400, NT, UNIX, Networks, and Disaster Recovery Plans

This Page Intentionally Left Blank

This book is printed on acid-free paper.

@

Copyright 0 2001 by John Wiley and Sons, Inc. All rights reserved. Published simultaneously in Canada.

form or by any means, No part ofthis publicationmay be reproduced, stored in a retrieval system or transmitted anyin electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107ofor 108 the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through paymentof the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisherfor permission shouldbe addressed to the I, fax Permissions Department, John Wiley & Sons, Inc., 605 Third Avenue, New York, NY 10158-0012, (212) 850-601 (212) 850-6008, E-Mail:P E ~ ~ E Q ~ ~ E Y . C O M . This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional be services. If legal adviceor other expert assistanceis required, the servicesof a competent professional person should sought.

Musaji, YusufaliF. Auditing and security: AS/400,W,UNIX, networks, and disaster recovery plans/ Yusufali F. Musaji. p. cm. ISBN 0-471-38371-6 (cloth: alk. paper) 1. Electronic data processing-Auditing. 2. Computer security. I. Title. ~A76.9.A93M87 2001 005.84~21 Printed in the United States of America. 10987654321

00-064922

This book is dedicated tomy g r a n ~ m o t h eMrs. ~ ~ulsumbai ~urbhai, so I could grow. who taught me to sacrgce

Io my mot he^ Mrs. ~ a t i m a ~ u swho a j i ,s a c r i ~ c e d h material er well-being so I could paymy school fees.

To my son, Ali Musaji, who taught me perseverance, patience, and the m a ~ e l s

ofl~~.

Io my w$e, ~ a oMusaji, ~ i for herlove, tolerance, and faith.

This Page Intentionally Left Blank

nd the big picture, see their roles within it, continuo

resources from hackers and computer thieves, corporations neglected the physical security aspects and as a result suffered financial loss from lack of physical security controls, thus becoming easy gamefor crooks. In spite of this, physical security continued be toregarded as being limitedto the perimeter controls and bodyguards at the front doors. Theft or damage to information processing resources, unauthorized d is c lo s ~ or e erasure of proprietaryinformation,andinterruption of support for proprietarybusin processes are all risks that managers who own or are responsiblefor i n f o ~ a t i o nresources must evaluate. Since physical access to information processing resources exposes a company to all of these risks, management must institute physical access controls that are commensurate with therisk and potential loss to the company. The objective of the physical security audit is to determine if mana~ementprocesses have been implemented, are effective, and are in compliance with established ins~ctions and standards as formulated in the company security policy. they ensure that the company’s information resources are protected from unauthorize Chapters 3, 4, 5, and 6 discuss auditing the most advanced platforms:AS/400, crosoft NT, and Unix. M y are system concepts and architecture important to understand? do not startby choosing a computer platform. They start by choosing map ss needs. Becauseof this, the computer system is very often consideredfirst. should the computer architecture matter? The accelerating rate of change of e and software technologies necessitates that the system selected has been designed with thefuture in mind. Do the platforms accommodateinevitab~e,rapid, and draatic technology changes with m i ~ m u mrelative effort? Are the systemsfuture-oriented? aradoxically, the characteristic of the most advanced design and technologyis subtle. It a c c o ~ o d a t e sthe rapidly changing hardware and softwarecompo~ents-permitting one to fully exploit the latest technologies. Is the operating system conceived as single a entity? Are the facilities such as relational database, communications andnetwor~ngcapabilities, online help, and so on fully inte~ratedinto the operating system and the machine? Successful audits of computer platforms are intended to provide an analysisof the computing and network hardware components with potential risks and re c o ~ e n d a tio n s . If the computing platformis not secure, neitheris the company’s data. Chapter 7 continues the discussion of auditing networks. ~ o ~ o r a t i o deploy ns networks to lower the total cost of network ownership,m ~ i m i their ~ e return onin~estment, provide seamless, enterprise-wide services, enable appli~ations,enhance their perfomance, control network resources, speed up project implementation, and minimi~erisk and riven by the rush to e-commerce, se rity has rapidly become a mission-critical component of the corporate IT infrast~cture. protecting these mission-criticalnetwor~s from corruption and intrusion, network security has enabled new business applicationsby reducing risk and providing a foundation for expanding business with intranet, extranet, and electronic c o m e r c e applications. Therefore, network security should be a continuous cycle, consisting of establis~ng a security policy that defines the security goalsof the enterprise, implementing security in a comprehensive and layered approach, and auditing the network on a recurrin sure that good network security is easier and more cost-effective, lso, network security should ensure that no irregularities have developed as the network evolves, and the results of the audits shouldbe used to modify the security policy and the technology implementation as needed.

i

Chapter 8 discusses auditing the disaster recovery plan. Large pools of shared databases, t i m e - s h ~ nvast ~ , teleprocessing networks, t e l e c o ~ u ~ c a t i oconnections ns to noncompany facilities, multiple distributed printers and systems, and thousands of users characterize the state-of-the-art computer centers in corporations. Disruption of service or the intentional orinadve~entdestruction of data could potentially bring business processes to a halt. Across this entire computer i n f r a s ~ c ~ rthe e , Information Security (IS) processes must be implemented to ensure the confidentiality, integrity, and availabilityof the company’s information assets. The responsibility for the implementationof an effectiveIS program is assigned according to the company’s goals and objectives. Generally, this responsibility is delegated to the information system because of its traditional role as Provider of Service. However, ISis often not the Provider of Service for smaller systems thatexist at a location. Regardlessof the organizational roles and responsibilities, corporate the information officer (CIO)is responsible for the overall implementation. With the emergence of disaster recovery planning, physical security is regarded as the cornerstone to developing a viable disaster recovery plan, The pundits have suddenly proureka,” and the dawnof physical security as the foundation on which the disaster recovery plan can be built has begun to take hold. Protecting assets from disasters is now one edge of a double-edged sword with the other edge preventing losses from theft and human errors, which in fact pays partly if not wholly for the costs of disaster recovery planning. The auditbr must ensure that the computing environmentssuppo~ingvital business processes are recoverable in the event of a disaster. Auditing and Security has been developedfor IT managers, IT operations management, andpractitioners and students of IT audit. The intent of this book is to highli~htthe areas of computer controls and to present them to the reader in a practical and pragmatic manner. Eachchapter contains usable audit programs andcontrol methods that can be readily applied to information technology audits. As an added value, two presentations are available onthe World Wide Web.The first presentation is a proposalfor investing in a disaster recovery plan and the second is a firewall selection guide. Please visit www.wiley.co~musaji.The user password is: auditing. These documents are in Powerpoint format.

Yusufali. F.Musaji is the Founder, Director and President of Mi’s Y, Consulting Inc., anIT and Financial Consultingf m specializing in computer consulting. Yusufalihas a strong computer science and financial background. He embraces full sthe pect~m of financial, operational, andIT disciplines requiredof a state-of-the-artorgani~ation.His functional and technical areasof expertise include system development and implementation, project management, computer security and financial systems. Yusufali F. Musaji is widely publishedin IT, financial, and securityj o u ~ a l re s ser Relations~ps,and has also developed numerous business continuity plans. e holds a Bachelorof Computer Science from York U~versity,Toronto, Canada, and is a C.G.A., CISA andCISSP.

information Security throu h Dynamic Culture Information Securi~ ~anager-L~ader Roles ~ y n a ~Culture ic Is a Prerequisite forG r o ~ h Sustaining Culture for Process Improvement ~ o c u sInward ~ynamicCulture Overview Leadership ~ e e d e d from IS ~anager-Leade~ ~ y n aCu~ture ~ i ~ Tra~sformation eco~ni~ing ~aits ~esired ~ehaviors~ Win, ~xecute,Team ~ y n a ~Culture ic Self-Assessm~nt ~ o r and ~ sValues S yst e~s,Structures, and Processes As~ump~ions IS an age^ Leade~or ~anager-Leaders ~ o t aJob l ~odel ~ u m a n R e s o u r c e s / ~ ~ p l Processes oy~es ~an~g~r-~eaders Accounta~ili~ ~ e w ole of the ~ a n a g e r S~aredResponsibility for~ R l ~ m p l o y e e Processes s ~oundational~ a i t and s A~ributes Specific Skills Required by IS ~ana~er-Leaders Personal Learning Sparks~rgani~ational Learning ~xecutiveSkills Versus~ a n a g e r - ~ a sSkills ic Conflict ~ e ~ o l u t i o n ~haracteristicsof ~ ~ r mConflict al Resol~tionPlans Conflict Awaren~ss

If

11

26

29 2 31 32 33 33

r ~ afor t ~ositive ~esolution

34 36 38

40 41

ical Access Controls the C o ~ ~ a lnst~llation n y ~ An~lysisand Accept~nce

42 43 47 49

52 53 3 57 58 59

59 63

64 65 65 67 7

69 70 70 70 77 77

78

AS/400 System Concepts andArc~itecture

System Concepts ~ u lIntegration l into the~ ~ e r a t i System ng and the~ a c h i n ased Operating System Aut~orityParameter (A~Ts~ A~plicationDevelopment ~001s System ~tilities A ~/400 ~~~~Y Initial Pro~rams ~ a m i n g~omenclature Libraries Backup and Recovery Auxiliary Storage Pools journal in^ Commitment Control Checksum Protection ~isk ~irrorin~ ~edundantArray of Independent ~ i s k sAID^ Security ~ y st emKey Lock ~ y st em wide S e c u r i ~ Values ~ y st emAuthority ~ s e~rofiles r roup Pro~les Authori~ationLists A ~ o pAuthority t ~ r d eof r Authority Checking ~ t h eSecurity r Issues ~ yst emValues

111 11

Summary

1

tiv

Operationa~Controls ~ r ~ a n i ~ a t i oStructure nal ~rogramDevelo~ment, Ac~uisition, and ~aintenance Access to Data~ i l e s usiness Continui~ General Controls Computer ~ o o m

Set Auditoni it or and Audit Log Parameters Off Turn Auditing On or Select Users to be Audited Select €vents to be Audited Select System Calls to be Audited Interpreting Audit Log Data ~ a n a ~ i Audit n g Log Resources Administering the Auditing System Using Auditing in a Diskless ~nvironment Backup and Recovery in a Secure Enviro~ment ~ a c k u pSecurity Practices Recovery Security Practices ~ ount ingand Un~ountinga File System Shu~ingDown a System Securely

vir

Internetworking over vie^ Devices Con~rol Re9uire~ents Different Typesof Networks Local Access~ e ~ o r k Wide Access~ e t ~ o r k Internetworking Challen~es 0 ~ierarchyof etw works OS1 Model ~ommunicatingData through €ncapsulation OS1 Layer 7: Physical Layer OS1 Layer 2: ~ a t Link a Layer (TheVirtual ~ o r l d ) OS1 Layer 3: ~ e ~Layer o r ~ rt SI Layer4: ~ a ~ s p oLayer ~onnection-Orientedand Connectionlessc et work OS1 Layer 5: Session Layer OS1 Layer 6: Presentation Layer OS1 Layer 7: Application Layer

Audit ails ~ r i v i l e g eUser ~ ID Authori~ation

157 758

160

A ~ / 4 0 0Installed

165 168 4A.5 Other Objects rams thatA d o ~Authority t ~uthori~ation Lists bject ~ e v e l ~ e c ~ r i t y 4A.6 ~tilities

169

76 170 7 7’0 170

171 1.7

Job ~escriptions

172 173 174

4A.8 ~ e ~ Q~Qnsiderations r k

174

4A.9 ~ecurityAdministration ~ u ~Log i t

178 178

IntrQduction oni it or ~ecurity ~e~erence ~ecurity ~ccount ~anager ~ ~ s c r e t i o ~Access ary Co~tro~s ~ t ~ eat e tur res ~ecurityOverview on ~rocessand User entity ~ ~ j e cand t s ~ecurity ~er~is~ions Access Control Lists ~ e s i g nea tu res

182

182

183 184

185 186

188 788

i

Access Control:Securi~ ~anagement User Authentication

User Accounts User ~ i g h t s User Accounts, Groups, and S~curi~ ~lan#ing erm missions §ummary Policy Plannin~ Account ~ o i i c y User ~ i g h t sPolicy Aud~tPolicy §yst e~ ~olicies Share Ptannin~ Creating Shares Creating a~ e t ~ o r k

202

07 207

S~are

207

Se~ingFile SystemPerm~ssions nag in^ Groups §pecial ~ r o u p s ~ a n a ~ i User n g A~~ounts ~ e t ~ o r k and e d Local Users ~pecial ~uilt-In Accounts Creating User Accounts copy in^ User Accounts ~isablingand ~eletingUser Accoun~s ~ e ~ ~ mUser i n gAccounts n v i r o n ~ ~Profiles nt ~ o g o nScripts ~ome ~irect~ries Creatin~User ~irectories ~ u m ~ a r ~

omains and Trust Su~ported~ e ~ ~ sport o f k Protocols A~acksand Defenses Services that~nhaffceor Impact Security eat tu res of Secu~i~y Security Certifications

12 2l2

272

273

75 76 277 217

240 240

336

Introduction

336 336 339 340

tion ~ a n a g e~r e v i e ~ e ~ i n g a Secure S y s t e ~ ~~

ecure System ~ a i n t ~ n ~ n c Cre~ting~ r o ~ u ~ t ~ e Files scri~~ion V e r i ~ i File n~ Syste~ Consistency for C ust o~i~ed ~ile set s ing User Acce~sto System and Files ss~ord Se~urity File ~ e r ~ i s s i o n s ~rotectingKey S ~ ~ s y s ~ e ~ s Criteria for ~ o ~ e s e~urityConsi~erationsfor ~ e v i c e ~ i l e s

340 3 4 ~ 344

344 5 3 ~ 6 34

34 349 350 350 351 352

352

353 354

355 356 356 ~ 5 6 357 363

. .. 111

'

P~ysicalAccess to System Unit System Key Lock ~ y st emConsole Dedicated ServiceTools Security Level AllowUserDomainObjects ~ a s s ~ o r d ~ o r mRules a~ing ~ a x i m u mSign-On A~empts Limit SecurityO ~ c eAccess r emote Sign-On ~ontrols Limit umber of Device Sessions Automatic Configuration of Virtual Devices Automatic Confi~urationof Local Devices A~ention Pro~ram Violation Reporting and~ollow-Up Default Public Access Authori~ is play ~ign-Oninformation Job ~me- O ut ~ y st em or ti on of Library List User ~ ~ r t i of o nLibrary List l ~ ~ - S u p ~ lUser i e d~r~files Special UserPro~les User P r of i~e~ roup ~ r o ~ l e s Li~raryAccess ccess to D a t ~ Access to ~rogramLibraries Authori~ationLists Job ~escriptions

131 137 132 732 732 133 133 134 135 135 135 136 136 136 137 73 139 139 140 140 147 14I 742 144 1 145 1 4 ~ 746 747

lniti~lProgram C Support Output ~ u e u e s Sensitive Commands a c ~ u pand ~ecovery

148 749 149 150 750 151 752 153

753 User Verific~tion

155

N ~ e ~ o r k i Topologies ng lmple~enting ~thernet Token Ring A ~ S I ~ j~istrjbuted ber Data lnte~ace

3 463 464 46

464

N e ~ o ~ k l n ~ ~ ~ ~ c e s Physical Layerlnte~ace at^ Link Layerl n t e ~ ~ c e

464 64 465

asic l ~ t ~ r n e ~ o rDevices kin~ CiIiClJ outer Lab ~verview Power Up and Basicouter Access UsingFlTP ~ e r v e r A Look lnsi~e Internet ~ F e r a t i n System ~

irewall What Is a irew wall? curity Policy o ~ m Internet ~ n Thre~ts irew wall Arc~itectures Stateful Inspection Packet ~ilters ~ircuit-Level~ a t e ~ a y Application~Levelatew way Stateful InsFectionAdv~ntagesand ~ i s a ~ v a n t a ~ e s

hoosing a Firewall Securi~ Audit lving the ~uFeruser ~roblem ~ ner a/ Bac~groundInformation ~etworki~g

~onductingBusiness across the Internet ~onfiguratjon an slat ion ~ e t ~ oAddress rk ~onitoring

474

476 477 477 478

479 479

4 4

NT ~ecurity ~ e t w o Information r~ Services ~ o c u ~ e n t a ~ heckl i o n list irew wall C ~ e c ~ l i s t ~ilters ire wall Tests Technical Audit Program lnterna~and Firewa~lConfi~urationSecurity

i

486 487 487 #89 490 490 490

~~i~

Introduction merging Technoio~ies ~ n d " ~ sCompu~ing er ~etwor~s ~tronic~ a t Interchange a

493 493 493 493

#94 494

Key Com~onentsof a Successful Disaster Recovery Pian ~ ~ n a ~ e mCommitment ent andF u n ~ i n ~ ~ecoveryTeam ~ i s ~ s t erer pa redness ~ u i l d i an ~Case for Disaster ~ecovery usiness l ~ p a Analysis c~

494 494 496 496 498 498 499 499 500

test in^ the Disaster Recovery Plan

501 501

~etting O~~ectives De~~in the g ~oundaries Test re requisites ~yste~ ~o Checks dule ~ n a l y ~the i n Test ~ uditing the Disaster Recovery Plan eneral ~uestions Documentation ~uestions Plan ~r gani~at ion and Assignments: For~-~ine-Point Checklist usiness ~rocessOwner uppliers of u er vice

503 504 505 507 510

512 512 515 515 518 519

This Page Intentionally Left Blank

What drives revenue and profit in today’s economyis undoubtedly the mix of hardware, software, and services. Often the di~erentiatorfor this mixis the highly skilled, motivated, leading-edged employee whod e t e ~ i n e the s company’s competitiveness and its growth in the marketplace. Growthis linked to satisfied customers whose loyalty is the foundation for success. Thus, thefactor that d e t e ~ n e as company’s growth andits customer satisfaction is the quality of its employees. Employees arec o ~ t t e and d highly motivated when their work e n v i r o ~ e n tenable s them to go the extra for mile their customers, their company, and their colleagues.is This what builds a network of d y n ~ employees c who strive tobe the best at providing valueto their customers. Simil~ly,what mobilizes the employees to understand the elements of the security cultureand to see its relevance to the company’s business success as well as their own per sonal success are the dedicated ~ o ~ a t i Security o n (IS)mana~er-leaders.It takes dedicated S mana~er-leadersto guide the~ a n s f o ~ a to ~ ao dynamic n security-conscious culture. Employees continueto be a company’s greatest asset, perhaps more so now than ever before. That’swhy IS manager-leaders must not allowthe urgency of their daily workload to take precedence over the impo~anttime needed for the employee aspectsof their roles. ollowing are five factors thatcon~ibuteto customer satisfaction:

. Image

, . Value

f these, image is considered tobe four times moreimpo~antthan anyof the other factors, Image is a composite of four e loyee-related issues:

. Highly skilled employees whoare committed to excellence.

loyees who are responsive and helpful and who take charge. . A company thatis customer oriented and easyto do business with. . A company you can trust.

~ u l ~ l l i ncustomer g satisfaction on thesefour issues, e s p ~ i ~ l y ~ i r stwo, t is very de-

class.It is not them m nt processes are world S, rather it is the employee It is i m p o ~to~ di~erentia t o share responsi~ilityfor their collectives u ~ c e s ~ .

IS manager-leade~roles, at is the missio~of IS m ow does their~ i s s i o nrelate toa c would a security-conscious culture/co~pa~y look like?

n ~ o ~ a t i dynamic on culture oles versusjobs and titles d ~ t u expectations ~ e

ny suc c ess~business l s ~ a t e is ~ geared y tow

orations-attributed to failure to an sf om cultures in conjunction with ffo~s-has been high.

-shap~dchart in E ~ i b i 1.2, t shows the four factors that must be present for be effectively im~lemented.It is not enoughto only have reengiprocesses willfail without the accompanying changes job in acoring methods, andnoms and values embedded in the intangible cultural factors below the surface depicted by the ered processes as the visible tip of the iceberg above the surods and ideas on employees will not work, especiallyif the e than half the reengineered efforts have failed the cruciali m ~ o ~ a nof c ethe cultural factors belowthe surto squander their huge investments in the new processes if estment is dismal. ~onse~uently, attention to cultural unS is b e c o ~ i mandatory. ~g e word t r ~ n s ~ o r ~isi nintended g to capture both the journey and the needfor dylture. This requires modeling the new culture in the way res new relations~ps,and adds value inthe evolvloyees ”+ ~ a t i s ~ e d ~ u s t o ~ e r s .

ts from a dynamic c u l t ~ e ~ m p l o y e ecustomers, s, and the shareange the e ~ t e ~en~ironment al unless you t is becoming increasinglya p ~ ~ etonthe t e success of employees and the success of the organization are e n s ~ ~ that n g employees are seen as drivers of the organization, ustomers and investors, is pivotal to creating d y n ~ work c ene ~ p l o y e esatisfaction a central driver in the organization d e ~ a n d as

to your customer^.^' eir ~ i s c r e t i o n a ~ ein ~ ogoals r t t~atbot^ nd ~ ~ ~ the i ~c oi ~z~ ea nsuccess. y ~ s It is this “voluntee~sm”

S

of IS m~ager-leaders that enable the these roles, and why a~entionto empl points that provide the outline of a d y n ~ culture: c

ribe a “ d y n a ~ i c c ~ l t ~ r e / c o m ” : ~ The a n y ~ e e -la y e re d viors, noms and values, and assumptions-provides a ired dynamic culture.

ent

pliance, A dynamic culture/company unleashesthe pot en ti^ of employees who are comto clear, relevant, andm ean in g ~purposes l that they have helped shape. mployees will committo the new dynamic culture when four factors arein place: ~ Z ~ rStaff members i ~ :understand what nthe is-the characteristics of the culture areclear to them andthey ate them to others, eZev~nce: StdT members see the relevance ynamic culture to the com'S business success-they see how it wi z the company's customers elp the c o ~ p a n ygrow. ~ ~ i Staff ~ g members ; see the personal m e ~ i n gof the new what it means to thempersonal~y,and they canget excited about it. ~nvozve~ent:Staff members want to be, and are, involved in the shaping and deployment of the new dynamic cul~re-without involvement9 noco~mitment. it is impractical to involve everyone in shapingl a e-scale change, theirchos r~sentativesmay be involved. Giving employees the choice to be involved is the key point, evenif they choose not to be.

The need shouldbe for everyone, especiallyIS manager-leaders, to help § u s t ~ the n journey and notslip back-to be comfortable reinforcin ,evolving, and nurturin culture/company. In summary, I manager-leaders enable the dynamic culture that generates a dynamic company9 producing highly satis~edand loyal customers that fuel company growth.

Transfo~ationis about change. There are man mo change and organizational change.The Change that are ah e l p ~ context l for cultural change. tural change as follows:

els that describe S

den ti^ needs. This phase is su~portedpush theth of external the environment. There iscomalso hethe pany9shuge investment in reengineerin

~ h a s Ie;

state” willbe described

manager-leaders also touches on the follow in^:

owever, given that real culture transfo~atio quire much iteration.

hase 2 suggests thatif we want a d y n a ~ culture/com~any, c we would look like. T r a n s f Q ~ nany g or~ani2ationto a rogress can appear to be unattai~ablecomplishe~a step ata time. The Lure is made up of behaviors, norms and values, and as to bring to the surfacenorms, values, andassum~tions namic culture/com~any.(See Exhibit 1.

he most obvioussi r l e ~ and ~ e valuable les on m a ~ a g e ~ e n t ,

izations. To help understand these behaviors in the cont are o r g ~ i z e daround the three foundationalo and team. as shown i ynarnic company has six core elements dynami~ cul~re/company uzzle are as follows: Its employees arean energetic global te It leads in creating valuefor customers. wins thro~ghtechnolo t builds share~oldervalue. It is involved with our~ o ~ u n i t i e s . t expects teamwork, integrity, respect, a S

on the right things. t is invigorat~dby work that helps it wi It works by p~nciples-not rules. t is proud of its products and services. t uses what it sells. Its employees are diverse. S and leverageshowled

1s accounta~le.

cons~icuouslyshares credit for results, oyees earnco m ~ etiti~ pay e and benefits. ecurits comes fromits success withits customers. t bas choices to make in ~alancingits work and personal priorities. ts l e a ~ e create ~ s and c o ~ u ~ c aa twinning e strategy.

ts lea~ers~ a l k the talk

loyees need to demonstrate in a dynamic culture.

itment; concern for the truth even when it’s un-

o-workers; ability tocapitalize on

ositive ~ s w eto~ the s c ~ e ~ k l i sthe t , foll

n ascale of 1 to 5, with 1 be

w- e r f o ~ ~ can e being ”

% n a ~ i c ~ ’ ~ sthe s e enss

#in

objectives

1, Focusing on winnin~creatingbestcustomervalue

* * *

*

Putting 2. customer

~ i r s ~ c o ~ p secondunit any third

4

Established Examples Targets Results Accoun~~bility

3. Setting aggressive targets 4. Insisting on results

5. Holding employees accountablefor their co m ~ t m en t s Execute 6. Showing concernfor quality and productivity

0

* *

*

7. Using and beingloyal to the company’s products

*

8. Co~municatin~listening efEectively

4

0

9. Welcoming the truth 10. Capitalizing on change 1l. Showingdisgust with bureaucracy

4

* *

* *

~ e s t ~ c t u ~ n g /and s ~ scale ze Flatter organization “Fit in fast” checklist “Fit for you” card Delegation of authority Skills process Skills focus ~rofessionalcareers Expert professions Job news Global processes Workloadstudy/module

12. Putting never-ending attention to skills improvement 13. C o ~ i t t i n to g being a process-managed business 14. Modeling a worwlife balance Team

* 0

15.W a ~ n the g talk on respect, integrity,t e ~ w o r k , and excellence

* *

16. Valuing diversity

* * *

17. Sharing and leveraging knowledge

18. Acting unburdenedby b o u n d ~ e s 19. Empowering individuals and teams 20. Energetically buildingcross-functiona~global teamwork

* *

Diversitycouncil Diversitytraining Flexible work options Team implementations Teamsymposiums Teambased rewards 360-degreefeedback Peer recognition Roles versus job

o you focus on w i n n i n g ~ being n the leader in creating the bestfor value your cusorners, using technology, integrated solutions, and services? Are you visibly puttin the customer firs~company secon~unit third inall decisions? Are you involved with your co~unity? e you driven bya c o ~ o vision n of your purpose? o you insist on results versus effort? o you earn competitive pay and benefits based on personal and company results? Do you hold employees accountable for their c o ~ t m e n t s ?

