obtain a detailed network diagram of the firewall network components (DNS server, firewall host system, Web server, and so on) with hosts.
• Determine that all of the physical and logical components are managed by the same group and that the control procedures and policies are well documented and updated regularly.
• Review the firewall network operations and control procedures to ensure that procedures are documented and in place to back up security and configuration files and to properly restore these files after system failures and software or system upgrades.
• Using the network diagram as a guide, observe the physical connections between the various components, noting proper labeling of all physical connections and that all physical connections are consistent with the diagram. Investigate any connections that link portions of the firewall network to networks or links not documented in the network diagram.
• Determine that the firewall has only two network interfaces: the link to the external network and the link to the internal network.
• password controls: authorizations for
• Review and assess the use of groups to assign service access capabilities to users.
• For generic proxy programs that may be in use, review the source and destination restrictions to ensure that they are configured to restrict this traffic. Assess the need and implementation of additional controls such as router filters.
• For each proxy, determine that adequate logging is in place and that logs are reviewed on a timely basis.
• Determine that audit alerts have been adequately configured to notify on a real-time basis of security events that require attention, using traps, e-mail messages, pagers, and so on.
• Review and assess the appropriateness of administrators with access to view and modify the firewall configuration.
• Review configuration changes (if the firewall products support this) and investigate them to ensure they are authorized changes.
For more detailed information on network security audit, refer to the section "Network Security" in Chapter 6. Note the subsections "Technical
"Managing Network with I
information quickly
contained on their local

Electronic data interchange (EDI)
data
significantly in the past five
replace paper transactions with
routine business functions may
system is not operating.

networks, and microcomput-

no longer the domain

business assets rests

Because today's automated infor-
in moments of a disruption in sys-

Specifically, the plan should
's responsibilities, the distribu-
feasibility, plan testing, recov-
emergency information that may
specific statements regarding each of these
complete enough to minimize

recovery plan, the direct support
responsibility for disaster recovery ul-
responsibility for the assets
resources are available
recovery planning to be
defining its commitment to

broader distribution of
the sole provider
no longer isolated in the controlled environ-
resources affected. It is possi-
worst-case scenarios. This

Recovery planners should solicit
to resources and assignment
with management to communicat-

of appropriate
plan, availability

weaknesses in the existing
the organization to use its information technology causes significant loss of essential services.
although it might be perceived as such. Thus, there are classifications of exposure:

significant interruption, depending on its duration and
of the organization.
a disaster include the degree of dependency placed on

can perform required recovery tasks.
The plan should be as comprehensive as possible and should document preestablished
decisions in a crisis atmosphere. The plan should also provide

emphasize the actions intended to protect the organiza-
those who would take ad-

basic requirements that, if not
addressed efficiently,
Potential causes of business interruptions include:

Fraud

Terrorist actions

Theft

Determining the potential impact of a disaster is to identify the essential assets that need protection. One way to do this is to perform an impact analysis study. Some

essential assets (e.g., facilities, hardware, and software) might be tangible and easily iden-
tified and their value easily calculated. However, the value of data is more difficult to as-
sess because it depends on its relative value to management. The following categories
should be considered when developing an inventory of essential assets requiring protection:
Facilities
Data
Software
Personnel
Data processing hardware
Communications circuits
Communications hardware
These assets are susceptible to any of the threats listed as probable causes of business in-
terruptions. Management is responsible for recognizing the probable causes of business
interruptions and, to the extent possible, taking steps necessary to protect critical infor-
mation technology operations. Auditors should assess the risk of exposure and the ade-
quacy of precautionary steps to prevent or minimize the effects of disaster. It can be ex-
pensive to develop and maintain a DRP. Designing a DRP is a labor-intensive task and can
take a year or more to complete.

BUILDING A CASE FOR DISASTER RECOVERY


Audit has an opportunity to communicate the need for a DRP program to senior manage-
ment. Audit must emphasize the risks of not being ready and able to recover and continue
the firm’s critical business functions, not complying with regulatory requirements, not
meeting contractual obligations and service level agreements, and not providing an ade-
quate level of awareness within the organization.
Audit may also be well positioned to compile information throughout the organiza-
tion on risks and potential threats to facilities and business processes because of their close
examination of these areas during other scheduled audits. Furthermore, audit can often
compile and share DRP benchmarking data and leading-practices information across busi-
ness units and locations. Audit could also obtain information on DRP plans, strategies, and
practices from similar organizations or other firms within an industry grouping, which can
assist in a company’s DRP efforts.

BUSINESS IMPACT ANALYSIS


The business impact analysis (BIA) is the foundation of effective disaster recovery plan-
ning. It must originate from the individual business areas and should highlight business
strategy as well as inherent risks and critical threats to achieving business goals. As such,
it will represent the business area’s risk assessment of its financial, operational, competi-
tive, and systems environments. The more defined the BIA is, the easier it will be to justify
the expense of the disaster recovery program to senior management.
Audit should help make this process less subjective and more quantifiable through the
use of appropriate measurement tools and risk assessment techniques. Remember, this is
what audit does regularly. This is an area of expertise.

Audit’s most significant contribution to the BIA process is one of validation. At a


minimum, they should review and validate the following components:
Business process inventories
Business process owners
Resource listings, including systems inventories
Business impact information (financial and nonfinancial)
Critical time periods
Interdependencies
Recovery time frame objectives
Recovery resource requirements
Obtaining audit’s evaluation and validation of the preceding items will enhance the DRP’s
framework and serve to strengthen its effectiveness not only for the eyes of management
but also in the event of a disruption.

STRATEGY SELECTION
Disaster recovery strategies range from providing fully functional alternate sites to “quick
ship” programs, which may be internally or externally provided. Based on the BIA, a suit-
able strategy should be selected to provide the organization with the necessary recovery re-
sources within its predetermined recovery time objectives (RTOs).
Audit should review the strategy to ensure that it is in line with the overall business
process and fits the organization’s bigger picture. Audit can also perform independent re-
views of vendor contracts and agreements as well as liaise with procurement and legal de-
partments during this process. The key is to ensure that the selected recovery strategies and
all assumptions surrounding those strategies have been adequately and independently re-
viewed.
These assumptions may include:
Assuming that the alternate facility will be available at crisis time.
Assuming that the alternate facility is a certain distance away and unlikely to be affected.
Assuming that key personnel will be available to facilitate recovery.
Assuming that identified vendors and alternates will be available to provide products
and services.
Audit should work with the disaster recovery planner to ensure that there are no “surprise”
audit findings after the DRP program is implemented. It is far more efficient and effective
to build audit requirements into the DRP process during development than to retrofit a DRP
program with audit-required controls.

PLAN PREPARATION
Since individual business managers are ultimately responsible for the successful execution
of the plan in the event of disruption, they should assume ownership of the plan. They
should provide the time and resources to clearly document the detailed recovery procedures
necessary to resume and continue critical business activities.
plans have never really been
te
excuse with organizations

The methodology describ
to prove the accuracy and
is to keep pace with chan
testing is to verify the validity and functionality of the recovery procedures
components are combined. If you are able to test all modules, even if you
perform a full test, then you can be confident that the business will survive a
when a series of components are combined without in-

Examples of module tests are:
* Alternate site activation
* Application recovery
* Run production processing

The full test verifies that each component within every module is workable and satisfies the requirements detailed in the recovery plan. The test also verifies the
modules to ensure that progression from one module to m-
out problems or loss of data.
objectives associated with full
a test:
ed time to establish that the production environment meets
the recovery plan to
ensure a smooth flow from module to
To achieve the first objective, a computer system of the similar capacity and speed must be available for the estimated time frame as stipulated in the plan. This is not critical to achieve the second objective.

ned around a worst-case scenario for equipment since this will
examined while
catering to all possible disastrous situations.
around best-case scenario for staffing to ensure that all participants are involved
and to understand and resolve each issue in the process of build-
Personnel should note any weaknesses or opportunities to improve the
Once confident that the recovery plan is effective, other scenarios for
that the procedures are complete and can
when every requirement associated with
component has been documented and verified can the recovery plan be said to be com-
aspects of the test are properly examined.

st, some considerations will be necessary that perhaps would not be
For example, a test may require agreement with business units to pre-
ction, or require that all change control be frozen for a period, or
place. The role of the observer is to give an unbiased view and to comment on areas of success or concern to assist in future testing.

There will need to be some assumptions made. This allows a test to achieve the results without being bound by other elements of the recovery plan that may not have been verified yet.
Assumptions allow prerequisites of a particular component/module to be established out-

* All technical information documented in the plan, including appendices, is complete and accurate.
* All purchases (equipment/furniture, etc.) can be made in the time frame required.
* es and other equipment recalled from off-site are valid and usable.

Before any test is attempted, it must be verified that the recovery plan is fully documented in all sections, including all appendices and attachments referenced to each process. Each participating team in a test must be aware of how their role relates to other teams, when and how they are expected to perform their tasks, and what tools are permissible. It is the responsibility of each team leader to keep a log of the proceedings for further improvement and to prepare better for future tests.

No matter whether it is a hypothetical, component, module, or full test, a briefing session for the teams is necessary. The boundaries of the test are explained, and the opportunity to discuss any technical uncertainties, provided.
Depending on the complexity of the test, additional briefing sessions may be required, one to outline the general boundaries, another to discuss any technical queries, and perhaps one to brief senior management on the test’s objectives. The size of the exercise and number of
determine the time between the briefing session(s) and the test. The time period must provide sufficient opportunity for personnel to prepare adequately, particularly the technical staff. It is recommended that the final briefing be held no more than two days prior to a test date to ensure that all activities are fresh in the minds of the participants and the test is not impacted through mis-
s or tardiness.
An agenda would be:
* Team objectives
* Scenario of the disaster
* Location of each team
* Restrictions on specific teams
* Assumptions of the test
* Prerequisites for each team
* Can you restore each subsystem and are they documented in the plan?
* Do you know what time and day you have to recover to? Start of current day (SOD)? End of previous day? Midday? Is this in the plan?
* Do your recovery procedures reflect the correct backup tapes to be used? (For example, if recovering to SOD, the backup tapes will probably have the previous day’s
* Do you know the recovery point (e.g., SOD or end of day [EOD] checkpoint recovery)? Is this documented in the plan?
* Can you recover the databases to the SOD?

Questions to ask about the plan include:
* Can you forward-recover the databases to the point of failure? Is this documented in
* Do you know how to verify the integrity and currency of the databases?
* Who is to perform this task and is it documented in the plan?
* Does this person need to formally authorize this fact?
* Can you IPL the system and is it fully documented in the plan?
* Are these procedures accurate; that is, can your manager use them to load the system?
* Are there any processes that are not included in the recovery plan? If not, why not?
* Has your vendor/supplier/maintainer checked and verified all procedures?
* Do you have documented and verified procedures to:
* Initialize disk drives
* Restore system (reload)
* Reboot from stand-alone backup
* Perform restarts
* Restore other libraries
* Initialize catalogues
* Application restore
* Database restore
* Set unit addresses
* Perform restarts
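Added example, not from the book: a small Python check over a constructed backup catalogue that answers the recovery-point and backup-tape questions above, that is, which EOD full backup serves a SOD or EOD recovery point, and whether the archived journal tapes form an unbroken chain for a forward recovery to the point of failure. Tape names, times and journal sequence numbers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TapeRecord:
    """One off-site tape as listed in a backup catalogue (constructed format)."""
    tape: str
    kind: str            # "full" = end-of-day checkpoint backup, "log" = archived journal
    taken_at: datetime   # full: checkpoint time; log: when the receiver went off-site
    first_seq: int       # journal sequence numbers carried by the tape (inclusive)
    last_seq: int


def _rec(tape, kind, when, first_seq, last_seq):
    return TapeRecord(tape, kind, datetime.fromisoformat(when), first_seq, last_seq)


# Constructed sample catalogue: nightly EOD full backups plus journal receivers
# archived during the day. The receiver covering seq 291-310 on 7 March was
# never sent off-site, the kind of gap the checklist questions are meant to find.
CATALOGUE = [
    _rec("F1", "full", "2001-03-05T23:00", 0, 100),
    _rec("L1", "log", "2001-03-06T08:00", 101, 130),
    _rec("L2", "log", "2001-03-06T12:00", 131, 170),
    _rec("L3", "log", "2001-03-06T16:00", 171, 220),
    _rec("F2", "full", "2001-03-06T23:00", 0, 220),
    _rec("L4", "log", "2001-03-07T08:00", 221, 260),
    _rec("L5", "log", "2001-03-07T12:00", 261, 290),
    _rec("L6", "log", "2001-03-07T16:00", 311, 340),
    _rec("F3", "full", "2001-03-07T23:00", 0, 340),
]


def _day(d: datetime) -> datetime:
    return d.replace(hour=0, minute=0, second=0, microsecond=0)


def eod_checkpoint(catalogue, day: datetime):
    """The EOD full backup taken on `day`, or None if no such tape is catalogued."""
    fulls = [t for t in catalogue if t.kind == "full" and _day(t.taken_at) == _day(day)]
    return max(fulls, key=lambda t: t.taken_at) if fulls else None


def plan_recovery(catalogue, target: str, mode: str) -> dict:
    """Work out which tapes a recovery to `target` (ISO timestamp) needs.

    "SOD": start of that day, i.e. the previous day's EOD checkpoint backup.
    "EOD": end of that day, i.e. that day's EOD checkpoint backup.
    "POF": point of failure at `target`: the latest full backup before it, then
           every archived journal tape rolled forward. Holes in the sequence
           chain are reported, since forward recovery cannot cross them.
    Transactions after the last archived receiver are lost unless the journal is
    remote-mirrored; a catalogue cannot show that, so `recovered_to_seq` states
    how far the listed tapes actually reach.
    """
    when = datetime.fromisoformat(target)
    logs, gaps = [], []
    if mode == "SOD":
        full = eod_checkpoint(catalogue, _day(when) - timedelta(days=1))
    elif mode == "EOD":
        full = eod_checkpoint(catalogue, when)
    elif mode == "POF":
        fulls = [t for t in catalogue if t.kind == "full" and t.taken_at <= when]
        full = max(fulls, key=lambda t: t.taken_at) if fulls else None
        if full is not None:
            logs = sorted((t for t in catalogue if t.kind == "log"
                           and t.last_seq > full.last_seq and t.taken_at <= when),
                          key=lambda t: t.first_seq)
            expected = full.last_seq + 1
            for t in logs:
                if t.first_seq > expected:          # hole in the journal chain
                    gaps.append((expected, t.first_seq - 1))
                expected = max(expected, t.last_seq + 1)
    else:
        raise ValueError(f"unknown recovery mode {mode!r}")
    reached = None
    if full is not None:
        reached = gaps[0][0] - 1 if gaps else (logs[-1].last_seq if logs else full.last_seq)
    return {
        "full_tape": full.tape if full else None,
        "log_tapes": [t.tape for t in logs],
        "gaps": gaps,
        "recovered_to_seq": reached,
        "recoverable": full is not None and not gaps,
    }
```

Run with the sample catalogue, a point-of-failure recovery on the afternoon of 7 March lists F2 plus L4, L5, L6 but reports the missing 291-310 range, so the plan can only be trusted to seq 290.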

Questions to ask about the cold site include:
* Does everyone know the location of the recovery site?
* Have all those who will be located there visited the site?
* Have you checked the access to and from the location?
* Is the equipment st
* Does the site have a security system and do you know how to program/use it?
* Are all the cables, phones, power, telex, and modems of the a
quantity to meet recovery needs?
* Have you verified as functional, the air conditioners, li
cient floor and office space to meet your needs?
* Have you checked the access for entry and exit of equipment and staff?
* Do you have a diagram showing the network/system configuration and flo
* Do you know the emergency evacuation procedures of the site?
hting equipment meet the required standards, and has it
* Is all this documented in a site manual?
* Do you have a copy of the site manual in your possession?
* Does the site satisfy all your recovery communications/netwo
* Is anyone else situate
If so, are they totally isolated from your equipmen
moves, security risk, physic
* Is a method in place to che
* Are all critical consumables (special forms) located in controlled con
multiple locations?

Questions to ask about third-party hot site checks include:
* What peripheral equipment do you require to meet your disaster needs as stated in
recovery plan?
* What system size/capacity do you require to run in disaster
* Is the hot site equipment (e.g., system, peripherals, com
* Does the site have tape library facilities?
* Do you regularly review the site to check all these items?
tion under recovery mode?


Questions to ask about warm/hot site checks include:
* Do you have a DRP machine at this location?
* Is the system a development or second production machine?
* Is the system large enough to allow the DRP system and all its requirements to be loaded (e.g., CPU/disk capacity, tape/cart drives, speed to meet user satisfaction)?
* Do you know which files/libraries you need to remove from the
vide sufficient space?
* Do you wish to keep the data on the DRP machine and restore it after a test or actual disaster?
* If not, do you have a plan to clear or prepare this system for both testing purposes and the actual disaster?
* Do you have procedures to perform this clearing function (backup and delete)?
* Do you have cleanup procedures for the DRP machine at the completion of the test to enable return to normal processing?

While testing is in itself beneficial, an effective recovery plan can only be achieved by constructive analysis of each test and the test’s results through a postmortem. This also maintains the momentum gained from the test, which is critical to the process of building a workable plan.
Many staffs see disaster recovery as an additional workload; however, with time and constructive and regular involvement, staffs develop a greater commitment.

If the company has a dedicated DR team or coordinator assigned permanently, then this team or coordinator would have the responsibility of conducting the briefing and debriefing sessions. If not, the responsibility lies with the command team leader.
The format is to discuss the results and findings of the test with a view to improving the recovery plan for future exercises. From these discussions, a set of objectives is developed for later inclusion in the report. An agenda could be:
* Overall performance
* Team performance
* Observations
* Areas of concern
* Next test (type and time)

Each team leader has the responsibility of maintaining a log of events during each test. The information gathered from these logs, in addition to the postmortem report by the test man-
areas of improvement are
en a realistic completion
No test is considered a failure, as any information
benefit, even if the objectives
an immediate update to the
controls.
As mentioned before, audit should be an ally in the disaster recovery process. If this is not the case, a reevaluation and redefinition of roles might be in order. Audit should be the independent group to monitor and report the progress and effectiveness of the disaster recovery program. They should also confirm that senior management is receiving the right message and not a false sense of security when it comes to disaster recovery readiness. The following statements should be considered “warning signs” that may indicate a false sense of security among an organization’s management:
* “have a disaster recovery plan for technology.”
* “conduct annual plan tests at our vendor facility.”
* “software package.”
* “If I am affected by disaster, so are my competitors.”
Statements such as these indicate that the company’s program may not be comprehensive. Audit should recognize these symptoms and recommend solutions for bringing the DRP program to the appropriate level. Audit should work with disaster recovery planners and business managers to identify synergies with other enterprise-wide activities, such as corporate standards, self-assessment compliance programs, awareness programs, DRP expense reporting, plan development, and the development and use of monitoring tools.
Audit may often feel like “referees” in a large corporate effort. They are regularly asked to “enforce the rules” of a well-controlled and operated environment. Disaster recovery planning is clearly one area in which audit can shed the “striped shirts,”
pany’s “team colors,” and participate and add value to the critically import

Members of disaster recovery teams and senior managers should receive a copy of the com-
sider providing copies of the plan to external groups
that may help with disaster prevention and recovery.
ed a proprietary document, and they should not be
distributed indiscriminately, either internally or
As described in the previous section, the DRP should not be dependent on the participation of any individual or team. A disaster could result in the unavailability, injury, or death of key recovery team members. It is also possible that essential members of the recovery team may find the recovery process overwhelming and resign from their positions. Therefore, to help prevent chaos following a disaster, the DRPs should contain enough detail to allow available staff to begin implementing the recovery process as quickly as possible following a disaster. A complete, up-to-date set of plans should also be maintained in an accessible off-site location to ensure accessibility when needed.

Disaster Recovery Strategies

iate
site, notification required before occupying the site, length of stay permitted, testing procedures, assistance available from the backup site, and adequacy of office space.
adequately describe operations and procedures presently in use at
nter, plus any unique procedures developed for use at the internal backup site?
ation allows staff members (other than those most familiar with the tasks) to resume critical processing. The DRP should define critical data, documentation, and supplies that are to be stored at the internal backup site. It should also include notifica-
and how to move personnel, equipment, and supplies to the alter-
ld address the adequacy of the computer room layouts, building

Do the periodic tests of the DRP fulfill audit objectives by:
* Determining the adequacy of the off-site storage facilities and existing recovery procedures? Information will be obtained concerning availability of off-site files and the documentation necessary for efficient recovery.
* Identifying deficiencies in recovery capabilities and related internal controls? Plan testing will also help assess management’s command of the situation and its ability to adapt to unusual situations.
* Identifying and evaluating the cost and effectiveness of continuing operations at an alternate site?
Audit should compare the criticality of the controls being tested with the strength of the test results. If they are equal (i.e., if there is high criticality and a high level of compliance), then the disaster recovery procedures should be considered adequate. Differences between compliance and criticality may suggest that resources associated with the control are being overused or underused.

Does the DRP adequately identify critical files necessary for operation and efficient recovery? It is important to verify that adequate procedures exist for backup, documentation, and storage of critical files.

Is the DRP designed to protect and recover data at all levels within the organization? In addition to addressing mainframe-based data, the DRPs should also provide policies and procedures for protecting and recovering programs and data developed by end users for use on personal computers.

Does the organization maintain adequate insurance coverage to ensure restoration following a disaster? The organization’s insurance should also protect against business losses resulting from the inadequate performance of a third-party vendor.
* Identification of critical data?
* results performed and a conclusion drawn?
* Statement of objectives and assumptions?
* Different levels of disruption such as disaster, loss of individual components, and temp loss of resources?
* Describes sce
for each
Examples of potential disasters include:
* Interruption of communications
* Define what a disaster is, who may declare one, and how to implement
* Define procedures for each recovery area identified as a result of the
cess? For example:
* Application system recovery
* Telecommunications system recovery
* Systems software recovery
* Describe alternate operating and processing procedures of electronic
* Does the DRP also describe maintaining communications with the value-added net-
* Is there an authorized list for updating the
* How frequently is it reviewed or revised?
* Who is responsible for updating the plan to reflect changes in
nel, software, and telecommunications?
* benefits of a hot versus a cold site processing facility?
* Does the DRP require storage of at least one complete, current copy of the plan at a secure and accessible off-site location?
* Does the DRP identify the test team and the procedures the team should follow in documenting the physical testing of the plan?
* specify procedures for conducting regularly scheduled
documenting those results?
* Does the recovery team include key representatives from the following business
* Data processing management
* Data administration
* User departments
* Telecommunications (voice and data)
* Facilities management
* Computer operations
* Systems and applications programming
* Personnel, security, audit, and vendor representatives
* Are senior managers officially assigned the responsibility for initiating disaster recovery procedures?
* Does the DRP provide for assigned alternates for each permanent team member?
* Do the alternate team members know of this assignment? Do they know their job responsibilities?
ses and telephone numbers of the team members, users,
ar procedure for notifying vendors and
alternate-site con-
ning recovery team members fulfill
to their assigned roles?
* Does the DRP address the definition of team members’ functions at the task level?
Responsibilities would include:
general communication procedure
ity designed to notify the entire workforce, by
in the event of a serious disaster?
* Are management personnel able to run the computer center in the event that non-management personnel are unavailable?
* Has a personal skills inventory been conducted to identify special employee skills that could be used during an emergency?
* Is access to the data library restricted to designated librarians, even during disaster periods?
* Has a recovery team been assigned so that they can begin work immediately in the event of a disaster?
* Is user management heavily involved in computer disaster recovery planning?
* Are computer personnel in key positions of authority bonded?
* Has the staff been trained in fire alarm, bomb threat, and other emergency procedures?
* Has the staff been adequately instructed in what to do when an emergency alarm sounds?
* Have computer center personnel been trained to protect confidential data during periods of disaster recovery?
* Do all security procedures remain in effect during a disaster recovery period?
* Are disaster recovery responsibilities included in the appropriate job descriptions?
* Are new or transferred employees immediately trained in disaster recovery procedures and assigned appropriate responsibilities?
of all supplies and copies all
* Is there a complete listing of forms available at a second site?
been reviewed by senior management and approved by all responsible managers?
* If extra copies of the disaster recovery plan are maintained, are they regularly updated?
* In the event of a disaster, have sufficient funds been allocated for transportation, operating expenses, emergency supplies, and so on?

The following questions must be answered by members of management who own a vital business process:
* Have you ensured that the vital business process can fulfill its mission in the event of a disaster?
(C) All processes evaluated
(A) Target date
(AE) Target date
* Have you prepared disaster recovery plans that include vital business process recovery requirements as well as service commitment requirements from suppliers of service?
(C) Disaster recovery plans prepared
(A) Target date
(AE) Target date
* Have you planned and conducted a review of the disaster recovery plan in the past
ving any deficiencies discovered during the review?
(C) Reviewed within the past year
(A) Target date
(AE) Target date
* Has a disaster recovery test been conducted within the last two years, resolving any problems or exposure discovered during the test?
(C) Tested within the past two years
(A) Target date
facility (i.e., local area networks,
rting the vital business process, have you answered the Sup-
(C) Supplier of service section applicable/not applicable
(A) Target date
(AE) Target date
A = Action plan in progress, AE = Action plan ending date,

The following questions must be answered by members of management who are suppliers of services essential to the recovery of the vital business process (i.e., information systems services, site services, site security) and who must negotiate service level agreements with owners of vital business processes defining services committed in the period following a disaster until normal operations are restored.
* Have you negotiated service level agreements with owners of vital business processes who are on your service/system?
(C)
are disaster recovery plans covering their service commitments and protect it off-site.
* Do you have a disaster recovery plan for your service/system that will recover the vital business processes as committed in the service level agreement?
(C)
* Is your disaster recovery plan for y
updated within the last twelve mo
In addition to the effort in
(C)
(A) Target date
the CIO when testing is not in compliance
(A) Target date
(AE) Target date
See Exhibit 8.1 for a sample disaster recovery plan.