Audit - Auditing and Security and Disaster Recovery Plans
Musaji, Yusufali F.
Auditing and security: AS/400, NT, UNIX, networks, and disaster recovery plans / Yusufali F. Musaji.
p. cm.
ISBN 0-471-38371-6 (cloth: alk. paper)
1. Electronic data processing--Auditing. 2. Computer security. I. Title.
QA76.9.A93M87 2001
005.8--dc21 00-064922
10 9 8 7 6 5 4 3 2 1
This book is dedicated to my grandmother Mrs. ~ulsumbai ~urbhai, who taught me to sacrifice so I could grow.
To my wife, ~ao Musaji, for her love, tolerance, and faith.
...nd the big picture, see their roles within it, continuo...

...resources from hackers and computer thieves, corporations neglected the physical security aspects and as a result suffered financial loss from lack of physical security controls, thus becoming easy game for crooks. In spite of this, physical security continued to be regarded as being limited to the perimeter controls and bodyguards at the front doors.

Theft or damage to information processing resources, unauthorized disclosure or erasure of proprietary information, and interruption of support for proprietary business processes are all risks that managers who own or are responsible for information resources must evaluate. Since physical access to information processing resources exposes a company to all of these risks, management must institute physical access controls that are commensurate with the risk and potential loss to the company.

The objective of the physical security audit is to determine if management processes have been implemented, are effective, and are in compliance with established instructions and standards as formulated in the company security policy. They ensure that the company's information resources are protected from unauthorized ...
Chapters 3, 4, 5, and 6 discuss auditing the most advanced platforms: AS/400, Microsoft NT, and Unix.

Why are system concepts and architecture important to understand? Businesses do not start by choosing a computer platform. They start from business needs. Because of this, the computer system is very often considered first. Why should the computer architecture matter? The accelerating rate of change of hardware and software technologies necessitates that the system selected has been designed with the future in mind. Do the platforms accommodate inevitable, rapid, and dramatic technology changes with minimum relative effort? Are the systems future-oriented? Paradoxically, the characteristic of the most advanced design and technology is subtle: it accommodates the rapidly changing hardware and software components, permitting one to fully exploit the latest technologies.

Is the operating system conceived as a single entity? Are the facilities such as relational database, communications and networking capabilities, online help, and so on fully integrated into the operating system and the machine?

Successful audits of computer platforms are intended to provide an analysis of the computing and network hardware components with potential risks and recommendations. If the computing platform is not secure, neither is the company's data.
Chapter 7 continues the discussion of auditing networks. Corporations deploy networks to lower the total cost of network ownership, maximize their return on investment, provide seamless, enterprise-wide services, enable applications, enhance their performance, control network resources, speed up project implementation, and minimize risk and ...
Chapter 8 discusses auditing the disaster recovery plan. Large pools of shared databases, time-sharing, vast teleprocessing networks, telecommunications connections to non-company facilities, multiple distributed printers and systems, and thousands of users characterize the state-of-the-art computer centers in corporations. Disruption of service or the intentional or inadvertent destruction of data could potentially bring business processes to a halt.
Across this entire computer infrastructure, the Information Security (IS) processes must be implemented to ensure the confidentiality, integrity, and availability of the company's information assets. The responsibility for the implementation of an effective IS program is assigned according to the company's goals and objectives. Generally, this responsibility is delegated to the information systems function because of its traditional role as Provider of Service. However, IS is often not the Provider of Service for smaller systems that exist at a location. Regardless of the organizational roles and responsibilities, the corporate information officer (CIO) is responsible for the overall implementation.
With the emergence of disaster recovery planning, physical security is regarded as the cornerstone to developing a viable disaster recovery plan. The pundits have suddenly proclaimed "Eureka," and the dawn of physical security as the foundation on which the disaster recovery plan can be built has begun to take hold. Protecting assets from disasters is now one edge of a double-edged sword, with the other edge preventing losses from theft and human errors, which in fact pays partly if not wholly for the costs of disaster recovery planning. The auditor must ensure that the computing environments supporting vital business processes are recoverable in the event of a disaster.
Auditing and Security has been developed for IT managers, IT operations management, and practitioners and students of IT audit. The intent of this book is to highlight the areas of computer controls and to present them to the reader in a practical and pragmatic manner. Each chapter contains usable audit programs and control methods that can be readily applied to information technology audits. As an added value, two presentations are available on the World Wide Web. The first presentation is a proposal for investing in a disaster recovery plan and the second is a firewall selection guide. Please visit www.wiley.com/musaji. The user password is: auditing. These documents are in PowerPoint format.
Yusufali F. Musaji is the Founder, Director and President of Mi's Y Consulting Inc., an IT and Financial Consulting firm specializing in computer consulting. Yusufali has a strong computer science and financial background. He embraces the full spectrum of financial, operational, and IT disciplines required of a state-of-the-art organization. His functional and technical areas of expertise include system development and implementation, project management, computer security and financial systems.

Yusufali F. Musaji is widely published in IT, financial, and security journals re... ...ser Relationships, and has also developed numerous business continuity plans. He holds a Bachelor of Computer Science from York University, Toronto, Canada, and is a C.G.A., CISA and CISSP.
Contents

1. Information Security through Dynamic Culture
   Information Security Manager-Leader Roles
   Dynamic Culture Is a Prerequisite for Growth
   Sustaining Culture for Process Improvement
   Focus Inward
   Dynamic Culture Overview
   Leadership Needed from IS Manager-Leaders
   Dynamic Culture Transformation
   Recognizing Traits
   Desired Behaviors: Win, Execute, Team
   Dynamic Culture Self-Assessment
   Norms and Values
   Systems, Structures, and Processes
   Assumptions
   IS Manager-Leaders or Manager-Leaders
   Total Job Model
   Human Resources/Employee Processes
   Manager-Leaders' Accountability
   New Role of the Manager
   Shared Responsibility for HR/Employee Processes
   Foundational Traits and Attributes
   Specific Skills Required by IS Manager-Leaders
   Personal Learning Sparks Organizational Learning
   Executive Skills Versus Manager-Basic Skills
   Conflict Resolution
   Characteristics of Formal Conflict Resolution Plans
   Conflict Awareness
   Criteria for Positive Resolution

2. Physical Access Controls
   ... the Company Installation
   Analysis and Acceptance

3. AS/400 System Concepts and Architecture
   System Concepts
   Full Integration into the Operating System and the Machine
   Security
   System Key Lock
   System-Wide Security Values
   System Authority
   User Profiles
   Group Profiles
   Authorization Lists
   Adopt Authority
   Order of Authority Checking
   Other Security Issues
   System Values
   Summary

4. Auditing the AS/400
   Operational Controls
   Organizational Structure
   Program Development, Acquisition, and Maintenance
   Access to Data Files
   Business Continuity
   General Controls
   Computer Room
   Physical Access to System Unit
   System Key Lock
   System Console
   Dedicated Service Tools
   Security Level
   Allow User Domain Objects
   Password Formatting Rules
   Maximum Sign-On Attempts
   Limit Security Officer Access
   Remote Sign-On Controls
   Limit Number of Device Sessions
   Automatic Configuration of Virtual Devices
   Automatic Configuration of Local Devices
   Attention Program
   Violation Reporting and Follow-Up
   Default Public Access Authority
   Display Sign-On Information
   Job Time-Out
   System Portion of Library List
   User Portion of Library List
   IBM-Supplied User Profiles
   Special User Profiles
   User Profiles
   Group Profiles
   Library Access
   Access to Data
   Access to Program Libraries
   Authorization Lists
   Job Descriptions
   Initial Program
   PC Support
   Output Queues
   Sensitive Commands
   Backup and Recovery
   User Verification
   Audit Trails
   Privileged User ID Authorization
   AS/400 Installed ...
   Job Descriptions
   4A.8 Network Considerations

5. Windows NT
   Introduction
   Security Reference Monitor
   Security Account Manager
   Discretionary Access Controls
   Other Features
   Security Overview
   Logon Process and User Identity
   Objects and Security
   Permissions
   Access Control Lists
   Design Features
   User Accounts
   User Rights
   User Accounts, Groups, and Security Planning
   Permissions Summary
   Policy Planning
   Account Policy
   User Rights Policy
   Audit Policy
   System Policies
   Share Planning
   Creating Shares
   Creating a Network Share
   Setting File System Permissions
   Managing Groups
   Special Groups
   Managing User Accounts
   Networked and Local Users
   Special Built-In Accounts
   Creating User Accounts
   Copying User Accounts
   Disabling and Deleting User Accounts
   Renaming User Accounts
   Environment Profiles
   Logon Scripts
   Home Directories
   Creating User Directories
   Summary

6. Unix
   Introduction
   ...tion Manager Review
   ...ing a Secure System
   Set Audit Monitor and Audit Log Parameters
   Turn Auditing On or Off
   Select Users to be Audited
   Select Events to be Audited
   Select System Calls to be Audited
   Interpreting Audit Log Data
   Managing Audit Log Resources
   Administering the Auditing System
   Using Auditing in a Diskless Environment

7. Internetworking
   Overview
   Devices
   Control Requirements
   OSI Model
   Communicating Data through Encapsulation
   OSI Layer 1: Physical Layer
   OSI Layer 2: Data Link Layer (The Virtual World)
   OSI Layer 3: Network Layer
   OSI Layer 4: Transport Layer
   Connection-Oriented and Connectionless Networks
   OSI Layer 5: Session Layer
   OSI Layer 6: Presentation Layer
   OSI Layer 7: Application Layer
   Networking Topologies
   Implementing Ethernet
   Token Ring
   ANSI Fiber Distributed Data Interface
   Networking Interfaces
   Physical Layer Interface
   Data Link Layer Interface
   Basic Internetworking Devices
   Cisco Router
   Lab Overview
   Power Up and Basic Router Access Using TFTP Server
   A Look Inside Internet Operating System
   Firewall
   What Is a Firewall?
   Security Policy
   Common Internet Threats
   Firewall Architectures
   Stateful Inspection
   Packet Filters
   Circuit-Level Gateway
   Application-Level Gateway
   Stateful Inspection Advantages and Disadvantages
   Networking Configuration
   Network Address Translation
   Monitoring
   NT Security
   Network Information Services
   Documentation Checklist
   Firewall Checklist
   Filters
   Firewall Tests

8. Auditing the Disaster Recovery Plan
   Introduction
Of these, image is considered to be four times more important than any of the other factors. Image is a composite of four employee-related issues:

1. Highly skilled employees who are committed to excellence.
2. Employees who are responsive and helpful and who take charge.
3. A company that is customer oriented and easy to do business with.
4. A company you can trust.

Fulfilling customer satisfaction on these four issues, especially the first two, is very de...
IS manager-leader roles
What is the mission of IS m...
How does their mission relate to a c...
What would a security-conscious culture/company look like?
Information ... dynamic culture
Roles versus jobs and titles
... future expectations
Any successful business strategy is geared tow...
...orations, attributed to failure to transform cultures in conjunction with ... efforts, has been high.

The ...-shaped chart in Exhibit 1.2 shows the four factors that must be present for ... to be effectively implemented. It is not enough to only have reengineered processes; ... processes will fail without the accompanying changes in job ..., ...oring methods, and norms and values embedded in the ... These are the intangible cultural factors below the surface, depicted beneath the ... reengineered processes, which form the visible tip of the iceberg above the surface. ... methods and ideas on employees will not work, especially if the ... More than half the reengineered efforts have failed ... the crucial importance of the cultural factors below the surface ... to squander their huge investments in the new processes if ... investment is dismal. Consequently, attention to cultural un... is becoming mandatory.

The word transforming is intended to capture both the journey and the need for dynamic culture. This requires modeling the new culture in the way ... nurtures new relationships, and adds value in the evolving ... Employees -> Satisfied Customers. "... to your customers." ... their discretionary effort to ... both ... goals and ... the company's success. It is this "volunteerism" ... compliance. A dynamic culture/company unleashes the potential of employees who are committed to clear, relevant, and meaningful purposes that they have helped shape.
Employees will commit to the new dynamic culture when four factors are in place:

* Clarity: Staff members understand what the new culture is; the characteristics of the culture are clear to them and they can articulate them to others.
* Relevance: Staff members see the relevance of the dynamic culture to the company's business success; they see how it will ... the company's customers and help the company grow.
* Meaning: Staff members see the personal meaning of the new culture, what it means to them personally, and they can get excited about it.
* Involvement: Staff members want to be, and are, involved in the shaping and deployment of the new dynamic culture; without involvement, no commitment.

Where it is impractical to involve everyone in shaping large-scale change, their chosen representatives may be involved. Giving employees the choice to be involved is the key point, even if they choose not to be.

The need should be for everyone, especially IS manager-leaders, to help sustain the journey and not slip back: to be comfortable reinforcing, evolving, and nurturing the dynamic culture/company. In summary, IS manager-leaders enable the dynamic culture that generates a dynamic company, producing highly satisfied and loyal customers that fuel company growth.
The most obvious si... and valuable ...les on management, ... organizations. To help understand these behaviors in the context of ..., they are organized around the three foundational commitments: win, execute, and team.

The dynamic company has six core elements as shown in ... The pieces of the dynamic culture/company puzzle are as follows:

* A company that expects teamwork, integrity, respect, ..., where employees earn competitive pay and benefits.
* Its leaders create and communicate a winning strategy.
* Its leaders walk the talk.

Exhibit (partially recovered): desired behaviors, grouped by commitment, beside the systems, structures, and processes that support them.

Execute
  4. Insisting on results
  6. Showing concern for quality and productivity
  7. Using and being loyal to the company's products
  8. Communicating/listening effectively
  9. Welcoming the truth
  10. Capitalizing on change
  11. Showing disgust with bureaucracy
  12. Putting never-ending attention to skills improvement
  13. Committing to being a process-managed business

Team
  15. Walking the talk on respect, integrity, teamwork, and excellence
  16. Valuing diversity
  17. Sharing and leveraging knowledge
  18. Acting unburdened by boundaries
  19. Empowering individuals and teams

Supporting systems, structures, and processes:
  * Restructuring / ... scale
  * Flatter organization
  * "Fit in fast" checklist
  * "Fit for you" card
  * Delegation of authority
  * Skills process
  * Skills focus
  * Professional careers
  * Expert professions
  * Job news
  * Global processes
  * Workload study/module
  * Diversity council
  * Diversity training
  * Flexible work options
  * Team implementations
  * Team symposiums
  * Team-based rewards
  * 360-degree feedback
  * Peer recognition
  * Roles versus job
The three commitments of the norm categories are:

1. Win
2. Execute
3. Team

The four values are respect, integrity, teamwork, and excellence (the RITE values).

Companies require systems, structures, and processes to o...; these include the following: ... management and measurement systems ...; hierarchical or team-based s... The marketplace is the driving ... At the core, a company depends ... with a minimum of bu... ...ld be reflected in the ... ...ect on approaches toward team... In many companies, the terms leader and manager are used interchangeably ... business processes.
Exhibit: two sets of assumptions (traditional versus dynamic)

ABOUT HUMAN NATURE
  Traditional: Employees basically dislike work, are lazy, need to be coerced and controlled, and prefer to have superiors make their decisions for them.
  Dynamic: Employees basically love being challenged by meaningful work, and are energized when they help make decisions affecting their work environment.

ABOUT TRUST
  Traditional: Trust is tied to position power; superiors are not questioned because they must have good reasons for their actions or views.
  Dynamic: Trustworthy employees who display character and competence, and who encourage and open two-way dialogue, earn trust.

ABOUT MOTIVATION
  Traditional: Extrinsic "carrots and sticks" are what motivate employees.
  Dynamic: Intrinsic satisfaction is what motivates employees; rewards are "hygiene factors."

ABOUT INTERNAL COMPETITION
  Traditional: Internal competition brings out the best in employees and should be encouraged to stimulate high performance; reward systems should promote trying to do better than peers.
  Dynamic: Internal competition destroys teamwork, inhibits sharing and leveraging knowledge, and demoralizes team members; reward systems should promote collaboration.

Leading versus managing (partially recovered):
  Leading ... the messiness of innovation; managing craves order.
  Leading ... new directions; managing demands proof.
  Leading ...; managing relies on control.
  Leading is asking "...?"; managing is asking "...?"
Exhibit (figure not recovered): leadership quadrant with the four types Administrator, Complete Leader, Abdicator, and Dreamer, plotted against a high/low axis and the Win dimension.
Exhibit (partially recovered): self-assessment ratings for selected desired behaviors. The ratings are printed as H (high), M (medium) and L (low); the column headings did not survive extraction.

Win
  1. Focusing on winning through customer value ... best ...   H H H H M
  2. Putting customer first, company second, ... third         H H H M

Execute
  14. Modeling a work/life balance                             L H L M

Team
  15. Walking the talk on respect, integrity, teamwork, and excellence (the 'RITE' values)   M H H H M
  20. Energetically building cross-functional/global teamwork   H H H H M
Employee processes merit more explanation because of their ... Because they are processes, there are consistent steps that constitute the best ...; managing these processes, therefore, involves ensuring that the steps are ... This process consists of:

* Incorporating planning for the right level of resources directly into the business processes.
* Making sure the appropriate staffing solution/process is used, based on the work that needs to be performed.
* Understanding when to staff internally and when to use external resources, and following the appropriate policies and processes when doing so.
* Recruiting and hiring employees using skill-based criteria and reflecting the diversity in the marketplace.
* Ensuring the optimum balance of employment options, both full and part time, and respecting diverse needs.
* Using employee development processes the way they are intended.
* Assessing business needs to add to staffing levels and to release employees from the business, and doing both with sensitivity and good judgment.

... the vision/mission/values/objectives of employees with the objectives of ...; assessing performance against the planned commitments, with the help of feedback from others; ensuring performance is rated equitably and fairly within and among related units; ... employees in ... cases.
Managers need to be network-savvy practitioners, not job holders ... sense. Relationships built on trust are vital.

The fragmentation of the traditional management job among several ... is fundamental to the new construct. Examples of specialized ... roles:

* Resource coordinator: This person is often not a manager and has the responsibility to deploy employees with valu...
* Project/proposal leader/manager: This person ov... work. Employees move from project to project, so ... during the course of the year. Some are knowledg... and others are not, depending on the nature of the p... "Processes" role.
* Personal development manager: An individual who oversees ... with employment, transfers, assessment and evaluation, intro..., education, handling increases, and so on. They ensure that all five ...
Exhibit: delegation levels (low to high)
  0  Manager-Leader does the task, without team leader/team input
  1  Manager-Leader does the task, with team leader/team input
  2  Team leader/team does the task, with Manager-Leader input
  3  Team leader/team does the task, without Manager-Leader input

Exhibit (partially recovered): shared responsibility for the performance-management process. The role columns read MGR, EE, RC, TL and PRTL; the A/R entries in each cell did not survive extraction.
  * ... vision/mission/values/objectives
  * Understand job linkages, business/personal
  * Establish specific objectives
  * Identify 360-degree input sources, mechanics
  * Gather performance data, 360-degree input
  * Determine overall evaluation
  * Address commitment issues/opportunities

Legend:
  MGR = Role-Holding Manager     RC = Resource Coordinator    A = Accountable (ensure it is done; has authority to delegate it)
  EE = Employee                  PTL = Proposal Team Leader   R = Responsible (does it)
  TL = Team Leader               PRTL = Project Team Leader
Demonstrate the courage of your convictions.

Skills (required proficiency level in parentheses where legible):
* Facilitate organization change (2)
* Build shared commitment (3)
* ... (3)
* Communication, presentation (3)
* Communications, written (3)
* Encourage a learning organization (3)
* Eliminate barriers/inhibiters (3)
* Coaching (3)
* Negotiation (3)
* Interpersonal communication (3)
* Facilitate meetings (3)
* Risk awareness/taking (3)
* Understand global operations ...
* ... business initiatives
* Recruit employees (3)
* Release employees from the business (3)
* ... ("involve/engage employees")
* Delegate tasks/responsibilities (3)
* ... ("... performance of employees")
* ... ("acknowledge employee contributions")
* Analyze problems/situations
* Client relationships
* Quality/problem prevention
* Apply project management practices
* Internal support tools
... with a wider b... shows executives' jobs ... The skill templates for first-line man... ; however, the executives' ski... The expected level of proficiency for an executive is hi... executives are more encompassing ... The proficiency levels are as follows:

Level 0:
  Proficiency: No skill.
  Experience: None.
Level 1:
  Proficiency: Limited skill.
  Experience: None.
Level 2:
  Proficiency: Limited ability to perform. Has general, conceptual knowledge only.
  Experience: Very limited.
Level 3:
  Proficiency: Can perform with assistance. Has applied knowledge.
  Experience: Has performed with assistance on multiple occasions. Has performed in routine situations.
Level 4:
  Proficiency: Can perform without assistance. Has in-depth knowledge. Can lead or direct others in performing.
  Experience: Repeated, successful.
Level 5:
  Proficiency: Can give expert advice and lead others to perform. Is sought by others for consultation and leadership. Has comprehensive knowledge with ability to make sound judgments.
  Experience: Extensive, comprehensive.

There is a wider scope implied in the skills for executives than for first-line managers because of the larger size of the organizations and business results for which they are accountable.
... in conflict resolution will set ... A critical step in building conflict resolution strategies is a formal declaration to the team members of the probability of conflict and the mechanisms being established to ... This amounts to "flushing out" ... the possibility of hidden agendas or token ... that conflict is inevitable ... the employees involved ... or concern to remain buried, which often allows difficulties to ferment and blow out of proportion. ... conflict resolution ... complete issue resolution ...
At a minimum, this inspection should ... Peripheral devices include:
* ... devices
* Connection for printers and plotters
* ... server ... used ... services on behalf of ...
* Telephone lines

Exhibit (partially recovered): area classification
  Type A area, High, Zone 1: systems that are essential to supporting vital business processes.
  Type B area, Medium, Zone 2: an office or room that supports a vital business process is locked when unattended.
A decision has to be made on whether to implement protective measures or assume the risk with the associated exposure. In order to demonstrate an effective physical access control process, managers responsible for computing facilities must maintain the following minimum documentation:

* Identification of the area, its use, the level of information supported, equipment/service, and the level of control required.
* The means of communicating the level of information supported ... provisions and requirements.

Note: The information systems environment is continually changing; therefore, risk analysis should become an ongoing process that is conducted and reevaluated on a periodic basis to ensure that the cost associated with implementation is achieving the projected benefits. While the ultimate decision of what risk to accept and what risk to ... rests with management, risk analysis requires a total team effort ... individuals who can help to evaluate the risk.
... internal or restricted ... requires appropriate ... ...izations are revalidated on a re... basis.

Checklist (partially recovered):
* ... protected by secured space.
* ... for inclusion in your sample: if volume is sufficient, ... computer ... hoc mode to verify ...
* Ensure that all entrances and exits are secured ... access level mechanism.
* These controls are not applicable to individuals controlling their own ... on their microprocessor, since the custodial relationship does not exist.
* ... often contain ... appropriate control sequences. As a re... ...red information ... in wastepaper baskets.
* Media, including inventory of the portable storage m... ...esses all portable storage media ... return, storage, and destruction.
* Controls to ensure that bypass lab... from unauthorized use.
* ... sample ... media transactions to ensure that pr...
* Review the effectiveness of ... tape removal procedures ... processes, and procedures for m... disposal or nonproprietary use.
* ... assigned a classification or labeled to iden... controls ensure accountability for the ... and that inventory records compare to phys... From these inventories, select ... For each inventory entry, ... where classified data is sto... ...tification if required.
Exhibit (partially recovered): exposures by asset, with Telephone and People rows marked across several threat columns.

Exhibit (partially recovered): environmental controls, classed as detective, preventive, or corrective. Controls listed: fire alarms; fire procedures; emergency drills; fire extinguishers (CO2, water, dry-pipe, Halon); smoke detectors; sprinkler heads; maintenance; wiring in ceilings and trays; rules and regulations; cleaning; dust covers; insurance; disaster recovery; power cutoffs; automatic power trace board (circuit carrying voltage and a ground trace); water detectors.
... the air-conditioning ... preventive maintenance. The control requirements ... of the computer room. ... a good conductor of ... can be connected ... numbers to advise ... motor generator overheat?

Who causes break-ins?
Who writes computer viruses?
Who steals passwords?
Who causes vandalism?
Who can be notorious threats?
Is it aliens from outer space?
The security policy must ensure that management awareness of all physical access to computing facilities, internal systems, and data can be demonstrated and that ... various classes of management positions ...

The system administrator typically:
* Implements auditing procedures.
* Inspects and analyzes audit logs.
* Administers group and user accounts.
* Repairs damaged user files and volumes.
* Updates system software.
* Sets system configuration parameters.
* Collects various system statistics.
* Periodically scans file permissions.
* Deals with invalid superuser attempts and invalid network requests.
* Installs security-relevant software.
* Performs routine maintenance such as backups.
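As an added example (not code from the book), the two of these duties that lend themselves to automation, the periodic file-permission scan and the follow-up of invalid superuser attempts, as a Python check. The directory tree and the syslog lines it runs on are constructed inline; the "FAILED SU (to root) user on tty" message format is the one written by the Linux su utility and is an assumption, so the regular expression would need adjusting for another Unix.

```python
"""Added example (not from the book): permission scan plus failed-su follow-up.

The directory layout and the log lines below are constructed for illustration.
The 'FAILED SU' syslog format is the Linux su one and is assumed."""
import os
import re
import stat
import tempfile
from collections import Counter


def scan_permissions(root):
    """Walk root and report files that are world-writable or carry a setuid/setgid bit.

    Symbolic links are skipped (their mode bits are meaningless) and unreadable
    entries are ignored rather than aborting, as an unattended cron job should."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_mode & stat.S_ISUID:
                findings.append((rel, "setuid"))
            if st.st_mode & stat.S_ISGID:
                findings.append((rel, "setgid"))
    return sorted(findings)


# Matches e.g. "su[1234]: FAILED SU (to root) bob on /dev/pts/1" (Linux su format, assumed).
FAILED_SU = re.compile(
    r"su(?:\[\d+\])?: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")


def invalid_su_attempts(log_lines, threshold=3):
    """Count failed su-to-root attempts per originating user and return the users
    at or above threshold, i.e. the ones the administrator should follow up."""
    failures = Counter()
    for line in log_lines:
        m = FAILED_SU.search(line)
        if m and m.group("target") == "root":
            failures[m.group("user")] += 1
    return {user: n for user, n in failures.items() if n >= threshold}


# Constructed sample log: bob fails three times, alice once, carol succeeds,
# and alice's failed su to a non-root account is not counted.
SAMPLE_LOG = [
    "Jan 14 03:12:07 host su[1234]: FAILED SU (to root) bob on /dev/pts/1",
    "Jan 14 03:12:09 host su[1235]: FAILED SU (to root) bob on /dev/pts/1",
    "Jan 14 03:12:15 host su[1236]: FAILED SU (to root) bob on /dev/pts/1",
    "Jan 14 03:20:41 host su[1240]: FAILED SU (to root) alice on /dev/pts/2",
    "Jan 14 03:21:02 host su[1241]: + /dev/pts/2 carol:root",
    "Jan 14 03:25:00 host su[1250]: FAILED SU (to backup) alice on /dev/pts/2",
]


def demo_scan():
    """Build a throwaway tree with one world-writable, one private and one setuid
    file, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("scratch.txt", 0o666), ("private.txt", 0o600), ("report.sh", 0o4755)):
            path = os.path.join(root, name)
            with open(path, "w") as f:
                f.write("x\n")
            os.chmod(path, mode)
        return scan_permissions(root)


if __name__ == "__main__":
    print(demo_scan())
    print(invalid_su_attempts(SAMPLE_LOG))
```

In production the scan would start from / with the same skip list a find-based job would use, and the log reader would tail the authentication log rather than a list; the threshold is a policy choice, and the successful su by carol is deliberately left alone because a successful escalation is reviewed from the audit log, not from failure counts.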
The frequency with which owning managers should review the nonregular employ... ..., who authorizes access to a user to the co... ...able to an owner. Review documentation ... prevent unauthorized ph... procedures describing ... gathered or obtained. ... unauthorized personnel?

Logical partitioning lets you run multiple independent systems (processors, memory, and disks) within a single symmetric ... server consolidation, business unit consolidation, ... clusters, as well as for supporting ... protecting your business from ... not run on earlier ... on a card, which enables ... to authorized personnel. ... can also be used to perform ...
... implications, are discussed in ... In addition to the utilities listed previously, many system utilities, productivity aids, training tools, and other system software utilities or packages introduce additional security concerns. Utility programs and operating system functions that are of interest to auditors are as follows:

... to unauthorized personnel.

Query: simplifies database inquiry procedures. It allows users to interactively specify criteria for the extraction, summarization, and presentation of database ... generating random numbers ...

Initial program and menu: upon sign-on to the system, the ... can display a series of ..., or a control ... mandatory menu. This control feature is ... be inappropriate for many ...

Journaling: A journal is designated as ... to all ... of system ... after images of changes ... all entries stored in the journal ... so that the database will be in the same state as it was ... by reapplying all the transactions.

Commitment control: When a single transaction updates multiple files, there is a risk that data could be corrupted by a system crash before all the files are updated. Commitment control ... should the system ... uses journaling techniques to record data until the transaction is complete ... It prevents data corruption by ensuring that the transaction is complete before the database is updated permanently.
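As an added example (not from the book), the following Python code shows the mechanism commitment control relies on: the before-images of every file the transaction touches are journaled before any file is rewritten, a crash part-way through leaves the files inconsistent, and recovery at the next start-up restores the before-images so the transaction can be rerun from a clean state. The JOURNAL file layout, the Crash exception and the account/ledger file contents are this example's own constructions; a real journal records change entries in a receiver, which this toy approximates with one JSON snapshot per transaction.

```python
"""Added example (not from the book): a before-image journal giving a multi-file
update the all-or-nothing property the text calls commitment control.

The JOURNAL file, the Crash exception and the sample file contents are this
example's own constructions."""
import json
import os
import tempfile


class Crash(Exception):
    """Simulated system failure in the middle of a transaction."""


class JournaledFiles:
    """Files under `directory` that can be updated as one unit of work."""

    def __init__(self, directory):
        self.dir = directory
        self.journal = os.path.join(directory, "JOURNAL")
        # An interrupted transaction is rolled back at start-up (the IPL).
        self.recovered = self.recover()

    def _path(self, name):
        return os.path.join(self.dir, name)

    def read(self, name):
        with open(self._path(name)) as f:
            return f.read()

    def write_raw(self, name, data):
        """Write without a journal entry; used for the initial load and for recovery."""
        with open(self._path(name), "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())

    def commit(self, updates, crash_after=None):
        """Apply every entry of `updates` ({file name: new content}) or none of them.

        crash_after=k raises Crash once k files have been rewritten, leaving the
        files torn exactly as a power loss at that point would."""
        # 1. Journal the before-images before touching any file.
        before = {name: self.read(name) for name in updates}
        with open(self.journal, "w") as f:
            json.dump(before, f)
            f.flush()
            os.fsync(f.fileno())
        # 2. Rewrite the files one by one.
        for done, (name, data) in enumerate(updates.items()):
            if crash_after is not None and done == crash_after:
                raise Crash(f"failure after {done} of {len(updates)} files")
            self.write_raw(name, data)
        # 3. Removing the journal is the commit point: from here the new
        #    contents are permanent and recovery has nothing to undo.
        os.remove(self.journal)

    def recover(self):
        """Undo an interrupted transaction by restoring its before-images.
        Returns True if there was one to undo."""
        if not os.path.exists(self.journal):
            return False
        with open(self.journal) as f:
            before = json.load(f)
        for name, data in before.items():
            self.write_raw(name, data)
        os.remove(self.journal)
        return True


def demo():
    """Transfer 40 from alice to bob across two files, crash half-way, recover, retry.
    Returns the (ACCOUNTS, LEDGER) contents after each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        db = JournaledFiles(tmp)
        db.write_raw("ACCOUNTS", "alice=100\nbob=0\n")
        db.write_raw("LEDGER", "")
        transfer = {"ACCOUNTS": "alice=60\nbob=40\n", "LEDGER": "alice->bob 40\n"}
        try:
            db.commit(transfer, crash_after=1)   # ACCOUNTS rewritten, LEDGER not
        except Crash:
            pass
        torn = (db.read("ACCOUNTS"), db.read("LEDGER"))
        db = JournaledFiles(tmp)                 # restart: recover() rolls back
        rolled_back = (db.read("ACCOUNTS"), db.read("LEDGER"))
        db.commit(transfer)                      # retry without a crash
        committed = (db.read("ACCOUNTS"), db.read("LEDGER"))
        return torn, rolled_back, committed


if __name__ == "__main__":
    for label, state in zip(("torn", "rolled back", "committed"), demo()):
        print(label, state)
```

The order of the three steps is the whole point: if the before-images were written after the first file, or the journal removed before the last file was synced, the crash window would reopen. Recovery is idempotent, so a second crash during recovery is handled by simply running it again.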
Mirroring: This method of protection stores duplicate data on separate disks. Should one of the disks fail, processing continues using the mirrored disk. The cost of this level of protection is that all write operations are duplicated and available storage is halved. This option is utilized when it is critical for the system to be up and running. Use of this option results in increased performance for read operations, since there are two places to read information from. Note that mirroring protects against disk failure only: an erroneous or malicious write is duplicated to both disks, so it is not a substitute for backups or journaling.
Minimal security (level 10): no passwords are used, and any user can perform any function.
Password security (level 20): passwords are used, but users can perform any function.

System key lock positions:
1. Manual   3. Secure
2. Normal   4. Auto

(Table, partially recovered: ... Yes No No / Remote IPL No ... No)

... security requirements.

Display sign-on information: is used to display to the user, at sign-on, information such as the date of last sign-on, the number of invalid sign-on attempts, and the date the password expires (if less than seven days) ... that is either attempting to ... the ...
There are eight specific object authorities that ... authorities. To work with an object, a user must have ... Object authorities are: ... Object authorities derive from the System Authorities.

(Table not recovered: which object authorities each system authority grants, marked with x; the final row reads "No system authorities given".)
... of the AS/400 operating system, each user pro... a user's pro... of the user's capabilities are defined within it. The user's profile also defines the user's work environment: initial menu, maximum secondary storage, user priority ... disable the user ... Attributes that may be of interest to ... The AS/400 operating system does not auto... profile and password. Therefore ... among groups of individuals ... reduces user accountability. Thus, sharing of user profiles should be discouraged. ... administratively complex wi... shown in Exhibit 3.5.
Exhibit 3.5: authorization lists compared with group profiles

Authorization Lists                                               Group Profiles
Users may be assigned different access rights.                   All users are assigned the same access rights.
Users are assigned the same access rights for all objects        A user (as part of the group) may have a different access
secured by the list.                                             right for each object secured by the group profile.
Users may be listed on multiple authorization lists.             Users can only be assigned to one group profile.
Objects must be explicitly added to the authorization list.      Objects are authorized automatically to group members when
                                                                 created by a group member, if set up to do so.
on the screen.
~ ~ e t eand
r sEvents
~ ~ n t i an spooled
g file and sending output directly to a printer
are logged.
~ystemvalue contai~sthe p ~ m e t e *
r
Vdues and P ~ a ~ e t e ~ s
C ~ ~ g e Change Change
Change andUse Change and Use Change and Use
r the following protocols:
LC ( ~networks)
~ ~ N
rity level.
n ordinary workstation
ossible v ~ l ~ are:
es
all function autho~ty
no theabove
with
user * y. The default
value is
allowed
domain
n ~ e non
t the specificre~uirements.
e t e ~ i n whether
e audit in^ is performed on the system. Itis
the opera tin^ system. It serves toturn the fQllo~ing attrib-
ossi~levalues are:
ting of user actionsor objects is perfo
ed for objectssp by means of the
ctions
specified
the
in L sys-
individual user profile ~arameter,while using the
ecific re~uirements,
e c o ~ e n d e value:
d ~ e p e ~ d eon
n tthe specificre~uirements.
t on the specificre~uirements.
ecific re~uirements.
ines the action takenby th
empts as s ~ ~in the c i ~ ~ ~
ossible v~luesare:
It.
A value of 1 to 365: This represents the number of days before a password expires.
efault value: "N
Recommended value: 30 or higher
This system value can be used to prevent a user from specifying a password with numbers (0 to 9) next to one another (e.g., 12345). Possible values are:
* 0 Adjacent numbers are allowed.
* 1 Adjacent numbers are prevented.
Recommended value: Dependent on the specific requirements.
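As an added illustration (my own code, not code from the book or from OS/400), the following Python checker applies the two password system values described above to constructed sample policies and passwords: the expiration interval of 1 to 365 days with the recommended 30 or higher, and the adjacent-digit setting with values 0 and 1. It also computes the days left before expiry, which the sign-on display warns about when fewer than seven remain. The class and function names, and the sample dates and passwords, are assumptions for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List

# Two decimal digits next to one another, e.g. the "12" in "ab12cd".
ADJACENT_DIGITS = re.compile(r"[0-9]{2}")


@dataclass(frozen=True)
class PasswordPolicy:
    """The two password system values discussed in the text (field names assumed).

    expiration_days        days before a password expires (valid range 1 to 365)
    limit_adjacent_digits  0 = adjacent digits allowed, 1 = adjacent digits prevented
    """
    expiration_days: int
    limit_adjacent_digits: int


def review_policy(policy: PasswordPolicy) -> List[str]:
    """Audit findings on the settings themselves, using the valid ranges and the
    30-days-or-higher recommendation stated in the text."""
    findings: List[str] = []
    if not 1 <= policy.expiration_days <= 365:
        findings.append(
            f"expiration interval {policy.expiration_days} is outside the valid range 1 to 365")
    elif policy.expiration_days < 30:
        findings.append(
            f"expiration interval {policy.expiration_days} is below the recommended 30 days")
    if policy.limit_adjacent_digits not in (0, 1):
        findings.append(
            f"adjacent-digit setting {policy.limit_adjacent_digits} is not a valid value (0 or 1)")
    elif policy.limit_adjacent_digits == 0:
        findings.append("adjacent digits allowed: passwords such as 12345 are accepted")
    return findings


def has_adjacent_digits(password: str) -> bool:
    """True when two digits appear next to one another anywhere in the password."""
    return ADJACENT_DIGITS.search(password) is not None


def check_new_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Reasons a new password would be rejected under the policy (empty = accepted)."""
    reasons: List[str] = []
    if policy.limit_adjacent_digits == 1 and has_adjacent_digits(password):
        reasons.append("contains adjacent digits")
    return reasons


def days_until_expiry(last_changed: str, today: str, policy: PasswordPolicy) -> int:
    """Days left before the password expires (ISO dates); zero or less means expired."""
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    return policy.expiration_days - age


def expiry_warning_due(last_changed: str, today: str, policy: PasswordPolicy) -> bool:
    """The sign-on display warns when the password expires in fewer than seven days."""
    return days_until_expiry(last_changed, today, policy) < 7


if __name__ == "__main__":
    # Constructed sample policy and passwords.
    policy = PasswordPolicy(expiration_days=30, limit_adjacent_digits=1)
    print("policy findings:", review_policy(policy))
    for pw in ("ab12cd", "a1b2c3"):
        print(pw, check_new_password(pw, policy))
    print("warning due:", expiry_warning_due("2001-01-01", "2001-01-25", policy))
```

Running the block with the sample data shows that "ab12cd" is rejected while "a1b2c3" is accepted, because the rule is about digits next to one another rather than the number of digits.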
e c o ~ e n d e dvalue:
30 or higher (possible values: 10 equals low security, and 50 equals high security.)
Security level:                                              10   20   30   40   50
Active initial program and menu security                     No   Yes  Yes  Yes  Yes
Programs may not contain restricted instructions.            Yes  Yes  Yes  Yes  Yes
Library is a temporary object.                               No   No   No   No   Yes
The system value determines the libraries where the objects  Yes  Yes  Yes  Yes  Yes
*USRSPC, *USRIDX, and *USRQ may be created.
the rapidly changing hardware and software technologies in its stride. This same architecture will continue to serve its users well by enabling its customers to continue to deploy the very latest technologies while causing the minimum possible disruption to their work.
The AS/400 architecture has another advantage besides speed: it makes the management of data and applications easier. Why? Because it lets the AS/400 assign a unique, permanent address to every piece of data and application inside the system using a technique called single-level storage. Imagine what would happen if you were mayor of a town that had 10,000 buildings and state law required you to identify them using three-digit addresses and no street names. Obviously, you couldn't give every building its own address. Imagine how difficult it would be to deliver mail or respond to emergencies.
Believe it or not, many of today's modern servers face a similar problem: they cannot assign a unique address to every object in memory or on disk. Programmers have found clever ways to work around these problems, but at the cost of programming time, added complexity, added costs, and errors. Single-level storage lets the AS/400 mark every object, whether in memory or in storage, with a unique, permanent address. This reduces the time needed to develop and enhance applications. It also helps the entire system run more smoothly, especially when running multiple tasks.
oftware failures. As one custo
eneral ~rotectionFault.”
A s y s t values
~ ~ report,
ment should be designed to provide segregation between
operations, systems and applications programming, and data control. Often in midrange installations there are a limited number of personnel, and control concerns arise over the segregation of duties. Controls that may address or monitor a lack of segregation of duties include the following: security functions may be performed only from a limited number of terminals.
ublic Authority to production data files is *
are
assigned an Initial ~ r o g andlo r ~enu limit in^ accesstoonly
~ n c t i o n necessary
s to perform their work.
Limited ~apabilitiesand atte~tion-key-handlingare set to
sonnel from modifying their Initial ~ r o g r andlor
a~ anInit
to the systemis controlled after business hours ~ o u g the
h use of automated
and c o ~ u n i c a t i o nlines c o ~ a n d s .
.,dis~ettes,tapes) is r ~ s ~ c t etod a u t h o ~ ~ e d
Observe the physical area surrounding the system unit and evaluate whether it resides in a secure area (i.e., access by unauthorized individuals is restricted).
Where is the computer with its peripherals located?
What physical security measures are used to reduce or prevent access?
Are visitors (noncomputer room personnel) entering the computer room required to sign in and out and be accompanied?
Determine whether the System Key Lock is in the auto or secure position.
The key is maintained in a secure location.
Where is the key to the System Key Lock maintained, and who has access to it?
What procedures are used/followed when the position of the System Key Lock is changed?
hat is the positionof the
at is the value of
S the device specifiedin the
number of unsuccessful sign-on attempts is not set too high. When the maximum number of unsuccessful sign-on attempts is reached, the user ID is revoked and/or
at is the valueof
ho is authori~edto change the valueof
* What isvalue
the of ?
* Is this value ever changed?
value on the system values
parameter has been set 1.toVerify that chan
* What isvalue
the of ?
* Is there a need fo rs to signon to the system?
Obtain the value ofthe p a r ~ e t efrom
r the system
se g h toS
display station p a s s - ~ o ~ users
If users to access the system, the value
to preventus
parameter has been changed
ing on to more than one
wor~stationat a time.
t is the value of
t ~ ~ that
~ the
n e
f e a ~ r activated?
e
How often and by whom are history logs/audit journals reviewed?
What security-related events are being recorded for users of the system?
What procedures are followed when a security violation is noted?
cted fromunautho~zedaccess an
Is there a need to monitor the use of and changes to specific objects by users?
Is there a need to m o ~ t othe ~ c by S
r useof andchanges tos p ~ c i objects
eview the settings to the following system values onthe system
eva~uatethe appropriatenessof the settings:
logging
will
take
p * ,even
though
user
profile
thepa-
LVLp ~ ~ e thas
e rbeen c h ~ g e from
d the default setting
twelve avai~ablevalues if additional monitoringof indi-
Evaluate the appropriateness of the parameter settings and ensure that the parameter settings meet the needs of the organization's security requirements.
* ts on thesystem, usethe c o ~ to de~ d
alue is approp~ateso th
Unattended terminals are being timed out; thus no opportunity is created for an unauthorized user to gain access to the system by way of an active but unattended workstation.
p ~ a m e t ehas
r been set
will function like an *
o a ~ t h o ~ z e s c ~toa n ~ e s
d e t e ~ n the
e following:
blic Authorityis no higher than*
Usershave a maximumauthority o tosystemandutilitylibraries(except
m e r s have a ~ a x i m u mauthority
system
and
utility libraries,
o production objectlibraries,
to production source libr *
n data libraries
source libraries.
Note
that
or
an i n t e ~ aprofile
l without a password, such as uld
be
the
owner of libraries.
Also,
note
that
most
vendor-written software, and data libraries will have an owner that may also be a group profile for end users. This means that users effectively have authority over vendor-written objects, and therefore access by users must be controlled through package-based controls (e.g., restriction of menu options).
fault public
access is set to (if the
data.
Users are not granted levels of access greater than those required to perform their job function.
object i d e n t i ~ previo~sly,
e~ use
rofile is allowed read-onlyaccess.
at policies and procedures are used
for crea
ow are authori~~tion lists del
Are authori~ationlists reviewe
ist ofsensitive
authori~ation
the lists on
theser lists, obtain a listing of all use ilities as-
d to these lists and verify the appro
lders r ~ ~ o v in
e da timely manner?
)c o ~ a n to
d list all
m136 mode and Au
access ~arametertotheCreate
are t r ~ s f e ~ into
ed ownership
e also transferred to a
le?
re objects owned at the user levelor the group level?
hat procedures are followed when ownershi
Who assumes ownershipof owned objects whenan own
~dentifyprocedures p e ~ o by~ installation
~ d ~ersonnelto ensure that c
ership of an object does not CO r o ~ s installation
e securi
ewing user profiles, incl
access p ~ ~ e t1se r
ed by installa~onpersonnel
PC Support is the utility program that allows users to use a microcomputer instead of a "normal" workstation to access an AS/400. For PC Support to perform functions, such as transferring a data file, PC Support ignores menu security.
* The installation has secured production programs and data files using authorization lists or Specific Authorities.
* AS/400 files are secured in the PC environment.
* Users are not able to bypass security by using the submit remote command (
* PC Support users are not able to freely download and upload data files.
nsure that thepara~etersettings are appropriateto achieve the desired levelof se-
queues that hold spooled filescont~ningsensitive and con~dentialin-
ensitive systemc o ~ ~ d s .
ified).
cannot be saved via
for the AS
be Access Control Facility
e the n u ~ b e r objects
R e t e ~ n if of owned by
e Determine if procedures for findingvalidowners for allobjectsowne
N are adequate.
e: Object ownership canbe viewed using the
the basic authorities have been given separate names. They are as follows:
asic autho~zation)
a u t ~ o ~for
t y the object
authority for the a u ~ o ~ z a t i olist
n associated with the object
Note: The first authorization entry found, matching the user and object, is taken. There may be other matches of higher or lower authority, but they are not used.
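To make the "first match wins" rule concrete, and to tie it to the earlier comparison of authorization lists with group profiles, here is an added worked example in Python. It is my illustration, not code from the book or from OS/400. The search order it models is an assumption made for the example: the user's private authority on the object, then the user's entry on the object's authorization list, then the same two lookups for the user's group profile, then *PUBLIC. A single group per user is a further simplification, and the profile, object and list names are constructed. The point demonstrated is the one the text makes: the first matching entry is used and later matches, whether higher or lower, are ignored. The `unused_matches` helper lists those ignored entries, which is what an auditor reviewing a user's effective authority wants to see.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Object authorities in order of strength; *EXCLUDE is the weakest, *ALL the strongest.
AUTHORITY_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass
class AuthorizationList:
    name: str
    entries: Dict[str, str] = field(default_factory=dict)  # profile (or *PUBLIC) -> authority


@dataclass
class SecuredObject:
    name: str
    private: Dict[str, str] = field(default_factory=dict)  # profile (or *PUBLIC) -> authority
    auth_list: Optional[AuthorizationList] = None          # list securing the object, if any


@dataclass
class UserProfile:
    name: str
    group: Optional[str] = None  # the one group profile the user belongs to (simplification)


# A match is (profile matched, where it was found, authority granted).
Match = Tuple[str, str, str]


def search_order(user: UserProfile) -> List[str]:
    """Profiles checked for this user, most specific first (assumed order)."""
    order = [user.name]
    if user.group:
        order.append(user.group)
    order.append("*PUBLIC")
    return order


def all_matches(user: UserProfile, obj: SecuredObject) -> List[Match]:
    """Every entry that matches the user and the object, in search order.
    For each profile the private authority on the object is examined before
    that profile's entry on the object's authorization list."""
    matches: List[Match] = []
    for profile in search_order(user):
        if profile in obj.private:
            matches.append((profile, "object", obj.private[profile]))
        if obj.auth_list is not None and profile in obj.auth_list.entries:
            matches.append((profile, obj.auth_list.name, obj.auth_list.entries[profile]))
    return matches


def effective_authority(user: UserProfile, obj: SecuredObject) -> str:
    """The authority the system applies: the FIRST match, whatever its strength.
    No match at all means the user is excluded."""
    matches = all_matches(user, obj)
    return matches[0][2] if matches else "*EXCLUDE"


def unused_matches(user: UserProfile, obj: SecuredObject) -> List[Match]:
    """Audit view: entries that also match but are ignored because an earlier
    entry was found. An ignored *ALL behind a private *USE, or an ignored
    *EXCLUDE behind a private *ALL, deserves a second look in a review."""
    return all_matches(user, obj)[1:]


def is_stronger(a: str, b: str) -> bool:
    """True when authority a grants more than authority b."""
    return AUTHORITY_RANK[a] > AUTHORITY_RANK[b]


if __name__ == "__main__":
    # Constructed sample data: a payroll file secured by an authorization list.
    acctg_list = AuthorizationList("ACCTGLST", {"ACCTG": "*ALL", "*PUBLIC": "*USE"})
    payroll = SecuredObject("PAYROLL", {"BOB": "*USE", "*PUBLIC": "*EXCLUDE"}, acctg_list)
    for user in (UserProfile("BOB", "ACCTG"), UserProfile("ALICE", "ACCTG"), UserProfile("EVE")):
        print(user.name, effective_authority(user, payroll), unused_matches(user, payroll))
```

With the sample data, BOB ends up with *USE even though his group has *ALL on the list, ALICE (same group, no private entry) gets *ALL, and EVE is excluded by the object's own *PUBLIC entry before the list's *PUBLIC *USE is ever considered.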
that adequate audit trails are generated and audit trail histories are maintained to provide management and/or legal with sufficient documentation for security incident follow-up and resolution. The requirement for a documentation retention period should be documented
in the~ f o ~ a t i o ~
Audit trails are maintainedi
which
controls secu~ty-re1 ng j o u ~ a lAny
. user
alter cannot a j o u ~ a entr
l ~ ~ ~ l i c a tdesign
ion
t ~ a overa~l
n s y s ~ se e~c ~ r i ~ .
ince the use of journals is relate
auditor needs to understand the site’s
all the activity of the system is written to the journal: all system audit, save and restore information, authorization failures, deleted objects, or security-related functions.
and is c u ~ e ~The
t,
istrative a u t h o ~ t y ~ ’
of the access con-
trol system:
dministrativeauthority is therivi at is general1usedinthe er-
of ad~ing,del et in^, and a1
e individual own in^ a us
not have the job responsibility of strati on^, they arestill considered to
have this privilege and mustCO ireme~tsfor its authorization.
/400 attributes, as escribed ~reviously,can often e co~sideredas the re-
~ ~ i r e m e noft ssystem su
Access to components of the access control system is not considered "privileged" in the explicit sense of the term. However, because of the potential ability to circumvent the access control system itself, users with access to these components should be management-authorized.
ith adopteda ~ t h o ~ t y ,
to all s y s t e ~
resources.
strator orofker
com mies will survive, and even then, only by rest~cturin
usiness. The laurels will go to those companies with
adapt themselves tothe changed industrylmdsca~e.
Successful auditsof ~ n f o ~ a t i o n
analysis of the physical environment
potential risks and recommend
infras~cture,specify
audit
will
The stan~ardsi stablish a com-
puting e n v ~ o ~on ~ an t
and creases the availab
ing will be brought into
I
The following isa list of reports that have audit significance. They can be printed and used to audit the AS/400 platform:
166
169
170
171
173
175
179
ote ~ ~ s i ~a e~ s~ s1 i ~ a tmn.
io~s
is r e c o ~ ~ e 3nmax
~ e ~ ~
s not effectivefor users
~ i n i 6 ~characters
u ~
me of the validationpr
andensurethat it does ow someusersto
is found to be onero~s.
e t e r ~ i n if
e the syste ity to linnit access to worksta-
tions for profiles wi special authorityis being
a ~ t ~ o r ifor
t y objects createdin a library:
s y s t e value
~ takes
)for the libraryis set to *
is recommended, but clientm
this change becauseall
(e.g., device descripti
normal operation.
e systemwide attention"k:ey-handling program:
.No attention-~ey-h~~ling
program.
user-w~tienprogram that will handle the attention inte
2.10 ~ e t e ~ isystem
the
n evalue ,which d e t e ~ i n e whether
s objects
that are security-sensitive
This will list all group profile names and user profile names within each group of users. It will also list at the bottom any user profile
3.2 Evaluate each group profile to ensure that it represents a common group of users with the same or similar business functions. Where group profiles are used, ensure that the group profiles cannot be used to sign on, to prevent any unauthorized sign-on.
3.3 Check:thatthefollowing supplied profileshavehad t h ~ iori
r
changed:
User Pro le
lease of QS/400V3
password
3.4 the that
passwords heck following
forenthe
securely,
stored
changed,
are and are on1 neers:
Passw rd
3.6
.4 pecifies which user profile is the ownerof objects createdby this user
3.
)
~ ~ p r o p r i aaccess
te a u t h o ~should
t~ be d e ~ ~ ate the
d l i ~levr ~
data files and programs are ~ r o t e ~from
t ~ du n a u ~ o ~access
ze~
4.1
ibraries that willbe searched when the system
for which a library name has not been
ex~licitly
L d e t e ~ i n e the
s initial s~ttingsof the system
e c o n ~ o l p r o c e ~from
u r ~ sthe implementationof new
programs or files from ~ e v e ~ o ~ mtoe n~roduction
t
y of a ~ r o ~ u c t i oorno * * users
security
omise ad by priate
grams should beres~ictedto autho~zed
se the integrityof ~ r o d ~ c t i osystems.
n
~ ~ any programs
o to review ~ dthat adopt the author
.~ c c e s to
s the query ~ e ~ n i t i o should
ns be ~ r ~ v e n t e d .
security-related c o ~ a n usin
~ s
nistrators haveuse of
rities are usually requiredto exe-
c m use thisc o ~ ~ a n ~ .
nds should be*
6.
7,
7.
7.7
7.
7.
7.10
.1
of network filesfor the receiving
ay, cancel, or receive thejob stream into a database
the input stream was
e t e ~ i n ehow
s the system
meter is as follow *
co~munic~tions ~ h PC
network entry~ o u which
d e ~ n ethen
~ , the subsyste~
target system allows the source
user ~ ~ e c i in~ the
e dc o ~ u n i c ~ -
e ~ send a u
then the sources ~ s t will
ill be under the authority of this user
8.
syste~ allo~s ~ccess ~ith
.6
.S.7
urces are ~ e c o ~ d in
e d the auditmd
S sho~ld be revie~edon a reg-
( s y s t e ~value)
E ~ i b iS.t 1, in which
le for enforcing all access val-
thority. In this way, the S
s c r ~ t i o n access
a~ c o ~ t ~(
o~s
control who can accessr ~ s o ~ r c e s
be the File Name, data it cont~ns,and the
Network shares
a l l o ~the
s speci~c
S
. The ~ a s s ~isobr ~ 1.
S
a user’s identit?,i s th
ill facilitate a c c ~ s to
s
.Fromthe console
a n o n y ~ o logon
~ s to the ince the acco~nti a ~ e ~ -
case it is a c c i d ~ ~ t a l l y ~ e e nThe
a~~ed.
S if it is ena~led and has no ~ a s s ~ o r d .
,and groups shouldbe created to give users
gn p e ~ s s i o n to
s groups and allow access
em m e ~ b e rof
s the appropriate groups. Groups nare o ~ a l l based
y on
n a ~ n convention
g should b able to c o n s t ~ can
t object
r users, the name may incl e their full name and func-
nter, the name may include the model number and con-
cation inthe build in^, and the kind of work the printer
~ s s i o n plus
s creating,d ~ l e t i nand
~ , c ~ ~ ~contained
i n g directories and files.
s c ~ ~ file
p e r ~ s s i o n plus g s~y snt e ~ e ~ i s s i o and
n s takin
Prevents any access to the directory and
level full control.
Allows view in^ and browsing the direct
or directoryp e r ~ i s s i o ~ s .
nes access
ined per-
securing files. Use the
licy,
r in
iversal s ~ c u r i t ~ s e t tfor
i n ~user
s ac
e forced toc h ~ ~ ~
elmit blank
password r dleast six ch~acters
~ a s s ~ o at
At leastx c h ~ a ~ t e r s
Forcibly
disconnect
remote
elected Tied to logon hoursspeci~edwhen
users from sewer when
logon Not selected user account was created
hours expire
*Sixty days would be a permissible password change rate only if strong passwords are implemented. Strong passwords may only be implemented under Windows NT 4.0 at the domain controller. Strong passwords may be implemented using the passfilt.dll program available under service pack 2 of Windows NT 4.0. The strong passwords provided by passfilt.dll are further described in the section on password filtering.
~ i n i s ~ ~ tori oban
Access this computer from network Adminjstrators, Everyone
~ h a n g the
e system time Adminjstrators, Server Operators
anage
auditing
security
and log Ad~njstrators
~ s t ~ l applications
ed to be run
from the server
C ~ ~ m ~ n to
public
Files e domain
v e ~the
o n in
e
User ~ o n t ~ nfor
e r subdirectories
private to each user
t ~ e nint an or-
e ctio
t ical users.
c ~ ~ aatnew
e sh and the user direc-
etween ~ o l u ~duri
es
cure environ~ent.
th function works
220 WINDOWS NT SERVER: SECURITY FEATURES
Profiles
User profiles control Windows NT features such as desktop colors and settings, program
groups and start menu settings, and network connections. Because these settings are dif-
ferent for each user, storing them separately allows users to customize and control their
Windows NT environment. Bob will always log on to the same environment, even if Susan
changes her wallpaper.
Local
Windows NT stores each user's settings in special directories contained in the Profiles di-
rectory under your Windows NT system (WINNT_ROOT) directory. Each user's local profile
is stored in a subdirectory named after the user. These directories contain all user-specific
settings. A special directory called All Users stores the settings that are global to all users.
Each profile contains many subdirectories. Applications such as Word and Excel
store user preferences in the Application Data subdirectory so that shared copies of these
applications can maintain different customized features for each user. NetHood contains
persistent network connections. Many other directories may exist and contain other settings
such as Start menu programs and program groups.
Roaming
Roaming profiles are stored like the local profiles, except that they are stored on a Windows
NT Server. Storing one profile on the server, instead of storing a local profile on each of the
Windows NT computers that you use, means that changes to your environment will be in
effect for all the computers you use rather than just the one on which you made the change.
When specifying a roaming profile in the user settings for your user account, the pro-
file is downloaded from the server every time you log on. Changes you make are then sent
back to the server so that they will still be in effect the next time you log on and download
the profile. Windows NT profiles affect only Windows NT. Logging on to a Windows 95
computer will not bring down the Windows NT roaming profile.
You may want each user’s home directory to contain the user’s profile. The
%username% environment variable can be used when creating User Directories to
automate this process (see the list discussed earlier on the steps to create a user directory).
To create a roaming profile, follow these steps:
1. Select Start → Programs → Administrative Tools → User Manager for Domains.
2. Double-click Administrator.
3. Click Profile.
4. Type \\name-of-your-server\winnt\profiles in the User Profile Path input box.
(Replace name-of-your-server with the share name of your server and replace
winnt with the name of your Windows NT directory share name.) If your Windows
NT directory is not shared, use the following path: \\name-of-your-
server\c-drive-share\winnt\profiles.
5. Click OK to close the User Profiles window.
6. Click OK to close the User window.
SUMMARY
Just as providing service to network users is the primary purpose of a network, creating a
coherent, secure, and useful user environment is the primary function of network adminis-
tration. Windows NT Server creates such an environment by using group accounts, security
permissions, user rights and policies, and network shares.
Effective groups make administering large numbers of users easy. Rather than as-
signing permissions to individual users, you can assign rights to groups and simply indicate
membership in different groups for each user. Windows NT will manage the combinations
of rights for users with multiple group memberships.
Security keeps resources from being exposed to unauthorized access. An optimistic
security policy allows maximum access to information and secures only specific informa-
tion. A pessimistic security policy secures all resources and grants access only where nec-
essary. Both approaches are valid, and the choice will depend on the physical security en-
vironment. Windows NT supports two types of secured resources: network shares and file
system objects. File system objects provide more control over security than shares do.
When resolving conflicting file system and share restrictions, Windows NT chooses the
most restrictive permission.
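To show how group membership, share permissions and file-system permissions combine, here is an added Python model of the rule stated above. It is my illustration, not code from the book or from Windows NT. A user's rights are the union of the rights granted to the user and to every group the user belongs to; a matching No Access entry overrides everything else; and over a network share the result is intersected with the share permission, so the more restrictive of the two wins, while local access is governed by the file-system permission alone. The grouping of the standard permissions into individual rights (Read = Read and Execute, Change = Read, Write, Execute and Delete, Full Control = all six rights) and the sample users, groups and entries are assumptions made for the example.

```python
from typing import Dict, FrozenSet, Optional, Set

# The individual access rights that the standard permissions are built from.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "Read", "Write", "Execute", "Delete", "Change Permissions", "Take Ownership")

# Standard permission levels as sets of rights (assumed grouping, see lead-in).
STANDARD: Dict[str, FrozenSet[str]] = {
    "No Access": frozenset(),
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, WRITE, EXECUTE, DELETE}),
    "Full Control": frozenset({READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER}),
}

# An ACL here is principal -> standard permission level, e.g. {"Users": "Read"}.
Acl = Dict[str, str]
Groups = Dict[str, Set[str]]  # group name -> member user names


def principals_for(user: str, groups: Groups) -> Set[str]:
    """The identities an ACL entry can match for this user: the user, every
    group the user belongs to, and the built-in Everyone group."""
    return {user, "Everyone"} | {g for g, members in groups.items() if user in members}


def rights_from_acl(acl: Acl, principals: Set[str]) -> FrozenSet[str]:
    """Union of the rights of every matching entry; a matching No Access entry
    overrides all other entries."""
    levels = [acl[p] for p in principals if p in acl]
    if "No Access" in levels:
        return frozenset()
    rights: Set[str] = set()
    for level in levels:
        rights |= STANDARD[level]
    return frozenset(rights)


def effective_rights(user: str, groups: Groups, ntfs: Acl,
                     share: Optional[Acl] = None) -> FrozenSet[str]:
    """Rights the user actually gets. Locally the file-system ACL alone applies;
    through a share the share permission is intersected with it, so the more
    restrictive of the two wins."""
    principals = principals_for(user, groups)
    rights = rights_from_acl(ntfs, principals)
    if share is not None:
        rights = rights & rights_from_acl(share, principals)
    return rights


if __name__ == "__main__":
    # Constructed sample: a share granting Everyone Change over a folder whose
    # file-system ACL grants Users Read and Administrators Full Control.
    groups = {"Users": {"bob", "alice"}, "Administrators": {"alice"}}
    ntfs = {"Users": "Read", "Administrators": "Full Control"}
    share = {"Everyone": "Change"}
    for user in ("bob", "alice", "carol"):
        print(user, "via share:", sorted(effective_rights(user, groups, ntfs, share)),
              "locally:", sorted(effective_rights(user, groups, ntfs)))
```

With the sample data, alice has Full Control at the console but only Change through the share, because the share permission caps what the file-system permission grants; bob is limited to Read either way; and carol, who matches no file-system entry, gets nothing even though the share grants Everyone Change.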
Policies are the general security characteristics of Windows NT. Policy changes af-
fect the entire system, not just individual users or groups. Windows NT implements four
types of policies: Account Policies control access to user accounts, User Rights permit or
restrict security-related activities, Audit Policy controls the auditing of user activity, and
System Policy controls all other security-related system settings.
Setting specific permissions for many users of a network can be an error-prone and
time-consuming exercise. Most organizations do not have security requirements that
change for every user. Setting permissions is more manageable with the security groups
concept, in which permissions are assigned to groups rather than to individual users. Users
who are members of a group have all the permissions assigned to that group. Windows NT
implements two types of groups: those local to the machine and those global to the domain.
Global groups are stored on the primary domain controller and replicated to all backup do-
main controllers.
User accounts allow you to control security on a per person basis. Every person who
accesses a Windows NT domain receives a user account through which identity is estab-
lished to the network and by which permissions to resources are granted. Windows NT also
provides two types of user accounts: accounts local to the machine and accounts global to
the domain. As with groups, global accounts are stored on the primary domain controller
and backed up to the backup domain controllers. User accounts can have logon scripts,
home directories, and roaming user preference profiles to allow users to work comfortably
at any computer in the network.
DOMAINS AND TRUST
A domain is a set of computers with a central security authority, the primary domain controller
(PDC), that grants access to a domain. Usually a domain also contains one or more backup
domain controllers (BDCs) that provide distributed authentication services to continue
authentication services in the event of failure in the PDC as well as load balancing for au-
thentication services. As a rule many types of systems may join a domain, but the PDC and
the BDC must be Windows NT systems because of the compartmentalized security they can
offer. A domain can be set up to ease viewing and access to resources, to share a common user
account database and common security policy, and to allow administrators to enforce a com-
mon security stance across physical, divisional, or corporate boundaries. Once users are au-
thenticated to the domain, using either the PDC or a BDC, they can gain access to the re-
sources of the domain, such as printing and file sharing, or access to applications across all of
the servers within the domain. This concept of a domainwide user account and password elim-
inates the need for every machine to provide its own authentication service. Instead, the au-
thentication processes are passed through to the domain controllers for remote authentication
against that user account database. This allows machines to be dedicated to servicing indi-
vidual applications or programs without the overhead of authentication.
The primary function of the PDC is to maintain the security database. A read-only
copy of this database is replicated to each BDC on a regular basis to maintain consistency
in the environment. Because of the importance of maintaining the security database on the
PDC and BDC, strict logical and physical access controls should be implemented.
Trusts are one-way relationships that can be set up between domains to share re-
sources and further ease administration. These relationships allow a user or groups to be
created only once within a set of domains yet access resources across multiple domains.
There are a number of trust models used to configure domains. The first is the single do-
main model with only one PDC and, by definition, no trust relationships (see Exhibit 5.10).
The next model is the master domain model for companies who desire centralized se-
curity administration. In this configuration, all domains, known as user or resource do-
mains, trust the master domain. The master domain maintains security resources for all of
the domains within this structure. This configuration can support up to 15,000 users. There
is one trust relationship for every domain that trusts the master domain (see Exhibit 5.11).
The multiple master domain model is designed for larger organizations that desire
some centralized security administration. With more than one master domain, administra-
tion needs increase as a result of the need to create all network accounts on each master do-
main. The two master domains in this case trust each other, while the resource domains have
one trust relationship with each of the master domains (see Exhibit 5.12).
Finally, there is the complete trust model. This is designed for larger companies that desire totally decentralized security administration. This configuration presents considerable administrative overhead, because all domains have two-way trust relationships with each other. This concept essentially creates peer-to-peer domains (see Exhibit 5.13).
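As an added Python illustration of the four trust models just described (my own code, not code from the book), each model is built as a set of one-way trusts, written as a pair (trusting domain, trusted domain). The `can_use_account` check applies the rule that an account can be granted access in a resource domain only when that domain trusts the account's domain directly: trusts are one-way and not transitive, so in the master domain model two resource domains that both trust the master do not thereby trust each other. `trust_count` gives the number of relationships an administrator has to maintain under each model. Domain names are constructed for the example.

```python
from itertools import permutations
from typing import Iterable, Set, Tuple

# A one-way trust (trusting_domain, trusted_domain): the trusting domain honours
# the authentication of accounts held by the trusted domain.
Trust = Tuple[str, str]


def can_use_account(account_domain: str, resource_domain: str, trusts: Set[Trust]) -> bool:
    """An account may be granted access in resource_domain only inside its own
    domain or where resource_domain trusts account_domain directly. Trusts are
    one-way and are never followed through a third domain."""
    return account_domain == resource_domain or (resource_domain, account_domain) in trusts


def single_domain_model() -> Set[Trust]:
    """One PDC and, by definition, no trust relationships."""
    return set()


def master_domain_model(master: str, resource_domains: Iterable[str]) -> Set[Trust]:
    """Every user or resource domain trusts the master: one trust per domain."""
    return {(r, master) for r in resource_domains}


def multiple_master_domain_model(masters: Iterable[str],
                                 resource_domains: Iterable[str]) -> Set[Trust]:
    """Masters trust each other in both directions; each resource domain has one
    trust with each master."""
    masters = list(masters)
    trusts: Set[Trust] = set(permutations(masters, 2))
    trusts |= {(r, m) for r in resource_domains for m in masters}
    return trusts


def complete_trust_model(domains: Iterable[str]) -> Set[Trust]:
    """Every domain trusts every other domain in both directions (peer-to-peer)."""
    return set(permutations(list(domains), 2))


def trust_count(trusts: Set[Trust]) -> int:
    """Number of one-way trust relationships an administrator must maintain."""
    return len(trusts)


if __name__ == "__main__":
    t = master_domain_model("MASTER", ["SALES", "ENG"])
    print("MASTER account used in SALES:", can_use_account("MASTER", "SALES", t))
    print("SALES account used in ENG (not transitive):", can_use_account("SALES", "ENG", t))
    print("trusts in a complete-trust model of 4 domains:",
          trust_count(complete_trust_model(["A", "B", "C", "D"])))
```

The counts make the administrative cost of each model visible: n resource domains need n trusts under one master, 2n + 2 under two masters, and n(n - 1) one-way trusts in the complete trust model.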
D
Value: l
Remote Registry Access: attempts to gain access to the registry, either to retrieve passwords or to change system settings.
Countermeasure: Remote registry access is prevented in Windows NT Server version 4.0 by the addition of a Registry key. This key is present by default in a new installation of Windows NT Server 4.0 but is not present by default in Windows NT Workstation 4.0. It may also not be present in a computer that has been upgraded from Windows NT Server 3.51. The key is HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg.

Password Theft and Cracking: an attempt to capture hashed passwords and crack them in order to gain further access to a system.
Countermeasure: Increase password encryption in the SAM by applying the features of SP3. Remove anonymous access to the system and tighten registry security.

Weak and Easily Guessed Passwords.
Countermeasure: Enforce a strong password policy from the domain controller using passfilt.dll. passfilt.dll is available from Service Pack 2 onward.

GetAdmin: The GetAdmin program was recently released from a Russian source. GetAdmin allows a regular user to get administrative rights on the local machine.
Countermeasure: A security hotfix to patch both GetAdmin and the follow-on issue has been released by Microsoft.

Services running under System context could be used to gain access to the registry and other parts of the system as System.
Countermeasure: Run services as accounts other than System wherever possible.

Unsecured File System: access using either a DOS- or Linux-based tool gives access to the NTFS file system without any security controls.
Countermeasure: Physically secure the server to prevent access to the diskette drive.

A recent version of this problem has affected Windows NT Server version 4.0 SP3 systems that run IIS and are exposed to the Internet. This was due to a fragmented and improperly formed ICMP packet.
Countermeasure: A new hot fix has been released, post-SP3, called the icmp-fix.

SYN Flood Attack: A flood of TCP connection requests (SYN) can be sent to an IIS server that contains "spoofed" source IP addresses. Upon receiving the connection request, the IIS server allocates resources to handle and track the new connections. A response is sent to the "spoofed," nonexistent IP address. Using default values, the server will continue to retransmit and eventually deallocate the resources that were set aside earlier for the connection 189 seconds later. This effectively ties up the server, and multiple requests can cause the IIS server to respond with a reset to all further connection requests.
Countermeasure: Service Pack 2 provides a fix to this vulnerability.

Out of Band Attacks: Out of Band (OOB) attacks, in which data is sent outside the normal expected scope, have been shown to affect Windows NT. The first OOB attack was identified after Service Pack 2 (SP2), and a patch was released that was also included in SP3. This attack caused unpredictable results and sometimes caused Windows NT to have trouble handling any network operations after one of these attacks. Since the release of SP3, another problem has been identified in the network driver that caused Microsoft networking clients to remain vulnerable to variations of the OOB attack, coming from the Apple Macintosh environment. The OOB attack crashes the TCP/IP protocol stack, forcing a reboot of Windows NT. A subsequent hot fix was released to counter this attack.
Countermeasure: Apply Service Pack 3 and the subsequent OOB-fix.
fense ~ e p ~ m e n tArpanet,
’s which was first created in the
traffic was allowed on it for the first time. With commercial use and the subsequent development of the hypertext transport protocol and the World Wide Web that uses it, companies began to connect their corporate WANs to the Internet. The visible connectivity and accessibility to corporate networks by large numbers of people have created a number of changes in corporate views of data security. The primary one is one of awareness. In a very short time, nontechnical people started talking about the Internet. They also started asking about the security of their connections. The hype and misinformation surrounding the Internet's features and risks have created the need for technology solutions and education about technology and security. Anyone can become a content publisher almost overnight. Sharing data with employees, strategic partners, customers, and even competitors has become very easy to do. Naturally, this introduces or enhances the risks to an organization's data.
The addition of Internet Information Server (IIS) to the base Windows NT operating system provides Windows NT Server with new functionality as well as exposing Windows NT to the risks of the Internet. IIS is integrated with the Windows NT operating system as an alternative to expand NT Servers to Web servers for intranets and the Internet. It includes standard TCP/IP servers for FTP and Gopher. This Web client-server offers a method to utilize Windows NT to provide information to people on the internal network as well as on the Internet.
There are well-known security risks associated with the Internet, and IIS allows Windows NT to be exposed to them. However, because IIS is coupled with Windows NT Server, it allows for the use of the security features found in the operating system. Applications and protocols have been developed in an attempt to limit these risks. A few of these applications and protocols have been explored in the following sections as an example of Microsoft's role in Internet technologies. As always, any system exposed to the Internet should be protected using multiple layers of security.
is a combination of the c o n ~ g ~ a t i of
o nhardware and so
are five subtrees in the registry.
es and their purposes areas fo
eps all the con~gurationi n f o ~ a t i o nfor the specific
ns i ~ o ~ a t i o n p e tor t the
~ ~ nhard
g
changes hardware the user is chan~ingthe reg
t-end tools to change the registry rather than
c o ~ because~ d the us
Create Subkey: Create a new key or subkey within a selected key or subkey.
Registry key permissions, default followed by the recommended setting:
HKEY_CLASSES_ROOT. Default: Administrators: Full Control; Creator/Owner: Full Control; System: Full Control; Everyone: Read. Recommended: Administrators: Full Control; Creator/Owner: Full Control; System: Full Control; Everyone: Special Access (defined following).
HKEY_USERS. Default: Administrators: Full Control; System: Full Control; Everyone: Read. Recommended: No Change.
HKEY_CURRENT_USER. Default: Administrators: Full Control; System: Full Control; User: Full Control. Recommended: No Change.
* Allow special access only to the Everyone group with only four of the permissions: Query Value, Enumerate Subkeys, Notify, and Read Control.
*
WARNING: Using the Registry Editor incorrectly can cause serious, systemwide problems that may require reinstallation of Windows NT. Microsoft cannot guarantee that any problems resulting from the use of the Registry Editor can be solved. Use this tool at your own risk.
Windows NT is designed to provide an operating system that could be used in many types of implementations, from local application servers and LAN file servers to remote access servers and Internet/intranet Web servers. Windows NT has features for security designed to provide the user with choices of a limited or extensive control implementation, depending on the business needs. Exhibit 5.17 lists the features and their descriptions that either control or implement security.
Local Security Authority (LSA): The LSA is also referred to as the security subsystem and is the heart of the Windows NT Server subsystem. The LSA provides the following services:

User Account Security: User account security policies are managed through the User Manager and consist of account policies and user rights policies.
Feature / Description

Trust relationships: The domain model establishes security between multiple domains through trust relationships. A trust relationship is a link between two domains causing one domain to honor the authentication of users from another domain. A trust relationship between two domains enables user accounts and global groups to be used in a domain other than the domain where these accounts are located. Trusts can be uni- or bidirectional and require the participation of an administrator in both domains to establish each directional trust relationship.

Domain Controllers: Windows NT Server provides domain authentication service through the use of primary and backup domain controllers. If communications to the primary domain controller break, the backup domain controllers will handle all authentication. A backup domain controller may be promoted to a primary domain controller if necessary.
No. | Category | Control Objectives | Risk | Recommendation

1 System Configuration
Control objective: All servers in the domain should be Windows NT 3.51 or higher; no LAN Manager or Windows NT servers previous to version 3.51 should exist within the domain.
Risk: Older servers, such as Windows NT 3.5 and LAN Manager, may subject the Windows NT environment to undue security risk.
Recommendation: All Windows NT 3.5 or LAN Manager servers should be eliminated from the domain or upgraded immediately.
1 System Configuration
Control objective: The latest Microsoft service packs and hot fixes should be installed and properly configured. Service packs and hot fixes should be reapplied after each new software installation.
Risk: Current versions of the operating system contain processing and security enhancements. Service packs and hot fixes correct bugs that have been communicated to Microsoft. If the version of the operating system is not current, there is an increased risk that an unauthorized user may be able to exploit weaknesses in the operating system. Certain service packs and hot fixes require system administration intervention such as the running of an application or the manual entry of a registry key into the registry.
Recommendation: Obtain the latest service pack and hot fixes from Microsoft and properly install and configure the service pack and appropriate hot fixes. The latest service pack for Windows NT 3.51 is 5, and the latest service pack for Windows NT 4.0 is 3.
1 System Configuration
Control objective: The "system key" option of Service Pack 3 (SP3) should be implemented.
Risk: The system key feature of Service Pack 3 provides stronger encryption of the SAM database. Enabling this option decreases the risk that password hashes will be cracked if obtained. A utility has been released that can extract the Windows NT password hashes even with syskey implemented; therefore, this risk is only partially mitigated.
Recommendation: Enable the syskey option.
Compliance Assessment Techniques | Compliance Verification Techniques | Compliance Verification Techniques (review of collected files)

Server versions:
Assessment: Upgrade all LAN Manager and Windows NT 3.5 servers to Windows NT version 3.51 or higher.
Verification: Verify, through discussion with the company and physical inspection, that each server is running the Windows NT operating system version 3.51 or higher. This document is only applicable and effective for said versions.

System key:
Assessment: Choose one of the three methods for storing the system key:
* obfuscated key on machine
* obfuscated key on diskette
* password protected key at boot
Verification: Verify the choice of the key storage. Verify knowledge of the boot password for the key.
1 System Configuration
Control objective: The Primary Domain Controller (PDC) should not be utilized for other purposes except those directly related to authentication, such as address assignment or name lookup.
Risk: Running applications on a PDC opens the PDC to any vulnerabilities that exist in that application. Additionally, if the PDC is used for other purposes than authentication, there is an increased risk that the server may not possess enough resources to perform both functions adequately.
Recommendation: PDCs should be utilized for authentication and related services only.
1 System Configuration
Control objective: System services should be running under a secured context.
Risk: If services are allowed to interact with the desktop when started, there is an increased risk that domain resources may be compromised. In addition, if the service is compromised, the service will be running with too much authority.
Recommendation: No services should have the "Interact with the desktop" check box checked. Services should not run under a global account but rather a local account. Accounts created to run as a service should not be allowed certain rights such as Log On Locally unless required.
2 Networking
Control objective: Workstation and time restrictions should be enforced when possible.
Risk: Restricting users based on workstation and time reduces the risk that unauthorized access will be obtained. These controls should be enforced for users that utilize only one workstation during set hours of the day.
Recommendation: Workstation and time restrictions should be enforced when possible for typical domain users.
PDC usage:
Assessment: Ensure that all PDC servers are only performing authentication.
Verification: Verify that the PDC is only used for authentication by performing the following steps:
1. Open Server Manager.
2. Select the PDC and choose Services... from the Computer pulldown menu.
3. Review each running service to determine if it is used for a purpose other than authentication. Allowable applications include DHCP, WINS, and DNS.
Verification (file review): Verify that the PDC is only used for authentication by reviewing the <servername>.servic... file, ensuring that only authentication related services are installed and started. Also, review the <servername>.pulist.txt file to ensure only authentication-related processes are running.

Service context:
Assessment: When services are started they should not have the Allow Service to Interact with Desktop option selected. Open Server Manager for each server in question. Open Services from the Computer pulldown menu. Double-click on each service and verify the settings for Log On As.
Verification: Verify that services cannot interact with the desktop by performing the following steps for all servers in scope:
1. Open Server Manager.
2. Open Services... from the Computer pulldown menu.
3. Double-click on each service and verify that the Allow Service to Interact with the Desktop option is not selected.
Verification (file review): Verify that services cannot interact with the desktop by reviewing the Services Report portion of <servername>.winmsd.txt and noting any services with a Service Account Name of anything other than LocalSystem or any services with a Service Flag of Interactive.

Workstation and time restrictions:
Assessment: When entering new users or to change existing users perform the following steps:
1. Open User Manager.
2. Open the User Properties by double-clicking on the username.
3. Click the Hours button.
4. Select the appropriate time and click the Allow and Disallow buttons as appropriate.
5. Click OK to confirm changes.
6. Click the Logon To button.
7. Verify user access by stations.
Verification: Verify the user logon hours by performing the following steps:
1. Open User Manager.
2. Open User Properties by double-clicking on the username.
3. Click the Hours button.
4. Verify that the hours listed in blue meet corporate standards.
5. Click the Cancel button to close.
6. Click the Logon To button.
7. Verify user access by stations.
Verification (file review): Verify the user logon hours and workstation restrictions by reviewing <servername>.users.txt and determining whether workstation or time restrictions are enforced for any users on the system.
3 Networking
Control objective: Users should be forcibly disconnected from servers when their login hours expire.
Risk: Having users automatically disconnected from the system when their time expires ensures that network resources will not be accessed unless the user is specifically authorized for access during those hours.
Recommendation: Enable the forced account disconnect feature in account policies.
User Management
Control objective: All users and groups in the domain should be known and documented by the group responsible for maintaining the Windows NT environment.
Risk: If users and groups exist within the domain that are not known or documented, there is an increased risk that the security of the domain may be compromised.
Recommendation: An inventory of users and groups should be performed periodically and checked against an approved listing of users and groups. If "rogue" users or groups are found they should be investigated immediately.

User Management
Control objective: All user accounts should have an applicable, informative full name and description.
Risk: Requiring all users to have descriptions and full names minimizes the possibility that an extraneous, unneeded user account will be created. Such a user could bypass system administration and be used for unfavorable purposes.
Recommendation: Add an applicable and informative full name and description to each user account.
Forced disconnect:
Assessment: Enable the Forced Account Disconnect feature in account policies by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the User pulldown menu.
3. Enter the Authentication Domain in the Domain: box.
4. Click OK.
5. Select Account... from the Policies pulldown menu.
6. Select the Forcibly disconnect remote users from server when logon hours expire check box.
7. Click OK.
8. Close User Manager.
Verification: Verify that the Forced Account Disconnect feature in account policies has been enabled by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the User pulldown menu.
3. Enter the Authentication Domain in the Domain: box.
4. Click OK.
5. Select Account... from the Policies pulldown menu.
6. Verify that the Forcibly disconnect remote users from server when logon hours expire check box has been checked.
7. Click OK.
8. Close User Manager.
Verification (file review): Verify that the Forced Account Disconnect feature in account policies has been enabled by reviewing <servername>.policies.txt and ensuring that the "Force logoff when logon hours expire" control is implemented. Verify that logon hours are set for users.
3 User Management
Control objective: Naming conventions should be established and followed for all user accounts. Naming conventions should cover end users, contractors, consultants, and vendors.
Risk: Having all users with the same naming convention increases network security, as users can easily be identified and accounts that do not adhere to the naming standard are easily identified. Setting up temporary accounts for contractors, consultants, and vendors with an identifiable naming convention allows these accounts to be easily identified and purged if warranted.
Recommendation: Name all user accounts in accordance with established naming conventions.
3 User Management
Control objective: User accounts should only be entered in the Authentication Domain's PDC and not on workstations or servers.
Risk: Having all user accounts centrally administered by the domain increases network security because resource allocation can be controlled. The only accounts that should exist outside of the domain, on local workstations, are the built-in Guest and Administrator accounts.
Recommendation: Remove all user accounts from resource domains, servers, and workstations and move them to their respective authentication domain.
Naming conventions:
Assessment: Name all user accounts in accordance with established naming conventions.
Verification: Verify that all users are named in accordance with corporate policy by viewing the users in User Manager by performing the following steps (only the legible steps are given):
4. Choose Select Domain... from the User pulldown menu.
5. Enter the Authentication Domain.
7. View all users and verify that they have been named in accordance with corporate policy.
Verification (file review): Obtain a copy of the company's user naming conventions and ensure they are being enforced on all user accounts. Note whether the naming conventions provide for the ability to identify employees, vendors, and temporary IDs.

Accounts on resource servers:
Assessment: Move all user accounts from the resource servers to the authentication domain by performing the following steps (only the legible steps are given):
1. Open User Manager.
2. Choose Select Domain... from the User pulldown menu.
3. Enter the server name.
4. Click OK.
5. Double-click the user account.
6. Write down all visible information.
7. Close the user information.
8. With the user account highlighted, select Delete from the User pulldown menu.
9. Click OK.
10. Repeat steps 5-9 until all ...
11. ... from the User pulldown menu.
14. Select New User... from the User pulldown menu.
15. Enter all user information.
16. Click Add.
17. Repeat steps 14-16 until all ...
Verification: Verify that there are no user accounts on each server and workstation by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the User pulldown menu.
3. Enter the server name.
4. Verify that the only accounts listed are the default Administrator and Guest accounts.
5. Repeat steps 2-4 until all servers and workstations have been verified.
6. Close User Manager.
Verification (file review): Review <servername>.users.txt and ensure that end user accounts are only created in the Authentication Domain.
3 User Management
Control objective: Any account that has not logged into the authentication domain for an extended period of time should be disabled.
Risk: Inactive accounts are often used by intruders to break into a network. If a user account has not been utilized for some time, the account should be disabled until it is needed. This minimizes the possibility that an unauthorized user will utilize the account.
Recommendation: Disable all accounts that have not been logged into in accordance with corporate standards. Industry guidelines state that if an account has not been used for 90 days, it is inactive. Enable an account only after being contacted by, and verifying, the user is appropriate.
3 User Management
Control objective: Accounts of individuals who are no longer employed or that do not need their accounts should be deleted.
Risk: Having outstanding accounts that are no longer needed increases the risk of unauthorized access.
Recommendation: Delete all unneeded accounts, including vendor accounts, terminated employees, and contractors.
Stale accounts:
Assessment: Disable stale user accounts by performing the following steps:
1. At the command prompt, issue the net user <User Name> command for each user.
2. Note the last login time. If the account has not been logged into in a specified period of time (in accordance with our best practices), this account should be disabled.
3. Disable the account by issuing the net user <User Name> /active:no command.
Verification: Verify that all inactive user accounts have been disabled by performing the following steps:
1. At the command prompt, issue the net user <User Name> command for each user.
2. Note the last login time. If the account has not been logged into in a specified period of time (in accordance with corporate policy or our best practices), this account should be disabled.
3. Verify through the use of a tool when the last valid logon time was.
Note: If a user often authenticates to a BDC rather than the PDC, then this procedure may not provide the true last logon time.
Verification (file review): Verify that all inactive user accounts have been disabled by reviewing <servername>.users.txt for accounts with a "True Last Logon Time" that exceeds the corporate policy.
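As an added example (not from the book), the net user review described in the steps above can be run over captured output: the script below parses net user <User Name> reports, applies the 90-day inactivity guideline quoted in the Recommendation column, and emits the book's net user <User Name> /active:no command for each enabled stale account. The report text is constructed, and the "Last logon" date is assumed to be printed as month/day/year with a 12-hour clock.

```python
"""Flag stale Windows NT accounts from captured net user output.

Added example, not from the book. The audit steps have the reviewer run
``net user <User Name>`` per account and read the "Last logon" line. This
script performs that review over captured output: accounts that are enabled
("Account active  Yes") and have not logged on within the 90-day industry
guideline are listed together with the book's remediation command. The
report text below is constructed; the field labels follow the net user
report and the "Last logon" date is assumed to be month/day/year, 12-hour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

INACTIVE_DAYS = 90  # industry guideline quoted in the audit table

# Constructed sample: four reports as captured on the PDC. The book notes
# that a user who mostly authenticates to a BDC may show an older "Last
# logon" here than on that BDC, so the PDC view is only a lower bound.
SAMPLE_NET_USER_OUTPUT = """\
User name                    jsmith
Full Name                    John Smith
Account active               Yes
Last logon                   12/1/2000 9:30 AM

User name                    contractor01
Full Name                    Temp Contractor
Account active               Yes
Last logon                   Never

User name                    oldvendor
Full Name                    Vendor Support
Account active               Yes
Last logon                   3/4/1999 4:15 PM

User name                    svc_legacy
Full Name                    Legacy Service
Account active               No
Last logon                   6/20/1998 11:02 PM
"""


@dataclass
class Account:
    name: str
    active: bool
    last_logon: datetime | None  # None when the report says "Never"


def parse_net_user(text: str) -> list[Account]:
    """Split concatenated net user reports and pull the audited fields."""
    accounts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Report lines are "<label><two or more spaces><value>".
            m = re.match(r"^(.*?\S)\s{2,}(.*)$", line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "User name" not in fields:
            continue
        raw = fields.get("Last logon", "Never")
        last = None if raw == "Never" else datetime.strptime(raw, "%m/%d/%Y %I:%M %p")
        accounts.append(Account(fields["User name"], fields.get("Account active") == "Yes", last))
    return accounts


def stale_accounts(accounts: list[Account], as_of: datetime,
                   inactive_days: int = INACTIVE_DAYS) -> list[str]:
    """Names of enabled accounts unused for inactive_days or more.

    An account that has never logged on counts as stale: it has been unused
    for its entire life. Already-disabled accounts are skipped, since there
    is nothing left to disable.
    """
    cutoff = as_of - timedelta(days=inactive_days)
    return [a.name for a in accounts
            if a.active and (a.last_logon is None or a.last_logon < cutoff)]


def disable_commands(names: list[str]) -> list[str]:
    """The remediation the book gives: net user <User Name> /active:no."""
    return [f"net user {name} /active:no" for name in names]


def run_audit(report_text: str, as_of_iso: str) -> list[str]:
    """Parse a captured report and return the disable commands to issue."""
    as_of = datetime.fromisoformat(as_of_iso)
    return disable_commands(stale_accounts(parse_net_user(report_text), as_of))


if __name__ == "__main__":
    for cmd in run_audit(SAMPLE_NET_USER_OUTPUT, "2001-01-15"):
        print(cmd)
```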
Unneeded accounts:
Assessment: Remove unneeded user accounts from the authentication domain by performing the following steps:
1. Open User Manager.
2. Highlight the unneeded account and select Delete from the User pulldown menu.
3. Repeat until all unneeded accounts have been removed.
Verification: Verify that there are no unneeded user accounts in the authentication domain by performing the following steps:
1. Open the User Manager.
2. Review the list of users.
3. Discuss these users with the network administrator and human resources to determine appropriateness.
Verification (file review): Verify that there are no unneeded user accounts in the authentication domain by obtaining a listing of recently departed employees from the HR department and ensuring that the former employees' accounts have been removed or disabled from the Authentication domain. This information can be found in the appropriate <servername>.users.txt file.
3 User Management
Control objective: The default Administrator and Guest accounts should be assigned a strong password and renamed immediately after installation.
Risk: The Administrator and Guest accounts are known to exist on all Windows NT systems. Consequently, they are one of the first accounts that an intruder will attempt to use. The Administrator account on Windows NT has all system rights and therefore should be the most protected account on the system. If these accounts are not renamed, all an attacker would have to accomplish is brute force guessing a password. Depending on other system settings, this might be easy to achieve in a relatively short period of time without being detected.
Recommendation: Rename the default Administrator and Guest accounts. Assign a strong password to both the accounts. Add an account named "Administrator" and assign it no user rights and no group memberships. Having an account named Administrator with no user rights will aid intruder detection by writing to the audit log.
Decoy Administrator account (only the legible steps are given):
8. Choose New User from the User pulldown menu.
9. Enter Administrator in the Username box.
10. Enter a full name in accordance with corporate standards.
12. Enter a strong password in the Password boxes.
13. Ensure that the User Must Change Password at Next Logon check box is not selected.
14. Check the Password Never Expires check box.
15. Click the Groups button.
16. Select the groups listed under the Member Of: box.
17. Click the Remove button.
18. Click the OK button to confirm changes.
19. Click the Close button.
3 User Management
Control objective: The default Guest account should be disabled immediately after installation.
Risk: The Guest account is known to exist on all Windows NT systems. Consequently, it is one of the first accounts that an intruder will attempt to use. If enabled, an attacker will attempt to log in as the Guest and compromise the system.
Recommendation: Disable the default Guest account on all Windows NT systems. The account should remain disabled at all times. If the Guest account is needed for any types of services (i.e., printing), define a new account for that function.
Replicator account:
Assessment: Rename the Replicator account and secure it by performing the following steps:
1. Open User Manager.
2. Choose the Rename option under the User pulldown menu.
3. Enter a new account name, which conforms to corporate standards, in the Change box.
4. Click OK to confirm changes.
5. Double-click on the Replicator account.
Verification: Verify, through discussion with the network administrator and physical inspection, that the Replicator account has been renamed and assigned a strong password. Also ensure that the Replicator account is only a member of the Replicators group. These can be accomplished by performing the following steps:
1. Open User Manager.
2. Verify that an account named Replicator does not exist.
3. Double-click on the renamed Replicator account.
4. Click on the Groups button.
5. Verify that this account is only a member of the Replicators group.
Verification (file review): Review the Replicator account security settings in <servername>.users.txt and ensure the account has a difficult-to-guess username, belongs only to the Replicators group, and is not overriding default account policies. Also ensure the account has been assigned a strong password by executing L0phtCrack against the <servername>.passwd.txt file, if permitted.
3 User Management
Control objective: Automatic logon options for servers should not be enabled.
Risk: There is an increased risk that an unauthorized user may gain knowledge of a username and password for the domain, as the use of this option embeds the password of an account in the registry in clear text.
Recommendation: Ensure the value of the AutoAdminLogon registry key is set to 0.

Automatic logon (only the legible steps are given; the key is under ... NT\Winlogon):
Assessment: 3. Delete the keys mentioned above.
Verification: 3. Determine if the value of AutoAdminLogon is set to 0. 4. Close regedt32.
Verification (file review): 3. Verify that the keys mentioned above do not exist.
3 User Management
Control objective: Anonymous users that connect with the Null Credentials Logon should be denied access to all systems in the domain. Null session pipes should be disabled.
Risk: The Null Credentials Logon gives individuals a method of procuring every share and username that exists on the system. In addition, group memberships can also be discovered. With this information, attackers can start brute force guessing passwords and attempt to compromise the system.
Note: Some software may not function after these changes. Additionally, the ability to change passwords may be lost. Ensure compatibility by testing. Also, users may be unable to proactively change their password.
Recommendation: Add the registry key RestrictAnonymous to the HKLM\System\CurrentControlSet\Control\LSA\ portion of the registry. The value of this setting should be 1. Review the values on the null session restriction registry keys in the HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters portion of the registry.
Null credentials logon:
Assessment: Add the registry key RestrictAnonymous to the HKLM\System\CurrentControlSet\Control\LSA portion of the registry by performing the following steps: ...
Verification: Verify that the registry key RestrictAnonymous has been added to the HKLM\System\CurrentControlSet\Control\LSA portion of the registry by performing the following steps: ...
Verification (file review): Review <servername>.lsa.txt and ensure the value of RestrictAnonymous is set to 1, and that the null session restriction value is set to 1, the default.
4 Password Management
Control objective: The maximum password age should be set in accordance with corporate security standards and guidelines. Industry guidelines state 60 days.
Risk: Without forcing users to change passwords, the risk that a password will have an unlimited useful life is increased.
Recommendation: Set the maximum password age in accordance with corporate security standards and guidelines. Industry guidelines state 60 days.
4 Password Management
Control objective: The minimum password length should be set in accordance with corporate security standards and guidelines.
Risk: Having an adequate password length increases the difficulty required to guess a password.
Recommendation: Set the minimum password length in accordance with corporate security standards and guidelines.
4 Password Management
Control objective: The password uniqueness should be set in accordance with corporate security standards and guidelines.
Risk: Requiring unique passwords prevents a user from recycling old passwords that may have been compromised in the past.
Recommendation: Set the password uniqueness in accordance with corporate security standards and guidelines.
4 Password Management
Control objective: The Service Pack enhancement, passfilt, should be implemented to enforce strong password controls.
Risk: Having a high degree of password strength decreases the likelihood of passwords being guessed by intruders.
Recommendation: Enable passfilt so that not just lowercase letters are required for passwords. Be aware that with Windows 95 clients, passfilt does not enforce case-sensitive passwords. Additionally, the error messages produced by passfilt are often unclear, so administrators must stay alert. Finally, know that administrators can create their own DLL with their own password rules.
Minimum password length:
Verification: Industry guidelines state a minimum of 6 characters for passwords.

passfilt:
Assessment: For the PDC, enable passfilt by performing the following steps:
1. Open regedt32.
2. Select the key HKLM\System\CurrentControlSet\Control\LSA.
3. Edit the Notification Packages value name.
4. Add passfilt to the value name.
Verification: For the PDC, check for passfilt by performing the following steps:
1. Open regedt32.
2. Select the key HKLM\System\CurrentControlSet\Control\LSA.
3. View the Notification Packages value name.
Verification (file review): Review <servername>.lsa.txt to ensure the value Notification Packages contains the passfilt.dll entry. If the Notification Packages value contains an entry of FPNWCLNT.dll, inquire with the company if this is required for connectivity between NT and Novell servers. Also, ensure that FPNWCLNT.dll exists within the system path and is properly secured.
4 Password Management
Control objective: The account lockout feature should be enabled, and the related parameters should be set in accordance with corporate security standards and guidelines. Industry guidelines state 3 bad logon attempts and to reset the counter after 1,440 minutes. Accounts should be locked forever or until an administrator manually unlocks them.
Risk: Locking out accounts after a specified number of failed login attempts decreases the risk that user accounts will be compromised through brute force attacks.
Recommendation: Enable the account lockout feature and set the appropriate parameters in accordance with corporate security standards and guidelines. Industry guidelines state 3 bad logon attempts and to reset the counter after 1,440 minutes. Accounts should be locked forever or until an administrator manually unlocks them.
4 Password Management
Control objective: The resource kit utility, passprop, should be utilized to enable lockout on the Administrator account over a network connection.
Risk: The Administrator account is susceptible to an infinite number of password guesses over a network connection unless passprop is implemented. Regardless, Administrators should not be able to "access this computer from the network," but this is a good supplemental procedure.
Recommendation: Enable passprop's /adminlockout function.
4 Password Management
Control objective: The password for the Administrator account maintained on each server should be changed in accordance with corporate standards and guidelines and be unique across all servers.
Risk: The renamed Administrator account on each server is the most privileged account on the system. Therefore, extra care should be taken with its use. Changing the password periodically limits the useful life of any compromised passwords. Requiring unique passwords on different systems limits the exposure to the system if one administrator account is compromised.
Recommendation: Require that the password for the Administrator account on each server is changed periodically and is unique for all servers.
Account lockout:
Assessment: For all servers, set the account lockout parameters by performing the following steps:
1. Using User Manager, select the Account... option under the Policies menu.
2. Ensure the Account Lockout option is enabled.
3. Set Lockout After Bad Logon Attempts, Reset Count After Minutes, and Lockout Duration in accordance with corporate standards.
4. Click OK to confirm changes.
Verification: For all servers, verify the account lockout parameters by performing the following steps:
1. Open User Manager.
2. Select the Account... option under the Policies menu.
3. Ensure the Account Lockout radio button is selected.
4. Verify the settings for Lockout After Bad Logon Attempts, Reset Count After Minutes, and Lockout Duration. These settings should be set in accordance with corporate standards or our best practices.
5. Click OK to exit.
Verification (file review): Review <servername>.policies.txt for compliance with corporate policies relating to account lockout. If no corporate policy exists, use the following as a baseline:
* Industry guidelines state 3 bad logon attempts and to reset the counter after 1,440 minutes.
* Accounts should be locked forever or until an administrator manually unlocks them.
1,440 minutes equals 24 hours.
Administrator passwords:
Assessment: Change the passwords on the Administrator-level accounts by performing the following steps:
1. Using the User Manager, open the user account that requires a change of password.
2. Enter the new password in both the Password and the Confirm Password fields.
3. Click OK to close the User Properties.
Verification: Verify, with the network administrator and administrator-equivalent users, that Administrator-level account passwords are being changed in accordance with corporate security standards and are unique across all servers.
Verification (file review): Review <servername>.users.txt and ensure the Administrator accounts are required to follow default account policies. Also review <servername>.passwd.txt and ensure the Administrator account password hashes are unique across servers. In large multidomain implementations of Windows NT, this may not be a practical policy. An alternative might be a different password within different domains.
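As an added example (not part of the book), the baseline values quoted across the preceding rows (3 bad logon attempts, reset after 1,440 minutes, lockout until an administrator unlocks, 60-day maximum password age, forced logoff when logon hours expire, RestrictAnonymous set to 1, AutoAdminLogon set to 0, and passfilt in the LSA Notification Packages value) can be applied mechanically to collected settings. The name: value input layout and the two sample dumps are constructed for this example; they are not the format of the book's <servername>.policies.txt or <servername>.lsa.txt files.

```python
"""Compare collected Windows NT settings with the audit baseline.

Added example, not from the book. Each check below is a baseline item the
audit table quotes: 3 bad logon attempts, reset after 1,440 minutes, lockout
until an administrator unlocks, 60-day maximum password age, minimum length
6, forced logoff when logon hours expire, RestrictAnonymous = 1,
AutoAdminLogon = 0, and passfilt listed in the LSA Notification Packages
value. The "name: value" layout and both sample dumps are constructed.
"""
from __future__ import annotations

import re


def parse_dump(text: str) -> dict[str, str]:
    """Read 'name: value' lines into a dict; blank lines and '#' comments skip."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            settings[name.strip()] = value.strip()
    return settings


def _int(settings: dict[str, str], key: str) -> int | None:
    """Integer value of a setting, or None if it is missing or not numeric."""
    try:
        return int(settings[key])
    except (KeyError, ValueError):
        return None


def notification_packages(settings: dict[str, str]) -> set[str]:
    """Normalize the multi-string value: split on commas/whitespace, drop .dll."""
    raw = settings.get("Notification Packages", "")
    return {re.sub(r"\.dll$", "", p, flags=re.I).upper()
            for p in re.split(r"[,\s]+", raw) if p}


def evaluate(settings: dict[str, str]) -> list[str]:
    """Return one finding per baseline item the dump fails to meet."""
    findings = []
    threshold = _int(settings, "Lockout threshold")
    if threshold is None or threshold > 3:
        findings.append("lockout threshold is not 3 or fewer bad logon attempts")
    reset = _int(settings, "Reset count after (minutes)")
    if reset is None or reset < 1440:
        findings.append("bad logon counter resets before 1,440 minutes")
    if settings.get("Lockout duration", "").lower() != "forever":
        findings.append("locked accounts are not held until an administrator unlocks them")
    max_age = _int(settings, "Maximum password age (days)")
    if max_age is None or max_age > 60:
        findings.append("maximum password age exceeds 60 days")
    min_len = _int(settings, "Minimum password length")
    if min_len is None or min_len < 6:
        findings.append("minimum password length is below 6")
    if settings.get("Force logoff when logon hours expire", "").lower() != "yes":
        findings.append("users are not forced off when logon hours expire")
    if settings.get("RestrictAnonymous") != "1":
        findings.append("RestrictAnonymous is not 1: null sessions can enumerate shares and users")
    if settings.get("AutoAdminLogon") != "0":
        findings.append("AutoAdminLogon is enabled: a password is stored in the registry in clear text")
    packages = notification_packages(settings)
    if "PASSFILT" not in packages:
        findings.append("passfilt is not listed in Notification Packages")
    if "FPNWCLNT" in packages:
        findings.append("FPNWCLNT is listed in Notification Packages: confirm it is "
                        "required for Novell connectivity and that the DLL is secured")
    return findings


# Constructed dump of a non-compliant server (not real collected output).
WEAK_DUMP = """\
# constructed sample
Lockout threshold: 5
Reset count after (minutes): 30
Lockout duration: 30 minutes
Maximum password age (days): 90
Minimum password length: 6
Force logoff when logon hours expire: No
RestrictAnonymous: 0
AutoAdminLogon: 1
Notification Packages: FPNWCLNT
"""

# Constructed dump of a server that meets every baseline item.
HARDENED_DUMP = """\
Lockout threshold: 3
Reset count after (minutes): 1440
Lockout duration: forever
Maximum password age (days): 60
Minimum password length: 6
Force logoff when logon hours expire: Yes
RestrictAnonymous: 1
AutoAdminLogon: 0
Notification Packages: PASSFILT.DLL
"""

if __name__ == "__main__":
    for label, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        findings = evaluate(parse_dump(dump))
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```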
4 Password Management
Control objective: Default passwords supplied with software packages should be changed upon initial installation.
Risk: Application default passwords are widely known and typically targets for attacks. The risk that unauthorized access will be obtained is increased if these passwords are not changed.
Recommendation: Change all default application passwords upon installation of applications.
4 Password Management
Control objective: Privileged user passwords should not be widely distributed.
Risk: Distribution of privileged account passwords to multiple users weakens the effectiveness of a stringent password policy and reduces user accountability.
Recommendation: Only distribute privileged account passwords to users who require this access for a legitimate business purpose. Each user with a privileged account should have a unique ID and password.
4 Password Management
Control objective: User-level overrides of password policies should not be enabled for any user accounts except for service accounts.
Risk: If user-level overrides of password policies are allowed, there is an increased risk that unauthorized access by users will be obtained.
Recommendation: Disable the User Cannot Change Password and Password Never Expires user overrides of the default password policy.
4 Password Management
Control objective: All new user accounts should be required to change their password on first logon. There should not be generic or predictable passwords used as a new default. Each new account should be created with a unique and difficult to determine password.
Risk: Requiring new users to change their password upon login ensures that the temporary password will not be in use. Additionally, by having users create their own passwords, the chance of their remembering their password is significantly increased.
Recommendation: Require all new user accounts to change their password on first logon.
4 Password Management
Control objective: Controls should be implemented to ensure the Administrator password is available for emergencies.
Risk: System administrators should provide a mechanism to obtain the Administrator password in the event of an emergency to reduce the risk of significant downtime. These passwords should be stored on and off site. They should reside in a physically secure location.
Recommendation: Write down the Administrator password, place it in a sealed envelope, and keep it in secure locations, on and off site, in the event it is needed in an emergency.
Default application passwords:
Assessment: Change the passwords on the appropriate accounts by performing the following steps: ...
Verification: Verify, with the network administrator and through physical inspection, that default application passwords have been changed in accordance with corporate security standards.
Verification (file review): Review <servername>.users.txt and ensure that any default accounts are required to follow default account policies. Also review <servername>.passwd.txt and ensure that these default accounts' password hashes are unique across servers.
Implement a procedure for Review the account password Review the account password
distributing privileged account distribution procedure.Verify that dis~butionprocedure. Verify that
passwords to only users who privileged account passwords are privileged account passwords are
require this accessfor a legitimate distributed onlyto those individuals distributed only to those individuals
business purpose. with a legitimate business need for with a legitimate business need for
such access. such access.
For all servers, disable the userFor all users, verify that the user Review csen/ername>.u
overrides of default password overrides of default password and ensure there areno end user
policies by performing the policies have been disabledby accounts that are allowed to override
~ol~owing steps: p e r f o r ~ n gthe fo~lowing
steps: default account policies.
1. Open User ~ a n a g e r .
open the user account. 2. Double-click on the user
account.
3. Verify that the User Cannot
Change Passu~ordand the
options are not enabled.If P a s ~ w o r dNever Expires
they are enabled,they should options are not checked.
be unchecked to disable them. 4. Click OK to exit.
3. Click OK to confirm changes. 5. Repeat for all users
For all new users added to the Verify, with the network Inquire with the company regarding
PDC7 require that they change admi~strator,that the User Must the proceduresfor creating new user
their password on initial login by Change Password at Next accounts. Determineif the accounts
pe~ormingthe following step: Logon box is checkedwhen new are required to change their
1. When creating a new user accounts are created. password on &st logon. Also review
with the User ~ a n a g e r ~ t i l i t y , the <sen/ername>.users.txt for
re the User Must users who are required to change
their password on next logon.
Establish a procedure for keeping Verify, through discussion with the Verify7 through discussion with the
the A d ~ n i s ~ a tpasswords
or network administratorand network administratorand
written down and ina secure inspection of written policies, thata inspection of written policies, thata
location. Establisha second procedure exists for the storage and procedure exists for the storage and
procedure for obtaining the retrieval of the ad~inistrator retrieval of the administrator
passwords in the eventof an password. Verify that this procedure password. Verify that this procedure
emergency. is followed and that the passwordis is followed and that the password is
stored in a secured location. Ensure stored ina secured location. Ensure
that the retrieval processis known to that the retrieval processis known to
seconda~/e~ergency second~y/emergency
administrators. administrators.
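The verification steps above (no policy overrides outside service accounts, new accounts forced to change their password, default-account hashes unique across servers) can be run mechanically over the <servername>.users.txt and password dumps. The Python below is an added example, not the book's; the colon-delimited dump format, the flag names, the account names and the placeholder hashes are all constructed assumptions.

```python
"""Added example: review of a <servername>.users.txt dump for the password
controls above. The dump format is an assumption, not defined by the book:
one account per line, 'account:flag1,flag2,...'."""
from dataclasses import dataclass

# Flag names mirror the User Manager check boxes named in the controls.
CANNOT_CHANGE = "UserCannotChangePassword"
NEVER_EXPIRES = "PasswordNeverExpires"
MUST_CHANGE = "UserMustChangePasswordAtNextLogon"


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def parse_users(text):
    """Map each account name to the set of policy flags set on it."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, flags = line.partition(":")
        accounts[name.strip()] = {f.strip() for f in flags.split(",") if f.strip()}
    return accounts


def check_password_overrides(accounts, service_accounts, new_accounts):
    """Flag policy overrides on non-service accounts, and new accounts that
    are not forced to change their temporary password at next logon."""
    findings = []
    for name, flags in accounts.items():
        overrides = sorted(flags & {CANNOT_CHANGE, NEVER_EXPIRES})
        if overrides and name not in service_accounts:
            findings.append(Finding(name, "policy override set: " + ", ".join(overrides)))
        if name in new_accounts and MUST_CHANGE not in flags:
            findings.append(Finding(name, "new account not required to change password at next logon"))
    return findings


def shared_default_hashes(server_hashes, default_accounts):
    """server_hashes: {server: {account: password_hash}}. Return the default
    accounts whose hash is identical on more than one server, i.e. the same
    default password reused across servers, mapped to the sorted server list."""
    seen = {}
    for server, hashes in server_hashes.items():
        for account in default_accounts:
            if account in hashes:
                seen.setdefault((account, hashes[account]), []).append(server)
    return {acct: sorted(servers) for (acct, _), servers in seen.items() if len(servers) > 1}


# Constructed sample dump (not a real export).
SAMPLE_USERS = """\
# account:flags
nt_root:
jsmith:UserMustChangePasswordAtNextLogon
bjones:PasswordNeverExpires
svc_backup:PasswordNeverExpires,UserCannotChangePassword
tnew:
"""

# Constructed placeholder hashes (not real hashes); the same placeholder on
# two servers stands for the same default password being in use on both.
SAMPLE_HASHES = {
    "PDC1": {"nt_root": "HASH_A", "svc_backup": "HASH_S1"},
    "BDC1": {"nt_root": "HASH_A", "svc_backup": "HASH_S2"},
    "APP1": {"nt_root": "HASH_B"},
}

if __name__ == "__main__":
    accounts = parse_users(SAMPLE_USERS)
    for f in check_password_overrides(accounts, {"svc_backup"}, {"jsmith", "tnew"}):
        print(f"{f.account}: {f.issue}")
    for acct, servers in shared_default_hashes(SAMPLE_HASHES, {"nt_root", "svc_backup"}).items():
        print(f"{acct}: same password hash on {', '.join(servers)}")
```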
Domain Controller Security
5 Group Management
Control objective: The Users local group should only contain the Domain Users global group from the PDC of the Authentication Domain.
Risk: Both the Users local group and the Domain Users global group are built into the system. All domain users are by default members of the Domain Users global group. There is no need to have additional accounts in the Users local group, and doing so increases the risk that a local system resource will be abused.
Control technique: Add the Domain Users global group to the Users local group.

5 Group Management
Control objective: All user accounts, with the exception of the built-in accounts of Guest and Administrator, should be in global groups only. Global groups should be assigned to local groups. The renamed Administrator account should be the only user account in the Administrators local group.
Risk: Having all user accounts contained within global groups increases network security by simplifying administration. User accounts should never appear in local groups or have Access Control Lists (ACLs) with any object.
Control technique: Remove all user accounts from local groups and move them to a respective global group. The renamed Administrator account should be the only user account in the Administrators local group.
Implementation technique: Add the Domain Users global group to the Users local group by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the user pulldown menu.
3. Enter the server name into the Domain box.
4. Click OK.
5. Double-click on the Users Local Group.
6. Domain Users should be present.
7. If Domain Users is not present, click the Add button.
8. Select the Authentication Domain in the List Names From: box.
9. Highlight the Domain Users Global group.
10. Click the Add button.
11. Click OK to confirm the changes.
12. Click OK to close the Local Group Properties box.
13. Close User Manager.
Compliance assessment technique: Verify that the Domain Users global group is listed in the Users local group by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the user pulldown menu.
3. Enter the server or workstation name into the Domain box.
4. Click OK.
5. Double-click on the Users Local Group.
6. Verify that Domain Users is present as a member of Users.
7. Click Cancel to close.
8. Close User Manager.
Compliance verification technique: Review <servername>.groups.txt and ensure the only end user accounts in the Users local group are those accounts contained within the Domain Users global group from the Authentication Domain.

Implementation technique: Remove all user accounts from local groups and move them to a respective global group by performing the following steps:
1. Open User Manager.
2. Double-click on the appropriate Local Group.
3. Domain Users should not be present.
4. If Domain Users is not present, click the Add button.
5. Select the Authentication Domain in the List Names From: box.
6. Highlight the Domain Users Global group.
7. Click the Add button.
8. Click OK to confirm the changes.
9. Click OK to close the Local Group Properties box.
10. Close User Manager.
Compliance assessment technique: Ensure that all user accounts are members only of global groups by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the user pulldown menu.
3. Enter the server or workstation name into the Domain box.
4. Click OK.
5. Double-click on the Users Local Group.
6. Domain Users should be present.
7. Click Cancel to close.
8. Close User Manager.
Compliance verification technique: Review <servername>.groups.txt and ensure that all end user accounts assigned to local groups are done so by the use of global groups.
5 Group Management
Control objective: User accounts should be logically grouped through the use of global groups in the Authentication Domain. Users should be grouped according to similar job functions, department, or access requirements.
Risk: Global groups simplify network administration by containing logical groups of users.
Control technique: Create global groups in the Authentication Domain and add all applicable user accounts to these groups.

5 Group Management
Control objective: Naming conventions should be established and followed for all global and local groups. Global groups should have different naming standards than local groups.
Risk: Global group names, which can be easily identified, simplify network administration. This increases security because nonstandard groups can easily be identified. Groups should be named in such a fashion that the type of group, group purpose, and/or department could be identified.
Control technique: Name all local and global groups in accordance with established naming conventions.

5 Group Management
Control objective: Each group should have a description provided by the application or business manager.
Risk: Requiring all groups to have descriptions minimizes the possibility that extraneous, unneeded groups will be created. Such a group could bypass system administration and be used for unauthorized activities.
Control technique: Add an applicable and informative description for all groups.
Implementation technique: Create global groups according to corporate policy and access needs and add all applicable user accounts to these groups.
Compliance assessment technique: Verify, through discussion with the network administrator and review of written policies, that global groups have been created and are utilized in accordance with corporate policy. Ensure compliance with said policies through physical inspection via User Manager.
Compliance verification technique: Inquire with the company regarding procedures for granting users access to resources. Ensure that these procedures require administrators to add end user accounts to global groups (in the Authentication Domain), global groups to local groups, and local groups to resource permissions.

Implementation technique: Name all groups in accordance with established naming conventions.
Compliance assessment technique: Verify, through discussion with the network administrator and review of written policies, that all groups are named in accordance with corporate policy. Ensure compliance with said policies through physical inspection via User Manager. Note whether the naming conventions distinguish between local and global groups and provide for the ability to identify employee, vendor, and temporary groups.
Compliance verification technique: Obtain a copy of the company's group naming conventions and ensure that they are enforced on all local and global groups by examining the <servername>.groups.txt. Note whether the naming conventions distinguish between local and global groups and provide for the ability to identify employee, vendor, and temporary groups.

Implementation technique: For all servers, provide an applicable and informative description for all local groups by performing the following steps:
1. Using User Manager, open the appropriate Local Group.
2. Enter an applicable and informative description in the Description box.
3. Click OK to confirm the changes.
Compliance assessment technique: Verify that all servers have an applicable and informative description for all local groups by performing the following steps:
1. Open User Manager.
2. Double-click on the Local Group name.
3. Verify that an applicable and informative description exists in the Description box.
4. Click OK to exit.
5. Repeat for each local group.
Compliance verification technique: ... and ensure that all groups have an applicable and informative description.
5 Group Management
Control objective: The Backup Operators, Server Operators, Account Operators, and Print Operators local groups should only contain global groups that are authorized for this purpose.
Risk: The Backup Operators, Server Operators, Account Operators, and Print Operators local groups have several privileges associated with them, such as the ability to log on to systems interactively. Therefore, caution should be exercised when adding users to these built-in groups. Having only global groups as members of these groups helps to ensure that the groups will be properly restricted.
Control technique: Add the authorized global groups to the Backup Operators, Server Operators, Account Operators, and Print Operators local groups on each server in the Authentication and Resource Domain and any workstations in the network environment.

5 Group Management
Control objective: The special group Everyone should not be used. Using specialized groups will allow the Administrator to have better control over files and directories. Note: Certain applications, as well as the Windows NT system directory, will not function without the Everyone group in the ACL. This is more appropriate for data directories.
Risk: Using the special group Everyone is very broad and could inadvertently allow an intruder to gain access to system resources. If more broad group naming is required, the Authenticated Users group may be used as a substitute for Everyone.
Control technique: Replace references to the special group Everyone with Domain Users or Domain application groups. Note: Certain applications, as well as the Windows NT system directory, will not function without the Everyone group in the ACL. This is more appropriate for data directories.
Implementation technique: Add the authorized global groups to the Backup Operators, Server Operators, Account Operators, and Print Operators local groups on each server in the Authentication and Resource Domain and any workstations in the network environment by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the user pulldown menu.
3. Enter the server name in the Domain box.
4. Double-click on the Backup Operators local group.
5. ...
6. Select the authorized global groups.
7. ...
8. Click the OK button.
9. Repeat steps 4-8 for the Server Operators group.
10. ...
Compliance assessment technique: Verify that the authorized global groups are members of the Backup Operators, Server Operators, Account Operators, and Print Operators local groups on each server in the Authentication and Resource Domain and any workstations in the network environment by performing the following steps:
1. Open User Manager.
2. Choose Select Domain... from the user pulldown menu.
3. Enter the server name in the Domain box.
4. Double-click on the Backup Operators local group.
5. Verify that only authorized global groups are listed.
6. Click the Cancel button.
7. Repeat steps 4-6 for the Server Operators group.
8. Close User Manager.
Compliance verification technique: Review the <servername>.groups.txt and ensure that only authorized users are members of these groups.
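The three group-membership reviews of <servername>.groups.txt in this section (Users local group contains only Domain Users, user accounts never placed directly in local groups, operator groups restricted to authorized global groups) and the later rule that global groups live only in the Authentication Domain can be applied together over one dump. The Python below is an added example, not the book's; the pipe-delimited dump format, the domain name AUTH, the renamed administrator name and the sample groups are assumptions.

```python
"""Added example: group membership checks over a <servername>.groups.txt
dump for the Group Management controls. The dump format is assumed (the
book does not define one): one membership per line,
'domain|scope|group|member|member_type', where scope is local or global
and member_type is user or global."""

AUTH_DOMAIN = "AUTH"   # assumed name of the Authentication Domain
OPERATOR_GROUPS = {"Backup Operators", "Server Operators",
                   "Account Operators", "Print Operators"}


def parse_groups(text):
    """Return {(domain, scope, group): [(member, member_type), ...]}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, scope, group, member, mtype = [p.strip() for p in line.split("|")]
        groups.setdefault((domain, scope, group), []).append((member, mtype))
    return groups


def check_groups(groups, renamed_admin, authorized_operator_groups):
    """Apply the membership rules and return one finding string per violation:
      - no global groups outside the Authentication Domain
      - the Users local group contains exactly AUTH\\Domain Users
      - user accounts never sit directly in a local group, except the
        renamed Administrator account in Administrators
      - operator groups contain only the authorized global groups."""
    findings = []
    domain_users = f"{AUTH_DOMAIN}\\Domain Users"
    for (domain, scope, group), members in groups.items():
        if scope == "global":
            if domain != AUTH_DOMAIN:
                findings.append(f"{domain}\\{group}: global group outside the Authentication Domain")
            continue
        names = {m for m, _ in members}
        if group == "Users":
            if domain_users not in names:
                findings.append(f"{domain}\\Users: Domain Users global group is not a member")
            for extra in sorted(names - {domain_users}):
                findings.append(f"{domain}\\Users: unexpected member {extra}")
            continue
        for member, mtype in members:
            if mtype == "user":
                if group == "Administrators" and member == renamed_admin:
                    continue
                findings.append(f"{domain}\\{group}: user account {member} placed directly in a local group")
            elif group in OPERATOR_GROUPS and member not in authorized_operator_groups:
                findings.append(f"{domain}\\{group}: unauthorized global group {member}")
    return findings


# Constructed sample dump (not a real export): AUTH is the Authentication
# Domain, RES a resource domain, PDC1 the server whose local groups are listed.
SAMPLE_GROUPS = """\
# domain|scope|group|member|member_type
AUTH|global|Domain Users|AUTH\\jsmith|user
AUTH|global|Domain Users|AUTH\\bjones|user
AUTH|global|Backup Admins|AUTH\\bjones|user
RES|global|Finance Staff|AUTH\\jsmith|user
PDC1|local|Users|AUTH\\Domain Users|global
PDC1|local|Users|AUTH\\jsmith|user
PDC1|local|Administrators|AUTH\\nt_root|user
PDC1|local|Administrators|AUTH\\bjones|user
PDC1|local|Backup Operators|AUTH\\Backup Admins|global
PDC1|local|Backup Operators|AUTH\\Domain Users|global
PDC1|local|Print Operators|AUTH\\jsmith|user
"""

if __name__ == "__main__":
    for finding in check_groups(parse_groups(SAMPLE_GROUPS),
                                renamed_admin="AUTH\\nt_root",
                                authorized_operator_groups={"AUTH\\Backup Admins"}):
        print(finding)
```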
Implementation technique: Restrict default group access to application and system files and directories by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the file or directory to set the security permissions and select the Properties option.
... security permissions that you select on all files and subdirectories under the selected directory, while the ...
Compliance assessment technique: Verify, with the network administrator, that the special group Everyone has been replaced with Domain Users or Domain application groups. If more broad group naming is required, the Authenticated Users group may be used as a substitute for Everyone.
Compliance verification technique: Review <servername>.perms<drive letter>.txt and ensure the special group Everyone is not allowed access to any files on the system.
5 Group Management
Control objective: Other than the built-in global groups, no global groups should exist outside of the authentication domains. There is no need to create global groups on the resource domains. Doing so only decreases the ability of the network manager to effectively manage the network.
Risk: Global groups simplify network administration by containing logical groups of users.
Control technique: Delete all global groups (other than the default global groups) contained in resource domains and re-create them in the Authentication Domain.
Implementation technique (continued, restricting default group access): ... Remove button. The special group Everyone's permissions should be removed from all files and directories on the system. If all users require this access, it should be granted to the Users Local Group. ... These Permissions should be set in accordance with corporate system standards. Click the OK button to confirm these changes. After the security permissions have been changed, click the OK button to close the file and directories properties window.
5 Group Management
Control objective: Access Control Lists (ACLs) for files and directories should only specify local groups as having access. ACLs should not specify individual user accounts or global groups as being granted or revoked access.
Risk: In Windows NT, only local groups should be granted rights to resources. All users should be placed in global groups, and global groups should be placed in local groups. This ensures that the environment has a structured method of administration and decreases the possibility that users will be granted excessive rights.
Control technique: Utilize local groups to grant permissions to files and directories.

6 File System Access and Management
Control objective: The Windows NT File System (NTFS) should be used on all partitions. Additionally, there should be no unformatted space on the drive.
Risk: NTFS associates permissions with each file and directory. Using these permissions, different levels of access can be granted or denied to different groups of users. Under NT, file access is based solely on file permissions.
Control technique: All File Allocation Table (FAT) or High Performance File System (HPFS) partitions should be converted to the Windows NT file system (NTFS). HPFS is not supported under Windows NT 4.0. Any file systems in that format would have to be converted during the 3.51 to 4.0 upgrade.

6 File System Access and Management
Control objective: Application and system directories should not allow Write, Delete, Change Permissions, or Take Ownership to users. The built-in special group should have no permissions.
Risk: Granting excessive permissions to applications could lead to their abuse or deletion.
Control technique: Set the default permissions for users to be as restrictive as possible on application directories. Remove all permissions for the built-in special group of Everyone. If these types of permissions are needed, create new groups that contain the appropriate users and have the required permissions.

6 File System Access and Management
Control objective: Data files should be stored in segregated directories external to the application and system directories, possibly in the data owners' home directories, or the application-specified data directory.
Risk: Data files should be placed in separate directories to help prevent the changing of directory permission levels that may accidentally flow down to executable program files. It is also good practice to separate data from application files in order to grant the appropriate level of security for each type of file.
Control technique: Separate application files from data files.
Implementation technique: Implement a procedure to utilize local groups for granting permissions to files and directories.
Compliance assessment technique: Verify that a procedure exists to ensure that permissions for files and directories are only granted to local groups. Make certain, through discussion with the system administrator, that this procedure is followed.
Compliance verification technique: Review the <servername>.perms<drive letter>.txt and ensure that only local groups are granted access to files and directories.

Implementation technique: Open Disk Administrator, view the partition information and file system for all drives, and issue the following command to convert the FAT partitions to NTFS: At the command prompt enter the following command: ...
Compliance assessment technique: Verify that the NTFS file system is being used and that there is no unformatted or nonpartitioned space by performing the following steps:
1. Open Disk Administrator.
2. View the partition information and file system for all drives.
Compliance verification technique: Review the <servername>...<drive letter>.txt and ensure that the drives reviewed use the NTFS file system and that there is no unformatted or nonpartitioned space.

Implementation technique: Implement a procedure to set default permissions for users to be as restrictive as possible on application directories and to remove all permissions for the built-in special group Everyone. If these types of permissions are needed, create new groups that contain the appropriate users and have the required permissions.
Compliance assessment technique: Determine, with the network administrator, the appropriate (most restrictive) level of permissions for application and system directories. Verify that this level of access is granted. Ensure that the special group Everyone has no file system permissions. Under certain circumstances, ensure that new groups are created to manage relaxed permissions.
Compliance verification technique: Determine, with the network administrator, the appropriate (most restrictive) level of permissions for application and system directories. Verify that this level of access is granted by reviewing ..., ensuring that end users are not allowed excessive permissions to application files and directories. Under certain circumstances, ensure that new groups are created to manage relaxed permissions.

Implementation technique: Implement a procedure to place data files in separate directories from the application and system directories.
Compliance assessment technique: Verify that a procedure exists to ensure that application and data files are segregated. Ensure, through physical inspection, that application files and data files are located in separate directories or on separate drives.
Compliance verification technique: Verify that a procedure exists to ensure that application and data files are segregated. Ensure, through physical inspection, that application files and data files are located in separate directories or on separate drives.
6 File System Access and Management
Control objective: The c:\winnt\system32\config directory contains the SAM, audit files, and other registry files. These should be secured from unauthorized use.
Risk: If unauthorized users gain access to this directory, they could view the audit files or attempt to get access to the SAM if they crash the server.
Control technique: Restrict access to the c:\winnt\system32\config directory to prevent unauthorized access.
Implementation technique: Restrict access to the directory by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the file or directory to set the security permissions and select the Properties option.
3. ...
4. ...
The following permissions should be set:
  Administrators   Full Control
  Everyone         List
  Creator/Owner    Full Control
  System           Full Control
Compliance assessment technique: Verify that permissions on the directory comply with the recommendations by performing the following steps:
1. Right-click on the directory in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Permissions button.
5. Compare the current permissions to the recommendations.
6. Repeat for all listed directories.
Compliance verification technique: Review the <servername>.perms<system drive letter>.txt and ensure the following permissions are in place for:
Directory: C:\winnt\system32\config
Recommended permissions:
  Administrators   Full Control
  Everyone         List
  Creator/Owner    Full Control
  System           Full Control
6 File System Access and Management
Control objective: The c:\winnt\system32\spool directory contains the printer drivers and files. These should be secured from unauthorized use.
Risk: If unauthorized users gain access to this directory, they could gain access to printer settings and drivers.
Control technique: Restrict access to the c:\winnt\system32\spool directory to prevent unauthorized access.

6 File System Access and Management
Control objective: The replication directories contain login scripts, policies, and other user-sensitive data that is replicated among servers. These should be secured from unauthorized use.
Risk: If unauthorized users gain access to these directories, they could gain access to user data, policies, and login scripts. That type of information could contain password information or be replaced with Trojan horses.
Control technique: Restrict access to the replication directories so that only authorized users have access.
Implementation technique: Restrict access to replication directories by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the file or directory to set the security Permissions and select the Properties option.
3. Click the Permissions button of the Security tab.
4. Select the Replace Permissions on Subdirectories and the Replace Permissions on Existing Files check boxes as appropriate. The Replace Permissions on Subdirectories will place the security permissions that you select on all files and subdirectories under the selected directory, while the Replace Permissions on Existing Files will ensure that all files contained in the directory have the selected security permissions.
5. Click the OK button to confirm these changes.
6. After the security permissions have been changed, click the OK button to close the file and directories properties window.
The following directory permissions should be set:

Directory: C:\winnt\system32\repl
  Administrators     Full Control
  Server Operators   Full Control
  Everyone           Read
  Creator/Owner      Full Control
  System             Full Control

Directory: C:\winnt\system32\repl\import
  Administrators     Full Control
  Server Operators   Change
  Everyone           Read
  Creator/Owner      Full Control
  Replicator         Change
  Network            No Access
  System             Full Control

Directory: C:\winnt\system32\repl\export
  Administrators     Full Control
  Server Operators   Change
  Everyone           Read
  Creator/Owner      Full Control
  Replicator         Read
  Network            No Access
  System             Full Control

Compliance assessment technique: Verify that permissions on the following directories comply with the recommendations by performing the following steps:
1. Right-click on the directory in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Permissions button.
5. Compare the current permissions to the recommendations (the recommended permissions listed above).
6. Repeat for all listed directories.
Compliance verification technique: Review the <servername>.perms<system drive letter>.txt and ensure the recommended permissions listed above are in place for the directories C:\winnt\system32\repl, C:\winnt\system32\repl\import, and C:\winnt\system32\repl\export.
6 File System Access and Management
Control objective: The c:\winnt\repair directory contains a backup copy of the SAM and needs to be protected against unauthorized access.
Risk: If unauthorized users gain access to a backup copy of the SAM, they can run a password cracker and possibly guess user passwords.
Control technique: Restrict access to the c:\winnt\repair directory so that only authorized users have access.

6 File System Access and Management
Control objective: The default system shares for file systems should be disabled and re-created under standard share security. The default admin level shares are: C$, D$... and Admin$.
Risk: Windows NT creates special administrative-level shares by default that have preset security levels. These shares provide access to the root level of each NT drive and the NT system root directory.
Control technique: Document the default shares and their directories. Disable them permanently if they are not required. Re-create new shares to those directories if needed with appropriate permissions.
Implementation technique (restricting access to the repair directory): ... as appropriate. The Replace Permissions on Subdirectories will place the security permissions that you select on all files and subdirectories under the selected directory, while the Replace Permissions on Existing Files ... these changes.
6. After the security permissions have been changed, click the OK button to close the file and directories properties window.
Compliance verification technique:
Directory: C:\winnt\repair
Recommended permissions:
  Administrators   Change
  ...

Implementation technique: Disable the shares in the registry by ... 2. Select the Key ...
Compliance assessment technique: Verify the existence of the default shares by checking the Share button under the Server Manager. If none exist, verify the registry key by checking the value of the ...\Services\LanmanServer\... key.
Compliance verification technique: Review <servername>.shares.txt to ensure only authorized users are allowed access to the shares.
7 Sensitive System Privileges and Utilities
Control objective: Permissions on shares must not allow Write, Delete, Change Permissions, or Take Ownership to the special group Everyone. Permissions on shares should be equivalent to the permissions on files within the share.
Risk: Shares allow users to access resources remotely on the network. Consequently, care should be taken when granting share rights. In particular the default system groups should not be granted permissions that would allow members of these groups to abuse the system.
Control technique: Set the default permissions for the default group Users in accordance with permissions set on the files within the share. The built-in special group Everyone's access should be removed on all share permissions.
Implementation technique: Restrict share permissions by performing the following steps:
1. Using the Server Manager, highlight the applicable server and select the shared directories option under the Computer menu.
2. Highlight the share and view its properties by selecting the Properties button.
3. Click on the Permissions button to view the Users who have access to this share via the network.
4. Click the Add button to include the applicable groups to be granted access to this share and select the groups you wish to grant access to. When you have selected all the applicable groups, click the OK button to confirm these additions.
5. Grant the Type of Access for each group by highlighting the applicable group and selecting the access from the Type of Access box. These Permissions should be set in accordance with corporate system standards.
6. If the special group Everyone has access to the share, this access should be removed by highlighting the member and clicking the Remove button.
7. Click the OK button and then the Yes button to confirm these changes.
Compliance assessment technique: Verify that share permissions are properly restricted by performing the following steps:
1. Open Server Manager.
2. Highlight the applicable server and select the shared directories option under the Computer menu.
3. Highlight the share and view its properties by clicking the Properties button.
4. Click on the Permissions button to view the Users who have access to this share via the network.
5. Verify that only appropriate groups have been granted access to this share. Verify that the special group Everyone does not have access.
6. Click the Cancel button to close.
7. Repeat for all shares.
8. Close Server Manager.
Compliance verification technique: Review <servername>.shares.txt to ensure only authorized users are allowed access to the shares. Permissions should only be granted to groups. The special group Everyone should not be allowed access to the share.
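The recommended directory permissions given earlier for the config and replication directories, the rule that Everyone holds no Write, Delete, Change Permissions or Take Ownership on application directories, and the share rules of this control can all be checked against the <servername>.perms<drive letter>.txt and <servername>.shares.txt dumps. The Python below is an added example, not the book's; the pipe-delimited dump formats, the D:\apps\payroll directory and the sample shares are assumptions.

```python
"""Added example: compare NTFS ACLs in a <servername>.perms<drive>.txt dump
against the recommended permissions for the config and replication
directories, check that Everyone holds nothing beyond Read/List on
application directories, and check share ACLs in <servername>.shares.txt.
Both dump formats are assumptions (the book defines none):
  perms:  'path|trustee|permission'
  shares: 'share|trustee|trustee_type|permission'  (trustee_type user/group)
"""

RECOMMENDED = {
    r"C:\winnt\system32\config": {
        ("Administrators", "Full Control"), ("Everyone", "List"),
        ("Creator/Owner", "Full Control"), ("System", "Full Control")},
    r"C:\winnt\system32\repl": {
        ("Administrators", "Full Control"), ("Server Operators", "Full Control"),
        ("Everyone", "Read"), ("Creator/Owner", "Full Control"),
        ("System", "Full Control")},
    r"C:\winnt\system32\repl\import": {
        ("Administrators", "Full Control"), ("Server Operators", "Change"),
        ("Everyone", "Read"), ("Creator/Owner", "Full Control"),
        ("Replicator", "Change"), ("Network", "No Access"),
        ("System", "Full Control")},
    r"C:\winnt\system32\repl\export": {
        ("Administrators", "Full Control"), ("Server Operators", "Change"),
        ("Everyone", "Read"), ("Creator/Owner", "Full Control"),
        ("Replicator", "Read"), ("Network", "No Access"),
        ("System", "Full Control")},
}

# Standard NT permission sets that include Write, Delete, Change Permissions
# or Take Ownership; the control says Everyone must not hold these on
# application or system directories.
EXCESSIVE = {"Full Control", "Change", "Add", "Add & Read", "Special Access"}


def _records(text, fields):
    """Yield the pipe-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = [p.strip() for p in line.split("|")]
            if len(parts) != fields:
                raise ValueError(f"malformed line: {line!r}")
            yield parts


def parse_perms(text):
    """Return {path (lower-cased): {(trustee, permission), ...}}."""
    acls = {}
    for path, trustee, perm in _records(text, 3):
        acls.setdefault(path.lower(), set()).add((trustee, perm))
    return acls


def compare_recommended(acls, recommended=RECOMMENDED):
    """Report each directory absent from the dump, and every entry missing
    from or added to its recommended ACL."""
    findings = []
    for path, expected in recommended.items():
        actual = acls.get(path.lower())
        if actual is None:
            findings.append(f"{path}: directory not present in dump")
            continue
        for trustee, perm in sorted(expected - actual):
            findings.append(f"{path}: missing {trustee} {perm}")
        for trustee, perm in sorted(actual - expected):
            findings.append(f"{path}: unexpected {trustee} {perm}")
    return findings


def check_everyone(acls, app_dirs):
    """Flag application/system directories where Everyone has an excessive
    permission set (anything beyond Read or List)."""
    return [f"{d}: Everyone has {perm}"
            for d in app_dirs
            for trustee, perm in sorted(acls.get(d.lower(), ()))
            if trustee == "Everyone" and perm in EXCESSIVE]


def check_shares(text):
    """Share permissions go to groups only, and never to Everyone."""
    findings = []
    for share, trustee, ttype, perm in _records(text, 4):
        if trustee == "Everyone":
            findings.append(f"{share}: Everyone granted {perm}")
        elif ttype == "user":
            findings.append(f"{share}: {perm} granted to user account {trustee}")
    return findings


# Constructed sample dumps (not real exports).
SAMPLE_PERMS = r"""
C:\winnt\system32\config|Administrators|Full Control
C:\winnt\system32\config|Everyone|List
C:\winnt\system32\config|Creator/Owner|Full Control
C:\winnt\system32\config|System|Full Control
C:\winnt\system32\repl\import|Administrators|Full Control
C:\winnt\system32\repl\import|Server Operators|Change
C:\winnt\system32\repl\import|Everyone|Change
C:\winnt\system32\repl\import|Creator/Owner|Full Control
C:\winnt\system32\repl\import|Replicator|Change
C:\winnt\system32\repl\import|Network|No Access
C:\winnt\system32\repl\import|System|Full Control
D:\apps\payroll|Everyone|Change
D:\apps\payroll|Payroll Users|Read
"""
SAMPLE_SHARES = """
PAYROLL|Everyone|group|Full Control
PAYROLL|Payroll Users|group|Change
PUBLIC|jsmith|user|Read
"""

if __name__ == "__main__":
    acls = parse_perms(SAMPLE_PERMS)
    for f in (compare_recommended(acls)
              + check_everyone(acls, [r"D:\apps\payroll"])
              + check_shares(SAMPLE_SHARES)):
        print(f)
```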
8 Maintenance and Operations
Control objective: If standard user profiles are used they should be maintained on the PDC.
Risk: If standard profiles are utilized they should reside on the PDC, where their access can be controlled and changes can be monitored. Having standard user profiles on local systems can easily lead to their modification and/or abuse.
Control technique: Move all standard user profiles, if implemented, to the PDC in the Authentication Domain.
Implementation technique: For all servers, disable the ability for normal users to access sensitive system utilities by performing the following steps:
1. Open the Windows NT Explorer.
2. Right-click on the utility to be restricted and select the ...
3. ...
4. Click the Add button to include the applicable groups to be granted security permissions.
5. Select the groups you wish to add to the security permissions. When you have selected all the applicable groups, click the OK button to confirm these additions.
6. Grant the Type of Access for each group by highlighting ... These permissions should be set in accordance with corporate system standards.
7. If the special group Everyone or the group Users have permissions to the utility, they ...
8. ... these changes.
9. After the security permissions have been changed, click the OK button to close the file properties windows.
Compliance assessment technique: Verify, through discussion with the network administrator and physical inspection, that sensitive system utilities are properly restricted.
Compliance verification technique: ... and ensure the sensitive system utilities are properly protected. Sensitive utilities include:
  Poledit.exe
  User Manager for Domains
  Server Manager
  Resource kit utilities
  Auditing tools

Implementation technique: Move all standard user profiles, if implemented, to the PDC in the authentication domain.
Compliance assessment technique: If standard profiles are used, verify, through discussion with the network administrator and physical inspection, that all such profiles reside in the Authentication Domain and obtain the applicable policies and procedures.
Compliance verification technique: If standard profiles are used, verify, through discussion with the network administrator and physical inspection, that all such profiles reside in the Authentication Domain and obtain the applicable policies and procedures.
9 Fault Tolerance, Backup, and Recovery
Control objective: A disaster recovery plan should be set in accordance with corporate security standards and guidelines.
Risk: Without a properly configured and tested disaster recovery plan, the system is open to extended downtime.
Control technique: Establish a proper backup rotation plan in accordance with company policy. The registry must be backed up using a third-party backup tool or the regback utility from the resource kit. Backups should be cycled through an off-site storage location along with the copies of the emergency repair disks.
Note: Be sure to run RDISWS Inquire with the company regarding Inquire with the company regarding
before backups are createdso that policies and procedures for updating policies and procedures for updating
the Repair directoryis up to date. of the Emergency Repair Disk on of the Emergency Repair Disk on
periodic basis. Check the file dates periodic basis.Review the
in the repair directory to assure
they <~e~ername>,dir<5y~t
are not outof date. drive>.txt and ensure the dateson
the files in the< ~ y ~ e ~
drive>:~innt~epair are current.
NIA Inquire with the company regarding Inquire with the company regarding
the controls in place to mitigate a the controls in place to mitigate a
loss of power. If the serveris loss of power. If the serveris
protected by an individual U P S , protected by an individual UPS,
inquire whether the UPS is inquire whether the UPS is
integrated with Windows NI’ i n t e g r a t ~with WindowsNT
operating system. Then, ensure that operating system. Then, ensure that
the PDC is connected to a the PDC is connected to a
functioning U P S system. functioning W S system.
Run RDISK and click“Create Ensure that a procedure is in placeto Ensure that a procedure in is place to
~ e p a i rDirrk.” create, update, physically secure, create, update, physically secure,
retrieve, and utilize the Emergency retrieve, and utilize the Emergency
Reminder: RDISK only creates the Repair Disk. Verify that the Repair Disk.Verify that the
default i n f o ~ a t i o non the disk Emergency Repair Disk exists, is not Emergency Repair Disk exists, is not
when the /S switch is not used. out of date, and is physic~ly out of date, and is physically
secured. Ensure that proper secured. Ensure that proper
individuals are aware of the recovery individuals are aware of the recovery
process. process.
No. 11 Auditing, Logging, and Monitoring
Control Objective: Auditing should be enabled for File and Object Access.
Risk: Without auditing on files and objects, hackers might have enough time to figure out a way around compensating controls. For example, hackers might try to access files they do not have read access to. In addition, it is possible to detect a virus outbreak if write access auditing for program files, .dll extensions, is enabled.
Control Technique: Enable auditing for file and object access for success and failure.
Implementation Techniques: Remove the default community "public" and input the correct name by performing the following steps:
1. Open Control Panel's Network applet.
2. Choose the Services tab.
3. Double-click the SNMP service.
4. Disable the "public" community and enter the correct community name.
5. Click OK.
Compliance Assessment Techniques: Verify that the default community "public" is not being used by performing the following steps:
1. Open Control Panel.
2. Double-click the Network applet.
3. Choose the Services tab.
4. Double-click the SNMP service.
5. View the community settings.
6. Click OK.
Compliance Verification Techniques: Inquire with the company whether SNMP is being used to monitor the server. If SNMP is being utilized, inquire whether the community name has been changed from "public" to a difficult-to-guess name.
Implementation Techniques: Enable the Auditing for system logons and logoff by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable both the Success and Failure check boxes for the Logon and Logoff auditing option.
4. Click the OK button to confirm these changes.
Compliance Assessment Techniques: Verify that Auditing has been enabled for system logons and logoff by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the Logon and Logoff auditing option have been selected.
5. Click the OK button to exit.
Compliance Verification Techniques: Review <servername>.policies.txt to ensure auditing is enabled for successes and failures for logons and logoffs.

Implementation Techniques: Enable the Auditing for file and object access by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable both the Success and Failure check boxes for the File and Object Access auditing option.
4. Click the OK button to confirm these changes.
Compliance Assessment Techniques: Verify that Auditing has been enabled for system file and object access by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the File and Object Access auditing option have been selected.
5. Click the OK button to exit.
Compliance Verification Techniques: Review <servername>.policies.txt to ensure auditing is enabled for successes and failures for file and object access.
Domain Controller Security

No. 11 Auditing, Logging, and Monitoring
Control Objective: Auditing should be enabled for User and Group Management.
Risk: If a user is granted access above what they deserve, it would be important to know who made those changes. Without auditing User and Group Management, it would be impossible to know within Windows NT.
Control Technique: Enable auditing for User and Group Management success and failure.

No. 11 Auditing, Logging, and Monitoring
Control Objective: Auditing should be enabled for Security Policy Changes.
Risk: If changes are made to the Security Policy, where users are granted access to resources they should not have been, it is important for an administrator to be able to determine who made those changes.
Control Technique: Enable auditing for Security Policy Changes success and failure.
Implementation Techniques: Enable the Auditing for Use of User Rights by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable the Failure check box for the Use of User Rights auditing option.
4. Click the OK button to confirm these changes.
Compliance Assessment Techniques: Verify that Auditing has been enabled for Use of User Rights by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that the Failure check box for the Use of User Rights auditing option has been selected.
5. Click the OK button to exit.
Compliance Verification Techniques: Review <servername>.policies.txt to ensure auditing is enabled for failures for Use of User Rights.

Implementation Techniques: Enable the Auditing for User and Group Management by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable both the Success and Failure check boxes for the User and Group Management auditing option.
4. Click the OK button to confirm these changes.
Compliance Assessment Techniques: Verify that Auditing has been enabled for User and Group Management by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the User and Group Management auditing option have been selected.
5. Click the OK button to exit.
Compliance Verification Techniques: Review <servername>.policies.txt to ensure auditing is enabled for successes and failures for User and Group Management.

Implementation Techniques: Enable the Auditing for Security Policy Changes by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable both the Success and Failure check boxes for the Security Policy Changes auditing option.
4. Click the OK button to confirm these changes.
Compliance Assessment Techniques: Verify that Auditing has been enabled for Security Policy Changes by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the Security Policy Changes auditing option have been selected.
5. Click the OK button to exit.
Compliance Verification Techniques: Review <servername>.policies.txt to ensure auditing is enabled for successes and failures for Security Policy Changes.
No. 11 Auditing, Logging, and Monitoring
Control Objective: Auditing should be disabled for Process Tracking.
Risk: Process Tracking will not help much in determining any security breaches. It is more useful for debugging a program that doesn't function correctly. If used, Process Tracking will generate thousands of audit entries in a few seconds, thereby flooding the log.
Control Technique: Do not select success or failure for Process Tracking.

Implementation Techniques: Enable the Auditing for Restart, Shutdown, and System by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Enable both the Success and Failure check boxes for the Restart, Shutdown, and System auditing option.
4. Click the OK button to confirm these changes.
Compliance Assessment Techniques: Verify that Auditing has been enabled for Restart, Shutdown, and System by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the Restart, Shutdown, and System auditing option have been selected.
5. Click the OK button to exit.
Compliance Verification Techniques: Review <servername>.policies.txt to ensure auditing is enabled for successes and failures for Restart, Shutdown, and System.

Implementation Techniques: Disable auditing for Process Tracking by performing the following steps:
1. Using the User Manager, select the Audit option from the Policies menu.
2. Ensure the Audit These Events button is selected.
3. Deselect both the Success and Failure check boxes for the Process Tracking auditing option.
4. Click the OK button to confirm these changes.
Compliance Assessment Techniques: Verify that Auditing has been disabled for Process Tracking by performing the following steps:
1. Open User Manager.
2. Select the Audit option from the Policies menu.
3. Ensure the Audit These Events radio button is selected.
4. Verify that both the Success and Failure check boxes for the Process Tracking auditing option have been deselected.
5. Click the OK button to exit.
Compliance Verification Techniques: Review <servername>.policies.txt to ensure auditing is not enabled for successes and failures for Process Tracking.
No. 11 Auditing, Logging, and Monitoring
Control Objective: Logs containing auditing information should be secured.
Risk: Audit logs may contain sensitive information about the system and can be used to compromise the system. In addition, if logs are unsecured it would be possible to delete them in order to eliminate an audit trail.
Control Technique: Logs should be secured to prevent them from being viewed or deleted by unauthorized individuals.

No. 11 Auditing, Logging, and Monitoring
Control Objective: All audit files should be archived and purged in accordance with corporate standards.
Risk: Having all reviewed audit files archived and purged ensures that if they are needed they will be available and at the same time guarantees that unauthorized users cannot peruse the audit files to identify system patterns.
Control Technique: After audit files have been adequately reviewed in accordance with corporate standards and guidelines, all audit files should be archived and purged.

Implementation Techniques: The Auditors and System groups should have Full Control of the following files and no other permissions should be specified:
Files:
c:\winnt\system32\config\APPEVENT.EVT
c:\winnt\system32\config\SECEVENT.EVT
c:\winnt\system32\config\SYSEVENT.EVT
Note: The System group is a built-in special group, and the Auditors group will need to be created by an administrator.
Compliance Assessment Techniques: Verify that permissions on the files listed above comply with the recommendations by performing the following steps:
1. Right-click on the file in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Permissions button.
5. Compare the current permissions to the recommendations.
6. Repeat for all listed files.
Recommended Permissions: Auditors group: Read; System group: Change.
Compliance Verification Techniques: Review the <servername>.perms<system drive letter>.txt and ensure the following for the files listed above:
Recommended Permissions: Auditors group: Read; System group: Change.

Implementation Techniques: Review the audit files in accordance with corporate standards and guidelines. Properly back up the audit logs and then purge them from the system.
Compliance Assessment Techniques: Ensure that policies exist to archive and purge audit files. Verify, through discussion with the network administrator, that these procedures are followed.
Compliance Verification Techniques: As for the assessment technique above.
Domain Controller Security

No. 11 Auditing, Logging, and Monitoring
Control Objective: Auditing of sensitive system and application files and directories should be enabled.
Risk: Auditing access to sensitive system and application files and directories increases the chances that unauthorized access to the system will be detected and terminated in a timely manner.
Control Technique: Enable the Windows NT native auditing feature on all sensitive system and application files and directories.

Implementation Techniques: Enable the Windows NT native auditing feature on all sensitive system and application files and directories. Identify these directories per the corporate standards. In addition, the Windows NT system directories and the files within them should be audited. The following items should be audited:
Write: Select Success & Failure
Delete: Select Success & Failure
Change Permissions: Select Success & Failure
Take Ownership: Select Success & Failure
Compliance Assessment Techniques: Verify that the Windows NT native auditing feature has been enabled for all sensitive system and application files and directories by performing the following steps:
1. Right-click on the directory in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Click the Auditing button.
5. Compare the current audit settings to the recommendations.
6. Repeat for all listed directories.
Directories: Those stated in the best practices, plus the Windows NT system directories identified in the implementation technique.
Recommended Settings: Write, Delete, Change Permissions, and Take Ownership: Select Success & Failure for each.
Compliance Verification Techniques: Review the <servername>.perms<system drive letter>.txt and ensure the sensitive system files are being audited for the following actions:
Directories: Those stated in the best practices, plus the Windows NT system directories identified in the implementation technique.
Recommended Settings: Write, Delete, Change Permissions, and Take Ownership: Select Success & Failure for each.
No. 12 Auditing, Logging, and Monitoring
Control Objective: Auditing of sensitive system registry keys should be enabled.
Risk: Auditing access to sensitive system registry keys increases the chances that unauthorized access to the system will be detected and terminated in a timely manner.
Control Technique: Enable the Windows NT native auditing feature on all sensitive system registry keys.

Implementation Techniques: Enable the Windows NT native auditing feature on all sensitive system registry keys. Identify these keys per the corporate standards. In addition, the following keys should be audited:
Keys:
HKLM\SYSTEM
HKLM\SOFTWARE
HKCR
The following items should be audited:
Set Value: Select Success & Failure
Create Subkey: Select Success & Failure
Create Link: Select Success & Failure
Delete: Select Success & Failure
Write DAC: Select Success & Failure
Compliance Assessment Techniques: Verify that the Windows NT native auditing feature has been enabled for all sensitive system registry keys by performing the following steps:
1. Open regedt32.
2. Select the key.
3. Choose Auditing... from the Security menu.
4. Compare the current audit settings to the recommendations.
5. Repeat for all listed keys.
Keys: Those stated in the best practices, plus HKLM\SYSTEM, HKLM\SOFTWARE, and HKCR.
Recommended Settings: Set Value, Create Subkey, Create Link, Delete, and Write DAC: Select Success & Failure for each.
Compliance Verification Techniques: Ensure the following portions of the registry are being audited for the following actions:
Keys: Those stated in the best practices, plus HKLM\SYSTEM, HKLM\SOFTWARE, and HKCR.
Recommended Settings: Set Value, Create Subkey, Create Link, Delete, and Write DAC: Select Success & Failure for each.
No. 11 Auditing, Logging, and Monitoring
Control Objective: The event viewer should be allocated sufficient space for audit logs.
Risk: If events are overwritten before they can be reviewed, there is an increased risk that continuous unauthorized activity may go undetected.
Control Technique: The event viewer should be allocated adequate disk space to store all audit logs. The disk space needed should be based on the size of the domain and the review intervals of the audit logs.

No. 12 Security Administration Activities
Control Objective: Unauthorized individuals should not be allowed to remotely edit the registry.
Risk: There is an increased risk that an unauthorized user may gain knowledge about the PDC and domain and even attack the system with denial of services or Trojan horses, if they can access the registry.
Control Technique: Set the winreg registry key permissions to comply with corporate standards. Industry guidelines state that only Administrators have full control.
Implementation Techniques: Set the amount of space that is being allocated by performing the following steps:
1. Open Event Viewer.
2. Select Log Settings... from the Log pulldown menu.
3. Select the appropriate log file in the Change Settings for Log box. Set the log settings according to corporate standards. The following are industry guidelines:
Security: 5-10 MB (Overwrite after 14 days)
System: 1-2 MB (Overwrite after 14 days)
Application: 1-2 MB (Overwrite as needed)
4. Click Close.
Note: If a log is set in the above manner, for example, Security Log 5 MB, 14 days, the log can be filled the first day, and no events would be logged for the next 13 days. Log sizes should be based on the size of the system including the number of users if logon and logoff is going to be tracked.
Compliance Assessment Techniques: Verify that sufficient space is allocated for log files by performing the following steps:
1. Open Event Viewer.
2. Select Log Settings... from the Log pulldown menu.
3. Select the appropriate log file in the Change Settings for Log box.
4. Compare current settings to the recommended settings.
5. Click Cancel.
6. Close Event Viewer.
Log: Security. Settings: 5-10 MB (Overwrite after 14 days)
Log: System. Settings: 1-2 MB (Overwrite after 14 days)
Log: Application. Settings: 1-2 MB (Overwrite as needed)
Note: If a log is set in the above manner, for example, Security Log 5 MB, 14 days, the log can be filled the first day, and no events would be logged for the next 13 days.
Compliance Verification Techniques: Review the MaxSize value for each log and ensure adequate disk space is allocated:
Log: Security. Settings: 5-10 MB (Overwrite after 14 days)
Log: System. Settings: 1-2 MB (Overwrite after 14 days)
Log: Application. Settings: 1-2 MB (Overwrite as needed)
Note: If a log is set in the above manner, for example, Security Log 5 MB, 14 days, the log can be filled the first day, and no events would be logged for the next 13 days. Log sizes should be based on the size of the system including the number of users if logon and logoff is going to be tracked.
No. 12 Security Administration Activities
Control Objective: Parts of the registry run programs at startup and should be configured to not allow unauthorized users to edit the list of programs.
Risk: With its default permission levels, any locally logged on user can change the value of the Run key to point to a Trojan horse program. This Trojan horse can be anything from malicious code to a program that, when run as administrator equivalent, dumps the password hash.
Control Technique: Set the Run and RunOnce registry keys' permissions to comply with corporate standards or industry guidelines.

Implementation Techniques: Secure the Run and RunOnce registry keys by performing the following steps:
1. Open regedt32.
2. Select the following keys independently:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
3. Choose Security | Permissions from the pull-down menu bar.
4. The permissions should be in accordance with corporate standards. Industry guidelines state:
Creator Owner: Full Control
Administrator: Full Control
System: Full Control
Everyone: Read
5. Close regedt32.
Compliance Assessment Techniques: Verify an appropriate security setting on the Run and RunOnce registry keys by performing the following steps:
1. Open regedt32.
2. Select the appropriate key.
3. Choose Permissions... from the Security pulldown menu.
4. Compare the permissions to the recommended settings.
5. Close regedt32.
Keys: the Run and RunOnce keys listed above.
Recommended Settings: as in the industry guidelines above.
Compliance Verification Techniques: Review <servername>.run.txt and ensure the following:
Keys: the Run and RunOnce keys listed above.
Recommended Settings:
Creator Owner: Full Control
Administrator: Full Control
System: Full Control
Everyone: Read
No. 12 Security Administration Activities
Control Objective: Parts of the registry contain sensitive system information like performance data, the logon process, and security information. These registry keys should be configured to not allow unauthorized users to edit the list of programs.
Risk: If an unauthorized user could read these registry keys, they might gain access to sensitive system resources or be able to learn information about the PDC.
Control Technique: Set the permissions of the registry keys listed in the implementation checklist to comply with corporate standards or industry guidelines.

No. 12 Security Administration Activities
Control Objective: Certain registry keys should be secured to prevent unauthorized access to the PDC's configuration.
Risk: If an unauthorized user could read these registry keys, they might be able to launch a denial of service attack or upload a Trojan horse.
Control Technique: Set the permissions of the registry keys listed in the implementation checklist to comply with corporate standards or industry guidelines.

Implementation Techniques: Secure the following registry keys by performing these steps independently for each key:
Keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerfLib
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\System\CurrentControlSet\Control\LSA
HKLM\System\CurrentControlSet\Services\LanmanServer\Shares
1. Open regedt32.
2. Select the key.
3. Choose Security | Permissions from the pull-down menu bar.
4. The permissions should be in accordance with corporate standards. Industry guidelines state:
Creator Owner: Full Control
Administrator: Full Control
System: Full Control
Everyone: Read
5. Close regedt32.
Compliance Assessment Techniques: Verify that appropriate security settings exist on the registry keys listed above by performing these steps independently for each key:
1. Open regedt32.
2. Select the key.
3. Choose Permissions... from the Security pulldown menu.
4. Compare the permissions to the recommended settings.
5. Close regedt32.
Recommended Settings: as in the industry guidelines above.
Compliance Verification Techniques: Ensure the permissions on the keys listed above match the following:
Recommended Settings:
Creator Owner: Full Control
Administrator: Full Control
System: Full Control
Everyone: Read
Implementation Techniques: Secure the following registry keys by performing these steps independently for each key:
Keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Embedding
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDrivers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontCache
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCIExtensions
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Port (all subkeys)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Type1Installer
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows3.1MigrationStatus (all subkeys)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW (all subkeys)
HKLM\System\CurrentControlSet\Services\UPS
HKEY_USERS\.default
1. Open regedt32.
2. Select the key.
3. Choose Security | Permissions from the pull-down menu bar.
4. The permissions should be in accordance with corporate standards. Industry guidelines state:
Creator Owner: Full Control
Administrator: Full Control
System: Full Control
Everyone: Read
5. Close regedt32.
Compliance Assessment Techniques: Verify that appropriate security settings exist on the registry keys listed above by performing these steps independently for each key:
1. Open regedt32.
2. Select the key.
3. Choose Permissions... from the Security pulldown menu.
4. Compare the permissions to the recommended settings.
5. Close regedt32.
Recommended Settings: as in the industry guidelines above.
Compliance Verification Techniques: Review <servername>.hklm.txt and ensure the permissions on HKCR (all subkeys) and on the keys listed above are restricted to only authorized users.
Recommended Settings:
Creator Owner: Full Control
Administrator: Full Control
System: Full Control
Everyone: Read
No. 12 Security Administration Activities
Control Objective: The last username and default username should not be displayed at logon.
Risk: There is an increased risk that an unauthorized user may gain knowledge of the company domain naming standards and a name to use in gaining access to the domain if the last username is displayed at logon.
Control Technique: Set the DontDisplayLastUserName registry key to a value of 1 and delete any username contained within the registry key DefaultUserName.

No. 12 Security Administration Activities
Control Objective: It should not be possible to shut down the PDC without logging on.
Risk: If users could shut down the PDC without logging on, no audit trail would be created, and unauthorized users might be able to shut the PDC down.
Control Technique: Set the ShutdownWithoutLogon registry entry with a value of 0.

No. 12 Security Administration Activities
Control Objective: The system should not be shut down if the audit log becomes full.
Risk: In some cases, it might be necessary to shut down the server when the audit log becomes full, ensuring that an audit trail is always in existence. However, it is not normally necessary to enable this on a PDC.
Control Technique: Set the CrashOnAuditFail registry entry with a value of 0. A value of 1 should be set under certain circumstances to shut down the machine but is normally unnecessary.

No. 12 Security Administration Activities
Control Objective: The auditing of all user rights should be disabled.
Risk: Auditing all user rights will generate a very large number of audit entries if all user rights, including Bypass traverse checking, are enabled.
Control Technique: Set the FullPrivilegeAuditing registry entry with a value of 0. A value of 1 should be set under certain circumstances to audit all user rights but is normally unnecessary.

Compliance Assessment Techniques: Verify that the DontDisplayLastUserName registry entry is set to a value of 1 by performing the following steps:
1. Open regedt32.
Compliance Verification Techniques: Review <servername>.winlogon.txt and ensure the value ShutdownWithoutLogon is set to 0.
No. 12 Security Administration Activities
Control Objective: If all computers run Windows NT, then only Windows NT Challenge Response authentication should be accepted.
Risk: Windows NT supports LanManager Challenge Response and Windows NT Challenge Response authentication. Because LanManager uses a weaker form of encryption, a hacker may potentially be able to crack the password hash if they sniff it as it traverses the network.
Control Technique: Set the LMCompatibilityLevel registry entry with a value of 2 if all computers run Windows NT. Otherwise, set it to a value of 1, which only sends the LM hash if it is required. Note: This requires the LM hot fix or Service Pack 4.
No. 12 Security Administration Activities
Control Objective: Only administrators should be scheduling jobs.
Risk: The schedule service could potentially allow an unauthorized user to execute malicious code as an administrator.
Control Technique: Set the SubmitControl registry entry with a value of 0.

No. 12 Security Administration Activities
Control Objective: Individuals should only be members of the Administrators group if absolutely necessary. Individuals managing files and shares should be Server Operators. Individuals managing accounts should be Account Operators. Individuals managing printers should be Print Operators, and individuals performing backups should be Backup Operators. These accounts should not be allowed to log on locally except for Administrators and Backup Operators if backups of the PDC are not done remotely.
Risk: Assigning individuals to the Administrators group may grant them excess user rights. These excess rights may allow them to perform unwarranted administrative functions.
Control Technique: Grant individuals the minimum necessary rights to perform their job function by placing them in appropriate user groups.
Implementation Techniques: Set the LMCompatibilityLevel registry entry (set to 2 if all computers are Windows NT) by performing the following steps:
1. Open regedt32.
2. Select the hive HKLM\System\CurrentControlSet\Control\LSA.
3. Set the LMCompatibilityLevel value to 1 or 2.
4. Close regedt32.
Compliance Assessment Techniques: Verify that the LMCompatibilityLevel registry entry is set to a value of 1 or 2 by performing the following steps:
1. Open regedt32.
2. Select the hive HKLM\System\CurrentControlSet\Control\LSA.
3. Verify that the key LMCompatibilityLevel is set to 1 or 2.
4. Close regedt32.
Compliance Verification Techniques: Review <servername>.lsa.txt and review the value LMCompatibilityLevel. If the environment being reviewed is strictly Windows NT, the value should be equal to 2. If the environment is mixed, the value should be equal to 1.
No. 12 Security Administration Activities
Control Objective: The Guest account should not be able to view the System Event Log and the Application Event Log.
Risk: The System and Application Event Log could contain sensitive information about the PDC that guests could use to attack the system.
Control Technique: Set the RestrictGuestAccess registry entry with a value of 1.

No. 12 Security Administration Activities
Control Objective: The "Access this Computer from the Network" standard user right should be restricted to ensure the PDC is secure from outside threats and that if Administrators accounts are compromised, the entire domain won't be.
Risk: If an Administrator account is compromised, it would not be able to compromise the PDC from the network. In addition, nonauthorized users will not be able to access the PDC from the network.
Control Technique: Restrict who can access the PDC from the network.

Implementation Techniques: Set the RestrictGuestAccess registry entry to a value of 1 by performing the following steps:
1. Open regedt32.
2. Select the following hives independently:
HKLM\System\CurrentControlSet\Services\EventLog\Application
Compliance Assessment Techniques: Verify that the RestrictGuestAccess registry entry is set to a value of 1 by performing the following steps:
1. Open regedt32.
2. Select the following hives independently:
HKLM\System\CurrentControlSet\Services\EventLog\Application
Compliance Verification Techniques: Review <servername>.eventlog.txt and ensure the value RestrictGuestAccess is set to 1 for the system, application, and security entries.
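The registry-based controls in this part of the checklist (DontDisplayLastUserName and DefaultUserName, ShutdownWithoutLogon, CrashOnAuditFail, FullPrivilegeAuditing, LMCompatibilityLevel, SubmitControl, RestrictGuestAccess) and the event log MaxSize guideline can be verified from a registry export rather than key by key in regedt32. The following Python is an added example, not code from the book or from any Microsoft tool: it parses a REGEDIT4-style export (the text format regedit.exe writes) and reports every value that deviates from the recommended settings. The export text in the block is constructed for illustration, and the value types assumed (REG_SZ strings under Winlogon, REG_DWORD and REG_BINARY under Lsa and EventLog) are how Windows NT stores these values.

```python
# Added example (not from the book): parse a REGEDIT4 registry export and
# report values that deviate from the checklist's recommended settings.
import re

# Key paths named in the checklist, as Windows NT stores them.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
EVENTLOG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog"
MB = 1024 * 1024

# Constructed sample export for illustration; not captured from a real server.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
"DefaultUserName"="ntadmin"
"ShutdownWithoutLogon"="0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"CrashOnAuditFail"=dword:00000000
"FullPrivilegeAuditing"=hex:00
"LMCompatibilityLevel"=dword:00000000
"SubmitControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"RestrictGuestAccess"=dword:00000001
"MaxSize"=dword:00100000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"RestrictGuestAccess"=dword:00000000
"MaxSize"=dword:00100000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"MaxSize"=dword:00080000
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def _decode(raw):
    """REG_DWORD (dword:) and REG_BINARY (hex:) become ints, REG_SZ a bare string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        data = bytes(int(b, 16) for b in raw[4:].split(",") if b)
        return int.from_bytes(data, "little")
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw

def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = _decode(m.group(2))
    return result

def check_registry(text, nt_only=True):
    """Return (key, value_name, actual, expected) for every deviation; an
    absent value counts too, because the Windows NT default then applies."""
    reg = parse_reg_export(text)
    wanted = [
        (WINLOGON, "DontDisplayLastUserName", 1),
        (WINLOGON, "ShutdownWithoutLogon", 0),
        (LSA, "CrashOnAuditFail", 0),
        (LSA, "FullPrivilegeAuditing", 0),
        # 2: accept only NT challenge/response; 1: send the LM hash only if required.
        (LSA, "LMCompatibilityLevel", 2 if nt_only else 1),
        (LSA, "SubmitControl", 0),
    ]
    for log in ("Application", "System", "Security"):
        wanted.append((EVENTLOG + "\\" + log, "RestrictGuestAccess", 1))
    findings = []
    for key, name, expected in wanted:
        actual = reg.get(key, {}).get(name)
        if isinstance(actual, str) and actual.isdigit():
            actual = int(actual)  # Winlogon keeps its flags as REG_SZ "0"/"1"
        if actual != expected:
            findings.append((key, name, actual, expected))
    # No account name should be pre-filled in the logon dialog.
    default_user = reg.get(WINLOGON, {}).get("DefaultUserName", "")
    if default_user:
        findings.append((WINLOGON, "DefaultUserName", default_user, ""))
    # Industry guideline sizes from the checklist: Security 5-10 MB, others 1-2 MB.
    for log, minimum in (("Security", 5 * MB), ("System", MB), ("Application", MB)):
        key = EVENTLOG + "\\" + log
        size = reg.get(key, {}).get("MaxSize")
        if size is None or size < minimum:
            findings.append((key, "MaxSize", size, ">= %d bytes" % minimum))
    return findings

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_EXPORT):
        print("%s\\%s: found %r, expected %r" % finding)
```

Pass nt_only=False for a mixed environment, where the checklist accepts LMCompatibilityLevel 1.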
No. 12 Security Administration Activities
Control Objective: The "Add Workstation to the Domain" standard user right should be restricted to ensure that unauthorized users cannot add miscellaneous machines to the domain.
Risk: Users should not be adding machines to the domain unless they are authorized. They might be able to add a domain controller and compromise the SAM.
Control Technique: Restrict who can add computers to the domain.

Implementation Techniques: Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights.
3. Scroll through the Rights and find "Backup Files and Directories."
4. Edit the Grant To list to be commensurate with corporate standards. Industry guidelines state:
* Backup Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.
Compliance Assessment Techniques: Verify who has the "Backup Files and Directories" user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights.
3. Scroll through the Rights and find "Backup Files and Directories."
4. Verify that the list of users is commensurate with corporate standards and best practices. Industry guidelines state:
* Backup Operators
5. Click Cancel.
6. Close User Manager.
Compliance Verification Techniques: Review the <servername>.rights.txt and ensure only authorized users are granted the "Backup Files and Directories" user right. The following guidelines can be used:
* Backup Operators
No. | Control Objectives | Risk | Control Techniques
12 Security Administration Activities
Control objective: The “Change the System Time” standard user right should be restricted because anyone with this user right can change the system time, which in turn could misconfigure the time on all member servers.
Risk: Accuracy of the system time is a prerequisite for an audit trail, because knowing who was accessing resources at a specified time could implicate a user. The entire audit, event monitoring, and logging system is based on time and therefore requires that time not be tampered with. Security policies, such as those for account lockout and expiration, are based on the system time.
Control technique: Restrict who can change the system time.
12 Security Administration Activities
Control objective: The “Log on Locally” standard user right should be restricted so that normal users cannot interact with the PDC.
Risk: Individuals that interact with the PDC can usually get access to very sensitive system resources or create denials of service.
Control technique: Restrict who can interact with the PDC.
Compliance Assessment Techniques | Compliance Verification Techniques
Compliance assessment: Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find “Change the System Time.”
4. Edit the Grant To list to be commensurate with corporate standards. Industry guidelines state:
* Administrators
* Server Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.
Compliance verification: Verify who has the “Change the System Time” user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find “Change the System Time.”
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Administrators
* Server Operators
File review: Review the <servername>.rights.txt and ensure only authorized users are granted the “Change the System Time” user right. The following guidelines can be used:
* Administrators
* Server Operators
Compliance assessment: Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find “Log on Locally.”
4. Edit the Grant To list to be commensurate with corporate standards. Industry guidelines state:
* Administrators
* Backup Operators (only if the backups are performed locally)
* Server Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.
Compliance verification: Verify who has the “Log on Locally” user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find “Log on Locally.”
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Administrators
* Backup Operators (only if the backups are performed locally)
* Server Operators
File review: Review the <servername>.rights.txt and ensure only authorized users are granted the “Log on Locally” user right. The following guidelines can be used:
* Administrators
* Backup Operators (only if the backups are performed locally)
* Server Operators
No. | Control Objectives | Risk | Control Techniques
12 Security Administration Activities
Control objective: The “Manage Auditing and Security Log” standard user right should be restricted so that only designated auditors can view and delete the PDC’s logs.
Risk: There should be a segregation of duties between Administrators, users, and individuals who can audit the PDC’s logs. Since individuals with this right can clear a security log, they have the ability to attempt an attack on the system and then delete the log, although a security control inherent in Windows NT is that the first entry in the new log states that the old log was cleared and by whom. Only authorized individuals, such as the Security Officer or the Internal Auditor, should be given this right. Those types of individuals should be members of an Auditors group.
Control technique: Restrict who can audit the PDC.
12 Security Administration Activities
Control objective: The “Restore File and Directories” standard user right should be restricted because anyone with this user right can bypass resource ACLs and read and write to all files.
Risk: There should be a segregation of duties between Administrators, users, and individuals who can restore files. Individuals with this user right can bypass the ACL of a file and read or write to any file on the PDC.
Control technique: Restrict who can restore files from backups.
Compliance Assessment Techniques | Compliance Verification Techniques
Compliance assessment: Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find “Manage Auditing and Security Log.”
4. Edit the Grant To list to be commensurate with corporate standards. Industry guidelines state:
* Auditors (must be created)
Compliance verification: Verify who has the “Manage Auditing and Security Log” user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find “Manage Auditing and Security Log.”
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
File review: Review the <servername>.rights.txt and ensure only authorized users are granted the “Manage Auditing and Security Log” user right. The following guidelines can be used:
* Auditors (must be created)
Compliance assessment: Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find “Restore File and Directories.”
4. Edit the Grant To list to be commensurate with corporate standards. Industry guidelines state:
* Backup Operators
5. Click OK on the new window to confirm changes.
6. Close User Manager.
Compliance verification: Verify who has the “Restore File and Directories” user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Scroll through the Rights and find “Restore File and Directories.”
4. Verify that the list of users is commensurate with corporate standards and best practices.
5. Click Cancel.
6. Close User Manager.
Industry guidelines state:
* Backup Operators
File review: Review the <servername>.rights.txt and ensure only authorized users are granted the “Restore File and Directories” user right. The following guidelines can be used:
* Backup Operators
12 Security Administration Activities
Control objective: The “Shut Down the System” standard user right should be restricted to prevent unauthorized individuals from shutting down the PDC and causing a denial of service.
Risk: Individuals who can shut down the PDC could cause a denial of service or degrade the performance of the network, depending on the BDC configurations.
Control technique: Restrict who can shut down the PDC.
12 Security Administration Activities
Control objective: The “Bypass Traverse Checking” advanced user right should be available to Everyone. Note: This is a divergence from the book, which specifies that the Administrator, Server Operator, and Backup Operator groups are the only ones to have bypass traverse checking on the PDC.
Risk: If Everyone is removed from this user right, POSIX-compliant applications could cause a denial of access when they try to traverse subdirectories.
Control technique: Ensure that Everyone has the right to bypass traverse checking. Note: The “Bypass Traverse Checking” right allows Windows NT to be configured in a POSIX-compliant manner. It allows users to traverse subdirectories regardless of parent permissions.
Compliance assessment: Restrict user rights by performing the following steps:
1. Open User Manager.
Compliance verification: Verify who has the “Act as Part of the Operating System” user right by performing the following steps:
12 Security Administration Activities
Control objective: The “Modify Firmware Environment Variables” advanced user right should be restricted so that users can’t modify the system environment variables that affect certain programs.
Risk: The “Modify Firmware Environment Variables” right allows users to modify the system environment variables that affect certain programs. If a variable is modified, it could be set to point to a batch program that launches a Trojan horse or denial of service.
Control technique: Restrict who can modify firmware environment variables.
Compliance Assessment Techniques | Compliance Verification Techniques
Compliance assessment: Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the “Show Advanced User Rights” check box.
4. Scroll through the Rights and find “Log on as a Service.”
5. Edit the Grant To list to be commensurate with corporate standards. Industry guidelines state:
* Replicators
Compliance verification: Verify who has the “Log on as a Service” user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the “Show Advanced User Rights” check box.
4. Scroll through the Rights and find “Log on as a Service.”
5. Verify that the list of users is commensurate with corporate standards and best practices.
6. Click Cancel.
7. Close User Manager.
File review: Review the <servername>.rights.txt and ensure only authorized users are granted the “Log on as a Service” user right. The following guidelines can be used:
* Replicators
Compliance assessment: Restrict user rights by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the “Show Advanced User Rights” check box.
4. Scroll through the Rights and find “Modify Firmware Environment Variables.”
5. Edit the Grant To list to be commensurate with corporate standards. Industry guidelines state:
* Administrators
6. Click OK on the new window to confirm changes.
7. Close User Manager.
Compliance verification: Verify who has the “Modify Firmware Environment Variables” user right by performing the following steps:
1. Open User Manager.
2. Choose Policies from the pulldown menu and choose User Rights...
3. Select the “Show Advanced User Rights” check box.
4. Scroll through the Rights and find “Modify Firmware Environment Variables.”
5. Verify that the list of users is commensurate with corporate standards and best practices.
6. Click Cancel.
7. Close User Manager.
Industry guidelines state:
* Administrators
File review: Review the <servername>.rights.txt and ensure only authorized users are granted the “Modify Firmware Environment Variables” user right. The following guidelines can be used:
* Administrators
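Every file review in these rows reduces to comparing the grantees of a user right against the guideline groups. As an added example, not taken from the book, the following Python check parses a constructed <servername>.rights.txt dump (the “Right: grantee, grantee” line format is an assumption) against the guidelines listed above, and also confirms that Everyone keeps “Bypass Traverse Checking” as the divergence row requires.

```python
"""Compare Windows NT user-right grantees with this section's guideline groups.

Added example; the rights.txt line format "Right: grantee, grantee" is an
assumption, not a format the book specifies.
"""

# Guideline groups taken from the rows above (the Auditors group "must be created").
GUIDELINES = {
    "Backup Files and Directories": {"Backup Operators"},
    "Change the System Time": {"Administrators", "Server Operators"},
    "Log on Locally": {"Administrators", "Backup Operators", "Server Operators"},
    "Manage Auditing and Security Log": {"Auditors"},
    "Restore Files and Directories": {"Backup Operators"},
    "Log on as a Service": {"Replicators"},
    "Modify Firmware Environment Variables": {"Administrators"},
}

# Rights that must keep a grantee (the Bypass Traverse Checking divergence).
REQUIRED = {"Bypass Traverse Checking": {"Everyone"}}

# Constructed sample dump; not taken from any real system.
SAMPLE_RIGHTS_TXT = """\
# <servername>.rights.txt (constructed)
Backup Files and Directories: Backup Operators, Everyone
Change the System Time: Administrators, Server Operators
Log on Locally: Administrators, Server Operators, DOMAIN\\jsmith
Manage Auditing and Security Log: Administrators
Restore Files and Directories: Backup Operators
Log on as a Service: Replicators
Modify Firmware Environment Variables: Administrators
Bypass Traverse Checking: Administrators, Server Operators, Backup Operators
"""


def parse_rights(text):
    """Map each user right to the set of accounts/groups granted it."""
    rights = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        right, sep, grantees = line.partition(":")
        if not sep:
            continue  # tolerate stray lines in the dump
        rights[right.strip()] = {g.strip() for g in grantees.split(",") if g.strip()}
    return rights


def find_exceptions(rights, guidelines=GUIDELINES):
    """Grantees outside the guideline set, per right (sorted for stable output)."""
    exceptions = {}
    for right, allowed in guidelines.items():
        extra = sorted(rights.get(right, set()) - allowed)
        if extra:
            exceptions[right] = extra
    return exceptions


def find_missing(rights, required=REQUIRED):
    """Required grantees that are absent, per right."""
    missing = {}
    for right, needed in required.items():
        gone = sorted(needed - rights.get(right, set()))
        if gone:
            missing[right] = gone
    return missing


def report(text):
    """Return (exceptions, missing) for one dump; printing is left to the caller."""
    rights = parse_rights(text)
    return find_exceptions(rights), find_missing(rights)


if __name__ == "__main__":
    exc, miss = report(SAMPLE_RIGHTS_TXT)
    for right, who in exc.items():
        print(f"EXCEPTION  {right}: {', '.join(who)} not in guideline groups")
    for right, who in miss.items():
        print(f"MISSING    {right}: {', '.join(who)} must be granted")
```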
Domain Controller Security
4. Scroll through the Rights and ... * Debug programs
No. | Control Objectives | Risk | Control Techniques
12 Security Administration Activities
Control objective: Services that compromise the security of the domain should not be started.
Risk: If the company has services running that compromise the security of the domain, there is an increased risk that domain resources will be compromised.
Control technique: Disable any unnecessary or insecure services running.
12 Security Administration Activities
Control objective: Services that provide enticement information should be disabled.
Risk: Certain services (Messenger and Alerter) allow users to get enticement information about the domain and its resources.
Control technique: The Messenger and Alerter services and any other services that provide users enticement information should be disabled when possible.
Compliance Assessment Techniques | Compliance Verification Techniques
Compliance assessment: For all servers, enable the display of legal text by performing the following steps:
1. Open the Registry Editor (regedt32.exe).
2. Select the Software\Microsoft\Windows NT\CurrentVersion\Winlogon subkey of the HKLM hive.
3. Enter the appropriate text in the LegalNoticeCaption and LegalNoticeText values.
Compliance verification: Verify that an appropriate Legal Notice has been created and cleared with the Legal Department. Ensure that the Legal Notice is implemented on all machines by attempting to log on to selected machines and verifying the existence of a legal notice.
File review: Review <servername>.winlogon.txt and ensure the LegalNoticeCaption and LegalNoticeText values contain adequate legal text.
rm ~nvironmentof cooper~tin~
atically. Unauthorized persons
le havoc to the system.
it ~anagementto security.
ont~olphysical e ~ u i ~ m e n t .
what is expected of them.
Design administrative procedures to increase security.
Segregate and compartmentalize data.
Disconnect unused terminals and mass storage devices.
Never perform any task as super user that can be performed with a lesser privilege.
Do not trust what others can alter.
Require users to be on the system purposefully, on a “need-to-know” basis.
Have users report any unusual or irresponsible activities to authorities. These activities might include unaccounted-for programs or unexpected software behavior.
Besides software features, administrative support is essential for achieving a workable security policy. When drafting a security policy, be sure to address the following:
What facilities require protection?
Which data warrant protection?
Who is allowed access to the system and under what circumstances?
What permissions and protections are required to maintain security?
How can the system security policy be enforced by physical, procedural, and system mechanisms?
levels.
rity ~ e a s u r e often
s force users to developloopholes to maintain
s y s t e ~a ~ ~ i ~ i s t r aist itoo ~ i s t r i ~ u t e
e syste
ollects v ~ i o u ss y s t e statistics,
~
S online t e r ~ i n
The system programmer’s tasks are:
Installs system upgrades.
Performs dump analysis.
Writes programs that conform to security criteria.
The procedures presented here cover all of the tasks required to implement a secure (trusted) system. Determine whether the following steps were followed:
Plan prior to conversion.
Install the system from tape.
Convert to a secure (trusted) system.
... risks? This is mandatory.
... files should be examined regularly or when a security breach is suspected. How was it determined that no security breaches existed before proceeding to the next section?
The file system should be backed up for later recovery of user files.
Insert
these lines if
theyare
not ert the subroutine
c
theend of the list of calls in the sectionandinthe I
this file.
To convert to a secure ( ~ s t e d system:
)
A u x i l i log
~ file switch size 1,000 kbytes h size for the bac
CAPS)
90%
trigger w ~ i n g s ill
ollowing is an exampleof the possible outputof the
~ l ~ o r This
i t ~field
~ . reflects the
er user to ese-
fsck does not produce output unless it finds discrepancies. Examine the results, paying particular attention to changes in:
* Mode permission bits.
This section covers basic information on password security, system and user file permissions, and file access control using ACLs.
Observe the following guidelines when choosing a password:
It must contain at least two alphabetic characters; ... characters can include control characters.
Do not choose a word ..., even if you spell it backwards.
Do not use ..., or repetitions of your ....
It is a security violation for users to share ....
atelyafterentryand store
ssvvord is used inCO
Do not leave executables where they were developed. Restrict access to executables under development ... work is confidential.
... permission to ... general users.
oradirectoriessuch as
promote accoun~bility.
s it is ~ e c e stos deactiv
~ ~
ccount assoon as it is es
A user might have accounts on other systems that one does not administer. Inform other system administrators to remove the user.
Use ... to remove the account.
If acquiring a user from a system one does not administer, or the user is moving from a less to a more secure environment, check the user’s files carefully for programs that might compromise security.
~ d ~ n ~work.
ial
When a file is created, three base access control list entries are mapped from the file’s access permission bits to match the file’s owner, group, and other. Base ACL entries can be changed by the chmod(1) and chacl(1) commands.
(u.%, mode) Base ACL entry for the file’s owner
(%.g, mode) Base ACL entry for the file’s group
(%.%, mode) Base ACL entry for other users
(Except where noted, examples are represented in short form ACL notation.)
358 UNIX
ACL Uniqueness
All ACL entries must be unique. For every pair of u and g values, there can be only one (u.g, mode) entry; one (u.%, mode) entry for a given value of u; one (%.g, mode) entry for a given value of g; and one (%.%, mode) entry for each file. Thus, an ACL can have a (23.14, mode) entry and a (23.%, mode) entry, but not two (23.14, mode) entries or two (23.%, mode) entries.
operator form Used to input entire ACLs and modify existing ACLs in a syntax similar to that used by the chmod(1) command.
short form Easier to read, intended primarily for output. The chacl(1) command accepts this form as input to interpret output from the lsacl(1) command.
long form A multiline format easiest to read, but supported only for output.
The base ACL entries of our example file are represented in the three notations as follows:
Operator form karen.% = rwx, %.admin = rx, %.% = r
Short form (karen.%, rwx) (%.admin, r-x) (%.%, r--)
Long form rwx karen.%
r-x %.admin
r-- %.%
Some library calls and commands use a variant format known as ACL Patterns (described later in this section).
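As an added example, not from the book or from HP-UX itself, the following Python parser reads the short-form notation shown above, applies the uniqueness rule from the previous subsection, orders entries by specificity, and renders the same ACL in operator and long form.

```python
"""Parse HP-UX style short-form ACL entries and reproduce the other notations.

Added example, not from the book or from HP-UX itself. It only handles the
notation shown in this section: "(user.group, mode)" with a 3-character mode.
"""
import re

# One short-form entry such as "(karen.%, rwx)"; identifiers may be names, numbers or %.
ENTRY_RE = re.compile(r"\(\s*([^.\s,()]+)\.([^\s,()]+)\s*,\s*([r-][w-][x-])\s*\)")


def parse_short(acl_text):
    """Return a list of (user, group, mode) tuples from short-form text."""
    entries = [m.groups() for m in ENTRY_RE.finditer(acl_text)]
    if not entries:
        raise ValueError("no ACL entries found in: %r" % acl_text)
    return entries


def check_unique(entries):
    """Uniqueness rule: each (user, group) pair may appear once; return repeats."""
    seen, repeats = set(), []
    for user, group, _mode in entries:
        key = (user, group)
        if key in seen:
            repeats.append(key)
        seen.add(key)
    return repeats


def specificity(entry):
    """Sort key: u.g before u.%, then %.g, then %.% (numeric ids as tiebreak)."""
    user, group, _mode = entry

    def ident(x):
        # numbers sort before names so (23.14) precedes (karen.%)-style entries
        return (0, int(x)) if x.isdigit() else (1, x)

    return (user == "%", group == "%", ident(user), ident(group))


def to_operator(entries):
    """Operator form drops the hyphens: karen.% = rwx, %.admin = rx, %.% = r"""
    return ", ".join("%s.%s = %s" % (u, g, m.replace("-", "")) for u, g, m in entries)


def to_long(entries):
    """Long form is one 'mode user.group' line per entry."""
    return "\n".join("%s %s.%s" % (m, u, g) for u, g, m in entries)


if __name__ == "__main__":
    acl = parse_short("(karen.%,rwx) (%.admin, r-x) (%.%, r--)")
    assert not check_unique(acl)
    print(to_operator(acl))
    print(to_long(acl))
```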
... For consistency with operator form, a dot (.) is used to separate the user and group identifiers.
On output, no spaces are printed except in names (if any). Identifier numbers are printed if no matching names are known. Either identifier can be printed as % for “any user or group.” The mode is always represented by three characters (r, w, and x) and padded with hyphens for unset mode bits. If the ACL is read from the system, entries are ordered by specificity, then by numeric values of identifier parts. On input, the entire ACL must be delimited by quotation marks to retain its quality as a single argument, since it might contain spaces or special characters such as parentheses. Spaces are ignored except within names. A ... means either “no access” or “no changes” depending on context. ... identifiers are represented in operator form as .... The mode is represented by an octal value of zero through seven or any combination ....
On input,the following ex
sets uJri
The following ss for user bill in any group:
for user 1
The following sets the entry
cl “l
r
The following setsthe base ACL entry for the file’s owner to allow both
capabilities for other (%,%)users:
L as in an earlier ex
r- - ~.~
control list,
S Unix commands, system calls, and sub-
, This section identifies issues critical
to us-
h access controllists are implemented. For
to the Unix ~ e ~ e ~~ e ~~ cn for
the detailed specifications, refer e ~thea specific
2 entry.
The general purpose commands and system calls are:
~ a n eun ~~i e s~
u n ~ e these
r cir
n t e ~ r ethe
t p r e ~ e ~ i nlisting
g as follows:
or e~ample,~ u ~ you
~ use
o s ~
allow only yourself
make an exception andall
other than yourself and
yo
ously specifiedby the
Create a new ACL entry allowing the user cyc in any group (%) read and write (=rw) access to myfile:
chacl ‘cyc.%=rw’ myfile
Modify an existing ACL entry allowing all users (%) in all groups (%) read (+r) access to foofile.
Modify an existing ACL entry denying all users (%) in the ... write (-w) access to afile.
To S ecifthatyourer,who is in a d i ~ e r e n ~
access to
If a directory is writable, anyone can remove its files, regardless of the permissions on the files. The only way to ensure that no files can be removed from a directory is to remove write permission from that directory. For maximum protection this technique can be applied to the directory of a user account.
hide the directory’s name from
routi~eview, use a
. List the ~ e ~ i s s i o on
n sthe directory.
rectory.
ow ~ ~ a cwhat
t l ~they do.
nce the system has been convertedto a trusted system, periodical~ylook for pass-
omesho~ld
dire~tories not be w re~ove
files from them, To fin
‘\
m e ~ b e r sbe denie
..”m e ~ that
s theuser does not
as pre~entinganyone
readable or writable .r
’\
The principle of least privilege requires each subject in a system to be granted only as much privilege as is needed to perform authorized tasks. Users should be able to access information based only on a valid “need to know.” These criteria help to limit damage that can result from accident, error, or unauthorized use.
ensure that individual users are heldaccounta~lefor their activities online,the conver-
usted
system creates
an
audit
identifies
every
user
uniquely
user
with
every
process inv
and
Unix. auditing
functional-
personnel
ed evaluate
to au w ~ i are
c ~actions
potentially
capable of allowing access to, generatin
tion on auditing including auditIDS,
of the file,
bit isw e d on, the privileges of the process
~ are
c h ~ ~ e ~
e data createdby a p r o g r a ~ .
y those values necessary
for the proper operation
t e ~ i n e dvalues:
ly useful c o ~ p u t epro
~
a ~ a ~ i l i ttoi ethe
~ d e t ~ ~ e
~ i l i t ahosts,
t ~ and
* Protecting passwords when using RFA.
* ... to restrict outside access.
* Denying access with ....
* Mounting files in an NFS environment.
* Safeguarding link-level access.
An administrative domain is a group of systems connected by network services that allow users to access one another without password verification. An administrative domain assumes the user’s host machine has already verified ...; network services assume security is established at the system level.
ministrative domains.
d not enter a password to read anN
verified the password when the use
ad~nistrativedomain.
administrative domain.
in
Ad~inistrativ~
Domains
.
' \
LA
syntax and use of this file.
In earlier releases
ystem reside
for to
workstation
had
client
disk.
theon m now allows ma-
for
the
ining
the
... major and minor numbers of a client-mounted device to exist on the server side. This opens the possibility for someone to create a Trojan horse that overrides permissions set on the client’s mounted device ... on the server side.
~ssions:
or other misc~ief).
rovides t e c h ~ i ~for
~ ecs
i ~ e n t i ~and
y control an
administr~tived o ~ a i n .
for cor-
n reach on your network are named
at you are working aonma-
trative d o ~ a i ~ .
e in the a~ministratived o m ~ nA
. user
can be com~aredb -
n both cases,you
if see no ou files are consistent
and you are
done.
or
ad~isableto rein-
e ~ t e ~~e t ~w oer ~~ .
tive: f
of the l i s t e ~files are security threats.
B
invoked,
looks
system
in file, gets
phone
number
I)
on demand,thus sav-
cess completes its ex-
n to invoke processes
le.
securityriskbecausenopassword is requiredto re
* Nothaveanullassword.
lems
associated wi are
typically
the
result of
cause of the traffic c involve several factors:
ysical layer perform
e t ~ o r card
~ n perfo~ance.
~
ata c o ~ p t i o n .
tion of resources to a p ~ r o p ~ anodes
te and networks.
If the network a ~ p e to~ be
s p e ~ o ~poorly,
n any combination of the
may be the cause.
a echoes.
perly t e r ~ n a t cable.
~d
etectin~echoes with acable scanner.
§mitted toa host faster thanits networ~n card canbuffer the
cord user accessto objects. The resulting record can show such
S by a user to assume a levelof privilege that exceedsthe user’s
"I
I"
*I
"I
t*l
"l
time
ethe ~ r o is run,
~ r ~ r~turns
l l ~no
s ~ c c e s s f ~but , a u ~ i t i nrecor
~
efer
the to ~~~~ ~e~ere~c write
tohow
on
ation self-
For each event audited, the following information is recorded in the audit log file:
* Date and time of event.
* Audit ID of the user generating the event.
* Subject (user/process).
* Type of event.
* Success and/or failure of event.
* ... for identification/authentication events.
* Name of an object introduced to or deleted from a user’s address space.
* Description of modifications made by the system administrator to the user/system security databases.
* Other information relevant to the event.
All auditing data is written to an audit log file. One can specify two files to collect auditing data, the primary log file and the (optional) auxiliary log file. These files should reside on two different file systems. The growth of these files (and the file systems on which they reside) is closely monitored by the audit overflow monitor daemon, ... so that no audit data is lost.
The primary log file is where audit data is collected. When this file approaches a predefined capacity (its ... size), or the file system on which it resides approaches ..., the auditing subsystem issues a warning. When either ... of the primary log file is reached, the auditing subsystem attempts to switch to the auxiliary log file for recording audit data. If no auxiliary log file is ..., .... Exhibits 6.7 and 6.8 show what happens as this file grows. The example assumes that:
* Only the primary audit log file has been specified.
* It resides on a file system with no other user files ....
When the audit log has reached 90 percent of its ... size, the audit overflow monitor, which is monitoring the state of the auditing system, issues the warning message shown to the system console. The primary audit log has passed the first warning point and reached .... The system attempts to switch to an auxiliary audit log file, but finding none, sends the indicated message periodically to the system console.
In Exhibit 6.9, the primary audit log has grown past its size and reached 90 percent of the space allocated to it on the file system. The message sent indicates that the audit file system is approaching capacity. In Exhibit 6.10, the primary log file has reached .... The message shown is sent periodically to the system console. If other activities consume space on the file system, or the file system chosen has insufficient ..., the switch point could be reached before the ....
AF
ncy to evaluatethe
nt of an overall security policy.
re the security re~uirementsof the W
re the written guidelines at both
fleet the realistic needsof the work site establi§hed?
W were all perso~el-adminis~ator§ an
ile ~ y s t e m
S % free
space I ~ e m pto
t
switch to the
backup
ded since it focuses choices
or dis~laysaudit file
- ~ =~ 1
nitor w ~ einterval
owable free space ~ n i r n u m
. The ‘‘User Audit Status” window now indicates the change requested.
to turn auditing on andoff when auditlog file and monitor pa-
hen changing audit logfile and monitor parameters, choosethe
.menu itemto make the changes and turn auditing on or off.
An audit flag is set to on for all existing users at initial conversion to a trusted system. To change the selection of audited users on the system, do the following procedure.
iting a ~ c ~ ~ u l aa tlot
e sof data.
want to view.
The initial lines identify information for which the audit log file was searched. Following, in tabular form, the record shows:
* The year, month, and day (in this case 1989, June 20th).
* Time of day (in this case 1400 hours, 31 minutes, 30 seconds).
S when a d ~ i n i s t e ~ n
Review the audit log for unusual activities such as:
* Late hours login.
* Login failures.
* Failed access to system files.
* Failed attempts to perform security-related tasks.
* Quickly remove users who no longer have access to the system.
* Prevent overflow of the audit file by archiving daily.
* Revise current selectable events periodically.
* Revise audited users periodically.
* Do not follow any pattern or schedule for event or user selection.
* Set site guidelines. Involve users and management in determining these guidelines.
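As an added example, not from the book, this Python review runs the four checks listed above over a few constructed audit records; the space-separated record layout (date, time, user, pid, event, outcome, object), the 07:00 to 19:00 business-hours window and the list of security-related event names are assumptions.

```python
"""Review trusted-system audit records for the unusual activities listed above.

Added example, not from the book. The record layout
"YYYYMMDD HHMMSS user pid event outcome object", the business-hours window and
the set of security-related event names are assumptions for this illustration.
"""
from datetime import datetime

BUSINESS_HOURS = (7, 19)          # logins outside 07:00-19:00 count as "late hours"
SYSTEM_DIRS = ("/etc/", "/bin/", "/sbin/", "/usr/bin/", "/usr/lib/")
SECURITY_EVENTS = {"passwd", "su", "chmod", "chown", "audsys", "audevent"}
FAILURE_THRESHOLD = 3             # repeated login failures worth a closer look

# Constructed sample records (the 1989-06-20 date echoes the book's example).
SAMPLE_AUDIT = """\
19890620 140131 karen 1201 login success tty01
19890620 233005 bill 1342 login success tty02
19890620 233045 bill 1342 open failure /etc/passwd
19890620 233101 bill 1342 open failure /etc/group
19890621 020010 guest 1400 login failure tty03
19890621 020020 guest 1400 login failure tty03
19890621 020030 guest 1400 login failure tty03
19890621 091500 karen 1501 passwd failure /etc/passwd
19890621 093000 root 1600 audsys success -
"""


def parse_records(text):
    """Turn the raw lines into dicts with a real datetime for the hour checks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, user, pid, event, outcome, obj = line.split(maxsplit=6)
        records.append({
            "when": datetime.strptime(date + time_, "%Y%m%d%H%M%S"),
            "user": user, "pid": int(pid), "event": event,
            "outcome": outcome, "object": obj,
        })
    return records


def review(records, threshold=FAILURE_THRESHOLD):
    """Return (kind, detail) findings for the activities the section lists."""
    findings, login_failures = [], {}
    start, end = BUSINESS_HOURS
    for r in records:
        if r["event"] == "login":
            if r["outcome"] == "failure":
                findings.append(("login failure", r))
                login_failures[r["user"]] = login_failures.get(r["user"], 0) + 1
            elif not start <= r["when"].hour < end:
                findings.append(("late hours login", r))
        elif r["outcome"] == "failure":
            # a failed security task on a system file yields both findings
            if r["object"].startswith(SYSTEM_DIRS):
                findings.append(("failed access to system file", r))
            if r["event"] in SECURITY_EVENTS:
                findings.append(("failed security-related task", r))
    for user, count in login_failures.items():
        if count >= threshold:
            findings.append(("repeated login failures", {"user": user, "count": count}))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick daily review."""
    counts = {}
    for kind, _detail in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, detail in review(parse_records(SAMPLE_AUDIT)):
        print(kind, detail)
```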
diskless
a context
nare
files
log
Audit dus
clients, each cluster
data.
audit
node All
merged into a single audit
when using the“View Audit Files’, wind
I/.
ify thecdf wanted. For example, type
Since implementing Unix security features requires that one completely install (not update) the Unix Operating System, one needs to back up and recover the entire file system. This section provides security guidance to supplement other information sources and provides security guidelines for file system management tasks such as:
* Backup and recovery.
* Mounting and unmounting file systems.
* Shutting down a system.
shutdown is used to halt the system in an orderly fashion for maintenance, installation, or ... down, without adversely affecting the file system. After ...,
, a
ne cess^ to p e r f o their
~ tasks.
system- define^ saturation
private c ~ ~ a c tstring
e r used toau
i~e~tity.
The current file usedby au
data.
ven ~ a ~ ~that
a gs ei ~ ~ l
1. Audit step: Check for the existence of NIS with /usr/bin/ypwhich.
Note: NIS is a distributed database system that lets many computer systems share password files, group files, and other files over the network.
2. Audit step: Review the output of the command: domainname.
Standard: Domain names and NIS server names should be hard to guess.
Finding: Domain names that are easy to guess can be used with NIS to grab password files.
5. Standard: Duplicate UIDs are not permitted and should not exist in the password file.
Finding: Duplicate UIDs increase the risk that unauthorized users will modify or delete files created by another user, and accountability is in jeopardy.
7. Audit step: Review the script output of cat passwd. Identify users that have access to the shell (i.e., access to the command line).
Standard: End users are not provided command line access to the Unix operating system.
Finding: Access to the command line via a shell (the command line interpreter) increases the risk that users access unauthorized commands, data, and configuration files.
8. Audit step: Review the script output of the ... command and identify evident generic user identification codes. Review the list of generic users with the system administrator to define their use and purpose.
Standard: The use of generic user identification codes is not permitted and not evident within the system.
Finding: Generic user identification codes limit accountability for user actions performed while logged in as a generic user, even if the system is logging all events of the generic user. In addition, default generic user identification codes are normally targeted by intruders attempting to gain access to a system.
... port” of 21.
13. Audit step: Review the output of ....
Standard: Only properly configured and approved services are being provided in the nonprivileged port range (ports greater than 1,023).
Finding: Many third-party software packages require the ability to communicate to other hosts on the network within .... ... ports increase the risk that unauthorized users will gain access to the system.
14. Audit step: Review the output of ....
Standard: Only valid, authorized ....
Finding: Unneeded or unauthorized hosts in ....
17. Audit step: Review the output of the preceding .... It provides information on the host.
Finding: It provides the information on how busy the machine is and on login accounts an intruder can use in an attack. Account information can be used by a scanner or attacker in a brute force attack.
... (Network Information Service) contains data such as host files, password files, and email aliases for entire ....
19. Audit step: Review the output of .... Note if the second field in the file contains “x”, “*”, “!” or an encrypted password.
Standard: The password file should be shadowed and does not include encrypted passwords.
Finding: Unshadowed password files increase the risk that unauthorized users will attempt to gain access to the system by cracking user passwords.
22. Audit step: Verify that duplicate UIDs are not permitted and do not exist in the local password file.
Finding: Duplicate UIDs increase the risk that unauthorized users will modify or delete files created by another user, and accountability is in jeopardy.
23. Review the script output. Control: end users are not provided command line access to the Unix operating system. Risk: access to the command line via a shell (the command line interpreter) increases the risk that users gain unauthorized access to commands, data, and configuration files.

For accounts found without a password, the system administrator should immediately assign passwords to these accounts, then notify each user of their assigned password and ask that they log in and change their password. If no user is associated with the user ID, the user ID should be removed from the local password file.

In order of effectiveness:
1. Replace the shell located in the last field of the password file with a menu program.
2. Give users a restricted shell with no access to cd, rm, cat, and other sensitive commands.

A restricted shell is only as strong as the programs it can still launch: an editor or pager with a shell-escape feature reopens the command line, so the permitted command set needs the same review.
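The three checks above (shadowing, duplicate UIDs, and the shell in the last field) can be scripted against the password file. The following is an added example written for this edit, not code from the book: it parses a constructed /etc/passwd embedded in the script, and the menu-program and restricted-shell paths it treats as acceptable are assumptions.

```python
"""Checks over a Unix password file for the concerns above: unshadowed hashes
(item 19), duplicate UIDs (item 22) and end users who still have an
interactive shell (item 23). Added example; the sample file is constructed."""
from collections import defaultdict

# Constructed /etc/passwd (not taken from any real system).
# Fields: name:passwd:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
alice:x:1001:100:Alice:/home/alice:/usr/local/bin/menu
bob:$1$abcdefgh$ZyXwVuTsRqPoNmLkJiHgF/:1002:100:Bob:/home/bob:/bin/ksh
carol::1003:100:Carol:/home/carol:/bin/sh
dave:x:1002:100:Dave:/home/dave:/usr/lib/rsh
"""

# Second-field values meaning "hash is in the shadow file" or "login disabled".
SHADOW_MARKERS = {"x", "*", "!", "!!", "*LK*"}
# Shells the checklist accepts for end users: a menu program or a restricted
# shell. The paths are assumptions for this example.
NON_INTERACTIVE = {"/bin/false", "/sbin/nologin", "/usr/local/bin/menu", "/usr/lib/rsh"}


def parse_passwd(text):
    """Return one dict per non-blank, non-comment line; malformed lines are kept and flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A line with the wrong field count is a finding in itself: it may
            # hide an account from tools that assume seven fields.
            entries.append({"line": lineno, "name": line, "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "home": home, "shell": shell, "malformed": False})
    return entries


def audit_passwd(text):
    """Return findings keyed by checklist concern, each a list in file order."""
    findings = {"malformed": [], "unshadowed": [], "empty_password": [],
                "duplicate_uid": [], "extra_uid0": [], "interactive_shell": []}
    by_uid = defaultdict(list)
    for e in parse_passwd(text):
        if e["malformed"]:
            findings["malformed"].append(e["line"])
            continue
        if e["pw"] == "":
            findings["empty_password"].append(e["name"])    # logs in with no password
        elif e["pw"] not in SHADOW_MARKERS:
            findings["unshadowed"].append(e["name"])        # hash readable by everyone
        by_uid[e["uid"]].append(e["name"])
        if e["uid"] != "0" and e["shell"] not in NON_INTERACTIVE:
            findings["interactive_shell"].append(e["name"])  # end user with a real shell
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings["duplicate_uid"].append((uid, names))
            if uid == "0":
                # Any second UID-0 account is root under another name.
                findings["extra_uid0"].extend(n for n in names if n != "root")
    return findings


if __name__ == "__main__":
    for concern, hits in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{concern:18} {hits}")
```

On the constructed file the script reports bob's hash as unshadowed, carol as having no password at all, toor as a second UID 0, bob and dave as sharing UID 1002, and bob and carol as end users with an interactive shell. Run it against a copy of the real file rather than on the production host.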
No. | Audit step | Finding | Control techniques
40. Review the output of the command: cat /etc/inetd.conf. Control: ensure that only necessary services are running on the host out of the inetd daemon. Risk: the standard Unix "out of the box" configuration leaves many unnecessary services running, which could open the server up to denial of service failures as well as additional entry or information-gathering points for an intruder. Recommendation: the system administrator should remove the finger daemon from the system start-up files or from the inetd configuration.
Review the above output and note the system users included within it. Control: system identification codes (system users) should be restricted from using FTP; the /etc/ftpusers file lists the system users who cannot transfer files across the network. Risk: any system user not listed in /etc/ftpusers can transfer files across the network, which increases the risk that files are transferred across the network by system accounts. Review the list with the system administrator to determine which users are appropriate. Because the file is a deny list, an omitted account is an allowed account; confirm also that the FTP daemon actually installed honors /etc/ftpusers.

The system administrator should reduce the permission settings on these files to
51. Review the output of the preceding command. Control: SUID files are authorized, valid, and inventoried. Risk: SUID files from which the user running the file can escape to a shell increase the risk of privilege abuse; once at the shell prompt, the user would retain the same access as the actual owner of the file. Compare the list against the inventory after every install or patch, since vendor packages add SUID programs without notice.
52. Review the output of the command: find / -perm -2 ! -type l -print (-perm -2 matches any file whose world-write bit is set; ! -type l excludes symbolic links, whose own mode bits are meaningless). Control: application and user files should not be writable by any user other than the owner. Risk: world-writable files increase the risk that unauthorized users modify or delete these files.
55. Review the output of the preceding commands. Control: users are restricted from exiting start-up scripts prior to their completion. Risk: improperly set traps allow users to break out of login shells or scripts and access the command line. Once command line access is achieved, users can read sensitive configuration files and attempt to gain further system privileges.
56. Review the output of the preceding commands. Control: the PATH variable is configured appropriately. Recommendation: the system administrator should correct or construct the PATH variable as needed. At no time should a world-writable directory be included in any user's PATH: anyone can plant a program there under the name of a common command, and it runs with the privileges of whoever invokes it. The same applies to an empty entry or "." in PATH, which resolves to the current directory.

Review the script output to see what has been uncommented in the file. The system administrator should disable any unknown or unauthorized programs running on the system.
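Items 51, 52 and 56 are all permission-bit checks, so one script covers them. This added example (not code from the book) builds a throwaway tree under a temporary directory containing a SUID file, a world-writable file, a world-writable directory and a symbolic link, walks it the way find / -perm -4000 and find / -perm -2 ! -type l would, and checks a PATH string for world-writable, empty, or relative entries. The tree and the PATH value are constructed.

```python
"""Permission-bit audit: SUID files (item 51), world-writable files (item 52)
and world-writable or relative PATH entries (item 56). Added example; it
scans a constructed temporary tree, never the real root filesystem."""
import os
import stat
import tempfile


def find_suid_and_world_writable(root):
    """Return (suid_files, world_writable) as sorted path lists under root.

    Symbolic links are skipped, as `! -type l` does: their mode bits say
    nothing about the target."""
    suid, writable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                suid.append(path)                       # find / -perm -4000
            if st.st_mode & stat.S_IWOTH:
                writable.append(path)                   # find / -perm -2 ! -type l
    return sorted(suid), sorted(writable)


def world_writable_path_dirs(path_value):
    """Return PATH entries an attacker could use to plant a trojan command:
    world-writable directories, and empty or relative entries (which resolve
    to the current directory)."""
    bad = []
    for entry in path_value.split(":"):
        if entry == "" or not entry.startswith("/"):
            bad.append(entry or "<empty>")
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            continue                                    # nothing to write into
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            bad.append(entry)
    return bad


def build_sample_tree():
    """Create the constructed tree and return its root (a fresh temp directory)."""
    root = tempfile.mkdtemp(prefix="audit_")
    for d in ("usr", os.path.join("usr", "bin"), "tmp"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)          # explicit: ignore umask
    suid = os.path.join(root, "usr", "bin", "passwd")
    with open(suid, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)                              # rwsr-xr-x
    loose = os.path.join(root, "tmp", "notes.txt")
    with open(loose, "w") as f:
        f.write("scratch\n")
    os.chmod(loose, 0o666)                              # rw-rw-rw-
    os.chmod(os.path.join(root, "tmp"), 0o1777)         # sticky, world-writable
    os.symlink(loose, os.path.join(root, "tmp", "link"))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    suid, ww = find_suid_and_world_writable(root)
    print("SUID files:      ", suid)
    print("world-writable:  ", ww)
    print("bad PATH entries:", world_writable_path_dirs(root + "/usr/bin:" + root + "/tmp::."))
```

The PATH check treats a missing directory as harmless, which is deliberate: it cannot be written to until someone creates it, and that creation is itself a separate finding on the parent directory.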
59. Review the output of the commands. Control: all network interfaces are configured appropriately (i.e., promiscuous mode is not enabled). Risk: an interface in promiscuous mode increases the risk that a network sniffer is, or could be, active or activated by an unauthorized user.
61. Verify that all hosts are appropriate. Control: only authorized hosts should be available to communicate on the network. Risk: unknown hosts on the network increase the risk that unauthorized users will gain access to the system.
Review the output of the preceding command. Control: ensure that users who access root have that access logged and that the /var/adm/sulog log is reviewed on a regular basis. Risk: users accessing root have the ability to modify or delete any file on the system. Review the log with the administrator to ensure that only authorized users are accessing root.
The table at this point in the original compares bus architectures (Micro Channel Architecture, the bus on IBM's original PS/2, and the Macintosh bus) and transmission media (unshielded twisted pair, shared cable segments, point-to-point cable, fiber optic, infrared laser, and satellite links) on bandwidth (under 1 Mbps up to 155 Mbps), nodes per segment (2 for point-to-point or point-to-hub links, 30 on a shared cable segment), ease of installation, attenuation, EMI, and vulnerability to interception. It defines attenuation as resistance to traffic on the network (high attenuation means short distances, low attenuation means long distances) and EMI (interference) as noise getting in or signals being sniffed out. It rates unshielded twisted pair as easy to install inside walls, outside walls, and around corners; fiber as affected only by intense light, dependent on purity and quality, and vulnerable to interception; and infrared-laser links between two large buildings as dependent on atmospheric conditions and highly vulnerable.
The second building block is interoperability: the ability to exchange information between different systems. The most well-known interoperability solution is the Internet. For the audit, determine how much thought was put into the design of the network and how its components were selected. Wide area networks (WANs) interconnect LANs over long-distance media, thereby interconnecting geographically dispersed users; typical circuits include T1 and T3.

Today, high-speed LANs and switched internetworks are becoming widely used because they operate at very high speeds and support such high-bandwidth applications as voice and videoconferencing.

Internetworking evolved as a solution to three key problems:
* Isolated LANs
* Duplication of resources
* Lack of network management

Isolated LANs made electronic communication between different offices or departments impossible. Duplication of resources meant that the same hardware and software had to be supplied to each office or department, as did a separate support staff. Lack of network management meant that no centralized method of managing and troubleshooting networks existed.
OSI MODEL
OSI (Open Systems Interconnection) is a standard description or reference model for how
messages should be transmitted between any two points in a telecommunications network.
Its purpose is to guide product implementors so that their products will consistently work
with other products. The reference model defines seven layers of functions that take place
at each end of a communication. Although OSI is not always strictly adhered to in terms of
keeping related functions together in a well-defined layer, many, if not most, products in-
volved in telecommunication make an attempt to describe themselves in relation to the OSI
model. It is also valuable as a single reference view of communication that furnishes every-
one a common ground for education and discussion.
Developed by representatives of major computer and telecommunications compa-
nies in 1983, OSI was originally intended to be a detailed specification of interfaces. In-
stead, the committee decided to establish a common reference model for which others
could develop detailed interfaces that in turn could become standards. OSI was officially
adopted as an international standard by the ISO. Currently, it is Recommendation X.200 of the ITU-T.
The ITU-T (for Telecommunication Standardization Sector of the International
Telecommunications Union) is the primary international body for fostering cooperative
standards for telecommunications equipment and systems. It was formerly known as the
CCITT. It is located in Geneva, Switzerland.
The V Series Recommendations from the ITU-T are summarized below. They include the most commonly used modem standards and other telephone network standards. Prior to the ITU-T standards, the American Telephone and Telegraph Company and the Bell System offered their own standards (Bell 103 and Bell 212A) at very low
transfer rates. Another set of standards, the Microcom Networking Protocol, or MNP
Class 1 through Class 10 (there is no Class 8), has gained some currency, but the devel-
opment of an international set of standards means these will most likely prevail and con-
tinue to be extended.
An industry standard, Integrated Services Digital Network (ISDN) uses digitally encoded
methods on phone lines to provide transfer rates up to 128,000 bits per second. Another
technology, Digital Subscriber Line, provides even faster transfer rates.
The main idea in OSI is that the process of communication between two end
points in a telecommunications network can be divided into layers, with each layer
adding its own set of specially related functions. Each communicating user or program
is at a computer equipped with these seven layers of function. So, in a given message
between users, there will be a flow of data through each layer at one end down through
the layers in that computer and, at the other end, when the message arrives, another
flow of data up through the layers in the receiving computer and ultimately to the end
user or program. The actual programming and hardware that furnishes these seven lay-
ers of function is usually a combination of the computer operating system, applications
(such as the Web browser), TCP/IP or alternative transport and network protocols, and
the software and hardware that enable a signal to be put on one of the lines attached to
the computer.
OSI divides a telecommunications network into seven layers. The layers are in two
groups. The upper four layers are used whenever a message passes from or to a user. The
lower three layers (up to the network layer) are used when any message passes through the
host computer. Messages intended for this computer pass to the upper layers. Messages
destined for some other host are not passed up to the upper layers but are forwarded to an-
other host.
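To make the layering concrete, the following added example (not code from the book) builds an Ethernet II / IPv4 / TCP frame from the transport layer down and then decodes it from the link layer up, verifying the IPv4 header checksum and the TCP checksum on the way, which is the check a receiving stack performs before handing data to the upper layers. The addresses and the HTTP payload are constructed, and the frame carries no Ethernet FCS (the network adapter appends that).

```python
"""Build an Ethernet/IPv4/TCP frame layer by layer (OSI layers 2, 3 and 4 as
realised by TCP/IP) and decode it back. Added example; addresses are from
the RFC 5737 documentation ranges and the payload is constructed."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def checksum(data):
    """RFC 1071 ones'-complement sum of 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload):
    """Layer 4: 20-byte TCP header, checksum taken over the IPv4 pseudo-header."""
    offset_flags = (5 << 12) | flags                 # data offset 5 words, no options
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_ipv4(src_ip, dst_ip, segment, ttl=64):
    """Layer 3: IPv4 header (no options) in front of the transport segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      ttl, IPPROTO_TCP, 0, src_ip, dst_ip)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment


def build_ethernet(dst_mac, src_mac, packet):
    """Layer 2: Ethernet II framing."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def decode_frame(frame):
    """Peel the layers off in the order a receiving host's stack would,
    rejecting the frame if either checksum fails."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if checksum(ip[:ihl]) != 0:                       # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    src_ip, dst_ip = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, proto, len(tcp))
    if proto != IPPROTO_TCP or checksum(pseudo + tcp) != 0:
        raise ValueError("not TCP or bad TCP checksum")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {"l2": (fmt_mac(src_mac), fmt_mac(dst_mac)),
            "l3": (fmt_ip(src_ip), fmt_ip(dst_ip), proto),
            "l4": (sport, dport, seq, ack, off_flags & 0x1FF),
            "payload": tcp[data_off:]}


def sample_frame():
    """A constructed HTTP request from 192.0.2.10:40000 to 198.51.100.20:80."""
    src_ip, dst_ip = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
    seg = build_tcp(src_ip, dst_ip, 40000, 80, 1000, 0, 0x018,      # PSH|ACK
                    b"GET / HTTP/1.0\r\n\r\n")
    pkt = build_ipv4(src_ip, dst_ip, seg)
    return build_ethernet(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), pkt)


if __name__ == "__main__":
    for layer, value in decode_frame(sample_frame()).items():
        print(layer, value)
```

Flipping a single payload byte makes decode_frame raise on the TCP checksum, which is the point of the example: each layer checks only its own header plus what it was handed, and the layer above never sees data that failed below it. Note that a checksum detects corruption, not tampering; an attacker who rewrites the payload simply recomputes it.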
The seven layers, from the top:
7. Application
6. Presentation
5. Session (establishing, managing, and synchronizing communication)
4. Transport (end-to-end delivery and flow control)
3. Network (routing between networks)
2. Data link (framing and error detection on a single link)
1. Physical (signalling on the medium)

In today's real-world networks, layers 1 and 2 are often combined.

V.35: the trunk interface between a network access device and a packet network at data rates greater than 19.2 kbps. V.35 may use the bandwidths of several telephone circuits as a group. There are V.35 gender changers and adapters. Balanced; maximum cable length 50 feet; interface DTE-DCE.

10Base-T: UTP. 10Base-F: 10 Mbps, star topology, fiber optic.
There are scores of threats on the internet; a few of the more insidious problems are what a firewall attempts to fix. A port service has often been the hacker's choice of entry, via its security weaknesses. A packet-filter firewall inspects each packet and controls a connection based on the source and destination addresses and the port used in that session, applying permission rules to grant or deny it. It has limitations, but it makes up for that in speed and transparency: users do not have to do anything special, and once a port is defined as accepting traffic, packets for it go through. This also means that any packet carrying that port number could pass through the firewall. Stateful inspection, by contrast, tracks the "state" and "context" of the user's request so that when the data are returned via the firewall, it is able to verify whether or not the data was specifically requested. Stateful inspection attempts to track open, valid connections without the need to process a rule for each packet.
These software and hardware barriers stand between the private internal network and its connection to the outside world, such as the internet. The firewall provides an extra layer of protection and regulates and controls communication.

How do users who have an internet connection ensure that traffic between their network and the outside world is secure and controlled? If one can tolerate the restrictions imposed with this type of connection, use it to reduce the exposure of the environment.
Leased line networks and remote access equipment have been replaced in favor of virtual private networks (VPNs), offering substantial infrastructure and support advantages. To enable secure private communications, VPNs implement the following:
* Authentication
* Encryption
* Key management technologies

Because these technologies are not yet "battle-hardened", VPNs will remain so until the emerging protocols, standards, and products mature.

Three critical VPN components are:
* Security (access control, authentication, and encryption)
* Traffic management (making sure that critical applications are delivered reliably and with the highest possible performance)
* Policy-based network management (the ability to manage the entire network from one central console to one easy-to-install turnkey solution)
How does one stay familiar with the latest viruses and fixes, as well as other security issues, through web sites such as www.cert.org or www.NTSecurity.net? The enemy is likely more experienced, but a little prevention can go a long way. Often the technology (like firewalls) is in place, but the process has not been.
NAT passes each request through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves the number of global addresses that a company needs and lets the company use a single address in its communication with the world. NAT is included as part of a router and is often part of a corporate firewall. Network administrators create a NAT table that does the global-to-local and local-to-global address mapping. NAT can also be used in conjunction with policy routing. It can be statically defined, or it can be set up to dynamically translate from and to a pool of addresses. NAT allows internal internet addresses or internet protocols to be hidden: traffic leaving through the firewall will appear to have been sent from the firewall's external address, rendering the sender invisible to the internet, which makes it difficult for hackers to track down the network information and addresses required.
Stateful inspection is the most sophisticated technology available at the time of writing. Firewalls built around this technology interrogate the packets based on source, destination, and communication port. Is stateful inspection technology used, and does it filter based on source, destination, and protocol? Does the design provide both router-based and secure-operating-system-based configurations? The router setup is most common for commercial firewalls that receive a packet, compare it to the rules defined, and either permit or deny access to another network. This scenario often requires several network changes, including managing static routing tables, and it can make the firewall an easy target for hackers. To address these issues, the firewall was built on top of a secure operating system.
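The difference between the port-based filter and stateful inspection described above, together with NAT's address rewriting, is easiest to see on a packet trace. This added example (not code from the book) simulates both over a constructed trace in which an outsider spoofs source port 80 to look like a web reply; the addresses, port numbers, and the NAT port pool starting at 40000 are assumptions made for the example.

```python
"""Contrast a port-based packet filter with a stateful inspection firewall that
also performs source NAT, over a constructed packet trace. Added example, not
from the book; all addresses are RFC 5737 documentation ranges."""
from dataclasses import dataclass
from itertools import count

INSIDE_PREFIX = "10.0.0."        # constructed private network
FIREWALL_PUBLIC = "203.0.113.1"  # constructed external address of the firewall
ALLOWED_OUTBOUND = frozenset({80, 443})


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt):
    """Port-based rules of the kind the text describes: a port defined as accepting
    traffic passes anything that carries that port number, in either direction."""
    if pkt.src.startswith(INSIDE_PREFIX) and pkt.dport in ALLOWED_OUTBOUND:
        return "allow"
    if pkt.dst.startswith(INSIDE_PREFIX) and pkt.sport in ALLOWED_OUTBOUND:
        return "allow"   # the weakness: an outsider sourcing from port 80 walks in
    return "deny"


class StatefulNatFirewall:
    """Remembers connections opened from inside and lets inbound packets through
    only when they answer a remembered request. Outbound packets are rewritten
    to the firewall's public address (source NAT); replies are mapped back."""

    def __init__(self):
        self.by_public_port = {}   # public port -> (inside_ip, inside_port, peer_ip, peer_port)
        self.by_flow = {}          # (inside_ip, inside_port, peer_ip, peer_port) -> public port
        self.next_port = count(40000)

    def process(self, pkt):
        """Return (verdict, translated packet or None)."""
        if pkt.src.startswith(INSIDE_PREFIX):
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if flow not in self.by_flow:
                # State is created only for a permitted new connection attempt.
                if not (pkt.syn and not pkt.ack and pkt.dport in ALLOWED_OUTBOUND):
                    return "deny", None
                port = next(self.next_port)
                self.by_flow[flow] = port
                self.by_public_port[port] = flow
            port = self.by_flow[flow]
            return "allow", Packet(FIREWALL_PUBLIC, port, pkt.dst, pkt.dport, pkt.syn, pkt.ack)

        # Inbound: must target a mapped public port AND come from that flow's peer.
        flow = self.by_public_port.get(pkt.dport)
        if pkt.dst != FIREWALL_PUBLIC or flow is None:
            return "deny", None
        inside_ip, inside_port, peer_ip, peer_port = flow
        if (pkt.src, pkt.sport) != (peer_ip, peer_port):
            return "deny", None   # right port, wrong peer: not a reply to our request
        return "allow", Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.syn, pkt.ack)


# Constructed traces. The outsider 192.0.2.66 spoofs source port 80 to look like
# a web reply; the stateless filter passes it, the stateful firewall does not.
WEB = "198.51.100.20"
STATELESS_TRACE = [
    Packet("10.0.0.5", 51000, WEB, 80, syn=True),            # client SYN
    Packet(WEB, 80, "10.0.0.5", 51000, syn=True, ack=True),  # server SYN/ACK
    Packet("192.0.2.66", 80, "10.0.0.5", 22),                # unsolicited, aimed at ssh
]
STATEFUL_TRACE = [
    Packet("10.0.0.5", 51000, WEB, 80, syn=True),                 # mapped to public port 40000
    Packet(WEB, 80, FIREWALL_PUBLIC, 40000, syn=True, ack=True),  # genuine reply
    Packet("192.0.2.66", 80, FIREWALL_PUBLIC, 40000),             # right port, wrong peer
    Packet("192.0.2.66", 80, FIREWALL_PUBLIC, 22),                # no state at all
]


def compare():
    """Run both traces and return the two verdict lists."""
    fw = StatefulNatFirewall()
    return ([stateless_filter(p) for p in STATELESS_TRACE],
            [fw.process(p)[0] for p in STATEFUL_TRACE])


if __name__ == "__main__":
    stateless, stateful = compare()
    print("stateless:", stateless)
    print("stateful: ", stateful)
```

The stateless verdicts are allow, allow, allow; the stateful ones are allow, allow, deny, deny. The third stateful packet is the instructive case: it hits a port the table knows about, but from the wrong peer, which is exactly the "was this specifically requested" question the text attributes to stateful inspection. A real implementation also ages entries out and tracks the TCP state machine (FIN/RST), which is omitted here.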
The critical security tasks include network protocol analysis and security, network, and management solutions. These tasks should be followed during all stages of network development and security, from planning and design to implementation and ongoing management. They include:
* Operational tasks
* Software distributions
* Event alerts
* System monitors

Anti-virus products such as Total Virus Defense operate from within the IT environment: they reside on the system with the application and its users, blocking distribution of viruses, spam, and other inappropriate message content.
E-mail can now be used to distribute confidential or inappropriate information, which can raise a number of serious legal issues. Can different filters be applied to different groups of people at different times of the day? How is the corporate policy implemented and centrally controlled by the company's IT function so that the filter is effective?
DISASTER RECOVERY PLANNING

Electronic data interchange (EDI) has grown significantly in the past five years, replacing paper transactions with electronic ones, so routine business functions may stop whenever the system is not operating. It is possible to plan for worst-case scenarios. Weaknesses in the existing plan, or the inability of the organization to use its information technology, cause significant loss of essential services. Not every disruption is a disaster, although it might be perceived as such; thus there are classifications of exposure, up to a significant interruption, depending on its duration and its effect on the organization. Factors to weigh include the degree of dependency placed on information technology and whether staff can perform the required recovery tasks.

The plan should be as comprehensive as possible and should document preestablished decisions and actions for a crisis atmosphere. The plan should also emphasize the actions intended to protect the organization from those who would take advantage of the disruption through:
* Fraud
* Terrorist actions
* Theft

The first step in determining the potential impact of a disaster is to identify the essential assets that need protection. One way to do this is to perform an impact analysis study. Some
essential assets (e.g., facilities, hardware, and software) might be tangible and easily iden-
tified and their value easily calculated. However, the value of data is more difficult to as-
sess because it depends on its relative value to management. The following categories
should be considered when developing an inventory of essential assets requiring protection:
Facilities
Data
Software
Personnel
Data processing hardware
Communications circuits
Communications hardware
These assets are susceptible to any of the threats listed as probable causes of business in-
terruptions. Management is responsible for recognizing the probable causes of business
interruptions and, to the extent possible, taking steps necessary to protect critical infor-
mation technology operations. Auditors should assess the risk of exposure and the ade-
quacy of precautionary steps to prevent or minimize the effects of disaster. It can be ex-
pensive to develop and maintain a DRP. Designing a DRP is a labor-intensive task and can
take a year or more to complete.
STRATEGY SELECTION
Disaster recovery strategies range from providing fully functional alternate sites to “quick
ship” programs, which may be internally or externally provided. Based on the business impact analysis (BIA), a suitable strategy should be selected to provide the organization with the necessary recovery resources within its predetermined recovery time objectives (RTOs).
Audit should review the strategy to ensure that it is in line with the overall business
process and fits the organization’s bigger picture. Audit can also perform independent re-
views of vendor contracts and agreements as well as liaise with procurement and legal de-
partments during this process. The key is to ensure that the selected recovery strategies and
all assumptions surrounding those strategies have been adequately and independently re-
viewed.
These assumptions may include:
Assuming that the alternate facility will be available at crisis time.
Assuming that the alternate facility is a certain distance away and unlikely to be affected.
Assuming that key personnel will be available to facilitate recovery.
Assuming that identified vendors and alternates will be available to provide products
and services.
Audit should work with the disaster recovery planner to ensure that there are no “surprise”
audit findings after the DRP program is implemented. It is far more efficient and effective
to build audit requirements into the DRP process during development than to retrofit a DRP
program with audit-required controls.
PLAN PREPARATION
Since individual business managers are ultimately responsible for the successful execution
of the plan in the event of disruption, they should assume ownership of the plan. They
should provide the time and resources to clearly document the detailed recovery procedures
necessary to resume and continue critical business activities.
The methodology described here is to prove the accuracy and completeness of the plan and to keep pace with change. The purpose of testing is to verify the validity and functionality of the recovery procedures when components are combined. If you are able to test all modules, even if you cannot perform a full test, then you can be confident that the business will survive a disaster. Components to combine include:
* Application recovery
* Running production processing

Before any test is attempted, it must be verified that the recovery plan is fully documented in all sections, including all appendices and attachments referenced to each process. Each of the participating teams in a test must be aware of how their role relates to other teams, when and how they are expected to perform their tasks, and what tools are permissible. It is the responsibility of each team leader to keep a log of the proceedings for further improvement and to prepare better for future tests.

Questions for the recovery site:
* Do you know the recovery point (e.g., start of day [SOD] or end of day [EOD] checkpoint recovery)? Is this documented in the plan?
* Can you recover the databases to the SOD?
  * Application restore
  * Database restore
  * Set unit addresses
  * Perform restarts
* Does the site have a security system, and do you know how to program and use it?
* Are all the cables, phones, power, telex, and modems of the appropriate quantity to meet recovery needs?
* Have you verified as functional the air conditioners and lighting, and is there sufficient floor and office space to meet your needs?
* Have you checked the access for entry and exit of equipment and staff?
* Do you have a diagram showing the network/system configuration and flow?
* Do you know the emergency evacuation procedures of the site?
* Does the fire-fighting equipment meet the required standards, and has it been checked?
While testing is in itself beneficial, an effective recovery plan can only be achieved by constructive analysis of each test and the test's results through a postmortem. This also maintains the momentum gained from the test, which is critical to the process of building a workable plan.

Many staff see disaster recovery as an additional workload; however, with time and constructive, regular involvement, staff develop a greater commitment.

Each team leader has the responsibility of maintaining a log of events during each test. The information gathered from these logs, in addition to the postmortem report by the test manager, identifies the areas of improvement; each is given a realistic completion date and results in an immediate update to the plan and its controls.
As mentioned before, audit should be an ally in the disaster recovery process. If this is not the case, a reevaluation and redefinition of roles might be in order. Audit should be the independent group to monitor and report the progress and effectiveness of the disaster recovery program. They should also confirm that senior management is receiving the right message and not a false sense of security when it comes to disaster recovery readiness. The following statements should be considered "warning signs" that may indicate a false sense of security among an organization's management:
* "... have a disaster recovery plan for technology."
* "... conduct annual plan tests at our vendor facility."
* "... software package."
* "If I am affected by disaster, so are my competitors."

Statements such as these indicate that the company's program may not be comprehensive. Audit should recognize these symptoms and recommend solutions for bringing the DRP program to the appropriate level. Audit should work with disaster recovery planners and business managers to identify synergies with other enterprise-wide activities, such as corporate standards, self-assessment compliance programs, awareness programs, DRP expense reporting, plan development, and the development and use of monitoring tools.

Audit may often feel like "referees" in a large corporate effort. They are regularly asked to "enforce the rules" of a well-controlled and operated environment. Disaster recovery planning is clearly one area in which audit can shed the "striped shirts," put on the company's "team colors," and participate and add value to the critically important effort.

All members of disaster recovery teams and senior managers should receive a copy of the plan. The company should also consider providing copies of the plan to external groups that may help with disaster prevention and recovery. Disaster recovery plans are considered a proprietary document, and they should not be distributed indiscriminately, either internally or externally.
As described in the previous section, the plan should not be dependent on the participation of any individual or team. A disaster could result in the unavailability, injury, or death of key recovery team members. It is also possible that essential members of the recovery team may find the recovery process overwhelming and resign from their positions. Therefore, to help prevent chaos following a disaster, the DRP should contain enough detail to allow available staff to begin implementing the recovery process as quickly as possible following a disaster. A complete, up-to-date set of plans should also be maintained in an accessible off-site location to ensure accessibility when needed.

* Is the DRP designed to protect and recover data at all levels within the organization? In addition to addressing mainframe-based data, the DRP should also provide policies and procedures for protecting and recovering programs and data developed by end users for use on personal computers.
* Does the DRP also describe maintaining communications with the value-added network?
* Is there a communication procedure designed to notify the entire workforce in the event of a serious disaster?
* Are management personnel able to run the computer center in the event that non-management personnel are unavailable?
* Has a personal skills inventory been conducted to identify special employee skills that could be used during an emergency?
* Is access to the data library restricted to designated librarians, even during disaster periods?
* Has a recovery team been assigned so that they can begin work immediately in the event of a disaster?
* Is user management heavily involved in computer disaster recovery planning?
* Are computer personnel in key positions of authority bonded?
* Has the staff been trained in fire alarm, bomb threat, and other emergency procedures?
* Has the staff been adequately instructed in what to do when an emergency alarm sounds?
* Have computer center personnel been trained to protect confidential data during periods of disaster recovery?
* Do all security procedures remain in effect during a disaster recovery period?
* Are disaster recovery responsibilities included in the appropriate job descriptions?
* Are new or transferred employees immediately trained in disaster recovery procedures and assigned appropriate responsibilities?
* Is there a complete listing of all supplies, and are copies of all forms available at a second site?
* Has the plan been reviewed by senior management and approved by all responsible managers?
* If extra copies of the disaster recovery plan are maintained, are they regularly updated?
* In the event of a disaster, have sufficient funds been allocated for transportation, operating expenses, emergency supplies, and so on?

The following questions must be answered by members of management who are suppliers of services essential to the recovery of the vital business process (i.e., information systems services, site services, site security) and who must negotiate service level agreements with owners of vital business processes defining services committed in the period following a disaster until normal operations are restored.

* Have you negotiated service level agreements with owners of vital business processes who are on your service/system?
* Do your own suppliers have disaster recovery plans covering their service commitments, and are those plans protected off-site?
* Do you have a disaster recovery plan for your service/system that will recover the vital business processes as committed in the service level agreement?
* Has your disaster recovery plan for your service/system been updated within the last twelve months?
* Is non-compliance in testing reported to the CIO, with a target date for remediation?
See Exhibit 8.1 for a sample disaster recovery plan.