Do you showb once^ for quality and productivity? Do you havea fierce loyalty tothe company’s products and services? o you proudlyuse what you sell? o youpracticeoutstanding co~munications~istening with c u s to ~ e r sand colleagues? Do you elc come the t ~ t heven , when it’s unpleasant? Is provocative inquiry encouraged? Do you capitalizeon change and quickly adopt new jobslroles and structure? e you open to new ideas? o you show disgust with bureaucracy? Do you h o w what to do and do it? o you work continuously to improve your skills? Does your management andmeasu~ementsystem support you becominga processmanaged business? e you modeling worldlifebalance? Do you work onthe right things? re you invigoratedby your work? Are you making intelligent choices about balancing your personal life p ~ o ~ t i e s ?

o you model respect, integrity, teamwork, and excellence personally? o you expect respect, integrity, teamwork, and excellence from your colleagues? o you value diverse, dynamic colleagues? o you share and leverage~ o ~ l e d broadly? ge . Do you act unburdened byb o u n d ~ e of s place or thought? o you conspicuously sharecredit for results? G. Do you willingly help others in your global c o ~ p a n y ? Are you empowe~n individuals and teams?

by ~ r i n c i ~ l enot s , rules? you ener~eticallyand visibly dis~layin cross-~nctional te~work? valuable to assess iscussions with others in the CO c and to decide what

he three c o m ~ t m e n t of s the n o m categories

. Execute . Team The four values are

The result in^ acronym helpsr e m e ~ b ethat r spect and excellence,may appear to have the reinforces the need to engage in dialogue to u~derstoodby all.

systems, stru~tures,and ~rocessesto o o ~ ~ a n i require es these include thefollo~ing: agement and measurementsyste archical or tea~-basedS

hese are strong levers toaffect behavior since they culture, oftenim~licitly.They en s yste~ s9 st~ ctu res, S, cultural tran sfo ~ ati

tions are like 44givens,’9 and in that res he ~ a r ~ e t ~islthe a c drivin e t the core, a c o ~ ~ a depe ny

with a ~

i

~of bui ~

ever lose s i ~ hof t its s t r ~ t e g~i ~i s i o ~ . arly when they work as

Id be re~ectedin the more di~lcultto disabout them-it’s our unconscious9 builtnclude latent biases and

ct on a~proachestoward team-

n many co~panies9 the terns Z e ~ ~and er~

~

~are ~used g interchan e r

business processes.

u

~

1

ne Set of ~ s s ~ ~ t i o ~ s ABOUT H

U NATURE ~

Employees basically dislike work, are lazy, need to be coerced and controlled, and prefer tohave superiors make their decisionsfor them.

*

Employees basically love being challengedby meaning~lwork, and are energized when they help make decisionsdecting their work environment.

*

Trustwo~hyemployees who displaycharacterand competence, andwho encourage and open two-way dialogue earn trust.

ABOUT TRUST e

Trustistied to positionpower;superiorsarenot questioned becausethey must have good reasons for their actions or views.

ABOUT M O ~ A T I O N Extrinsic “carrotsand sticks’’ are what motivate employees.

e

Intrinsic satisfactionis what motivates employeesrewards are “hygiene factors.”

ABOUT TIME! FR.AME e

Short-termsurvivallsuccessisparamount; we can save ourway to profits; daily~uctuationsof the stock price affectmy mood.

ABOUT ~

T C O M PEE ~ ~ O N ~

*

Long-term surviva~successis paramount; webaseour actions on the lifetime valueof customers and on principles; trends in customer and employee satisfaction affectmy mood.

e

Internal competition destroys teamwork, inhibits sharing and leveraging knowledge, and demora~zes team members; reward systems should promote collaboration.

~

Internal competition brings out the best in employees and should be encouraged to stimulate high performance; reward systems should promote trying todo better than peers.

T e ~ i n o l o g yin the area of leadership andm ~ a g e ~ ecan n t be a semantic minefield. Thousands of articles have been written about managers, leaders, and executives.There has been an explosionof books, videos, and speeches about leadersh,especially in the last fifteen years. Unfo~unately,most authors areless than crisp in defining th ever, drawingfrom the essenceof what the expert^'^ say, thefollo overall distinctions between leading and managin *

*

*

s aging is getting there. eading is setting the ~irectiQn; Leading focuses on the ZQng-ter~ hQrizQn;managing focuses on sho~-termbottom line. Leading e ~ ~ Z ~ y emanaging es; processes, systems, ands t ~ c ~ r e s . Leading is coac~ing,e ~ ~ o ~ e r i n g , f a c i l i t ~ t i ~ gmanaging , s e ~ i nisg ;~lanning,controlling, directing. Leading is doing the ~ i gthings; ~ t mana Leading change, ~ e ~~ aer aed istatus g~ ~ms ; quo, within paradigms.

~~ituationally with earned power based on co~petence;m ~ a g i n gfrom apiness of innovation; m ~ a g i n g craves order.

w directions; managing demands proof. ing relies on control. ?” ; managing is asking “

gmentstothese characte~stics. do notneed either leading or ~ ~ a g i nrather g 9 we need both as shownEinx ~ b i 1.9. t The label ‘‘com~leteleader” for the person that embodies a rich blend of both leadities is preferred. The term co~pZete~ a n a g e would r be equally blend of leadin and managing is further reinforcedby the quote at the eo The Powerof ~ s i o n : Vision wit~outaction is only a dream; Action without visionis just passing the time; Vision with action can change the world.

m the ‘6com~lete leader” label in Exhibit 1.9, it is noted that the term ing, managing, and doing.The working de~nitionof l e a ~ e r s is ~p

“ t ~aeb i l i ~to e~ectivelyS directionand ~ o d einterpersonal l behaviors ( ~ a d i n g ~ , s h business rea l i g ~ ~ a n business a ~ e an loyees processes to a c c o ~ p ~ i desired n ~ ~ i nand g ~contribute , ers son ally to de~iredbusiness results ( ~ o i n g ~ . ~ ~

Administrator

Complete Leader

A~dicato~

Dreamer

HIGH

ws that varying degrees of leading, managing, and doing skills are is, leadership is the umbrella tem-leading, managing9 and doing are ~ u ~ s eoft scredible leadersh ibit 1.10 alsoindicatesthatleadership is expected outthe organi~ation-it ust theprerogative of senior mana~ersandexecume employees may assume the role of a leader temporarily,in a given situation. nent leaders, such asin senior positions or on some teams. In all nts that will ensure business success are the same. The conc~usionis that “ c o ~ p l e t e m ~ a g eare r s ”required to lead and “complete leaders” are required to ma nag^. In termsof the typicalor~anization,“manager-leader” applies

\

\ \

0%

\ \ \

\ \ \ \ \ \ \ \ \ \ \ \ \ \

t i

es are, at least situ-

\

\

\

\

~l ig n in gthe culture with the desired direction and strate sults for the orgmization ~ e a d i n gby e ~ a ~ p l e / ~ e aday din to~day, This role consists of sonal lead ers~ in p hundreds of daily “momentsof truth’’ with in leading, ~ ~ amd ~ doingg roles. , effect”-every action of a n gorg the mmager-leader whois ~ m s f o ~ an a. b. c.

Coach (which, in turn, requires ~ o ~ s i ~ e r a t i Change agent (whichrequires ~ o ~ ~ o ~ i t ~ e n t ) CoElaborator (whichrequires ~reativity,

u

n

~ a g i business ~ g pr~cesses.This role consists of

anaging c o ~ t m e ntot the defined waysof doing things ~hallengingbusine§§ processesthat do not support the delive lutions to satisfied customers ma~ing ~nancials ~nitiatinrequired ~ improve~entsto achieve businessresults There is an ac~owledgedparadox that reenginee but once major new processes are operation^, they cludes i ~ p l e ~ e n t i n g c o n t i n u o ~ s i ~ p r o vand e~ent§ of the business. Eoyees processes. This role ensures that the five manage~entprocesses, described later,are e ~ ~ c t i v eexecut ly

S

role consists of ~ e ~ oS ecific ~ i tasks, n ~ alone or

d to as “employees leaders” and “process

their time andthe focus of their

anager-leaders that do notfit in the abovecategories. rnore effective in the next six months with a different aders enable them to accorn lish their rnission of transxhibit 1.12 shows how the roles contribute to the t ~ e n t ybehaviors of a ~ y n a ~ c c o~tlined ~ l t u ~earlier. e

I 1

Win "

1. Focusing on

w i n n i n ~ ~ r customer e avalue tbest i~g

2. ~ u t t i n gcustomer ~ s ~ c o msecondhit p ~ y third

H

H

H

H

H

H

H

M

M

H

L

L

H

H

M

L

L

H

L

M

H

H

H

M

M

I Execute "

I Capitalizing 1

9. Welcoming the truth 10.

1

Modeling 14.

I

on change

balance a worldlife

Team

Walking talk 15. the on respect, integrity, teamwork, Mand excellence (the 'RITE9values)

1

1

17. Sharing and knowledge leveraging

M

H

H

M

M

18. Acting unburdened by boundaries

M

H

H

L

M

H

H

H

L

H

H

H

M

19.E~powering individu~s M teams and

Energetically 20.building cross-functional/global teamwork

H

'

)~mployeesprocesses merit more explanation because of their are processes, there are consistent steps thatconstitute the best esses, therefore, involves ensuring that the steps are the goalof the resulting acronymof which R ’ than those who strive to make it Better.

~ ~ l r e~s o n~ r ~~This ~ se . process consists of * Inco~oratingplanning for the right level of resources directly into the business processes. Making sure the approp~atestaffing solutio~~rocess is used, based on the work that needs tobe performed. * ~ n d e r s t ~ d i when n g to staffin te~ a llyand when touse external resources and following the appropriate policies and processes when doing so. * Recruiting and hiring employees using s~ll-basedcriteria and reflecting on the diversity in the marketplace. Ensuring the optimum balance of employment options, both full and part time, and respecting diverse needs. 0

0

\

\

ø sing employee development processes the way they are intended. siness needs to add to stafEng levels and to release employees from the business and doing both with sensitivitygood and judgment. i s i o ~ ~ s s i o ~ ~ a l u e s / o b j e c of t i vemployees es with the objectives of

loyees to theirnew work environment, reating an environment that accommodates each individual’s diverse needs and esires so that they are engaged and energized. nvolvement issues with em-

the unit as a whole. he necessary complementof skills to serve uppo~ingand foste~ngthe ~ndividualSkills Plans (ISPs) of unit members. A s s i ~ ~ developmental ng activitiesto employees that align with these skills plans. odeling theway by visibly using theSkills tools and enhancing personal skills. ssessing p e ~ o ~ a n against ce the plannedc o ~ ~ e n twith s , the help of feedack from others. n s u ~ n gperformance is rated equitablyand fairly within and among related units.

ompen~ating em~loyees fairly and equitably by establishing their correct job levels and followingthe compensation guidelines. unicating ande ~ p l ~ n i the n g totalset of compensation programs, in an open responsive ~ a n n e r . electing a p p r o ~ ~ arewards te and t ~ l o ~ recog~tion ng to the stated preferences of employees. o~icitinginput from the unit colleagues on who should be recognized, and how. advanta~eof the full range of formal awards offeredby the organizations. special attentionto the simplest, most valued, and most underestimated of all recognitions-a sincere “thankyou.”

ager-leader is defined as “a person whose job includes accountability for manage~entof employee processes andlor business processes” to achieve business results, This accountabilityis n o r m ~ l yaccompanied with a shared responsibility

l attain~entof the b ~ s i n ~results, ss

oyees in ~

~ cases. n y

managers need tobe network-savvy practitioners not job hol sense. elationships built on trust are vital.

The f ~ a g ~ e n t a ~oifothe n t~a~itional ~ a n a ~ e ~job e namong t several mental tothe new c o n s ~ c t , E x ~ pofl specialized es mana ~ e s o ~ r c e c o o r ~ iThis n a t operson ~ is often not aman has the responsibility to deploy employees with valu ~ ~ ~ j e c t / ~ r o p o s a l l e a ~ e ~This / ~ aperson n a g eov ~ work. Employees movefrom project to project, so during the course of the year. Some are knowledg and others are not, depending on n athe ~ r of e the p

someone whois steeped in their discipline, can know what associationsto join, and so on. In S Elsewhere, it’s less formal. This role builds the Proce~ses’~ role. ~ e ~ s o n a l ~ e v e l o ana p ~ eage^ n t An individual who ove~sees with employment, transfers, assessment and evaluation, intro so on. Theyensure that all five ucation, handling increases, and

This phenomenon of splitting management they move to a virtual, project-basedconstruct, S

ome TeamLeaders (TLs) and their teams have in which they share or assume many mana true when the TL‘s business and technical ay-to-day basis and the manager-leade~sspan of suppo new and working with a teamthat is in its early stage o ager-leader may need to be more involved. This spectr c m be seen inExhibit 1.14. Exhibit 1.l5 shows how the fra~mented mana~ cific to Team” statement under the TL role in the ch of defining a one-size-fits-all role for TLs thro derfully diverse set of team implementations t bl~eprints.The team leader might be the ‘

ties

HIGH 0 does the task, without team leader/ team input

2

l ~ager-Leader doesthe task, with team leader/ team input

Team leader/ team does the task, with ManagerLRader input

3

Team leader/ team does the task, without ~ a n a g e r Leader input

described in this chapter.

to ensure that new processes are ith ~ a n a ~ ~ r - l e a to ~ eacco~plish rs ain accountability for the ~rocesses

of the n n i n ~of any job is the personal~aits/att~butes

1

dGR

* *

L FRT

~ ~ t ~360-degree r ~ n input e sources,~ e c h ~ i c s

*

Gather ~ e ~ f o data-~60-de~re~ ~ ~ c e input ~ e t e ~ i overall n e evaluation

*

Adclress c o ~ ~ tissues/oppo~unities ~ e ~ t

*

~ ~ t e ~a i ~n e~ ~a co~ o~w l~e di~ ~~e n~t e Deliver a c ~ n o ~ l e d g m e n t ~ n g o i n g

*

RC

issio~values/objectives U ~ d e ~job s linkages-busin~sslpersonal t ~ ~ Establish specific objectives

I

*

EE

Role Legend: MGR EE

TL

= ~o~le-Holding ~ ~ a g e r RC = Resource Coor~nator PTL = Proposal Team = Employee PRTL = Project Team Leader = Team Leader

A = Accoun~ble(ensure it is done; has a u t h o to ~~ delegateit) R = Responsible (does it)

emonstrate the courage of your convictions.

trive togrow and improve.

e the initiative and lead the way.

alance personal needs.

onsider them as “gating factor^^^^ anies look for the desiredtraits W them by the time theyjoin or~anizations some blend of rehiring n~tureor celebrated, and valued in rei~orcing a cultural environment.

attributes are important,how can theybe developed and improved?To answer 1.16compares wayson how both skills and ~aits/attributesmight be improved. should hastento acknowle~gethat ways to improve both skills and traits/attributes are very similar. ~ e l e c t i is o ~i m p o ~ ato ~ tboth. F u n d ~ e ~tot both ~ l is some formof ~ n ~ i ~ s eand ~ i ~n t e r ep e~r s ~o n~~ lc~ ~~i ~ ~ ~ c e . is~ ~ ep re hr iaethe ~nscmajor e contributor in both ena as, given high-~ualityfeedback and aclimate that motivates oneto ch improve. The personal desire to chan e and continuouslyim~roveoneself is esse for lasting learning to occur.

Skills

Selecting, tr~ning,mentoring, coaching, reading, studying, practicing, applying ,personali~edfeedback from assessment tools

the

T r ~ t s / ~ t ~ b u t eSelecting s employees with the desiredtraits; receiving 360-degreeinput; reflecting on ~ ~ ~andothers’ ~ being ~ coached n and/or ~ mentored e s by rolemodels; being r e ~ ~ for ~ disp e d traits; receivinghonestfeedbackandcoachingwhen the desired traits are not exhibited; personali~edfeedback from assessment tools

3

-~acilitateorganization change

2

uild shared c o ~ t m e n t

3 3

*

~om~unication-presentation

3

-Com~unica~ions-written

3 3

*

Leaders~p(not key because it is coveredby the other key skills)

3

*

Create client-driven vision

3

-Co~~any visio~~ssio~strategy

3

evelop c o m o n go~s~ategies/plan

3

1 *

Apply business conduct ~uidelines

3

3 3

3 3 *

Encourage a l e ~ n i n gorganization

3

*

~ l i ~ n ab~iers/inhibiters te

3

*

Coaching

3

*

g go ti at ion

3

*

~nte~ersonal communication

3

*

Fac~litatemeetings

3

*

Risk awareness/t~i~g

3

*

Understa~dglobal ope~a~ions siness initiatives

*

Apply basic financial concepts

*

~rgani~dtio~business assessment

*

3

~ p l e m e nHR t processes

3

*

Recruit employees

3

*

Release employees from the business

3 4

~ ~ i n v o l v e / ~employees”) ~~age *

Delegate tasks/responsibi~ties

3

3

( “ e ~ ~ h a s iand z e foster skills development”) *

Use skills dev~lopmentprocess

3

*

Give career advice

3 3

( ~ ‘ ~p e~ ~ ao r ~m ~e of c eemployees”) 3

(“ackno~ledge employee con~butions”)

-Analyze problems/situations -Client relationships -~uality/proble~ prevention --Apply project ~ a n a ~ e m epractices nt *

Internal supporttools

shows e ~ e c ~ t i v ejobs s ’ with a wider b ers. The skill tem~latesfor ~ r s t - l i man ~e r, the~xecutives’ski1 The e x ~ e ~level t e ~of ~ r o ~ c i e n for c y an exec~tiveis hi ecutives are moreencom~assin

e proficiency levels are as follows:

oficiency: Expe~ence:

No skill. None.

vel l: oficiency: Limited skill. xperience: None. vel 2:

~roficiency:

Limited ability to perform. Has general, conceptual knowledge only.

Expe~ence:

Very limited.

Level 3: ~roficiency :

performwithassistance.Hasappliedknowledge.

Expe~ence:

performedwithassistanceonmultipleoccasions.Hasperformedinroutinesituations

vel 4: oficiency: Can perform without assistance. Has in-depth knowledge. Can lead or direct others in performing. Expe~ence:

Repeated, successful.

Level S:

oficiency: Can give expert advice and lead others to perform. Is sought by others for consultation and leadership. Has comprehensive knowledge with ability to make sound judgments. Expe~ience:

Extensive, co~prehensive.

er scope implied in the skills for executives than for first-line maners because of the larger size of the organizations and business results for which they are accountable.

manager-leaders be involved inconflict resolution? ecause conflict in any endeavor that requiresthe interaction of two or more discior, for that ~ a t t e rrninds , is inevitable. A s the complexity of security increases, the ood of differences in opinion and approach increases as a function of the numberof d the ~ o u noft time requiredby the employees in their involvement or after i~plementationof projects. Nomally, these conflicts arise during impleion becauseof people’s natural resistance to change, scheduling pressures, or initial ulty of the systemto support existing reportingcriteria or func~onality. at should the IS manager-leaders look for in conflict resolution strategies? The rs thisimpo~antquestion.

com~onentsin e n ~ ~ r i nr o ~ u c t i v ~

e m ~ l o ~ edu es

t in c o ~ ~ ir~solution ct will set

critical step in buildingconflict resolution strategiesis a formal declaration to the members of the probability of conflict anisms being established to c amounts to ‘6flushin sibilit of hidden agendas or toke that conflict is inevitable on, the employees involv or concern to remain buried, which often allows di~lcultiesto fement and blow out of proconflict resolution complete issue res

. A discussion of the q u ~ ity -o ~ en te d

b e nof e ~conflict ts resolution. tions the team as a whole can mdce individual contributions

olution. an organized procedure is designed and will be implemented inorder to allowall t e r n members to achieve their personaland cu~ulativegoals.

stablish the attitude and approach that both thete hen, presentthe structured planfor enactment guidelines to be followed durin To validate theimpo~anceof the resolution tasks, e plan should be presented at the beginning of the project as a formal, written struc~re. ople n o ~ a l l yoperate c o mf o ~ round rules are clearly defined and und ood by all players at the outset. elines, the misconception of different s t a n d ~ dfor s different peoall team members o c o ~ o ~ a bcom~unication le ground with ult task and is depe ent on the quality and integ~tyof leaderperience has always indicated that lip service is usually the case. can be repercussions, whichis the main reason whyconflict n theory but improbable in practice and why it fails to secure the desired results. n the verbal co~ponentof the conflict plan,the team leader should pay specialatto the use of “”I” statements asa positive toolfor c l ~ ~ c a t i oofnthe conceptof ornized,structured conflict resolution.onflict is alwaysintegr d with emotion~ity, en if it is couched in totally professional, business-directed tern feel,’, or “”Im confident that our approach to resolutions will ng a personal emotion^ c o ~ e c tio n . mation (e.g., twelveor more p~icipants),it is more bene~cialto r than to have the project team leader assume duties the of logging, ~ o n i t o ~ nand g documenting , each issue that arises. am leader is the appropriate individual to present the issue resolution struc oordinator should then n the mec~anicsand steps being usedto ensure complete reso~ution.The ideal issue natorshould be a teammemberwithhighcomp d credibilitywith the other teamme~ b ers.

ted that may have a ~ i n a t o ~a’ tst ~ n t i o ~ ,

L

ssive silence shouldbe employe to the viewpoint and inp ’or inter~ptingshould be allowed, so that o state their viewpointop d by each person sho estions shouldhelp t to elicit and e x a ~ n is to avoid presen other person’s perspe ution of the u~derlyi should e bec be employed reserved moreby what is ponse body language means using open., r

mework. The questions to be conflict disc~ssionare as follows: e relative importanceof the issue to each dissenti a discussion to a successful conclusion so

odated by the other party. this may be the solution e conflict orthe i~sue-causingpractic of this p~ticulartopic)? It find the solution than to fi

hat would be affected by a change in each relatived e p a ~ m of people involved has been resolved, the de ms, or tech~iquesthat would be at is the view from the top?This should be a “best guess” relative to that ay be pr~sentedby ma~agementconcerning theissue at han e ~echanismsthat t e ~ i n e dthat the considerations -approximately the same numbe lowing question should be asked: point and concernor to maintain cooperationWI or de part~ e~ t(s)? CO rcise of examinationdiscussion,whenfocused ly by facilitating systeminte practices, raising the levels of c creasi~gthe levelof c o ~ p a n yloyalty and employeec o ~ t m e n t .

bear in mind that thisis a review for the auditor. Depending onthe nature of the resolution processmay require far more sophisticated procedures such as nflict resolutioncan be addressed.In such a case, it becomes the audito comunicate the existence of such tension inthe workplace. In all g how conflicts are managed and resolved adds value to the client’s man-

anies need IS manager-leaders. They need IS manager-leaders who are o m ~ ~ toe their d transformation to a dynamicculture and who inspire that ent in others. They need IS manager-leaders who coZZ~~o~ate with their global they pursue their customers’ long-term loyalty and the attainment of their siness results. They need IS manager-leaders who understandthe big picture, ithin it, continuously improve their skills, and coach and mentor others’ need dynamicIS manager-leaders who know how and when tolead, mand are role modelsfor a dynamic company’s core values. Dynamic IS maner-leaders enable dynamicorga~zations!See Exhibit l 19 for a s u m a r y of the IS man*

l

fine the security policies, practices,and procedur~s ducts to support these policies and practices, it is evaluate, select, and i ~ p l e ~ eproduct nt s ~ c ~ ~ t y ative procedures andfor appropriate controls in application syst~ms. ation was processe

ired technical ex-

c ~ ~ continued crooks. In spite of this, ~ h y s i s~curity y ~ u ~ atd the s front door.

hich in retrospect paid

s ~ oinclude: ~ l ~

escription of the controlled accessed areas within the p r e ~ s e sw 9 trolle~access areas are,md what they contain. denti~cationof risks ( ~ r e a t sand ) conce~ about their likelihoodof ontrols to guard again$t ese risks and the costs associated if measurable. sks that are being tolerated and accepted andthe risk analysis. e physic^ security plan withits accompanying ~ocumentationis a sensi that contains d etail~ d in fo r~ atio about~the co mp a ~ y 9 s ris ~ c o n ~ o l me a s ~ re s has to be in a neatlycompar~entalizedform so that youdo not have toobtai owever,inpracticeaynot be the case,and ce the computerm 'S risk analysis whenp l ~ ~for i its ~ disaster g r con~actsfor disaster re cove^ services an nd expe~ence conce~ing the pitfalls that the i ~ ~ o r t a n of c ejudgment in review hasized. This is because the issues ractice~,and protections~aredifferent for practically e ifferent from or mization to organization because the ri e~uently9 always remember to be astu your risk assum~tionswhen evaluatin any theoretical model. No amount of theoretical owle edge is a substitute for real-world experience that corn keeping your eyes and ears open and mostly ~ n albeit ~ skepti , r the inexperience^, bear inmind that audi the information to be obtaine the course of your work before jumping to any r judgment about risks and m conclusions.

f u l in the cornan

Are thei~ormationassets protectedf o ~ i t o u s l yor by design? The physical s e c u ~ typlan should contain the measures taken to rotect the i n f o ~ a t i o nassets. us eth hods of protectin and restricting access toinfo ze the risks of loss. The main methodsof restricti eter controls such as fenced b u i l ~ i nsites, ~ he perimeter of the facilities of s e c u ~ n gthem implemented. identi~ed,risks explored, and the method

nce the corn uter facilities are p d from u~authorizedaccess9subse~uent ~easures areas into controls ' er essential ~ i ~ ebas r e n t need-to-have a on of protection given to thesec o n ~ o l l eaccess ~ areascan range fromfull protection and close (i.e., loose~y se ,e,, tightly secured areas) to l i ~ t e protection d ally, companies have divided internal spaces into two or three have established standards that dictate the kind of e a ~ o r d e dto each nated controlled areas. For example

rs must have an alarm system,

owner or equivalent level executive.

imum, thisins~ectionsho ness requirementsfor access to

access these areas. one 2 areas are located within

from the outsideat all times, st be restricted to only those au

Access is controlled to limit entry to perso procedures vary, depending on the level of all cases, only persons on the approved For Zone 1 and Zone 2 areas, personsall son are considered to have one-time authorized access. Persons with authorized access to a controlled access area must have ness requirementfor access. The owner is expected constitutes a business requirementan tion was made.The Zone 1 area own mining valid business requirementsfor access to the Zone 1 area an access based on these criteria. Individuals who haveroutine access to and who do not meet the documented c Access authorization mustbe reviewed as follows: * For Zone1 area the accesslist is to be verified and signed ( by the class ownerat least every six months. Persons with removed from the accesslist on a timely basis. 0 For Zone 2 area the re However, persons wh implicitly throught e ~ n a t i o nof emp list on a timely basis. e :The definition of ti~eZyis subjectto int~rpretation,butin fic standard it will generally be defined as “at the earliest forded by management control processes.” Emergency exits for Zone 1 area must h For both safety and security reasons, the alarms must operate on e and alarm events must initiate investigative action. Period gency exit alarms are functioning should be p e ~ o ~ and e d area owner mustensure that thereis an annual reviewof all em For Zone 1 area an accurate, currentlo flects the visitor name, time of entry, purpose of the log is to provide a historical record of access andis trol tool. Therefore, there should b If a badge exchange process is used, the control over theissuing, retriev nonroutine accessto Zone 1 area must be retained for the current Proper operationof the Computer AccessS responsibility of the CAS service provider. area owners (e.g., malfunctioning d curity or the CAS service provideri ~ e d i a t e l y .

To ensure that system integrityis effective and to avoid compromi controls provided in the system, the installation must assume res mation processing resources that are housed within the computer These physical access control require men^ are app~cable to the and midrange environments. The m ~ environment ~ includes ~ e

aster consoles (i.e,,~ t e r a c ~ dev ve without havin~ iclen~~cation and s include thefollow in^:

onnectio~media, suchas wiring, ~beropticsand wirelessco~nections

ri~~eral

~include: evic~s

nnection for p ~ n t ~and r s plotters

er ~ ~ ~as used e ~ services on behalf of

~

c

e

e and valueof the service p r o v i ~

er

I Tele~~one lines

x

I

t

Systems that are essenti~lto supporting vital business process

High Zone Area

1in or an office room is lockedwhen unattended

All network c o ~ u n i c a ~ i control on units regardlessof system service being supported

High Zone Area

lin or an office room that is locked when unattended

All n e ~ o ~ k control its

High Zone Area

1in or an office room that is lockedwhen unattended

co~~~nication

VPe B

Area Medium Zone

Type c

AreaZone Low

that

2

3

ecision has tobe made on whether toi lement protective measures or assume the risk with the associated e x p o s ~ e . order to demons~ate ical access control process, managers responsible for computing facil tain the follow in^ minimum documentation: ntification of the area,its use, the levelof i n f o ~ a t i o nsuppo equipmen~se~ice, and the level of control required. The means of communicatinlevel of i n f o ~ a t i Q n s u p ~ o ~ e provisions andrequire~ents ~ ~ ~ The ~ tinformation e : s y s t e ~ senvironment is continually erefore, risk analysis should becQme an on~oingprocess thatis cted and reevaluated on a periodic basis ensure to that thecost assQciated with im~lementationis ac~ ev in gthe projected benefitsto timate decisionof what riskto accept and what risk to ement, risk analysis requires a total team effort. in~ividualswho can help to evaluate the risk.

ons within the precedin and d e t e ~ n ife addichanges

to review the site’s process to these ~uestionswe requiredto ade

temal systems range from l of ~ersonal com~uters. A ronments, the i n f o ~ a t i o n s e c u ~process ty must be implemented to

rocesses have been

on assets orequipment est

efer to the secu ~ typolicy for details volvement with this document.

i n t e ~ aolr restri~te requires approp~at i ~ ~ t i oare n s revalidated ona re st:

tected by sec~redspace.

r inclusion in yours ~ ~ l e :

a samplefor c ~ e naccess t au~oriz ess list v e ~ ~ c a t i o n ~ eby rfo~ed sure that valid ~ ~ s i ~re~uirement ess for access c t h o ~ ~ a t i is o nreviewed in accordance with ments. For n o n - ~ ~ ~ c o n t r o stems are considered

If volume is suf~cient,~ o m ~ ~ t ~ r hoc mode to verify e

sure that all e n ~ ~ cand e sexits are s ~ c ~ r

access levelm e c h ~ i s m ,

hese co n ~ o lsare not applicableto individual§con troll in^ their own eir ~croproces§orsince the c~stodialrelationship does not exist.

neffective c o n ~ o lsover p o ~ ab lest0 cess to stored data.

e media could result inloss of or un

rocedures that allow tape removal without owner ap

§~o u n tedfor bu§iness for records retention,or c o n t ~ n

,media placed incust ,contains i n f o ~ a t i o n

le stor~gemedia may not be removedfrom the controlof from the owner of the data. The desi~nationof data as dication that the owner has approved its being mov tional sched~le.

dia av~labilityin case recovery trol process applied to media placed und

ackups area prerequisite for any compute^ ackup tapes is extremely vulnerable since unau checks and balances and protection to prevent After thei n f o ~ a t i o nis written on a backup tape, it ical possession of the tape. For this reason, bac~up uters t ~ e ~ s e l ~ e s .

guidelines for backup ~rotectionare: ackups should not be left unattended in a comp ntmst backups to only bonafide and bonded m b nsure backuptapes are sanitized be€ore ackups shouldbe stored at an OR-site stora~e

rified toensure that they contain vali that a sampleof backup tapes be checked at least once a ~ o n t to h en

The data storedon the backup tapes should you encrypt the backup of a file system you ~ f o ~ a t i stored Q n onthe backup willbe us media separationis not possible, then entory Control process desc~bedin e movement of media to andfro accounted for by means of trans mitt^ records or equivalent media mustbe ad ~ n isteredin away that prevents unauthori dard label processing, controlled use of bypass labelprocess~ng

ustodians of storage media are responsible for implem and p e ~ o ~ani accurate n ~ inventory reconciliationof t brary at leastbiannu~ly.The custodial m e ~ i alibrarian process with at least one person not directly i reconciliation must be able to demon st rat^ the inventQry (priorend in^ inventory)

ort of the custodial mediali-

ion and suppo~ing docu~e~tation e) mast be r e t ~ n e dfor a

ation is rocessable i n f o ~ a t i o n r e m ~ n i from n g prior use (e.g., deleted esidual con~dentialdata must be made ~ ~ e a d a b l e

often c o n t m ~ ~e ~ o ~ red i n f o ~ a ~ with o n approp~atecontrol se uences. A s a re-

~ ~into t such l ~ local sensitive ~ o ~ ~ ist~ ie o~ ~ucopied being aware of it and conse~uen~y not ~ r o ~ it.~ n g ation faster than p ~ n t e r scan p ~ n it, t printers are

ing whenthe printer is rs, and fax machines

ta on the tapes have been co~pletelyerased. es o v e r w ~ t ~ then ~ enti

lated for that p ~ i c u ~disk a r drive’s model num-

r a n ~ o mn ~ m ~ e r s .

,the tape can be deg

what they are doing. Info v~rsionsof operating syste

W

in ~astepaperbaskets

ia inclu~ing inve~tory ressable

info~ation rem~ni~

the po ~ ab lestorage m esses all po ~ ab lestorage media h t u ~ i storage, n ~ ~ and~ e s t ~ c t i o n . ntrols to ensure that bypass lab from u n a u t h o ~ ~ euse. d ~ ~ pre l e ia ~ansactionsto ensure that pr view the ~ ~ e c t i v e ~of ess tape remo~alprocedur processes, and proceduresfor m posal or non p ro p riet~use,

ed a classification or labeled to idencontrols ensure accountability for the and thati n v e n t o ~ records c o m p ~ to e phys-

rtable storage medialibr these invento~es,select ach inventory entry, ve so, select a sample of portable correctly on the i n v e n t o ~recor

tively to prevent unauthorized access to a is kept (e.g.,the tap trol re~uirements(e.

classi~eddata is st0 ti~cationif r e ~ u ~ e d .

and reconciled to the previous i n v e n t o ~at liations have beenpe~ormedwith appro liation records maintained (for libraries containing data

,an in v e n to ~of all p ~ r t ~media bl~ fy that ~ v e n t con~ols o~ exist.

rized copying, damage,dest~ction,or by the f o l l o w i ~ ~ : in a locked facility.

rasing obsolete data. or securely disposin~of console lo

physic^ access to theco~putingfacilities. You have now secured the

hat are theessential services required for the computers tob levels? ow will you provide these essenti~services? ow will you maint~nthese essential services? ow will ~ o oni u it or ~ e e s ~ $ e net i ~ services? out a doubt, the essential services are

puters require care and p on it or in^ like all complicated devices sical a d en~iron~ental c~nditions to operate at opti fail in unexpecte~and often undes y contin~eto operate,albeit e~atically, pain~lly pro~uci g valuable data. (For more i n f o ~ a t i o nabout essential xhibit 2.5 for more infor~ationabout risks

The powersupply can be blownout.at protection doyou have? ven if the power surge doesn't destroy the i n f o ~ a t i o non your 'on inaccessible until the computer systemis repai

I

Cabling

I

Telephone People

X

X

X

x X

X

ower surges fatally shorting out the utside andinside saboteurs ndalism

Electrical noise is usually generate can also come from fans and even ations in the power supply. For exa electrical outlet as a ~orkstation tion’s power supplyor even causi by other factors.No matter wh dent in. c o ~ p u t esystems. r Vib out of their edge connectors can come outof align.ment The control requirem There should be no d installedfor e

x

x

x

I

etective Fire

A l m s Fire

re~e~tive procedures Emergency

orrective extin~uishers

drills detector Smoke Fire ~aintenance

CO2 Water, dry-pipe Halon Sprinkler heads Disaster recovery plans Ins~ance

~ ~ r i ~ g

~ i r i ceilings trays, nSmoke ~detectors regulations Rules andSprinkler heads

regulations Rules and Cleaning ~~ntenance Maintenance

Vacuum cleaning

Mainten~ce Dust covers Alms

~aintena~ce

Vacuum cleaning

very saster cutoffs Automatic powertraceboard Circuit carrying voltage and a trace carrying ground Water Detectors

I

Insurance

1

hould be kept at least five feet from the largeco~puters,cables, ~ a n s ~ t t e such r s as cellular te~ephon~s, w ~ ~ e - t a l ~and es, nic devices cm causecomputerstomctionwhentheyare l ~ a n s ~ i ~can e r cause s ~ e ~ a n edn t c ~ a r ~ine ssome sealed fire extin

rotecting the physic^ access to the telephone computer to which the telephone line and its mode^ lines include: ct~hysicalaccess to the t e l e ~ h secure. All junction boxes should d in an electrical conduit, pull 1 areas.~ ~ t ~ dwho e r gain s p

b

spoof in^, as thisis called, the further c o m p r o ~ s ethe comp all the pe~inentin only tothe system the users are connected can be c o m ~ r o ~ i s e d . he t ~ l e ~ h o nline e s ~ o unot l ~ al telephone can bep r o g r a ~ e dto i n c o ~ telephone n~ calls to an0 ber that has been p r o g r ~ e td ing their u s e ~ a m e sand pass their calls to your modem line. Use lease^ line w ~ e ~ e s e c ~ ~ i ~

vided by the phone company. or receive calls. As such, it all does not allow~ y o n to e dial more expensiv~than regular li cost justified, Leased lines also provide fa ~ a n s ~data e r much faster than

e controlre~uirementsfor water are: e mounte~on all floors i well as on those adjacent to the area, ter detectors should be ~ o u n t e undern d and also aboveit. o a l a r ~ slocated , at should sound an alarm; the second a l m shoul

be in the basementsof buildings inar-

revents this buildup. Computer rooms should not the dischargeof which destroysi n f o ~ a t i o nand hich in many casesit does. Conversely, the comis causes condensationon the c o m ~ ~ t e r ’ s c i r c u i ~ , short causes too much current be pto u lle ~through ibly melts it. Shortsd a ma ~ the e electrical circuits ling too much current throu ative h u ~ d i t yof the computer room should be bet, which depends on ~ theb i e nroom t tempera~re. ty a l m that should ring when the h u ~ d i t yis out

r the air-conditionin reventative m~ntenance.

he c o n ~ o l

req~~eme~ts

irements for re-e~tinguishing e ~ u i ~ m eare: nt

to ~ u m a nbut s does not cause environmental degra-

though disks, tapes, and p~ntoutsthat arein the op at the comp~ter’spower be automatic~~y shut o

r-based sprinkler system.It keeps water ,and it is safer from disa§t~r§~ t e ~

Q

O

~

of~ the Y computer room.

rol re~uirementsfor smoke dama eads need to be positiQnedin the above the suspended

n

er e ~ u i ~ ~but e nalso t rele

o a good conductorof

ust cov~rsshould be used wherever~ o s s i ~ l e ,

ient temperat~earound thec 'S i n t e ~ acooling l s y s t e is ~~na~le Conversely, if the t e ~ ~ e r a t u r e en it is turned on, causi ters operate optimall~from 10" to 3 ways be referred tofor ideal t e ~ ~ e r a

e r a ~ r control e are:

t can be connected n u ~ b e r to s advise

S,

~~ntinuously ~ o ~ i tand o r recordthe c o ~ ~ u t~e 0r 0 ~ ’ s

rvices ~ersonnelto obtain infor~ationon. environ~environ~en.ta1controls and the f ~ n c t i o and ~ s ~rocedures

ce logs to verify that~ r e v e ~ ta tiv e ~ a in teis n ~t n c e~

n

~

.

I

.

otor ~ e ~ e r a toverheat? or . a

*

. . . (t

.

bo causes break-ins? bo writes computer viruses? ho steals passwords? h0 causes vandal is^^? o can be no~orious~ r e a t s ? Is it aliens from outer space?

tentional orinadve~entactions. The greatest threats are or e ~ h ~ ubut ~ from e s men and women,as fraud indic

The level of physical access privileges granted is based on. the cl people need to be grouped into d i~ eren ct sses com~ensurate which is based on their need to h o w or on scretionary access c e f e ~ s ~

~ r u s t e ~

~ o ~ ~ ~ t e r

S y s t ~ ~

~ v a l u ~

s access to objects base access control as “a ~ e ~ ofn restricting jects and/or groups to which theybelong. The controls a subject with a certain access p e ~ i s s i o nis capable of passin ne techni~uefor increasin~accountability in security ad~inistrationis to distribute security-rela d respon.sibi1ities a ~ 0 n . gdifferen fficer is responsible for overall S for the physical security and the

implementation of the logical controls. ond duct control m ~ a ~ e m e responsible nt for the computin~e n v i r o n ~ ~ ,data~aseadministration); processes and the physic

The security policy must ensure that mana ment awareness of all physical ace co~putingfacilities, i n t e ~ a systems, l and ta can be demonstrated and that

Various classes of m ~ a g e m e npositions. t

monitors auditing policy. hich users and events are audited. e secure password system. privileges on publicfiles. user accounts. ems for sensitive security programs.

0

* 0

*

0

0

I m p l ~ l ~ e naudit t s in^ procedures. Inspects and analy~esaudit logs. ~ ~ ~ n i s tgroup e r sand user accounts. Repairs d ~ a g e user d files and volumes. Updates system software. Sets sys~emconfiguration p~ameters. Collects various system statistics.

~ e r i o d i ~scans ~ l y file permissions. Deals with invalidsuperuserattempts and invalid network requests.

Installs security-relev~tsoftware.

erforms routine~aintenancesuch as backups.

Installs system upgrades. *

Pedoms dump analysis. Writes p r o ~ ~ a m that s conform to security criteria.

*

Uses the computer resources.

sed when there is no longer a b~siness justi~cation (e.g., at ent) in a timely manner. has to be current. At a ~ n i m u mthere , must be an annual rivileges and a quarterly process to assist inthe removal igned to employees who have separated or retired. All a l a ~ a n a g e may r have must be identi~ableto an i n ~ i v i d ~(e.g., ee physical access privileges). Physical access controls pancies, and the security standards s h o ~ l dstipulate the

I Operator Tasks

I

y with which owning mana ers should review the nonregular employ ld ensure that effective eir i n f o ~ a t i o nsecurity respons vider of Service senior executive approval should be de used in a~ositionwhere systemcontrols c res for completeness?a s s i ~ n m eof ~ tresp

.,who a u t h o ~ access ~ ~ s to a user to the CO ow resources areidenti~ed(e.g., who ownsa dataset, minidisk,or sub

ow users are“ ~ a p p eto~ resources ’ (e.g., whoa u t h o ~ ~users e s to or

1 and unsuccessful) that

controls have theyd e t e r ~ n e dare re~uired). ures shouldade~uatelyaddress control points specificto cess to the computin~facilities and resources.

.

ctive physical access privile l'

t

le to an owner.

eview documentatio~ vent ~ n a u t h o ~ ph ze~ procedures ~escribin

at here^ or obtaine~.

cedures existto ensure that onlyautho~ze cilities, thatis, the ph~sical sec~rity view proce~uresoutlinin access to the controll~d physical secu ~ typlan ( ,,c o ~ p ~ tfacilities, er c room, tape library9 forms storage area9 ~er iscussions with them a n a ~ e ~ eonftthe c o ~ p ~cen lowing environmental controlchec~ist: all entry pointsto the computer~acilitiessecur~ ow are they secured (i.e., electronic access control 2. Are these e n t r ~ c e s m o ~ i tby. o r ae central ~ s~ste~?

during power failure? ter room maintained duringshifts?

nauthorize~ ~ersonnel?

cility record violatio~ atte~pts?

d to reportallknown intentional andin-

eness of the access control system.

sical security measures have been ~ i n how e to access these pr locks, and electronic control of the ~hysicalsecurity pl ative ~ r o c e d ~for es c ys are issuedand who can autho~zec the computer enter, ~ o c u ~ ean nt

g. Accounting for all security keys, h. Verifying that security keys have o y been issued to autho~zedusers. 3. Select a sample of twenty-~vepersons hav sec~ritykeys and authorization is appropriate basedon their j . Select a sample of fifteen employee te~nations/resignations/transfersand verify e sec~ritykey return proced~reswere followed. . Verify that the security system can placetime and day rest~ctionson specific acS cards andis able to logically deactivate access cards. in and review the access log and verify: aff movements in the building are recorded. b. Violation attempts are recorded and investi rocedures exist to ensure that visitors’ access to the computer centeris con~olled. S, maintenance personnel, cleaning crew, consultants, contractors, vendors, and others who have temporary accessto the computerfacilities and its contents are, ina nutshell, outsid~rswho posethe same if not greater risk than those in the outside world because they are now inside the guarded territory and withp e ~ s s i o nEvaluate . the risks of theft from these people withtemp or^ access and d e t e ~ i n what e detective and preventive controls are available. At very the least, no one from the outside shouldbe allowed u ~ e s t ~ cphyst~d ical access to the computer and network equipme~t. btain and review visitor sign-in procedures. discussions with the management of the physical security, complete document and assessthe adequacy of a. Visitor sign-in and escort procedures rocedures for maintenance personnel

3. Select a sample of twenty-five visitors over a two-week period and verify that signin procedures were followed. escorts requiredto a c c o m p ~ yvisitors aroundthe computer center? t visitors wait in an outside lobby for their escort to arrive? isitors have to present anyI to pick up their temporarycardkeys? d. Are visitors requiredto sign in? e. Are visitors required to signout? visitors treatedthe same as ordinary visitors with respect to:

g. Are visitors res~ictedfrom the p r e ~ s e after s n o ~ aworkin l h. Are repair or maintenance personnel employedby ~ u ~ p l i e~r se ~ i tentry t e to ~ critical areas onlyafter proper identi~cation?

c o m ~ ~ tise ra valuable ~ o ~ ~ oand d yet i t ~ y for a thief to steal it or steal from it the i s h or, ~ o r s still, e the s y s t e ~ ’ s

own accounts* forwarding e-mail; c h a ~ ~ i n ise r e ~ o v i n gaccess 1s quite sudden and dr~matic.Someone may show a security guardwaitiwith a box containready been deleted, ser’s office phone number is no longer on in ~nancialservice indus-

ses with a low-cost, ~ g h - p e ~ o r m a ncomputing ce 0 clients, with secure connections to the ~nte~et. Offers d e p ~ e n t and s small businesses a robust solutio^ that is to i ~ p l e ~ e nand t , cm u~grade to morethan ~ u a d ~pep l ~ del 73Q/74Q;~ n t e ~ r i s e - c l a s s p e ~ oin~ a an cage e able, a ~ o r ~ apackage. ~le res eight-way or twelve-way processor confi urationss~ecifically tuned for increasedprocespowerandmemory. 0 1’70servers designedfor exceptional price and pero wor~oads.The first serversin the industry built just for *

a variety of computin~ enviro~ents, i~cluding desktop omino servers, and Java servers, can be a challen 1400 provides a simple solution to this complex task. ~ ~ / 4 greatly 0 0 simplifies PC s u p p o ~by prov ndows PCs. No special hardwareor software is re print~rssimply show up in their Network Neighborhood. For

y tightly integrating hardware, sofiware, ~ d ~ l eand ~ the ~ eoperating , system, /400 providesa co~binationof power,flexibility,and eas thatcanhelprunthe operationssmoothly.Thisdesignalsomakes it possible for tokeepabreastwith

create a more manageable information t e c ~ o l oy infrastr~ctureby consolidating /~OOewith its seamless s u p p o ~ for

ogical p ~ i t i o n i nlets ~ you run multiple indepen ce§§ors, memory, anddis~s-within a singles y m ~ e t ~ server consolidation, business unit consolidation, ed clusters, as well for as suppo~in otecting your business fro

not run on earlier

and to reduce the

.All i~stancesof these objects are stored

processor (which itself can be com~risedof twelve separate proceswritten to any U 0 device. That rear ~croprocessordedicated to that U 0 device. application p ro g ra ~ . storage access times. ntinues with executing anothera ~ p l i c a ~ opron econds ( second). This designprovides the in the c o ~ e r c i a l ,ans sac ti on-based environcomputing, and oneof the main characteristics it is U 0 intensive rather than compute intensive. nefit of outstan~ingp e ~ o ~ a n in c ethe business environment, an elegant methodof int~gratingdiverse environmentsinto a sin-

on a card9which enables

an A ~ / ~ Oare O unawareof underlying hardware characteristics beso unaware of the ch~acteristicsof any storage devices on concept of single-level storage means that the knowledgeof the the hardware storagedevicese storageis auto~aticallymanopwork withobjects (see the next section on object-based ss. No user interventionis ever ss the numberof bytes ~,~099551,616. There1,616 bytes, or 18.4 ~uintillion

bytes. To put this into morem e ~ i n gtems, ~ l it is ~ m a t e l y6 trillion miles e enables another ex stence means that the tem forever. An ordinary machine requires tern if the i n f o ~ a t i o nis to be sharedor if i objects is extremely impo~antfor future sup to continue to exist evenafter their creator to exploit this characteristic of object per mechanism that requires them to store their all the attendantp e ~ o ~ a nimplications. ce

Logicalpartitioning is also for companiesthatwanttorun serverworkloadsin a single Q system.Logicalp formance of an AS/4OQ system tobe flexibly allocat tems havea p r i arti ~ it ion ~ with all resources initi agingsecondary p ~ i t i o n processors, memory, andi only an initial progr put output processors operateindepende L A N ~ A Nfaciliti munications betw 14.00 is licensed oncefor the entire system by number of pa~itions.Li V4R4 must be installed on partition.

As the p e r f o ~ a n c eof an en te~ riseclass server gr that p e ~ o ~ a n to c erun multiple workloads indepe has becomec o ~ o n p l a c in e the mainframe market Typically, separate partitions are usedfor test rele ple business units orcompan~esfrom a single server. The AS/4QQ’simplementation is an adaptati with flexible and granular allocation of system resourc~s.The plementation introduces both the flexibilityto a1 speed internal c o ~ u n i c a t i Logical p ~ i t i o ~ n( g stances or p ~ i t i o n s(each metric multiprocessingA can now be a ~ ~ e s s in e da single machine to achi solidation, mixed production and teste n v i r o ~ e system values can be set in a difFerent primary orsec0

rogram must be restri

to authorized personnel.

can also be used to perform

S an interactive screen-design tool that allows e, and maintain a ~ ~ lic a tioscreens n and menus. ,numeric, a l p h ~ u m e ~and c ) di utes (e.g., color, flash, nondispl sensitive help. These features be used to limit application~rogram-dependentdata validation. Therefore, tion reviewsit may be ne cess^ to e ~ a ~ screen n e sourcemem~ers.

implications, arediscusse~in ities listed ~reviously,many S utilities, productivity aids,t r ~ n i n gtools, and other system S uti~tiesor ~ a c ~ a gintroduce es additio~alsecurity c o n c e ~ s . U ~ programs lity andopera tin^ system functions that are of interest to a~ditorsare as follows:

at facilitates the creation and maintenance

to ~ ~ ~ ~ o ~ersonnel. rized

s i m ~ l i ~database es in~uiryprocedures. allows users to interactivelyspecify criteria for the e~ ~ actio n , s u mm~ z a tioand n , resenta at ion of database

erating randomnum~ers(

ty parameterfor each user (

nter Function (APF)is a utility that allowstb. codes, createslogos, and createsbar graphs. trol impact,

Within the user profile, ~an niti~

P andlor r o g r an ~ Initia

on to the system, th can display a series ment, or a control mandatory menu. This control f e a ~ r is e

be inapprop~atefor many A u ~ o ~ist designated y as

es

ta of

d to all system

after images of changes,

,all entries stored in thejo abase so that it will bein the same state as it was ,all the transactions isk space andj o ~ a l need s to be he command to review thej o u receivers ~ ~ on the system is

hen a single ans sac ti on updates multiplefiles, there is a risk that dataCO should the s y s t e ~ crash before all the files are updated.~ o ~ ~ tCO~ e n t t e c ~ i ~ utoe srecorddata until the transaction is compl data c o ~ p t i o by n e~suringthat the transactionis CO atabase is updated pen-nanently.

ecksum protection uses ana1 e data residin~on several othe use the redundantdata to reconst~ctthe data to store the entire system. This savesa considerabl ever, use approximately 1596 of ~ e m toom ~ a g eThe . cost of ch time utilized andaddition~ldisk storagespace,

S

method of protection stores duplicatedata on separate disks. hould One of the disks

,processing continues usingthe mirrored disk.The cost of this 1 el of protectionis that

all write operations are d licated and av ~ la b lestorage is halved. This option is utilized when it is critical for the systemto be up and~ n n i n gUse . of this option results in increased perfon-nance for read operationssince there are two places to read i n f o ~ a t i o nfrom.

7 disk units offer redundant m a y of independent disks ( uses data detection and correctiontechni~uesin such a m ~ n ethat r if one of e con~gurationfails, the system is able to reconst~ctthe data and continue the disk is repaired or replaced. is i his operationis similar to checksum, but the performance impact checksum) ~ o u g hardware h f e a ~ r e on s the disk unit.

400, a level of security canbe chosen to meet a customer’s needs.

inimal s e c ~ t y passwords ~ ~ o are used, an any user can p e r f o ~ any asswords are used, but users can erf0n-n any function.

ste

1. Manual

3. Secure

2. Normal

4. Auto

Yes

NO

NO

Auto IPL

Yes

Yes

NO

Remote P L

No

S

NO

Power Switch(Off)

Yes

NO

NO

Power Switch (On)

Yes

Yes

0

PWRD~NS~S

Yes

Yes

Yes

Run Dedicated Service

Yes

No

No

wity officer may set the = 10,20,30,40,or SO).

in almost all cases,

ed from the factory with the

stem value containsa list of libraries allowed to contain user do.'These object types are user strict the objects of type * which is a temporary objectat level 50, and, there~ore,canl data between users.

rd f o ~ a t t i n goptions. Theseoptions can. help improve ords more difficult to guess. assw words can be cong an egective combination of the following options: :~ontrolsthe ~ n i m length u ~ of a password.

m a ~ i ~ ulength m of a password. asswords from being the sameas any of the previto ten installation-defi~edcharacters that cannot apForces each character in the new password to be di~erentfrom the ame positionin the old password. acters from being usedmore than once wit hi^ a passrevents a user from specifyinga password with numbers(0 to 9) :~mplementsa password validation programto perform additional

l new passwords have at least one numeric character.

ds for user profiles to expire by using the system value m number of days that a password is valid. hed for a password, the system auto~atically

user to select a new pa vent usersfrom ch number of days un value can be overri n ~ iv id ~ al’s user profile with needsdi~erentfrom the system value.

eter er (

It is possible to prevent users wi

number of workstations accessi~leby users with specialautho~ty.

tion is sent with an automaticsi~n-on.

system value specifiest attention key.

security r e ~ u i r e ~ e n t s .

is used to display to tion (e.g.,date of last sign-on, number of invali ~ a s s ~ oexpires, rd if less than seven days)i

If a job is inactive for a specified number of ~ n ~ t e s tomatica~l takes action bas >*

specifies the system portion of ects in the syst~m s ~ a r c ~ first, e d before anyl i b r ~ i e sin the user portionof the

ortion of the ~ i b r list a ~have been

at is either a t t ~ ~ to h the e~

ere are eight ~pec~c ~ that u ~ aore~d vt i e s thorities. To work withan object, a user must have ct ~uthoritiesare:

remove users and theiraut~oritieson a list of users authorize^ to access anobj

ata Authorities. Theyare use

rities. The user can The usercan run a p is prevented from ch

or display the o ~ j e ~ t ’ s

ect an stern A u t ~ o ~ t i e s .

~ities derive theto

A

x

x

X

X

X

X

X

x

x

x

x

x

x

x

No system authorities given

uthority e~plicitlyprevents a user or a group of users from accessing the ified, no other autho~tiescan be g r ~ t toe the ~ object ns should set the public access p a r ~ e t e for r produco assure that onlye~plicitlygranted accessis al g r ~ t i n g of access basedon public access.

It level of authority thatis granted if access to an objectfor a up has not been explicitlyg r ~ t e dor denied access.This dethority library parameter X command that was after creation.The

the system, control the objects they can access, control how the system appears to them is their user profile. user’s ability to access objects on the systemis allowed or denied based onthe inon user profilecontain^ the i n ~ o ~ a t i about of a group profile) andthe objects the user or group 0 security, a “useris anyone using the system, both ers, system op~rators)and end users (e.g.,

on of the A ~ / ~ Ooperating O system,each user proa user’s proof the user’s capabilities are defined within s profile also defines the user’s work enviro~ent l menu, ~ ~ i secondary ~ u m storage, user prior-

disable the user as possibleand the user profile deleted.

may be of i ~ t ~ r etos t

0 operating system does not auto profile and password. Therefore among ~r o u pof s individu~s. duces user accountability. Thus, sharing of us should be dis~oura~ed.

If a numberof users on the system. requi members of one group profile.This m.etho thorities by con~olling multi~le users at th A group profile is a user profile thority to multiple users. This is accomplishedby file level and thena s s i g ~ neach ~ individualuse up profiles is that th

to have the same levelof access to an ject in a group profile and then assi one of the users requires a different level of

adminis~ativel complex wi

An au~orizationlist is a m.eans ofspeci files. The a u ~ o ~ z a t i olist n feature is us user profiles (and their associated autho~ty)that can access t~orizationlist. Two key features of an authorization list are to each user is independent of other users on to allobjects securedby the list.

shown in Exhibit3S .

S

Users may be assigned di~erentaccess rights.

All users are assigned the same access rights.

ned the same access rights for all objects secured by thelist.

A user (as part of the group) may have a different access

Users may be listed on multipleautho~zationlists.

Users can only be assigned to one group profile.

Objects can onlybe assigned to onea u t h o ~ z a ~list. io~

Objects can be secured by multiple group profiles.

Objects mustbe ex~licitlyadded to the authorizati~nlist.

Objects are authorized automaticallyto group members when created by a group member if up setto do so.

right for each object secured by the group profile.

on the screen.

~ ~ e t eand r sEvents

Authority failures are logged. Object create operations are logged. Object delete operations are logged. Actions that affect job a are logged. Object move and rename operations are logged. Changes to the system dis~butiondirectory and office mail actions are logged. ~ b t a i ~ i nauthority g from a program that adopts authority is logged. ~ ys t e mintegrity violations are logged. ~ ~ n t i an spooled g file and sending output directly to a printer are logged. Restore operations are logged. ecurity-related operations are logged. Using service tools are logged. Actions performedon spooled files are logged. Use of system manage~entfunctions is logged.

ybelogged on a system~idebasis by including o e s y s t e ~value. For this logging to take place, the L as one of its p~ameters.See xhibit 3.6 for parme-

ged on an individual user basis by includi user profile p~ameter.For this logging to as one of its p ~ a m e t ~ rSs .

value for the determines

S

~ystemvalue contai~sthe p ~ m e t e * r user profile p ~ a ~ e tand e r the all users accessingcritical objects on the

meters and Events

Command strings arelogged, Object create operations are logged. Object delete operations are logged. Actions that affecta job are logged. Object move andr e n ~ n operations e arelogged. Changes to the system dis~butionrecto^ and oEke mail actionsare logged. Obt~nin~

a from u ~ oarpi r~o g r that ~ adopts autho~tyis Logged.

Restore o~erationsare logged. ecu~ty-relatedoperations are logged. Using service tools are logged. Actions pe~ormedon spooledfiles are logged. Use of system management~ n c ~ i o are n s logged.

Vdues and P ~ a ~ e t e ~ s

None

None

Nolle

None

Change

Change and Use

C ~ ~ g e

Change

Change

Change andUse

Change and Use

Change and Use

r the following protocols:

LC (

~networks) ~ ~

N

The following c o ~ u ~ c a t i facilities on are a v a i l a ~W l~ OS1 ( O ~ e n S y s tlnterc e~s c o ~ u n i c a t ewith other

'onal s t a n d ~ dorgani~ation. s

rity level.

e distributed until the target system becomes a~aila~le,

in any of the three scenarios d e s c ~ previo~sly. ~e~

the s i ~ n - contro~s 0~ in efYect 00 c o ~ u ~ c a twith e s other the system. The n e t ~ o r kat-

n ordinary workstation

ts has exceeded the

L indexes, stored ~rocedures,userabase e n h a n c e ~ e ~ t s ) d a ~ ~ l i c a t i oand n networksecurity (TC

ial~ ~ t h oand ~ t the y

ossible v ~ l ~ are: es

all function with user *

autho~ty no theabove y. The default value

is

-one secu ~ tysystem values are listed in alphabetic^ order. ri~ ison of unctions at d i~ e re n t s e c ulevels.

allowed domain

ttention-~ey-han~ling p r o g r a ~is used by the user. perational Assistantis used. The program specified willbe exettention-~eyduring an interactive job. n ~ e non t the specificre~uirements.

e t e ~ i n whether e audit in^ is performed on the system. Itis the opera tin^ system. It serves toturn the fQllo~ing attribuser profile parameter. objects by means of the Change Document d, the Change Object Auditing ( ed for users by means of the Cha

*

ossi~levalues are: ting of user actionsor objects is perfo ed for objects sp

by means of the

ctions specified the in L sysindividual user profile ~arameter,while using the

ecific re~uirements,

system valueis reset to

I

l m value d e t e ~ n e the s ~ e ~ u e n wi c y which new auditj o ~ n aentri om ~ e m toodisk. ~ This will enablethe stem ad~nistratorto control of audit i n f o ~ a t i o nthat couldbe lost if the system endeda b ~ o ~ a l l y . is based on i n t e ~ asystem l perThe system d e t e r ~ n e ill determine the n u ~ b eof r auformance. A number between1 written to auxiliary dit journal e n ~ e that s can accumul e number, theless impact there willbe on systemp e r f o ~ ~ c e . value: ~ependenton the specific re

nes the type of events recorded in nts asspeci~edby the system value a1 users based on the user profile paramet~r ese include oneor more of the following: bject create operations are logged.

Object delete operations are log Actions that affect job a are lo Object move and rename operations lo are Changes to the system distribution directory and o b t ~ n i n gauthority froma progr tegrity violations are 1 Printingaspooled file and se estore operations are logged. related operations are logged. ice tools are logged. Actions performed on spooled files are logged. Use of system ~anagementfunctions is log e c o ~ e n d e value: d ~ e p e ~ d eon n tthe specificre~uirements.

The systemvaluedetermines the devicename of theconsole. It is r e c ~ ~ ~ at e the console be located in a secure physical environment.

ossible values are:

0

The publicmay view but not change the created object. The public may change the created object. The public may perform any functionon the created object. The public is specifically excluded from ~ e ~ o any ~ n g efault value: * e c o ~ e n d e value: d

hanging the parameter to a differenta u ~ o ~will t y not chan ing objects created with the authority as defined by the existin

'This system

S the auditing value for a new obj the library is system e value is also the default uments withoutfolders. Possible values are: * o auditing is performed for the object.

*

*

~ u d itin gis based on the user profile ~ a r a ~ file accessing the object.

ect is changed, an auditjournal entry is written. of the object is changed, an auditj o u ~ a l e ~ist ~r yr i t ~ e n . ndent on the specific r e ~ ~ i r ~ m e n t s .

alue in minutes that aninterac~vej n on to the system within th sconnected, but users will be bro e time thata jobwill r ~ m disconnected. ~ n

t on the specificre~uirements.

tio on is not displayed.

the time thata jobis inactive.

e t e ~ n e the s action to be t n by the S stem when system valueis reached. econdary jobs, andor group job(s) is ended. Theingroup job(s) is disconnected. The actually endsthe disco

ecific re~uirements.

ines the action takenby th empts as s ~ ~in the c i

~

~

~

Possible values are: he n u ~ b eof r i n c o ~ ~ c t s i ~ n - o n isa unlimite~. tte~~ts

ossible v~luesare: It.

A value of 1 to 365 This represents the number of days before a password ex efault value: "N ecommended value: 30or higher

This system value canbe used to prevent a userfrom specifying a password with numbers (0 to 9) next to one another (e.g., 12345). Possible values are: *

0 Adjacent n u ~ b e r are s allowed. 1Adjacent numbers are prevented.

ependent on the specific requirements.

Specifies up to ten installation-defined characters that cannot appear in a password (e.g., A, ).Possible values are: P e r ~ tany s available character to appear in a password. Up to ten restricted characters, A throughZ,0,9, #, $,@, and --. e c o ~ e n d e value: d Dependent onthe specific requirements.

e c o ~ e n d e dvalue: 30 or higher ( rity, and 50 equals high security.)

set values: 10 equals low secu-

/400e is brilliant inits architecture. There are many examples of where AS the architecture has deliveredon its promise of making the most advancedtechno1 and continuo~slyavailable to its cust tomers to give Internet access to exis T ~ o u g ah product known H as S can access and runAS1400 application crosoft WindowsNT, firewall, and Lotus All customer solutions require a range of hardware and software products from a variety of vendors. The AS/400, through inte~ratingthese mixed environments, simplifies the task of managing them. The~ S / 4 0 can 0 move fromCISG processor technology to RISC processor technology witho~t eding to recompile programs. r o g r a ~ sare saved off the systems, restoredon the SG systems, and run as full 64-bit applications. chines reco~pilationis necessary (sometimes somerew~ting),and the resultingp r o ~ r ~ s do not fully exploitthe 64-bit hardware.The AS/4OO's fu~re-o~iented arc~itecture has en-

l'

50

10

0

30

User profile created automatically.

Yes

No

No

No

No

User profile name required.

Yes

Yes

Yes

Yes

Yes

Password required.

No

Yes

Yes

Yes

Yes

Active password security.

No

Yes

Yes

Yes

Yes

Active initial program and menu securityLNTCP

No

Yes

Yes

Yes

Yes

Active limit capabilities.

No

Yes

Yes

Yes

Yes

Active resource security.

No

NO"

Yes

Yes

Yes

Users have access toall objects.

Yes

Yes

No

No

No

Security auditing available.

Yes

Yes

Yes

Yes

Yes

Programs may not contain restricted instructions.

Yes

Yes

Yes

Yes

Yes

~rogramsmay not use unsupported call interfaces.

No

No

No

Yes

Yes

Enhanced hardware storage protectionis available.

No

No

No

Yes

Yes

No

NO

No

No

Yes

NN system value determines the libraries where the objectsWSRSPC, *URDX, and USRQ may be created.

Yes

Yes

Yes

Yes

Yes

Pointers inp ~ ~ e t eare r s validatedfor user domain programs running in systemstate.

No

No

No

No

Yes

Enforcement of message handling rules between system and user state programs.

No

No

No

No

Yes

A program's associated space cannot be modified directly.

No

No

No

Yes

Yes

Internal control blocks are protected.

No

No

No

Yes

Yes

l i b r is ~ a temporary object.

*At ~ 5 E ~= ~ 20, resource R l ~securityis active but may not be effective since default"RLLOBJ Special A u ~ ~ o is~ granted ty on user profile creation.

e rapidly changing hardware and software tec~ologiesin its stride. This same tecture will continueto serve its users wellby enabling its customers to continue to deploy the very latest technologies while causing the mini mu^ possible d is ~ p tio n to their work. 1400 ~chitecturehas another advantage besides speed: it makes the it lets AS1400 assign a unique, nt of data and applications easier. Why? e addresstoeverypiece of dataandappinsidethesystemusing a techel storage. Imagine what would happen if you were mayor of a town g s state law re~uiredyou to identify them using~ree-digitadthat had 10,000~ u i l d i ~ an dresses and no street names bviously, you couldn't give every ~uildingits own address.

ine how d i ~ c u litt would beto deliver mailor respond to e leve it or not, manyof today’s mode^" servers face a si assign a unique addressto every object in memory or on dis g r a m ~ e r have s found clever waysto work around these pro p r o ~ r a ~ time, n g added complexity, added costs, and err0 sin~le-levelstorage lets ~ ~ /mark ~ Oevery O object, whether age, witha unique, permanent address.This reduces the tim S the entire system mn mo developandenhance ap~lications.It pecially when~ n n i n gmultiple tasks. oftware failures. As one custo eneral ~rotectionFault.”

A s y s t values ~ ~ report,

ment should be designed to provide segregation between ns, systems and applications p r o g r a ~ i n g a, data control. Often in midrange installations, there are a limited nu m~ e of r personnel, and control concerns he segregationof duties. trols thatmay address or monitor alack of segregation of cess to production objects is limited to read-only by using in-built sysccess to source production programs and compilers is restricted using in-built systted only with ~anagement’s istory logis reviewed by managementfor unauthorized useof tern ~ r o g r a ~utilities, s, and compilers, ~ n u s activity u ~ is logged by user and/or ect and is investigated. are restricted to an initial program and/or an initial menu capabilities and attention-key-handling areset to prevent program a n ~ oan r initi~lmenu. of last change, are compared periodically to sole is limited to authorized

he modemseither are turned al security features, such asdial-

f no in-house program. development is p e r f o ~ e duse , of purchased softwareor thirdrs may provide an appro~riatesegregation of duties in the IS ng controls thatmay address or monitor a lack of segregation of ser and IS d e p ~ m e n t are: s ssigned aninitial program andlorinitial menu that restricts options availes and attention-key-handling areset to prevent difying theirinitial program andlor an initial menu. Management rs from accessing~ r o d u c t i odata ~ files by using system security of reconciling inputs and outputs (e.g., use of batch controls, rent of authorizing and entering transactions, are responsible for r~con~iliation and review procedures.

Access violations are investigated promptly by appropriate management personnel, he security officer profile is assigned to only one individual and Special ned to a limited number of management personnel who have sec urity ~ n c t i o n may s be p e ~ o only ~ efrom ~ a limited numberof terminals. ublic Authority to production data files is * are assigned an Initial ~ r o g andlo r ~enu limit in^ accesstoonly ~ n c t i o n necessary s to perform their work. Limited ~apabilitiesand atte~tion-key-handlingare set to sonnel from modifying their Initial ~ r o g r andlor a~ anInit to the systemis controlled after business hours ~ o u g the h use of automated and c o ~ u n i c a t i o nlines c o ~ a n d s . .,dis~ettes,tapes) is r ~ s ~ c t etod a u t h o ~ ~ e d system is p r o g r a ~ e dto cancel or deactivate interactive jobs (i.e., t e ~ n asesl )if there is a specified periodof inactivity. 01Control rights are lirnite to appropriate auuthorization to use restore commandsis limited toa~propriatepersonnel. se of data-altering utilitiesis restricted to authorize^ personnel and from production nv~ronm~nts, and their usageis closely monitore~. obs are executed duringschedule^ time frames, and deviations from scheduled pro-

nizations are placing more reliance on i n f o ~ a t i o nprocessing facilities to s u p p o ~ i nav~labilityof critical business applications. heref fore, it is important to ~ ~ n t athe this information and the associated processing facilities and to be able to promptly restore critical i n f o ~ a t i o nprocessing systems in the eventof an interruption of service. tional controls related to business contin~ityinclude: rocedures should be in place to regularly measure and assessthe impact of interrupted i n f o ~ a t i o nprocessing on the business. sponsibilities should be assi ned and contingency plans prenction and userd e p ~ m e n t s . ontingency plans shouldbe documented and tested to ensure timely, con~olledrecovery of critical i n f o ~ a t i o nsystems. n-site and off-site backup for critical information and materials shouldinsti~ted. be should be developed, and preve tive measures should be age and mitigate the impact on the usiness froma disaster or

he systeme n v ~ o ~ eisnadequately t secure.

bserve the adequacyof ments depend on size an

e following requirements in the computer room(roomrequirese of the A~/~OO(s)):

azard detection toolsand eq~ipment ~otectionfrom risks of water d ~ a g e

bserve the physical

a su~oundingthe system unit and evaluate whetherit resides in a

,access by unauthorized individualsis restricted).

ter with its peripherals located? hat physicalsecu ~ tymeasures are used to reduce or prevent access? Are visitors (nonco~puterroom personnel) e n te ~ n gthe computer room requiredto out and bea c c o ~ p ~ e d ?

00 is eq~ippedwith a four-position ystem Key Lock. Each of the positions allows for a different levelof system control.

is not set to manualor normal, and thekey to the~ y s t e m is ~ ~ n t a i n in e da secure location.

e t e ~ n whet~er e the ~ y s t e m y Lock is in the auto or secure position. y is maintained ina secure location. here is the key to the System

y Lock maintained, and who has access toit?

hat procedures are use~followedwhen the position of the chan~ed? hat is the positionof the

e ~ sensihe system consoleis situated ina physic~lysecure location. Certainr e s ~ c t and e d this we opera~onscan be p e ~ o ~ only e d from the systemco~sole.All jobs s ~ b ~ i t tfrom 0, and it can be usedto control jobs and spool files. The if the profileis disabled becauseof on to the system console, even

at is the value of S

the device specifiedin the

Ts) are not usedto provide accessto sensitive data,

with the assistance of the client,o It passwords to ensure that they have T and to ensure th ave the default passwordsfor

to provi he s y s t e ~ security levelis set at a sufficient level

S

are well controlled.

s report to ~ e t e r ~ ~ e o a list of l i ~ ~ ~tha i e s

red to change their password at least once a quarter? e history or audit logs reviewed for possible password violations? S each user have a unique user ID and password? port tod e t e ~ n the e following: p ~ ~ e thas e rbeen changed from "N to a reasonab~enumber of days. a new password to be different from the previous32 passwords is activated (i.e., N) parameter is not lower than5. parameter is greater than8. ation p r o g r is ~ used, ensure that the additional validation checking persult in users being forced to use pass~ordsthat c o n f o to ~ a f o ~ athat t assword validation program has a security risk that v~idation progra~ during inputof a new password. owing parameters have been set to ac o ~ ~ ~ i n a tthat i o n reasonably prevents

number of unsuccessful sign-on attempts is not set too high. When the maxof unsuccessful sign-on attemptsis reached, the user IDis revoked and/or

at is the valueof ho is authori~edto change the valueof value onthe system values report and determine if the maximum et to a reasonable number. The ma~imumnumsful attempts. In addition, determine whether iews allunsuccess~lsign-on attempts.

ew the client's follow-up procedures

value on the system values report to er of unsuccessful sign-on atte

parameter has been chang n on to any workstations

* *

What isvalue the of Is this value ever changed?

?

value on the system values parameter has been set 1.toVerify that chan

parameter has not been chan unauthorized accessto the system via a remote workstation.

What isvalue the of ? Is there a need fo rs to signon to the system? p a r ~ e t efrom r the system Obtain the value ofthe g h toS display station p a s s - ~ o ~ users se If users to access the system, the value *

*

parameter has been changed to preventus ing on to more than one wor~stationat a time.

* *

What is the value of In what kind of situations do users need to sign onto more than one time? n to multiple~orkstations? values to the

at is the value of at is the valueof s i ~ a t i o do ~ §v i ~ u adevices l nee ured

auto~~tica~ly?

on the S st^^ valu~srep

ete er has been set to a v

t is the value of t ~ ~ that ~ the n e

hat is the valueof

he system will write security-related events to e history journal if it has been activated.

journal and also to the audit

olations are reviewed and followed up on in a complete and timely manurnal has been activated. Allap~ropriateactivities are bein

f e a ~ r activated? e ow often andby whom are history logs/audit j o u ~ a l reviewe s at security-related events are being recorded for users of the system? e followed when a security violation is noted? cted fromunautho~zedaccess an

ogging of specific users’ activiti Is there a need to monitor the use of and changes to specific objects by users? Is there a need to m o ~ t othe r useof andchanges tos p ~ c i objects ~ c by S eview the settings to the following system values onthe system eva~uatethe appropriatenessof the settings: the parameteris set Eo ei L. It should be set to * if either specific user and/orall user activityis be-

appropriate to satisfy the needs of the or-

.If the organization’s sely preventing any further it journal, the p ~ ~ e t e r .Such a recommendation should only be made afences of such a setting.

S

0

uate the settingsinexistenced de te r ~ in which e objectsand ed. Ensure that activity loggi meets the organization’s secu xamine thedocu~entation suppo~ing the regular reviewof the history( or audit journal. Determine if the review is des d for detection and u n a u t h o ~ ~ access ed attempts,unauthori~eduse unscheduled processing. m~agement’sassistance, a t t e ~ p t on to sensitive objects U userprofiles.Reviewthehistory ( log or audit journal for attempts. btain the access authority the to audit and history journals and j o u ~ a ensure that access to themis ap p ro p ~ a terestricted. l~ e t e ~ i n which e system users have been assigned* the temine that it is approp~atefor these users to be given move auditing values for both user profilesand objects that relate to audit logging, Use the Display User Profile ( taining all user profiles. With utility to print a sampleof this file. For the sample of use *

ter has been changed from is a r e ~ u ~ r e ~that e n tan ser accesses a specific logging will take p

*

,even though user profile thepa-

LVLp ~ ~ e thas e rbeen c h ~ g e from d the default setting twelve avai~ablevalues if additional monitoringof indie appropriat~nessof the para~etersettings and ensure that the p~ameter settin~s meet the needs of the or~anization’s security r e ~ u i r e ~ e ~ t s . ts on the system, use the c o ~ to de~ d alue is approp~ateso th *

user profile parameterif the c the user profile parameter is set to To ensure that auditlog the object, the setting ry may be developed to help pe

UT is set to a value that does not created objects.

ho authorizes changes to for production programs and files been

chan es to this system valueare authorized.

that thein~vidualaccesses allowed are appropriate.

p a r ~ e t e has r been set to 0, preventing the displayof si mation.

0

hat is the valueof Are users instructed when es the sign-on information indicates that ID, or when the date unsuccessful sign-on attempts have been made using their user of last sign-on is inco~ect? eter on the system values report and ensure that it has

been set to 1.

Unattended t e r ~ n a l are s bein timed out; thus no opportunity is created for an unauthorized userto gain access to the system by way of an active but unattendedwor~station,

0

Are inactive jobs cancele~disconnected? After how many ~ n u t e is s an inactivejob cancele~disconnected? After how many minutes is a disconnected job canceled? hat is the valueof What is value the of ? What is the valueof

view the s y s t e ~ values report to

p ~ a m e t ehas r been set will function like an *

sure because theli-

o a ~ t h o ~ z e s c ~toa n ~ e s

list are authorize^.

The user o ~ i o n othe f librar list is s e ~ c ~ e

c o m ~ a n ~ , ~ e t e rwhether ~ i n e the access to the en appro~riatel~ restric eness, ~ e ~that i ~allych user p o ~ i o n the o f library list are a ~ t ~ o ~ ~ e ~ .

The passwords for thesix-supplieduserprofileshave supplied user profiles are not used as user or group profiles.

*

Have the passwords for the

Determine thatthe passwords for ~ ~ o ~ l e

ser profiles using the -supplied user profileis set to*

User profiles with certain special autho~tiesprovide unlimited access to vi pects of the AS/400. Users do not have accessto profiles wit levels of access greater than required by their job function.

* *

What users have been assignedSpecial A u ~ o ~ t i e s ? Do all users with Spe their job function?

Review all responsibilities of individuals assigned the ( Special Authorities for ap

used as a group profile, use the

field is not set to * .If it is, discusswiththesen for the setting andw h e ~ e the r p r o ~ l eis still neceswill be disabled but are still valid for process in^, such

the objects createdby the user profile. at the e~ployee’sInitial Progr

gned does not allow the

not be set if not use

If audit loggingis being used, referto the section on historylogs and auditj o u ~ a l s in what audit procedures need to be carried out on the and parameters.

ityofficer may define a groupprofile for a group of esamecapabiln a user is assignedto a group,theuser is giventheritiesdefined in the group profile. Therefore, the authorities assi~nedto the group should be appropriate for all g r o ~ p ~ e ~ b e r s .

Users have not been granted levels of access by a group profile greater than those required to perform theirjob function.

at policiesand procedures are usedfor the a s s i g ~ ~ eof n tindivid~alsto up embers ship reviewed on a periodic basis (or when transfers, te or pro~otionsoccur)? Are the access rights assigned to the group reviewed on a periodic b~sis? e group profile passwordsset to * splay Authorized Users ( group profiles. For aS ects authorized by usi rfom the follo~ingaudi

4

ew reasonableness of objects authorized Check that group p parameter is set to epeat the audit stepslis profile ~ a r ~ e t eare r s appropriatefor the g r o ~ pprofile.

ted levels of access greater than those required to p function.

Which libraries contain sensitive information? S the public authority to these libraries appropriate? o is authorized to access sensitive libraries?

Using obtain a list of all li staff,asce~ainthe si

I, client i n f o ~ a t i o nsystems object and source libraries braries and willbe installation specific.The following standard syshat access authorities to them ,as well as any p r o g r ~ n g

d e t e ~ n the e following: blic Authorityis no higher than* Usershave a maximumauthority o

tosystemandutilitylibraries(except

m e r s have a ~ a x i m u mauthority system and utility

libraries, o production objectlibraries, to production source libr *

n data libraries source libraries. Note that or an i n t e ~ aprofile l without a password, such as uld be the owner of libraries. Also, note that most vendor-written so ,and data libraries will have an owner that may also be a group profilefor end users. This means that userseffectivelyhaveauthorityover endo or-written ects, and thereforeaccessto ugh pac~age-basedcontrols (e re s ~ c tio nofmenuoptions). usersmust be controll

fault public access

is set to

(if the

data.

Users are not granted levels of access greater than those required to perform job func~on. their

are user access rights d e t e ~ n e dand granted? hat default levelof public accessis granted to users? W is production data segregated from test data? w are programmers preventedfrom testing programs in prod~ctivelibraries in a live environment? W

eview andeval~ate

same profile to access the s y ~ t e ~ ) : e t e ~ what n ~ objects the ~ r o ~ l ~ object i d e n t i ~ previo~sly, e~ use rofile is allowed read-onlyaccess.

at policies and procedures are used for crea ow are authori~~tion lists del Are authori~ationlists reviewe ist ofsensitive authori~ation the lists on theser lists, obtain a listing of all use d to these lists and verify the appro

ilities as-

A job des~riptionrepresents a otential se name s~ecifiedin the job ~ e s c r i ~ t i can o n su p~a m e t e of r the job description.

y using job descriptions, users can not obtain

Is the security level30 or lower? Are job descriptions used to grant acces hat proce~uresare fo llo ~ edto establi Are job descri~tions reviewed on a regu riptions on the syste

a

level curity 30 or obtain and list of e the user profile parameter

1400 opera ti^^ system allows a prog feature allows a user who system authorities as the authority could run a Therefore, the program adopt

uthority feature, users cannot obt data files and~ r o g r ~ s .

rity de-

rocedures are followed to authori~ethe useof Adopt ~ ~ t h o ~ t y ?

systems are ed to avoid

lly removed when the to redefine accessau-

lders for ( t e m ~ o r ~ lnone~istent y) files and usethis cathey sh o ~ ldnot have.

lders r ~ ~ o v in e da timely manner? )c o ~ a n to d list all m136 mode and Au

access ~arametertotheCreate

e unless this authority is revoked by is ~ansferred.In certain si~ations, ners should be revoked. For example, a en thepro~ramis reviewed ~ a n s f e ~ to e da production

ority to ~roduction pro~rams

are t r ~ s f e ~ into ed le?

ownership e

also transferred to a

re objects owned at the user levelor the group level? hat procedures are followed when ownershi Who assumes ownershipof owned objects whenan own ~dentifyprocedures p e ~ o by~ installation ~ d ~ersonnelto ensure that c ership of an object does not CO r o ~ s installation e securi ewing user profiles, incl

C C ~ S Sto sensitive utility pro ata andlor programs and compilers, is ap

hat users have access to sensitive utilities? 1s the use of sensitive utilities log ed andfol~owedup? S re~uired to produce audit trails? Are all

access p ~ ~ e t1se r

ed by installa~onpersonnel

ned to user profiles or are not c o ~ a n d or s other objects

Users do not have accessto the operatin

ich usersare able to accessthe CO ich users havelimite Are the c o ~ a n d listed s onusermenus hich c o ~ a n d can s limit the capabili th the client’s assist~ ce,use the er p ro ~ leshave bee re may be pe~ormedon a

for their job functions?

Evaluate the proprietyof the Initial Program assigned based the on individual user's job function. Review the Initial ogram assigned, usually a menu9to options allowing the user to access p r o g r a ~or s data files c o n ~ icwith t th regation of duties conventions. eview the limited capabilitiesp ~ ~ e tand e rve fy that it has a setting verify that the CO users have been granted the use of a d d i ~ o ncomm ~ a p p r o ~ ~ aca~abilities* te 'I

upport is the utility program that allows users to use a ~crocomputer instea

mal'' workstation to access an AS/400. For PG upport to p e ~ functions, o ~ ~ a n s f e ~ i of n ga data file, PC Support ignores menu security.

G Support users do not store their ~ S / 4 0 0 password in a C file that can easily be *

The installation has secured production programs and data files usin lists or Specific Authorities. * ~ S / 4 0 files 0 are secured in thePC environment. * Users are not able to bypass security by using the submit remote ( PC Support usersare not able to freely download and upload data files.

upport used to transfer files? o has access toPC Is secured data stored data uploaded to the ~ S / 4 0 0 ? hat datais downloaded? elect a sample of microco

and production data files.

in which it resides has been set to *

Users do not have accessto sensitive and confidential ~ a t while a it is he1

CO

sensitive or con~dential info~ation in spooled fileson the system? ave user^ been assigned * Lspecial authority that gives them access to all inrmation contained in output queues? re the contents of output queues restrictedto authorized users? tem are used to print sensitive and con~dentialinom the client, review the following output queue parameters:

nsure that thepara~etersettings are appropriateto achieve the desired levelof sequeues that hold spooled filescont~ningsensitive and con~dentialin-

ensitive systemc o ~ ~ d s .

eview the authorities over the following sensitive c o ~ ~ dusing s , the at such c o ~ a n d are s appropriat ~ ~ s c ~ i p ~ i ~ n

Add Authorization List Entry upport User toDistrib~tion Change Au tho ~ z a tioList ~ Entry edicated Service Tools~ a s s ~ o r d atabase File (using D W ) hange Network Attributes C h ~ g Object e Ownership

lear Logical File Member Clear Library

Create Authority Holder Create Authorization List

p procedures for critica~vitalinformation andm

rary listin~sto ensure that l i b r ~ i e are s being saved.

:Saves all ~on§ystem li~rarie§. ified).

cannot be saved via users outof the

At least a whole syste tion’s backup scheme. eview backup retenti A listing of the backu where (e.g., copy of tape index o content of each tapeis easily dete Verify that j o u ~ a l i n g( c o ~ t ~ econtroln t

Verify that off-line b curity no longer ap

be Access Control Facility for the AS

Verify that only authorized individuals either have :This capability requires (to change a user pro~le),an

security the used byofficer authority unless access the to

or someone with the been additionally res must be accou~tableto individuals (i.e., if a rofile is p e ~ i t t e d each , in~ividua~ in the Group ofile must be authorized). If a ,especially one ~ n ~ i with n g adopted authority, used to perform this function, individualscanruntheprogram. ~rograms~ n ~ n under the program owner’s user profile. done concurrently with the~ ~ v i l e g user e d 1 Authorization Test of this test is to verify that those individu~ tually p e ~ o ~ i n ~ tasks have the responsibilityensure to that a p p ro ~ ~ a te ma n a g e ~ e n t ation for the business need exist. S

with the users authorized to users. The list of privileged . .

The s~ecification of the

/400, there is a user p ro ~ leThis . profile may contain the following

nsure that pa§§wordinte

in the systern values. eview the § y § t e values ~ speci~edin the systern v

Ensure that there is appro riate control for the use o f “ s h ~ e d esour stern. out ~ o c ~ ~ e nprocedur~ ted controls.

tain the proceduresfor man tion userof the

nsure that all objects on the systern have a responsi

of owned by R e t e ~ n if e the n u ~ b e r objects

a u ~ o r i to ~ the e ~u

e

Determine if procedures for findingvalidowners N are adequate.

for allobjectsowne

e: Object ownership canbe viewed using the

Allresources on the AS/400 are called objects.The system m~ n ta in the s followin of information onallobjects:

wner (a useror grou ublic Authority(* Specific Authority (individual users or groups) ~uthorizationList bject Type (file, user profile,p r o g r ~library, , andso on) This information identifies the object owner; any individuals authorize to access publicly, speci~cally,or through anautho~zationlist; and the type of object. Sound security policy requires that all resources be protected from general access unless explicitly required, withformal docu~entationof the businessjustification for all exceptions (e.g., system broadcast functions). This implementation relieves not only owners from there~uirementto identifythe highest classificatio~level of their the supplier of service organization fromthe requirement to “scan,,for tial data. Objects on an AS1400 cannot exist without an o ~ n e rFor . o not be deleted untilall objects ownedby that user are deleted ~ircumstancesmay arise in which the system cannot dete ( stance, the system assigns ownership to the default owner owned by a useror group profile.

Verify that the access method is effective.

W

the system values, system exits used, and group s t ~ c t u r for e for a sampleof objects. group, user, and autho

e: Also ensure that appropriate control mechanis Location onf figuration List and Directory) are usedfor c o n ~ o l l i nac~ corporate backbone network. f applicable, obtain from ~anagementa regis siness case seems reasonable. Follow wi up owners. Reviewthe object access authorizationsfor the exceptions andcritical sy~temresources.

bjectauthorizationscan be displayedusingthe UT cornand. AUt h o ~ z a t i olists ~ can be dis la edusingthe Lcornand. Systemvaluescan be disLcommand.

of controlling access toor exclusion from C specific or list authorization. Specificauon. List autho~zationis a irements for system values, eview the exception list n onlybe in one group. Usersrnay be on multiple authorizationlists. Memlist can have different object can have a sins a mem er.

the basic authorities have been given separate names. They are as follows: ted access tothe data in the object. :Allows no access to theobject or its data. he autho~zationsearch order is as follows: asic autho~zation)

a u t ~ o ~for t y the object authority for the a u ~ o ~ z a t i olist n associated with the object :The first authori%ation entry found, matching the user andobject, is taken. There rnay e otber ~ a t c h e of s hi her or lower authority, but they are not used.

that ade~uateaudit trails are generated and audit trail histories are maintained to proa n a ~ e m ~andlor nt legal with s u ~ ~ i edocumenta~on nt for security incident follow-up and resolution. The re~uirementfor a documentation retention period should be documented in the~ f o ~ a t i o ~

Audit trails are maintainedi which controls secu~ty-re1 ng j o u ~ a lAny . user a j o u ~ a entr l ~ ~ ~ l i c a tdesign ion alter cannot t ~ a overa~l n s y s ~ se e~c ~ r i ~ . ince the use of journals is relate auditor needs to understand the site’s tten toj o u ~ aall l the activityof the S tem audit save andrestore information9authorization failures, deleted objects,or securityrelated functions.

and is c u ~ e ~The t, istrative a u t h o ~ t y ~ ’ of the access control system: at is general1usedinthe erdministrativeauthority is therivi of ad~ing,del et in^, and a1 e individual own in^ a us strati on^, they arestill considered to not have the job responsibility of ireme~tsfor its authorization. have this privilege and mustCO /400 attributes, as escribed ~reviously,can often e co~sideredas the re~ ~ i r e m e noft ssystem su ntrol systemis not considered “priviccess to componentsof the ever, by the potential ability to circumin the explicit sense of the te with access to these components should he access control system itself,

e ma~agement autho~~ation for eac ~ e nwith t follow-u~control assess ent i ~ t e r v i e ~ (with s ) the system security owner as necessary. eview written justi~cationsfor lon an two weeks) and s h o ~ - t(less e~ than two weeks) use. Lon e~ergencyor s h o r t - t e ~ esi~nee.

the ~ a n a g e ~ e n t a ~ t h o ~and ~ a business t i o n rationalefor p r o g r a ~ s ~ n n i n to ~ r o g r a owned ~s by

e ~anage~ent autho~-

~ o ~The~ ith adopteda ~ t h o ~ t y ,

thorities are not

to all s y s t e ~ resources.

and other users’jobs.

strator oro f k e r

d

.

com mies will survive, and even then, only by rest~cturin usiness. The laurels will go to those companies with adapt themselves tothe changed industrylmdsca~e.

Successful auditsof ~ n f o ~ a t i o n analysis of the physical environment potential risks and recommend The objective of the au sary to successfullyp an age bility for all services relate mounts, andso on), the ope that ~uaranteesoptimum

infras~cture, specify audit will The puting e n v ~ o ~on ~ an t and creases the availab ing will be brought into

stan~ardsi

stablish a com-

I

The following isa list of reports that have audit significance. They can be printed and used to audit the AS/400 platform:

*

All Libraries On The System

*

Library Save And Restore formation

*

A Specified Library Description

*

All The Objects In A Specified Library

*

The LibraryList For The User SignedOn The Basic Information From An Object’s Description

*

The Full ~ f o r ~ a t i From o n An Object’s Description

*

Service I n f o ~ at i o nFrom An Object’s Description

*

Users AuthorizedTo A Specified Object

*

Access ranted By An Authorization List

*

asic I n f o ~ a t i For o ~ A User Protile Display AllParameters For All User Profiles

*

Au~orizedUsers In User Profile Sequence

*

Authorized UsersIn Group Profile Sequence ions On The System

*

AI1 Devices On The System

*

Program I n f o ~ at i o n

*

P r o ~ a That ~ s Adopt The Owner’s Authority

*

AuthorityHolders Date Of Last Change For All Programs In A Library ystem Statistics

*

Disk Statistics

*

ActiveJob Statistics

*

NetworkAttributes

4

C o l ~ a n Infor~ation d

*

Local ~ardware

*

IBM Software Resources List

162 166 169 170 171 173 175 179

ote ~ ~ s i ~a e~ s~ s1 i ~ a tmn. io~s

is r e c o ~ ~ e 3nmax ~ e ~ ~ s not effectivefor users

~ i n i 6 ~characters u ~

be the same as previousones,

The fol1owing value is r e c o ~ e n ~1.e ~ :

that may notbe used. Valid

more than once.

me of the validationpr andensurethat it does

is found to be onero~s.

ow someusersto

e t e r ~ i n if e the syste tions for profiles wi

ity to linnit access to workstaspecial authorityis being

thority cannot sign onto any display orized to the display station. autho~tycan sign on to any dis~lay

a ~ t ~ o r ifor t y objects createdin a library:

s y s t e value ~ takes

)for the libraryis set to *

is recommended, but clientm this change becauseall (e.g., device descripti normal operation. e systemwide attention"k:ey-handling program:

.No attention-~ey-h~~ling program. 2.10

user-w~tienprogram that will handle the attention inte ,which d e t e ~ i n e whether s objects ~ e t e ~ isystem the n evalue that are security-sensitive t may be restored to your system by a user with a proper ty-sensitive objects, such as system state pro be restored to the system. System state objects may be restored to the system. :Objects adopt auth that ' theto the however, ifended; es pro the value should be set to

nd

o reflect IT anduserdment org~ization, e ns u~ngthat appropriate segregation of duties is maint~ned. file att~butesand special autho~tiesshould reflect users' business functions. profiles oup

3.1

by e n te ~ n gthe CO

This willlist all group profile names and user profile ~ a ~within e s each group any user profile of users. It willalso list at the bottom 3.2 Evaluate each group profile to ensure that it represents a common group of users with the same or similar business~ n c tio n s . Where group profiles are used, ensure that the group profiles to prevent anyunautho~zedsign-on. 3.3

Check:thatthefollowing changed:

supplied profileshavehad t h ~ iori r

User Pro le

lease password of QS/400V3

3.4 the that passwords heck securely, stored changed, are

following forenthe and are on1

neers:

Ori inal assw word

3,

heckthat the passwords for ~ ~ / 4 key 0 0is held by the position.

ilityhavebeenchanged or that the and thatthe key lock is in the “Nomal”

Passw rd

*

For service representati~eor operator to use functions that do not

3.6

nsure that usersare members of appropriate groups relatedto their business ~~nctio~s. 3.6.2

3.6.3

assword E~piration~ n t e ~ a l ) ecific interval has been set for the system default specified in

*

.The secu~tya ~ ~ ~ s t ~ a t o r .4

pecifies which user profile is the ownerof objects createdby this user

3.

the i~itialmenu, the

er c m change all the values in the user profile with the

will prevent user a from dropp aborts. Ensure that users have

User profile can be used. :User profile cannot be used. and so on must beset to

) ~ ~ p r o p r i aaccess te a u t h o ~should t~ be d e ~ ~ ate the d l i ~levr ~ data files and programs are ~ r o t e ~from t ~ du n a u ~ o ~access ze~

4.1

ibraries that willbe searched when the system for which a library name has not been ex~licitly

nds withthe correct name. L d e t e ~ i n e the s initial s~ttingsof the system

e c o n ~ o l p r o c e ~from u r ~ sthe implementationof new programs or files from ~ e v e ~ o ~ mtoe n~roduction t

y of a ~ r o ~ u c t i oorno users security omise ad by priate grams should beres~ictedto autho~zed se the integrityof ~ r o d ~ c t i osystems. n *

~

*

o to review ~ any programs ~ dthat adopt the author

.~ c c e s to s the query ~ e ~ n i t i o should ns be ~ r ~ v e n t e d .

security-related c o ~ a n usin ~ s

nistrators haveuse of rities are usually requiredto exe-

c m use thisc o ~ ~ a n ~ .

nds should be*

6.

ority of work in the system is d e t e ~ i n e by d job d e s c ~ ~ tio n s .

S for a sample of production job y n a m e / n ~ of ~ ejob description) to obtaina listing of the job desc~ptions: na~~/job ~esc~~tion)

~~~

7.

7,

7.

7.7

7.

7.

7.10

.1

of network filesfor the receiving ay, cancel, or receive thejob stream into a database

the input stream was using the values in the to display the system arameters are: means allow any address. e userto whom it was sent.

sure that the user profile does

e t e ~ i n ehow s the system meter is as follow

*

C requests from remote

,but they are controlled

ort is actually used.If it is not,

co~munic~tions network entry~ o u which ~ h PC

user can use the“ s u b ~remote” t command facility without havactive wor~stationdis lay emul~tionactive.

8.4.

d e ~ n ethen ~ , the subsyste~ target system allows the source user ~ ~ e c i in~ the e dc o ~ u n i c ~ -

then the sources ~ s t will e ~ send a u ill be under the authority of this user

8.

syste~ allo~s ~ccess ~ith

.6

.S.7

.5 *

is s ~ e c i ~ and e d the s e c ~ ~level t y is 30,then no ~ a s s ~ o r are ds

the first available vir^^ device that has been con~g~~ed

is not set to 0 be-

urces are ~ e c o ~ d in e d the auditmd S s h o ~ ld be revie~edon a reg-

s ~ s t valu~s e ~ that control audit l o ~ ~ i n ( s y s t e ~value)

E ~ i b iS.t 1, in which le for enforcing all access valthority. In this way, the S validation code, and itis the only copyof that S ensu~esthat all ~ r o t e c t i o is~provided unirovides services for valid at in^ access to ob-

that will be used d

~ thatn session. ~

s c r ~ t i o n access a~ c o ~ t ~( o~s control who can accessr ~ s o ~ r c e s

be the File Name, data it co n t~ n s,and the

Network shares

object has anACL that thority to access that object.

the e logon process defines the to user can access.~ e ~ i s s i odefine ns the oper often, the operationsthe programs can performon ~ i n d o wNT s manages access controlby ass ogy, an access token is the security identifiers (which are to whichthe user belongs. manager on the computers h ~ n g cess control list of the requested object.If o rity token matches an access control access. For example, suppose a user members of the e n g i n e e ~ ~do g member of the engineeri

dows NT assigns the user an ~ccessto n (i.e., a representa~onof group to whichthe user belo compares the individual S cess control list (locks) to to access the object.

' I 'object, they containatt~butes to the system and~rovidetheir s e ~ i c e s . Utes in the accesst o ~ include: e ~ S

represent in^ the l o ~ ~ e d - ouser's n group me~berships e r ~ s s i o n s a l l o ~for e dthe user

ue s~curity identi~ers for each user roup in the S are uni~ue,if an nt or t retain the same er be repeated, so the syste

~ s eaccounts r

other.

and accessco~trole n t ~ are ~ scov-

a l l o ~the s sp e c i~ c

S

if the user is a t t e ~ ~tot10i ~ ~

. The ~ a s s ~isobr ~

1.

S

None

No access to files and directo~es

None

Llst

Not specified

List directory contents Change tosubdirec~ories No access to files unless granted explicitly

Read

List directory contents Change tosubdirecto~es Read data from files

Rdd

WX

Not specified

Create subdirecto~es Create files No accessto e~isting files unless granted explicitly

RWX

RX

List directory contents

Read data fromfiles

List directory contents

RWXD

Ch an ~ to e subdirectories Delete subdirectories Create subdirectories ead data from files Create and modify files Execute programs Delete files All

All

Alldirectory ~ e ~ s s i o n s

All filep e ~ ~ s s i o n s Change p e ~ i s s i o n s Take ownership

is the only file s y s t e that ~ slh that treats each file and a ~ ~ ~thatt are e sstored with the object, sac

of an object orpart of

~ l o w to ~ daccess an object (as

ncept, there are additional levels

a user’s identit?,i s th ill facilitate a c c ~ s to s i ~ p a c tan^ types of s ~ s t~e n~~d~ ube addresse~ ~ t and awareness ~ ~ o ~ r a ~ s .

the account exists, the

ass~o~ is drun th

for the session. Changes to a user’s

.Fromthe console

of control.

a n o n y ~ o logon ~ s to the

ince the acco~nti a ~

e

~

case it is a c c i d ~ ~ t a l l y ~ e e nThe a~~ed. S if it is ena~led and has no ~ a s s ~ o r d .

-

,and groups shouldbe created to give users gn p e ~ s s i o n to s groups and allow access em m e ~ b e rof s the appropriate groups. Groups nare o ~ a l l based y on ani~ationfunction^ units (marketing)

ating shares because p e r ~ s s i o n scan be ass the groups already exist.

ires that consistent and coherent n ention has the~ollowingthee charac the n a ~ n convention, g they stand. If users don’t understand n a ~ n convention g should b able to c o n s t ~ can t object r users, the name may incl e their full name and funcnter, the name may include the model number and concation inthe build in^, and the kind of work the printer have obvious and meaningful relationships with sent printers, then a ~ e should s CO erJet I11 ~ ~ n ton e rthe oor). If objectsareuser c o ~ e s ~ o n to d sJohn A. to ~ e t e ~ i that n e JAS co~ventionsthat producem~aningfuln ~ e for s objects is fairly easy; conventions that translate easily in both directions is more difficult.

uring resources fromunauthori~e~ access. There are two aprs are allowed m ~ i ~ pu em ~ i s s i o nto access information S in which i n ~ o ~ a t i should on notbe availa~leto them. wher~inusers are allowed to access only thei n f o ~ a t i o nthey need to

.The nature of the organization and the work it ~ e ~ o r m s thod to choose. For example, gove~mentsfollow the pesbecause access to their i n f o ~ a t i o ncould pose a security risk to their ,most medium to small businesses use theo ~ t i ~ s tapproach ic because at would be useful to anyone o~tsidetheir or~ani~ation.

revents access to the shared directo~regard~essof o ~ eallo~ed r per~issiolls. Allows viewing of c o ~ t ~ n files e d and dir~ctories,loading of files, and execu~n

~ s s i o n plus s creating,d ~ l e t i nand ~ , c ~ ~ ~contained i n g directories and files. p e r ~ s s i o n plus s c ~ ~ file g s~y snt e ~ e ~ i s s i o and n s takin

Prevents any access to the directory and level full control.

Allows view in^ and browsing the direct or directoryp e r ~ i s s i o ~ s .

nes access

ined per-

securing files. Use the t use file system secu-

Id be reservedfor sharing h

~ de-

s s u c as ~ e ~ t i r he

licy, r in

iversal s ~ c u r i t ~ s e t tfor i n ~user s ac e forced toc

ass~ o rd as userm ~ srQtate t amo~~.

h

~

~

~

~

~ i ~ u assw r nword assword Agenever expires

Expires in x days Allow changes immediately Allow changesin x days elmit blank password

~ a s s ~ o at r dleast six ch~acters

At leastx c h ~ a ~ t e r s assw word Uniqueness

o not keep password history

e ~ e ~ten b ~assrwords

e m e ~ b exr passwords Account Lockout

N o account lockout

Account lockout selected

Accou~tlockout A~countLockout Account Lockout Lockout ~uration

Lockoutafter x bad logonattemptsLockoutafterthree attei~pts eset count afterx ~ n u t e s rever (until

bad l o ~ o n

~o~rs)

a d ~ nunlocks) . Select forever

uration n ~ n u t e s Forcibly disconnect remote elected users from sewer when logon hours expire

Not selected

Tied to logon hoursspeci~edwhen user account was created

Users must log on in order to change password

Selected

Select

Not selected *Sixty days would be ap e ~ i s s i b l epassword change rate onlyif strong passwordsare imple~ented.Strong passwordsmay only be implemented under~ i n d oNT ~ s4.0 at the domain controller. Strong passwords may be i~plementedusing the p sr;R II.dl I program available under service pack2 oftVindows NT 4.0. The strong passwords providedby p ~ s s f i l t . ~arlel further describedin the section on password filtering.

~ i n i s ~ ~ tori oban

Access this computer from network

Adminjstrators, Everyone

Add workstations to domain

No default group Administrators, Backup Operators, Server Operators

ack up files and directories ~ h a n g the e system time

Adminjstrators, Server Operators

Force shutdown froma remote system

Administ~ators,Server Operators

Load and unload device drivers

Ad~nistrators

Log on locally

Account Operators, Administrators, Backup Operators, Print Operators, Server Operators

anage auditing security and log

Ad~njstrators

Restore files and directo~es

Adminis~ators,Backup Operators, Server Operators

Shut down the system

Account Operators, Administrators, Backup Operators, fint Operators, Server Operators

e ownership of files or other directories

Ad~nis~ators

~ocesses(such as la~nching ap~lications)

thr nt from the other policies in that they are managed in~oduced in ~ ~ d o wWs 4.0. conve~entway to edit system policies that were previ

, which was

Files private to membersof the Admin department ~ s t ~ l applications ed to be run from the server C ~ ~ m ~ n lneerin~ Finance

to public Files

e domain v e ~the o n in e

Files private to theEnginee~ng global group Files privateto the Finance global group Files private to theM ~ k ~ t i n g global group

Res~arc~

Files private to the Research global group Applications that can be installed off the network onto local computers

temp

Files used by Windows NT and server resident software

User

~ o n t ~ nfor e r subdirectories private to each user The system directory containing ~ i n d o w NT s

directory is now shared in

No access is necessary. This directoryis not shared.

No explicit accessis necess~y. This directory is not shared.

onsarenotavailable

in the~

i for that ~ drive. ~

o

~

t ~ e nint an or-

each ~

e access.~ This ~

~

S

ctio

e Local

Members can administer domain user and group accoun~s.

Local

Members can fully administer the server and the domain.

Local

embers can bypassfile security to archive files.

Global

Members cana d ~ n i s t edomain r accoun~sand computers in the domain.

Global

st rights to all domain resources.

Global

All domain users are part of this group.

Local

embers have Guest access to the domain.This group shouldr e ~ a i n empty.

Local

Members can administer domain printers.

Local

A special goup for directory replication.

Local

Members can administer domain servers.

Local

Server users.

in the

users are a c c o ~ tatta s o not have an account.

input box,

uest

cco~nt~ in these

t in u n ~ o w npasswords. As with the field displays asterisks.

are both checked.

t ical users.

count, butit cannot be set.

0

S

the user can log on to the network ion date and theacco~nttype.

User accounts aread ~ n isteredwith the tive tool.

The follow in^ illustration showsthe process of creatin l ust r ~t i o~ ins this chapter assume that you have alre

thesystem,deleteeuser’saccount instea y all user preferences and p e ~ s s i o n sso , stem beforedel~tingthe account.

The process for del et in^ a user accountis as follows:

environment profiles allow the change of so e users that arelog file location basedon the c u ~ e nuser t or to mapa drive letterto a user’s a s e ~ eifr the person is log~ingon to a network. User e~vironmentprofiles also allow y es as each user logs on. This batch drive ~ a p p i n go sr for any other p S not use user environment profiles less the profile somehow dependson the user’s name, The od for ~ n n i n g p r o gautomatically. r~s

r.

in the text box. Replace the (S

and the user direc-

c ~ ~ aatnew e sh

etween ~ o l u ~duri es

cure environ~ent.

ng up too much space.

th function works

220

WINDOWS NT SERVER: SECURITY FEATURES

Profiles User profiles control Windows NT features such as desktop colors and settings, program groups and start menu settings, and network connections. Because these settings are different for each user, storing them separately allows users to customize and control their Windows NT environment. Bob will always log on to the same environment, even if Susan changes her wallpaper.

Local Windows NT stores each user’s settings in special directories contained in the Profiles directory under your Windows NT System W INNT-ROOT directory. Each user’s local profile is stored in a subdirectory named after the user. These directories contain all user-specific settings. A special directory called All Users stores the settings that are global to all users. Each profile contains many subdirectories. Applications such as Word and Excel store user preferences in the Application Data subdirectory so that shared copies of these applications can maintain different customized features for each user. NetHood contains persistent network connections. Many other directories may exist and contain other settings such as Start menu programs and program groups.

Roaming Roaming profiles are stored like the local profiles, except that they are stored on a Windows NT Server. Storing one profile on the server, instead of storing a local profile on each of the Windows NT computers that you use, means that changes to your environment will be in effect for all the computers you use rather than just the one on which you made the change. When specifying a roaming profile in the user settings for your user account, the profile is downloaded from the server every time you log on. Changes you make are then sent back to the server so that they will still be in effect the next time you log on and download the profile. Windows NT profiles affect only Windows NT. Logging on to a Windows 95 computer will not bring down the Windows NT roaming profile. You may want each user’s home directory to contain the user’s profile. The %username% environment variable can be used when creating User Directories to automate this process (see the list discussed earlier on the steps to create a user directory). To create a roaming profile, follow these steps: Select Start -+Programs -+ Administrative Tools + User Manager for Domains. Double-click Administrator. Click Profile. Type \\name-of-your-server\winnt\profiIes in the User Profile Path input box. (Replace name-of-your-server with the share name of your server and replace winnt with the name of your Windows NT directory share name.) If your Windows NT directory is not shared, use the following path: \\name-of-your server\c-drive-share\winnt\profiIes . 5. Click OK to close the User Profiles window. 6. Click OK to close the User window.

1. 2. 3. 4.

SUMMARY

221

7. Close the User Manager for Domains. 8. Log on as Administrator on another Windows NT machine in the domain to observe the results.

SUMMARY Just as providing service to network users is the primary purpose of a network, creating a coherent, secure, and useful user environment is the primary function of network administration. Windows NT Server creates such an environment by using group accounts, security permissions, user rights and policies, and network shares. Effective groups make administering large numbers of users easy. Rather than assigning permissions to individual users, you can assign rights to groups and simply indicate membership in different groups for each user. Windows NT will manage the combinations of rights for users with multiple group memberships. Security keeps resources from being exposed to unauthorized access. An optimistic security policy allows maximum access to information and secures only specific information. A pessimistic security policy secures all resources and grants access only where necessary. Both approaches are valid, and the choice will depend on the physical security environment. Windows NT supports two types of secured resources: network shares and file system objects. File system objects provide more control over security than shares do. When resolving conflicting file system and share restrictions, Windows NT chooses the most restrictive permission. Policies are the general security characteristics of Windows NT. Policy changes affect the entire system, not just individual users or groups. Windows NT implements four types of policies: Account Policies control access to user accounts, User Rights permit or restrict security-related activities, Audit Policy controls the auditing of user activity, and System Policy controls all other security-related system settings. Setting specific permissions for many users of a network can be an error-prone and time-consuming exercise. Most organizations do not have security requirements that change for every user. Setting permissions is more manageable with the security groups concept, in which permissions are assigned to groups rather than to individual users. Users who are members of a group have all the permissions assigned to that group. Windows NT implements two types of groups: those local to the machine and those global to the domain. Global groups are stored on the primary domain controller and replicated to all backup domain controllers. User accounts allow you to control security on a per person basis. Every person who accesses a Windows NT domain receives a user account through which identity is established to the network and by which permissions to resources are granted. Windows NT also provides two types of user accounts: accounts local to the machine and accounts global to the domain. As with groups, global accounts are stored on the primary domain controller and backed up to the backup domain controllers. User accounts can have logon scripts, home directories, and roaming user preference profiles to allow users to work comfortably at any computer in the network.

DOMAINS AND TRUST A domain is a set of computers with a central security authority, the primary domain controller (PDC), that grants access to a domain. Usually a domain also contains one or more backup domain controllers (BDCs) that provide distributed authentication services to continue authentication services in the event of failure in the PDC as well as load balancing for authentication services. As a rule many types of systems may join a domain, but the PDC and the BDC must be Windows NT systems because of the compartmentalized security they can offer.A domain can be set up to ease viewing and access to resources, to share a common user account database and common security policy, and to allow administrators to enforce a common security stance across physical, divisional, or corporate boundaries. Once users are authenticated to the domain, using either the PDC or a BDC, they can gain access to the resources of the domain, such as printing and file sharing, or access to applications across all of the servers within the domain. This concept of a domainwide user account and password eliminates the need for every machine to provide its own authentication service. Instead, the authentication processes are passed through to the domain controllers for remote authentication against that user account database. This allows machines to be dedicated to servicing individual applications or programs without the overhead of authentication. The primary function of the PDC is to maintain the security database. A read-only copy of this database is replicated to each BDC on a regular basis to maintain consistency in the environment. Because of the importance of maintaining the security database on the PDC and BDC, strict logical and physical access controls should be implemented. Trusts are one-way relationships that can be set up between domains to share resources and further ease administration. These relationships allow a user or groups to be created only once within a set of domains yet access resources across multiple domains. There are a number of trust models used to configure domains. The first is the single domain model with only one PDC and, by definition, no trust relationships (see Exhibit 5.10). The next model is the master domain model for companies who desire centralized security administration. In this configuration, all domains, known as user or resource domains, trust the master domain. The master domain maintains security resources for all of the domains within this structure. This configuration can support up to 15,000 users. There is one trust relationship for every domain that trusts the master domain (see Exhibit 5.11). The multiple master domain model is designed for larger organizations that desire some centralized security administration. With more than one master domain, administra-

222

DOMAINS AND TRUST

223

Exhibit 5.10 Single Domain Model

Exhibit 5.11 Master Domain Model

Exhibit 5.12 Multiple Master Domain Model

tion needs increase as a result of the need to create all network accounts on each master domain. The two master domains in this case trust each other, while the resource domains have one trust relationship with each of the master domains (see Exhibit 5.12). Finally, there is the complete trust model. This is designed for larger companies that desire totally decentralized security administration. This configuration presents considerable

o m ~ nhave s two-way trust relationships with each other. This concept essentially er-to-peer domains (see Exhibit 5.13).

tocols but alsois compliant .One of the top consideracols to install and use.Pro-

or challenge facedby operating system vendorsis how to m&e a secure, stanproduct while possibly relying on old, insecure protocols.This has been an onr all operating system vendors.Essenti~ly,Windows NT does not attempt to esses inany protocol,.~ o m p e n s a t controls, ~g such as theuse of link- or applicatio~-level enc~ption, may be a necessary additionfor secu~ty-conscious organi~ations.

oss business and in d u s~ yincreases, WindowsNT Server has come under ny than ever regarding possible security flaws and holes. Exhibit 5.14 examous attacks on the Windows NT Server operating system and the defenses put ts to mitigate them. has been vulnerable to various Denialof Service (DOS) and other atattempt to retrieve sensitive i n f o ~ a ~ or o nattempt to gain access with perthose that the attackers own. To provide a secure environment, Mithe formof patches and service packs. After being notified of the rosoft issues fixes. Exhibit 5.14lists some of the more widespread entified and the associated fix that has been released.

Anonymous User Connections (red button) is used to gain informationreg~dingthe administrative account and the network shares that are available.

Insert key into registry that prevents the anonymous user from making a network connection to the server: t.1KLM~~1stem\CurrentControI ~e~trict~nonYImou~*

D Value: l Remote Registry Access attemptsto gain access to the registry, either to retrieve passwords or to change system settings.

Remote registry access is prevented in Windows NT Server version 4.0by the additionof a Registry key. This key is presentby default in a new installation of Windows NT Server 4.0 but is not presentby default in Windows NI?Workstation 4.0. It mayalso not be present in a computer that has been upgraded from Windows NT Server 3.5 1. WI(LM~ystem\CurrentControISet\ControI ~ i p e ~ e ~ e r ~ ~ l n r e ~

Password Theft and Crackingis an attempt to capture hashed passwords and crack them in order to gain further accessto a system.

Increase password encryption in the SAM by applying the featuresof SP3. Remove onymous access to the system and tighten registry security.

Weak and Easily Guessed Passwords

Enforce a strong password policyfrom the domain controller usingp~ssfllt.dll.~ ~ s 5 f i i t . d isl available l from Service Pack2 onward. Rollback may be used as a Trojan horse, and it should be deleted from all systems.

con~gurationback to installation settings. GetAd~n-The GetAdnnin program was recently released from a Russian source. GetAdmin allows a regular user to geta d ~ n i s ~ a t i rights ve on the local machine.

A security hotfix to patch both GetAdmin and the follow-on issuehave been released byMicrosoft.

A follow-on to GetAdmin that may bypass the hot fix has just been released. Services running under System context could be used to gain access to the registry and other parts of the system as"

Run Services as accounts other than system wherever possible.

U ns ec~ edFilesystem access using either a DOS-or ~inux-basedtool gives accessto the NWS file system without any security controls,

Physically secure the server to prevent access to the diskette drive.

Server Message BIock(SMB) NetBIOS access. These access ports that are required for file sharing may present an access path, especially when exposed to the Internet orwhen used in conjunction with a Unix server~ ~ n n i the n g Samba toolset.

Apply Service Pack and 3 disable TCPand UDP ports 137, 138,and 139 on any server connected to an outside network.

,I

ttac

efense

Denial ofService Telnet to unexpected ports can lead to locked systems or increasedCPU usage. Telnet expects connections to be made to port 23 only. By default, WindowsNT does not support a telnet daemon.

Apply Service Pack 2 or 3.

This problem was resolved in SP2. The Pingof Death (large ping packet). An attack that has affectedmany major operating systems has also been foundto affect Windows NT. The Ping of Death is causedby issuing ping packets larger than normal size. If someone wasto issue the pingc o ~ a n d , specifying a large packet size (> 64 bytes), theTCP,” stack will cease to function correctly. This effectively takes the system off-line until rebooted. Most imple~entationsof ping will not allow a packet size greater than the 64-byte default; however, Windows‘95 and NT do allow this exception and can therefore cause or be vulnerable to such a system denial. A recent versionof this problem has affected Windows NT Server version4.0 SP3 systems that run IIS and are exposed to the Internet. This was due to a fragmentedand improperly formed ICMP packet.

A new hot fix has been released, post-SP3, called the icmp-fix.

‘SW?’ Hood Attack-A flood of TCP connection requests (SYN) can be sentto an IIS server that contains “spoofed” sourceDp addresses. Upon receiving the connection request, the IIS server allocates resources to handle and track new the connections. A response is sent to the “spoofed” none~stentIP address. Using default values, the server will continue to r e t r ~ s m iand t eventually deallocate the resources that were set aside earlier for theco~nection189 seconds later. This effectively ties up the server, and multiple requests can cause the IIS server to respond with a reset to all further connection requests.

Service Pack 2 provides a fix to this vulnerability.

Apply Service Pack and 3 the subsequent OOB-fix. Out of Band Attacks-Out of Band (OOB) attacks, in which datais sent outside the normal expected scope, have been shown to affect Windows W.The first OOB attack was identified after Service Pack 2 (SP2), and a patch was released that was also included in SP3. This attack caused unpredictable results and sometimes caused WindowsNT to have trouble handling any network operations after one of these attacks. Since the releaseof SP3, another problem has been identified network driver that caused Microsofr networking clients to remain vulnerable to variations of the OOB attack, coming from the Apple Macintosh environment. The OOB attack crashes theTCPm protocol stack, forcing a reboot of Windows N T . A subsequent hot fixwas released to counter this attack.

fense ~ e p ~ m e n tArpanet, ’s which was first created in the traffic was allowedon it for the first time. With commercial use and the subse~uentdevelopment of the hypertext transpo~protocol andthe World b that usesit, companies began to connect their corporate WANs to the Internet. visible co~ectivityand accessibility to corporate networks by large numbersof people have createda number of changes incorporate views of data security. The primary y short time,nontec~icalpeople started talking about one of aw~eness.In They also started as about the security of their connections. The hype and misinfo~ation su~ounding the Internet’sfeatures and risks have created the need for technology solutions and education about technology and security. Anyone can become a content publisher almost overnight. Sharing data with employees, strategic p ~ n e r scustomers, , and even competitors has become very easyto do. Naturally, this introduces or enhances the risks to an organi~ation’sdata.

he addition of Internet Information Server (11s) to the base ndows NT operating sysndows NT Server with new functionality as well as exposing Windows sks of the Internet. 11s is integrated with the Windows NT operating alternative to expandNT Servers toWeb servers for in ~ a n eand t the udes standard TCPm servers for FIT and Gopher. ThisWeb clienta method toutilize Windows NT to provide i ~ o ~ a t i to o npeople on the internal n e t ~ o r kas well as on the terne et. ell-known security risks associated with the Internet, and IIS alws NTto be exposed to them. However, becauseisIIS coupled with Windows Server, it allows for the use of the security features found in the operating system. applications and protocols have been developed ain~ ean m pto t limit S. A few of these applications and protocols have been explored in sections as an exampleof icrosoft’s role in Internet tec~ologies,As always, any system exposed to the Internet should be protected using multiple layers of security.

logerver offersfeatures such as site filtering, access control, request ging,multipleInternet pr support,caching,andremoteadministration.Thisapplicationalsointegrateswith theWindows NT operating system. The Proxy Server is an optional product, not included with the base operating system. The Proxy Server assists in preventing network penetration by masking the internal network from other external networks. Client requests can be verified tobe sure that they are coming from the internal network. I packets with destination addresses not defined are sing computers on theinternal network. This helps to prevent spoofcan limit accessto specified network addresses, address ranges, subnet masks, or Internet domains. The Proxy Server provides two levels of activity or secug. ~ser-levelauthentication is provided between the client and Proxy Server.

lines and the ~nte~et, se-de~icated c o r n

Or

eliminates the need on servers because

ensive, leased-line can be used over

o nhardware and so is a combination of the c o n ~ g ~ a t i of are five subtrees in the registry. es and their purposes areas fo eps all the con~gurationi n f o ~ a t i o nfor the specific eps each user's i n f o ~ a t i o nwho has ever logged on

the m a -

chine. ins in fo ~ a tio n p e r ta i~ n gto the Contains i n f o ~ a t i o npertaining only to the c u ~ e n t ns i ~ o ~ a t i o n p e to r t the ~ ~ nhard g changes hardware the user is chan~ingthe reg t-end tools to change the registry rather than c o ~ because ~ d the us

elp prevent users and others from causing problemsfor alues, inadvertently or otherwise. All users must have readacof the registry in order to function in the Windows NT environment o change all registry valuesor make new registry entries.

The registry supportsthree types of access p e ~ s s i o n s : ers can edit, create, delete, or take ownershipof keys. read any key value but makeno changes. Users canbe granted oneor more of ten specific rightsto a specific key. These ten specificrights are listed in Exhibit5.15.

Query Vdue

Read the settingsof a value entry in a subkey

Set Vdue

Set the value in a subkey

Create Subkey

Create anew key or subkey within a selected key or subkey

Enu~erateSubkeys

Identify all subkeys withinkey a or subkey

Notify

Receive audit notifications generated by the subkey

Create Link

Create symbolic linksto the subkey(s)

Delete

Delete selectedkeys or subkeys

Write DAC

Modify the discretionary access control list (DAC) for thekey

Write Owner

Take ownership of the selectedkey or subkey

Read Control

Read securityi n f o ~ a t i o nwithin selected subkey

techni~uesshould be used for securing the registry: isable remoteregistryediting

by verifyingexistence

or creating:

~~~

ecure the root keysas shown in Exhibit 5.16. ecure registry subkeysto limit the accessof the Everyone group as shown in Exhibit .l6 using the following keys and subkeys:

egistry Key

efadt Setting

HK€Y-LOC~L-~~CHI~E

HKEY-CL~55€5-RO~T

HKEY-USEFI5

Administrators: Control Full

Adminis~ators:Full Control

System: Full Control

System: Full Control

Everyone: Read

Everyone: Read

Administrators: Control Full

Administrators: Full Control

Creator/O~ner:Full Control

Creator/O~ner:Full Control

System: Full Control

System: Full Control

Everyone: Read

Everyone: Special Access (defined following)

ControlAdministrators: Full

No Change

System: Full Control Everyone: Read HKEY-CURRENl-U5ER

Adminis~rators: Control Full

No Change

System: Full Control User: Full Control HKEY-CURRENT-C~NFIG (Windows NT 4.0 only)

Ad~nistrators:Full Control

No Change

System: Full Control User: Full Control

*

Allow special access only to the Everyone group with only four of ns: Query Value, Enumerate Sublceys, Notify, and Read Control. NG: Using the Registry Editor incorrectly can cause serious, systemwide problems that may require reinstallationof Windows NT. Microsoft cannotg u ~ a n t e ethat any problems resulting fromthe use of the Registry Editor canbe solved. Use this tool at your own risk. *

Windows NTis designed to provide an operating system that could be used in many types of implementations, from local application servers and LAN file servers to r e ~ o t eaccess e ss e c ~ t desi~ned y servers and~ t e ~ e ~ i n t r aWeb n e t servers. WindowsNT has f ~ a ~ rfor to providethe user with choicesof a limited or extensive control implementation, depending on the business needs. Exhibit5.17 lists the features and their descriptions that either control or implement security,

The LSA is also referred as the security subsystem and is the heart of the WindowsNT ewer subsystem. TheLSA provides the following services: *

Creates access tokens during the logon process

*

Enables Windows NT Server to connect with third-p~y validation packages

0

Manages the security policy

*

Controls the audit policy

*

Logs audit messages to the event log

The SAM maintains the security account database. SA user validation services that are used by the LSA. SAM provides a security identifierfor the user and the security identifier of any groups that the useris a member of.S Kernel. The SAD contains informationfor all user and group accounts in a central location. It is used by the SAM to validate users. Duplicate copies of the SAD can reside on mu~tipleservers dependingon whether a workgroup or domain model is implemented and the type of domain model implemented. Passwords stored in the SAD are stored using a 128-bitc ~ p t o ~ a p h i c a lstrong ly system key. SIDSare createdby the security accountm ~ a g e during r the logon process, They are retired when an account is deleted. If an account name was created with the same name as an account that was previously deleted, theSEI created will bedi~erentfrom the§ID associated with the deleted account. The SRM is the WindowsNT Server component responsible for enforcing the access validation and audit generation policy held by the LSA. It protects resources or objects t'rom unauthorized access or modification. Windows NT Server doesallow not direct access to objects. TheSRM provides services for validating access to objects (files,~rectories,and so on), testing subjects (user accounts) for privileges, and generating the necessary audit message. TheS W contains the only copy of the access validation code in the system. This ensures that object protection is provided uniformly throughoutWindows NT, regardless of the typeof object accessed. Discretionary access controls provide resource owners the ability to specify who can access their resources and to what extentthey can be accessed. Access tokens are objects that contain infor~ationabout a particular user. When the user initiates a process, aofcopy the access tokenis permanently attachedto the process. ACLs allow flexibility in controlling access to objects and are a form of discretiona~access control. They allow users to specify and control the sharingof objects or the denial of access to objects. Each object'sACL contains access control entries that define accessper~ssionsto the object.

The interactive logon process is ~ i n d o wNT s Server’s first line of defense against unauthorized access. In a successful l process flows fromthe client system to the server sys exposing the user’s passwordin clear text overthe network. The entire logon processis described inan earlier section entitled “Logon Process.’’

Y

The Windows NT ServerEegistry is an access~controlleddatabase containing configurationdata for security, applications, hardware, and device drivers. The registry is the central point for storing these data. The registry contains all user profile information as well as the hashed user password. Windows NT Server auditing features record events to show which users access whichobjects, the typeof access a~empted, and whetheror not the attempt was successful. Auditing can be applied to:

S

*

System events suchas logon and logoff,file and object access, use of user rights, user and group management, security policy changes, restarting and shutting down the system,and process tracking

*

File and directory events suchas read, write, execute,delete, changing permissions, and taking ownership

*

Registry key access to subkeys

*

Printer access events suchas printing, takingfull control, deleting, changing permissions, and taking ownership

*

Remote AccessService events such as authentication, disconnection, disconnectiondue to inactivity, connection but failure to authenticate, connection but authentication time-out, disconnection due to ans sport-Ievel errors d ~ n the g authentication conversation, and disconnection due to inability to projectonto the network

*

Clipbook page events such as reading the page, del contents of the page, changingpe~lissions,and ch audit types

*

Events of significance canbe sent to a pa security and systems staff

Three logs record system-, security-, and a~plication-related events:

1. The system log recordserrors, warnings, or information generated by the Windows NT Server system. 2. The security log records valid and invalid logon attempts and events related to the use of resources such as creating, opening, or deleting filesor other objects. 3. The application log records,errors, w ~ i n g sand , i n f o ~ at i o n generated by application software, suchas an electronic mailor

database app~ication.

ibit

The size and replacement strategy can be modified for ofeach the logs. Each logged event’s details can be displayed.

roeess solation

Windows NT was designed to provide process isolation to prevent individual processes from interfering with each other. This is accomplished by providing each process with its own memory space withno access to any other process’s memory. This segregation of memory is also designedto prevent data from being captured fromthe memory space. There is an option to overwrite an individual user’s swap or temporary diskspace after logout to prevent anyone from reading that user’s temporaryfiles and data.

User Aecou~t~ e c ~ r i t ~

User account security policies are managed through the user manager and consistof account policies and user rights policies. *

Account policy controls theway passwords must be usedby all user accounts. The major account policy controls include m in i~ u mand maximum password age,~ n i m u m password length, password uniqueness, forcible disconnection beyond logon hours, and account lockout.

*

User rights policy allows the granted user to &ect resources for the entire system. The basic rights offered by Windows NT Server include access from a network, backing up, changing the system time, remoteforcible shutdown, local logon,ana aging the audit and security log, restoring files, shutting down the system, and taking ownership of objects. Windows NT Server ais0 contains many advanced rights.In total, there are twentyseven rights that may be assigned to users.

Windows NT Server offers two built-in accounts: the Guest account andthe Administrator account. These accounts were created for specific uses and are by default membersin a number of default groups. The Guest account is disabled by default. The user properties feature allows the administrationof user accounts, passwords, password policies, group membership, user profiles, hoursof logon, the workstations from which the user can log on, and the account expiration date. In addition, password filtering canbe i~plementedto increase the strength of password security policy. User profiles enable the Windows NT server to structure and manage the user’s desktop operating environment and present the identical environment without regard to the workstation. file This is loaded on logon. The user profile editor allows disabling Run in the file menu and disabling the Save Settings menu item, shows common groups, changes the startup group, locks program groups, restricts access to unlocked program groups, and disables connecting and removing connections in the print manager. Home directories can be assigned to each user for storage of private files.

Logon scripts are executed on logon by a user. They provide the network administrator with a utility for creating standard logon procedures. Groups allow an administrator to treat large numbers of users as one account. Windows NT Server utilizes two types of groups in its tiered administration model: *

Local groups are defined on each machine and can contain both user accounts and global groups. Windows NT supplies a number of built-in local group accounts.

*

Global groups are defined at the domain level and can contain only user accounts from the local domain but not from trusted domains. Windows NT supplies several built-in global group accounts.

In a WindowsNI7 network environmentit is possible to implement two different network models: the workgroup modelor the domain model.

Feat~re

*

The workgroup model allows peer-to-peer networking for machines thatdo not participate in a domain. Each Windows NT machine that participatesin a workgroup maintains its own security policy and SAD.

*

The domain model isan effective way to implement security and simplifya d ~ ~ s t r a t i oinna network environment. The domain allowsthe sharing of a common security policy and SAD.

~esc~ption The domain model establishes security between multiple domains through trust relationships. A trust relationship is a link between two domains causingone domain to honorthe authentication of users from another domain. A trust relationship between two domains enables user accounts and global groups to be used in a domain other thanthe domain where these accounts are located. Trusts canbe uni- or bidirectional and require the p~icipationof an ad~nistratorin both domains to establish each directional trust relationship.

ain Controllers

eplication

Windows NI7 Server provides domain authentication service through the useof primary and backup domain controllers. If communications to the primary domain controller break, the backup domain controllers will handle all authentication. A backup domain controller may be promoted toa primary domain controller if necessary. Windows NI7 Server uses replication to synchronize the SADs on various servers. This process is automatic. Replicationis not restricted to the SAD but can be used to create and maintain identical directory treesand files on multiple servers and workstations. The replication feature contains a security tool to control the import and export of files and directories.

The server manager tool enables the following types of adminis~ativeactivities: e

Display the member computersof a domain

e

Select a specific computer fora d ~ i n i s ~ a t i o n

e

Manage server properties and services, including start and stop services, and generate alerts

e

Share directories

e

Send messages to systems

These adminis~ativefunctions requirea d ~ n i s ~ a t i access. ve

TFS

NTFS is the more secureof the two writablefile systems supported by Windows NT Server. NWS is the only file system to utilize theWindows NT file and directory security features, is a log-based file system that offers recoverability in the of event a disk fault or system failure. The nextmajor release of the operating systemwill provide an option for file-level encryption. "he legal notice featureis provided to strengthen the legal liability of in~vidualswho may attempt to access a system withou~ authorization. The feature displays a message to the user &er the C T ~ L ~ ~ L keystroke T ~ ~ E combination L during the logon process. When the legal notice appears, the user must acknowledge the notice by selecting theOK button in the message box presented. Windows NI?Server has fault tolerance features that be canused alone orin combination to protect data frompot en ti^ media faults. These features are disk ~ ~ o r i ndisk g , duplexing, disk striping with parity, and sector hot-sparing. The Tape Backup enables backing up and restoration of files and directories. Backups can be full, incremental, d i ~ e r e n t icustom, ~, or on a daily basis for those files changed on the of daythe backup. The lastknown good con~gurationfeature allows the restoration of the system to the last working system con~guration.When used, it discards any changes to thecon~gurationsince the last working system configuration. This feature is automatically updated after any system boot. The emergency repair disk allows the restoration of the system to its initial setup state. The emergency repair disk can beif used system files are corrupt and the useris unable to recover the previous startup configuration. Securing thee~ergencyrepair disk is of utmost importance since it contains a copy of key pieces of the security accounts database. The Ul?S feature allows for the connection of a batte~-operated power supplyto a computer to keep the system ~ n n i n gduring a power failure. TheUPS service forWi~dowsNT Server detects and warns users of powerfailures and manages a safe system shutdown when the backup power supply is about to fail.

E ~ h i ~5.17 it (

~

o

~

~

~

~

e

~

)

Net~orkMonitor

The Network Monitor allows examination of network traffic to and from a server at the packet level. This traffic can be captured for later analysis, making it easier to troubleshoot network problems.

Task M a n a ~ ~ r

The Task Manageris a toolfor monitoring application tasks, key performance measurementsof a WindowsNT Server-based system. Task manager gives detailed i n f o ~ a t i o non each application and process running on the workstation, as well as memory and CPU user.It allows for the terminatio~of applications and processes. The performance monitor tool enables monitor the in^ of system capacity and prediction of potential bottlenecks.

Network Alerts

Alert messages can be sent to designated individuals. These messages can report on security-related events, such as too many logon violations or performance issues. This set of encryption APIs allows developers to develop

applications that willwork securely over nonsecure networks such as the Internet.

~oint-to-Point~ n n e l i n ~ otocol (PPTP) ~istribu~d Co~ponent Object Model( ~ C O M )

P P V provides away to use public data networks, such as the Internet, to create virtual private network connecting client PCs with servers. PPTP provides protocol encapsulation and encryption for data privacy. Windows NT 4.0 includes DCOM, formerly known as Network OLE, which allows developers and solution providers to use off-the-shelf and custom-created OLE components to build robust distributed applications. Most i~portantly,it utilizes Windows NT Server’s built-in security.It addresses a problem that was frequently associated with OLE applications trying to run as services under Windows NT: Windows NT Server’s built-in security did notlet OLE servicesc o ~ u n i c a t between e applications because most applications are launched from a desktop running a different security context from the services. Using DCOM, WindowsNT 4.0 now allows c o ~ u n i c a t i o ~ between different security contexts. The Windows NT diagnostic tool is used toe x ~ n the e system, including i n f o ~ a t i o non device drivers, network user, and system resources.

Services A d ~ n i s t r a ~ o ~

The Service Manager enables the access and administration of network and operating system services.

Feature

esc~ption

( emote Access Services

A d ~ ~ i s t r a t i Tools on

The M S administration tools control the remote connection environment. The following tools are used in M theS config~ationand ad~nistrationprocess: *

Network Settings enables the installation and configuration of network softwareand adapter cards andthe ports inw ~ c they h reside.

nte

*

Network Con~gurationcontrols theRA§ inbound and outbound protocols as wellas encryption require~ents.Each protocol has subsequent dialog boxeswith con~gurationand control features.

*

The Remote Accessa d ~ i n i s ~ a t i otool n enables~onitoringof rts, a~inistrationof remote access permissions, and on of any callback require~ents.

ITS is mWindows add-on to NT 4.0. Integration of TISNT with 4.0 allows IIS to have full use of NT 4.0 Server securityand directory services. The integration supports logging server trafik to NCSA Common Log File Format as well as any ODBC database. IIS provides Web, FTP, and Gopher services to the Windows NT system. Windows NT Server supports the TCPfiP protocol and IP address format. The TCPlIPCon~gurationtool ad~inistersTCP/IP as well IP routing, tradition^

to theG2 security standard.

t wrote a series of ~ a n u a l so omputer security over the nbow Series” of manuals different colorof cover. This how to desi n, build, choose, analyze, ando rate a trusted system, cember 1985 and discussedW criteria to use toev uals were subse~ue~tlyroduced that expanded the generalterns used mn .They are the Red book, which int book with relation to S, and the Blue book, which book with rel~tionto sub~yst~ms. book divides security into four S hile class Ais verified protectio and C2, controlled access prot follow in^ ~eas-~ecurity AccouPolicy, c~me~tatio~a system must able to be do i r e ~ e n t of s that fines what a system is evaluated agai~stthese crit n is created and used for the ev ~ u a tio the appropriate level of securi

S

of resource isolation.

ilure, access cone s ~ s t e mto enforce access controls toob-

3ce~ification,the source code of the systemis available for review as well as alldevelopment process. Some of the critical concepts to understmd are:

0 0

0

Out of the box many operating systems (including ndows NT) are considered insecure, C2 compliance may or may not meet an organization’s security need. A C2-level security configuration (this includes no floppy drive andno network connectivity) may be impractical or inappropriate to use in many organizations. There are other controls such as physical and ~onitoringcontrols that must be addressed for compliance but are not operating system components. Av~lability,which is often critical in mmy corporat~ environments, is not oneof the criteria for C2 ce~ification. An organization must assess the level of risk ~ssociatedwith the data they are attempting to protect, have a policy in place to define what security is appropriate level in their environment, and have monitoring controls in place d~termine to if the policy is being complied with. Using thesecrit~ria,a c o ~ p a n y capp~opriately m decide if the level of s e c u ~ tythey have implementedis too much, appropriate, or needs additional controls, such linkas level crypto~raphybetween a client and a server. In this t, the question is not “is product C2 certified” but “will this operatin lone or with additional M or t h i r d - p ~ ytools, meetthe security need

Cowarts, R.Windows lW4.0 Se~er-~orkstation ~nleas~ed. Sams ~ b l i s h i n g1997. , .~igratingto Windows ~ 4 . 0Duke . ~, and W., et al. ~indowslW Sewer 4: S e ~ u r iTrou~les~ooti~g, Windows lW Sewer 4 ~ n l e a s ~ e d . Grant, G., et al. Troubleshooting with Microsoft:G dows NT ~ ~ g a ~ i n e . Karanjit, S. Windows W Sewer ~rofessional Corporation. Windows NT ~or~sta~on W4.0: ~xplorethe N ~ weat tu res. S NZ’ S e ~ u rIssues. i ~ So ~ a r s o fCorp. t Sheldon, T. ~indowsNT S e ~ u~~a ni d~~ o o k . Sutton, S. A. Windows N ~ S e ~ u r i ~ Trusted ~ u i d eSystems, . 1997,

Microsoft Security(www.~icrosoft.co~sec~rity)

sk 1

System All servers the domain in Older servers, such All as Configurationshould beWindowsNT 3.51 WindowsNT3.5orLANLAN orhigher;no LANManagerManager,maysubjecttheshouldbe orWindows W serversWindows NT environmenttothe previous to version 3.5 l undue security risk. should exist within the domain.

W~ndowsNT and 3.5 ~ a n a g e servers r e l i ~ n a t e dfrom domain orupgraded i~ediately.

1

System latest Microsoft The service Configurationpacksand hot fixesshould be installed and properly configured. Service packs and hot fixes should be reapplied after each new software inst~lation.

Current versionsof the operating system contain processing and security enh~cements.Service packs correct bugs thathave been c o ~ u n i c a t e dto Microsoft. If the versionof the operating system is not current, there is an increased risk thatan unauthorized user may be able to exploit weaknessesin the operating system. Certain service packsand hot fixes require systemad~nistration intervention such as the running of an application or the manual entryof a registry key into the registry.

Obtain the latest service pack and hot fixes from ~icrosoftand properly install and configure the service packand appropriate hot fixes. The latest service packfor Windows NT3.51 is5, and the latest service pack for Windows NT4.0 is 3.

1

System Configuration

The systemkey feature of Enable the syskey option Service Pack 3 provides stronger encryptionof the SAM database. Enabling this option decreases the risk that password hashes will be cracked if obtained.A utility has been released that can extract the Windows NT password hashes even with syskey implemented; therefore, this risk is only mrtiallv mitigated.

The “system key” options of Service Pack3 (SP3) should be implemented.

T~chni~u~s Upgrade allLAN Manager and Windows NT 3.5 servers to Windows NT version 3.51or higher.

Verify, through discussion with the company and physical inspection, that each severis running the Windows NT operating system version 3.S1or higher. This document is only applicable and effective for said versions.

Verify, t ~ o u g discussion h with the company and physical inspection, that each severis ~ n n i n the g Windows NT operating system version 3.51 or higher. This d o cu ~ enis t only applicable and effective for said versions. During specific server reviews, refer file to verify the version of the operating system.

rowse the Microsoft home page and download the latest service pack. ~dditionaliy,view available hot fixes and determine which are necessary to install on target systems. Install the service pack and applicable hot fixes on a test machine to ensure compatjbility with existing applications. Ensure that the hot fixes are installed in the correct order by referring the to hot fix documentation and install only after thorough testing.

Determine, by searchingthe Microsoft home page, the latest available service pack and hot fix versions. Ensure that appropriate patches are installed on each Windows NT server. Confirm that procedures exist to update service packs and hot fixes as new versions are release and new software is installed on the system.

hotf~x.txtfiles to ensure that appropriate service packs and hot fixes have been applied. Confirm that procedures exist to update service packs and hot fixes as new versions are released and new software is installed on the system. Refer to guidance material and the Mjcrosoft home page to determine the latest service pack version and hot fixes available.

Determine, through discussion with Ensure the system key options are Determine, through discussion with the networkad~inistrator, if this installed by reviewing the setting the networka d ~ n i s ~ a t oifr this , option was considered. If syskey was of the ~ ~ L ~ ~ y s t e m \ C u r r e noption t was considered. If syskey was d e t e r ~ nto e ~be viable in this d e t e ~ n e dto be viable in this instance, examine the boot registry key. Ensure, in a test instance, verify that the proper c~~~ern~rne~. environment, that this feature is option is set in the registry: Isa.txt file and ensure the value co~patiblewith all installed ~~L~ystem~urrentControiSet\ applica~ions.After testing and ControlU5~~ecureboot. Ensure installation, update the repair disk. that sufficient regression testing to 1. Note thatSP3 will no longer be occurred on a machine outside of the Verify disketteis protected, if used. uninstallable. production env~onment. Choose one of the three methods Verify the choice of the key storage. for storing the system key: * obfuscated key on machine * obfuscated key on diskette * password protected key at boot

Verify knowledge of boot password for the key.

1

System The Primavy Domain Running applications on a PDCs should utilized be ConfigurationController(PDC)shouldnotPDCopensthePDC to any forauthentication and be utilized for other purposes vuln~rabilitiesthatexistinrelatedservicesonly. except those directly related that application. Additionally, to authentication, suchas if the PDC is used for other address assignment or name purposes than authentication, there is an increased risk that lookup. the server may not possess enough resourcesto perform both functions adequately.

1

System System services shouldbe Coll~guration running undera secured started, there are context. they when

2

Networking Workstation and time Restricting users based on ~orkstationand time restrictions should be workstations and time reduces restrictions should be enforced when possible. the risk that unauthorized enforced when possible for access will be obtained. These typical domain users. controls shouldbe enforced for users that utilizeonly one workstation during set hours of the day.

If services are allowed to interact with the desktop

No services should have the “Interact with the is desktop” check box an increased risk that domain checked. Services should resources may be not run undera global compromised. In addition, if account but rathera local the service is compromised, account. Accounts created the service will be running to run asa service should with too much authority. not be allowed certain rights such as LogOn Locally unless required.

~om~liance Assess~ent Tech~ques Verify that thePDC is onlyused for authentication by p e r f o ~ n the g following steps: l. Open server manager. 2. Select the PDC and choose Services. ..from the computer pulldown menu. 3. Review each running service to determine if it is usedfor a purpose other than authentication.

Verify that the PDCis only usedfor authen~cationby reviewing the <servername>.5ervic en su ~ n gthat only authentication related services are installed and started. Also,review the <servername>.pulist.txt file to ensure only authentication-related processes are running.

W e n services are startedthey should not have the allow service to interact with desktop option selected. Open server manager for each server in question. Open services from the computer pulldown menu. Double-click on each serviceand verify the settings for LogOn As.

Verify that services cannot interact with the desktopby performing the following stepsfor all servers in scope: l. Open server manager. 2. Open 5ervices. . fromthe computer pulldown menu. 3. Double-click on each service and verify that theAllow services to Interact wlth the ~esktop option is not selected.

Verify that services cannot interact with the desktopby revi~wingthe Services Report portionof <senrername>,uJinms~.~t and noting any services with a Service Account Nameof anything other than Localsystem or any services with a ServiceHag of Interactive.

When enteringnew users orto change existing users perform the following steps: l , Open User n nag er. 2. Open theUser P r o p e ~ ~by es d~uble-clic~ng on the usernarne. 3. Click theHours button. 4. Select the appropriate time and click theAllow and Disallow buttons as appropriate. 5. Click OK to confirm changes. 6. Click LogonTo button. 7. Verify user accessby stations.

Verify the user Logon hours by performing the following steps: l. Open User Manager. 2. Open u5er Properties by double-clic~ngon the users username. 3. Click the Hours button. 4. Verify that the hours listed in Blue meet corporate standards. 5. Click the Cancel button to close. 6. Click Logon To button. 7. Verify user access by stations.

Verify the user Logon hours and workstation restrictionsby reviewing <servername>.users.txt and d e t e r ~ n i n gwhether workstation or time restrictions are enforced for any system. on the

Ensure that allPDC servers are only performing authentication.

Allowable applications include DHCP, WINS, and DNS.

3

Networ~ng

Users should forcibly be Having users automatically Enable th disconnected from servers disconnected system from the acco~~t cl when their login hours when their time expires feature in account policies, ensures that network expire. resources will not be accessed unless the user is specifically authorized for access during those hours.

User M ~ ag em en t

All users and groupsin the domain should be known and documentedby the group responsiblefor maintaining the Windows NT environment.

If users and groups exist An inventory of users and within the domain that are not groups should be known or documented, there performed periodically is an increased risk that the and checked against an security of the domain may be approved listing of users compromised. and groups. If “rogue” users or groups are found they should be investigate^ ~mmediately.

User Management

All user and directory management should be performed through Windows NT native tools.

Certain versions of nonWindows NT native administration tools (Windows 95) create user accounts and user home directories in an insecure manner.

User Management

All user accounts should have an applicable, informative full name and description.

Requiring all users to have Add an applicable and descriptions and full names informative full name and minimizes the possibility that description to each user an extraneous, unneeded user account. accounts willbe created. Such a user could bypass system administration and be used for unfavorable purposes.

administration tools should be used to administer users and groups and create directories.

Enable the Forced account Dlsconnect feature in account policies by p e r f o ~ n the g following steps: 1. Open U i e r ~ a n a g e r . 2. the user pulldown menu. 3.

4. Click OK. 5. Select account from the

policies pulldown menu. 6. Select the~ o r c i ~ l y is connect remote users

7. 8. Close User ~ a n a ~ e r .

~ o ~ ~ l i a Assessment nce ~ech~ques

Compli~ce ~e~fication Tech~ques

Verify that the Forced account Disconnect feature in account policies has been enabled by p e ~ o ~ i the n g following steps: 1. Open User Manager. 2. Choose Select Domain. .. from the user pulldown menu. 3. Enter theAuthen~cation omain in the Domain: box. 4. Click OK. 5. Select Account. ..from the policies pulldown menu. 6. Verify that theForcibly dlsconnect remote users from server urhen logon hours expire check box has been checked. 7 . Click OK. 8. Close User Manager.

Verify that the Forced account Disconnect feature in account policies has been enabled by reviewing c5ervern~me>. pollcies.txt and ensuring that the “Force logoff when logon hours expire” controlis imple~ented.

Document all users and groups in the domain.Verify that all users are presently employed with the company by obtaining a list from Human Resources.

Compare user inventory with an actual employee list from Human Resources and verify that all users are current employees. Also determine if there are procedures in place to periodically check the users and groups in the domain against this listing.

Utilize native Windows NT adminis~ationtools to administer users and groups and to create directories.

Determine, through discussion with the network administrator and physical reviewof the system, which tools are used to administer the network. Ensure that all tools are designed specificallyfor Windows NT.

When creating users, fill in the full ame and Description fields for the new account in the User Manager.

Verify that all users havefull names and descriptions in the appropriate fields by viewing the usersin User Manager by performing the following steps: 1. ChooseSelect Domaln. .. from the user pulldown menu. 2. Enter the Authentication omain. 3. Click OK. View all users and verify that they have full names and descriptions.

Verify that logon hours are set for users.

Compare user inventory with an actual employee list from Human Resources and verify that all users are current employees. Also determine if there are proceduresin place to periodically check the users and groups in the domain against this listing. Determine, through discussion with the network administrator and physical reviewof the system, which tools are usedto administer the network. Ensure that all tools are designed specificallyfor Windows NT. Review cservername>.users.txt and verify that all users have applicable andfull names and descriptions.

No.

C a t ~ ~ o r ~ Control Objectives

Risk

3

User Management

Having all users with the same naming convention increases network security, as users can easilybe identified and accounts that do not adhere to the naming standard are easily identified. Setting up temporary accounts for con~actors,consultants, and vendors with an identifiable naming convention allows these accountsto be easily identified and purged if warranted.

3

Naming conventions should be established and followed for all user accounts. Naming conventions should cover end users, contractors, consultants, and vendors.

Name all user accounts in accordance with established n ~ i n g conventions.

accounts User User should only Having all user accounts Remove all user accounts Managementbeenteredinthe centrally administeredby from resource domains, Authentication Domain’s domain increases network servers, and workstations PDC and noton and move them to their security because resource workstations or servers. allocation can be controlled. respective au~entication The only accounts that should domain. exist outsideof the domain, on local workstations, are the built-in Guestand Administrator accounts.

Name all user accounts in accordance with established naming conventions.

Verify that all users are named in accordance with corporate policy by viewing the users in User ~anager by performing the following steps: 4. C h o o s e 5 ~ l e~~ o t m ~ i .n.. &om the user pulldown menu. 5. ~ u ~ e ~ t i c a ~ o 6. 7. View all users and verify that they have been named in accordance with corporate policy.

Move all user accounts from the Note whetherthe naming resource servers to the conventions providefor the ability to authentication domain by identify employees, vendors, and performing the following steps: temporary IDS. 1. Open User ~ a ~ ~ ~ e Verify r . that there are no user 2. Choose Select Domain. .. accounts on each server and from the user pulldown menu. wor~stationby performing the 4. Click OK. 5. Double-clic~user account. 6. Write down all visible info~ation. the Enter 3. 7. Close user information. 8. With the user account 4. highlighted select Delete from the user pulldown menu. 9. Click OK. 10. Repeat steps 5-9 until all 5.

..

1s.

enu. 12. 13. 14. Select Neu User. .from the userpulldo~nmenu. 15. Enter all user information. 16. Click Rdd. 17. Repeat steps 14-16 until all m

server on name. Verify that the only accounts listed are the Default Ad~nistratorand Guest accounts. Repeat steps 2-4 until all server and workstations have been verified. 6. Close User Manager.

Obtain a copy of the company’s user naming conventions and ensure they are being enforced on all user Note whether then a ~ i n g ~ conventions providefor the ability to identify employees, vendors, and temporary IDS.

~ern~me>.~sers.txt and ensure that end user accounts are only created in the Authentication Domain.

ain ~ontro~ler ~ e

~ o ~ t r~o~lj e c t i v e s

ory

~

~

~

t

y

sk

3

User Any account Inactive not that has accounts often are ~ a n a g e ~ e n t loggedintotheauthenti-used by intruders tobreakinto network. a If a useraccount cationdomain for an extendedperiod of timehasnotbeenutilized for some should be disabled. time, the account should be disabled untilit is needed. This minimizes the possibility that an unauthorized user will utilize the account.

3

User Accounts ~anagement

Disable allaccounts that have not been logged into in accordance with corporate standards. Industry guidelines state that if an account has not been used for 90 days, it is inactive. Enablean account only after being contacted by, and verifying, the useris appropriate.

of individuals who Having outstanding accounts Delete unneeded all no longer needed accounts, including vendor are no longer employed or that are do not need their accounts increases the risk of accounts, t e r ~ n a t e d deleted. be should unautho~zedemployees, access. and contractors.

~o~~liance Tech~que~

~ssess~ent

Disable stale user accounts by Verify that all inactive user accounts performing the following steps: have been disabledby performing l. At the command prompt, issue the following steps: the net user<User Name> 1. At the command prompt, issue command for each user. the net user<User Name> command for each user. 2. Note the last login time.If the account has not been logged 2. Note the last login time. If the into in a specified periodof account has notbeen logged time (in accordance with our into in a specified period of time best practices), this account (in accordance with corporate should be disabled. policy or out best practices), this account should be disabled. 3. Disable the accountby issuing the net user<User 3. Verify through the useof a tool when the last valid logon time Name./~ct~ve:no> was. Note: If a user often authenticates to aBDC rather than the PDC, then this proceduremay not provide the true last logon time. Remove unneeded user accounts from the authentication domain by performing the following steps:

~ o ~ ~ Ve~ficatio~ ~ ~ n c e T~c~ni~ue~ Verify that all inactive user accounts have been disabled by reviewing <servernarne>.user5;.txtfor accounts with a“ T ~ u e ~ a s ~ o g o n Time” that exceeds the corporate policy.

Verify that there are no unneeded Verify that there are no unneeded user accountsin the authentication user accounts inthe authentication domain by obtaining a listingof domain by p e r f o ~ i n gthe following recently departed employees from steps: 2. Highlight the unneeded 1. Open the User ~ a n a ~ ~ r . the HR department and ensuring that account and selectDelete the former employee’s account have 2. Review the list of users. from the user pulldown menu. 3. Discuss these users with the been removed or disabled from the network adminis~atorand 3. Repeat until all unneeded Authentication domain. This accounts have been removed. human resources to determine information can be found in the approp~ateness. appropriate < s e ~ e r n a m ~ ~ . users.txt file.

No.

Cate~o~

3

default User The Administrator The ~ d m i n i s ~ a tGuest and or Rename the default Administrator and Guest ManagementandGuestaccountsshouldaccountsareknowntoexist be assigned a strong accounts. Assigna strong on all WindowsBIT systems. Consequently, they are one of password to both the password and renamed the first accounts that an immediately after accounts. Addan account installation. named “Adminis~ator” intruder will altemptto use. The A d ~ i n i s ~ a taccount or on and assignit no user rights and no group Windows NT has all system rights and therefore shouldbe memberships. Having an the most protected account on account named the system. If these accounts Administrator with no user rights will aid intruder are not renamed,all an detection by writing to the attacker would have to audit log. accomplish is brute force guessing a password. Depending on other system settings, this might be easy to achieve in a relatively short period of time without being detected.

Control ~bjectives

isk

EN

Rename the default accounts by performing the following steps: 1. Using User ~ a n a g e r highlight the Rdminlstrator account. 2. Choose the rename option under theUser pulldown menu. 3. Enter a new account n ~ e , which conforms to corporate standards, in theChange box. 4. Click RK to confirm changes. 5. ~ouble-clickon the 6. d 7. S. 8. Choose NeuJ User from the User pulldown menu. 9. Enter A~~inistrator in the Username box. 10. Enter a full name in accordance with corporate e

.

11.

12. PassuJord boxes. the User Must e PassuJ~rd atnext box is not selected. 14. he PassuJord Never Expires check box. 15. Click the Groups box. 16. groups the under Of: box. 17. Remov~ button. 18. Click the OK button to confirm changes. 19. Click the Close button.

13. that

Co~pliance Assess~ent TechNques

Co~pli~ce Tech~ques

Vetify, with the network a d ~ n i s ~ a tand o r physical inspection, thatthe Administrator and Guest accounts have been renamed and assigned strong passwords.

Review <servername>.users.~t and ensure the default Ad~nistrator and Guest accounts are renamed. Also ensure the accounts have been assigned a strong password by executing LOphtcrack against the <servername>.passusd.txtfile if permitted.

A cracking program canbe used to determine if passwords exist and how strong they are. Some companies may not allow password cracking programs tobe run. In thatcase you may have to accept the word of the system manager regarding password strength.

Ve~~cation

ain ~ontroll~r ~ecu~ty

0.

3

Cate~ory

Control Objectives

default Guest account The User Management should be disabled immediately after installation.

sk The Guest account is known to existon all WindowsI W systems. Consequently, it is one of the first accounts that an intruder will attempt to use, If enabled,an attacker will attempt to login as the Guest and compromise the system.

Disable the default Guest account on all Windows NT systems. The account should remain disabled at all times.If the Guest account is needed for any types of services (i.e., printing), definea new account for that function,

By default, Windows NT 4.0 disables this account; however, a blank passwordis set. 3Replicator account The User Management should be adequately secured.

The Replicator account If the directory replicator should have a secure account and password used by usemame and password this account are not and should notbe allowed adequately secured, thereis an to override default increased risk that the securitypassword policy. The Replicator account should of the domain may be be a member of the compromised. Replicators group. (The Replicators group will not have “log on locally” or ‘‘access this computer over the network” userrightsonly “Log on as service.”)

Tech~~ues Disable the Guest account by performing the following steps: 2. Disable the a

changes.

Rename the Replicator account and secureit by performing the following steps:

2. Choose the rename option under the User pulldown menu. 3. Enter a new account ~ ~ which conforms to corporate standards, in theChange box. 4. Click OK to confiim changes. 5. Double-click on the Replicatoraccount.

Verify thatthe Guest accounthas been disabled by performing the following steps: 1. Open User Manager. 2. Double-click on the Guest account. 3. Verify that the Rccount Oisa~led check boxis selected.

Verify, through discussion with the network ad~nistratorand physical inspection, thatthe Replicator account has been renamed and assigned a strong password. Also ensure that the Replicator account is only a member of the Replicators group. These can be accomplished by performing the following steps: el. Open , User ~ a n ~ g e r . 2. Verify that an account named Repl~cator does not exist. 3. Double-click on the renamed Replic~toraccount, 4. Click on the Groups button. 5. Verify that this account is only a member of theReplicators group.

7. Ensure that the User Must

A cracking program can be used to determine how strong the password for this accountis.

Expirescheck box. 9. Click the Groups box. 10. Select all groups under the ember Of:box. 11. Click the Remove button. 12. Add the Repllcatoraccount to the replica tor^ group. 13. Click the OK button to confirm changes. 14. Click the Close button.

Some companies may not allow password cracking programsto be run. In that case you may have to accept the word of the system manager regarding password strength.

Co~~liance ~eri~cation Techniques Review <seTVername>.usefs.txt and ensure the Guest account is disabled.

Review <servername>.users.txt Replicator account security settings and ensurethe account hasa di~lcult~to-guess username, belongs only to the Replicators group, and is not overriding default account policies. Also ensure the account has been assigned a strong password by executing LOphtcrack against the <sen/ername>.passlud.txt file, if permitted.

rima^ ~ o m a i nCo~trollerSecurity

ry

Risk

Control Objectives

3

User Automatic logon options ~anagement servers should be not enabled.

3

User The default values Even for ~anagement automaticlogonshould present. password may be

for

not

There is an increased risk that Ensure the value of the an unauthorized user may AutoA registry key is to set 0. gain knowledge of a usernarne and password for the domain as the use of this option embeds the password of an account in the registryin clear text.

if automatic the logon Ensure that option is disabled, the default still exist in the registry.An unauthorizeduser may gain access to this key and compromisethe system.

the

Def~ultPa

Def~ult~~ d Def~ultD~ registrykeys do not exist.

ti0

Ensure the valueof the ~ following set to0 by p e r f o r ~ nthe

txt and ensure the value ~ U t ~ ~ ~ m ~ nisLset a to g 0. an

2. Select the hive: N~~inlagon. 3. Determine if the value of dm~nLogonis set to 0. 4. Close r e g e d t ~ ~ .

Ensure that the

keys do not existby p e r f o r ~ n g thefollowinrocedures:

Verify that the DefaultPassuJor~, do not exist by performing the following procedures:

2, Select the hive N~Winlagan, 3. Delete the keys mentioned above.

N~~~nlogan. 3. Verify that the keys mentioned above do not exist.

Review <sen/ernamer.uJlnlogon. txt and ensure the values DefaultU~erNam~, DefaultPass~ord,and DefaultDo~ainNameare blank.

o. 3

C ~ t e ~ o r ~ ~ontrol

Risk

Anonymous User Credentials Null The that users Logon ~anagement connect with the Null gives individuals a method of Credentials Logon shouldbe procuring every share and denied access to all systems username that existson the in the domain. system. In addition, group members~pscan alsobe Null session pipes should be discovered. With his disabled. info~ation, can attackers start brute force guessing passwords and attemptto compromise the system.

Add the regisbykey Re5tr~ct~nan~mau5 to the ~ ~ L ~ ~ ~ 5 t ~ m \ Cafltrai\L5~\po~ion of the registry. The value of this setting should be1.

Review the values on the null session restrictions registry keysin the ~KL~~~5tem\Curr~nt Note: Some softwaremay not C a n t r a l 5 ~ t 5 \ ~ e ~ i c ~ 5 \ function after these changes. f i a n m a n s e ~ e ~ Additionally, the abilityto ~arameterportion of the registry. change passwords may be lost. Ensure compatibilityby testing. Also, users may be unable to proactively change their password.

Com~liance ~s§e§sment Techniques Add the registry key n o n y m o u ~to the ystem\CurrentControl\ ontrol\LSA portion of the registry by performing the

Technique§

Verify registry the thatReview key R e ~ t r i ~ t A n o n y m has obeen uensure ~ the value added to the~ ~ L M ~ y s t e m \ furrentControl~et\ControlUSR portion of the registry by performing the following steps:

2. Select the key ~ K L ~ ~ y ~ t e m \ CurrentControl~et\ Control\LS~. 3. Verify that the registry key RestrictAnonymour:RE[;__D ~ 0 R O : ~isxlisted. l

7. Enter 1 in the Data: box. 8. Click OK. In addition, verify that the Null Sessions Access has been restricted by p e r f o ~ n gthe following steps:

CESS is set

the default.

to 1.

In addition, verify that the Null Sessions Accesshas been restricted by performing the following steps: 1. Open r e ~ e ~ t 3 ~ . 2. Select the hive M~ L M ~ S l E M \ CurrentControlSet~eric LanmanServeNJarameters. is set to 1. 4. Close r e ~ e ~ t 3 ~ .

cservern~m~>.i

Sk

4

Password The maximum password age Without forcing users to ~ a n a g e ~ e n t shouldbesetinaccordancechangepasswords,therisk withcorporatesecuritythatapasswordwillhavean standads andguidelines.unlimiteduseful life after Industryguidelinesstate days.

4 and

standards security

60

~

increased. ~ d uguidelines s ~ state 60 days.

~ n i ~ password u m Having an adequate password Set the m i n i ~ u m length should be set in length increases the difficulty password length in accordancewithcorporaterequired to guessapassword.accordancewithcorporate standards security guidelines.

Password The Ma~agement and

Industry ~uidelinesstate 7 characters.

4

Set the m ~ i ~ u password age in accordance with corporate security standards and guidelines.

Industry guidelines state7 characters.

Password The ~nimum password age Having this feature enabled Set the ~ n i m u m ~ a n a g e l ~ e n should ~ besetinaccordancepreventsauserfromchangingpasswordagein with corporate security theirnewpasswordbacktoaccordancewithcorporate the original password, thereby security standards and standards and guidelines. bypassing password theguidelines. Industry guidelines state3 uniqueness control, Industry guidelines state3 days. days.

guidelines.

ssessment For all servers, set the maximum password age parameterby performing the following steps:

e. This shouldbe set in accordance with corporate standards. 3. Click OK to confirm changes. Industry guidelines state 60 days. For all servers, set the~ n i m u m password length parameter by performing the following steps: l. Using User Manager, select the Rccount. .optionofthe Policies menu.

This should be set in accordance with corporate standards. 3. Click OK to confirm changes. Industry guidelines state7 characters.

For all servers, verify the maximum password age parameter by pe~ormingthe following steps: 1. Open User ~ a n a g e r . Select the Account. .Option under the Policies menu. Ensure that thePassword xpires in X days radio button is selected. View the number of days for the Maximum Password Age.This should be set in accordance with corporate standardsor our best practices. Click OK to exit.

Compliance ~ e ~ ~ c a t i o n Techni~ues Review <se~ername>. policles.txt for compliance with corporate polices relating to maximum password age. Ifno corporate policy exists, use60 days as a baseline.

<se~ername>. policies.txt for Compliance with Forallservers,verifytheminimumcorporatepolicesrelatingto password length parameter by minimum password length. If no performing the following steps: corporate policy exists, use 7 Open User Manager. characters baseline. a as Select the Account. ., Option under the Policies menu. Ensure that the A t Least X Characters radio button is selected. View the number of characters required for the Minimum Password Length. This should be set in accordance with corporate standards or our best practices. Click OK to exit.

Industry guidelines

state 60 days. Review

Industry guidelines state 7 characters. For all servers, set the minimum password age parameterby performing the following steps: l. Usi the the 2. Ent the Thi accordance with corporate standards.

Industry guidelines state 3 days.

For all servers, verify that the minimum password age parameter has been set by performingthe following steps: 1. Open User Manager. 2. Selectthe Rccount. ..Option under the Policies menu. 3. Ensure that the Rllow Changes in X days radio button is selected. View the number of days for the Minimum Password Age.This should be set in accordance with corporate standards or our best practices. 4. Click OK to exit. Industry guidelines state 3 days.

Review <se~ername>. policies.txt for compliance with corporate polices relating to minimum password age. If no corporate policy exists, use 3 days asabaseline.

262

APPENDIX 5 8

Windows NT Primary Domain Controller Security Review Program

No.

Category

Control Objectives

Risk

Control Techniques

4

Password Management

The password uniqueness should be set in accordance with corporate security standards and guidelines.

Requiring unique passwords prevents a user from recycling old passwords that may have been compromised in the past.

Set the password uniqueness in accordance with corporate security standards and guidelines. Industry guidelines state 6 passwords.

Industry guidelines state 6 passwords.

4

Password Management

The Service Pack Enhancement, passfilt, should be implemented to enforce strong password controls.

Having a high degree of password strength decreases the likelihood of passwords being guessed by intruders.

Enable passfilt so that not just lowercase letters are required for passwords. Be aware that with Windows 95 companies, passfilt does not enforce casesensitive passwords. Additionally, the error messages produced by passfilt are often unclear so administrators must stay alert. Finally, know that administrators can create their own dll with their own password rules.

APPENDIX 5B

263

Implementation Techniques

Compliance Assessment Techniques

Compliance Verification Techniques

For all servers, set the password uniqueness parameters by performing the following steps: 1. Using User Manager, select the Account. . . Option of the Policies menu. 2. Enter the number of

For all servers, verify that the password uniqueness parameters have been set by performing the following steps: Open User Manager. Select the Account. . . Option under the Policies menu. Verify that the Remember X Passwords radio button is selected. View the value entered in this field. This should be set in accordance with corporate standards or our best practices. Click OK to exit.

Review <se we mame>. policies. txt for compliance with corporate polices relating to password uniqueness. If no corporate policy exists, use 6 passwords as a baseline.

Industry guidelines state 6 passwords.

Review <servername> Isa. txt to ensure the value Notification Packages contains the passfilt.dl1 entry.

passwords for the Password Uniqueness. This should be set in accordance with corporate standards. 3. Click OK to confirm changes.

Industry guidelines state 6 passwords. For the PDC, enable passfilt by performing the following steps: 1. Open regedt32. 2. Select the Key HKLM\ System\CurrentControI\ Set\Con tro I\LSA . 3. Edit the Notification Packages value name. 4. Add passfilt to the Value name.

For the PDC, check for passfilt by performing the following steps: 1. Open regedt32. 2. Select the Key HKLM\ System\CurrentControI\Set\ Contro I\LSA . 3. View the Notification Packages value name.

If the Notification Packages value contains an entry of FPNW CLNT.d II, inquire with the company if this is required for connectivity between NT and Novel1 servers. Also, ensure that the FPNWCLNT.dl1exists within the system path and is properly secured. Ensure that the FPNWCLNT.dl1is the proper size, date, and version based on the service pack and any hot fixes that are installed.

ontrol ~bjectives

Sk

Password 4 The account lockout feature Locking out accounts after a ~anagement should be enabled,andthespecifiednumberoffailedfeatureandset related parameters shouldbe login attempts decreases the set in accordance with risk that user accounts will be corporate security standards compromised through brute force attacks. and guidelines. Industry guidelines state 3 bad logon attempts and to reset the counter after 1,440 minutes. Accounts should be locked forever or until an administrator manually unlocks them.

~ontrolT e c ~ n i ~ ~ ~ s Enable the account lockout the appropriate parmeters in accordance with corporate security standards and guidelines. Industry guidelines state3 bad logon attempts and to reset the counter after 1,440 minutes. Accounts should be locked forever or until an administrator manually unlocks them.

Password 4

The resource kit utility, ~anagement passprop, should be utilized to enable lockout on the Admi~stratoraccount overa network connection.

Password 4

The password for the The renamed Administrator ~anagement Administrator account account oneach server is the maintained oneach server most privileged account on should be changed in the system. Therefore, extra accordance with corporate care should be taken withits standards and guidelines and use. Changing the password be unique across all servers. periodically limits the useful life of any compromised passwords. Requiring unique passwords on different systems limits the exposure to the system if one adminis~atoraccount is compromised.

The Administrator account is Enable passprop’s susceptible to an infinite ~ m i n l a ~ ~ afunction. ut number of password guesses over a network connection unless passprop is implemented. Regardless, Administrators should not be able to “access this computer from the network,” but thisis a good supplemental procedure. Require that the password for the Administrator account on each serveris changed periodically and is unique for all servers.

~ o m p ~ a n ~c es s e s s ~ e n t

~ec~~ques

For all servers, verify the account For all servers, set the account lockout parameters by performing lockout parameters by performing the following steps: the following steps: 1. Open User Manager. I. Using User Manager, select 2. Select the ~ c c o u n t ...Option under the Policies menu. 3. Ensure the ~ c c o u nLockout t 2. Ensure the Account Lockout radio button is selected. option is enabled. 4. Verify the settings for Lockout After Bad Logon ~ttempts, Reset Count After Minutes, and Lockout Duration. These settings should be set in accordance with corporate settings shouldbe set in standards or our best practices. accordance with corporate 5. Click OK to exit. standards. 4. Click OK to confirm changes. Industry guidelines state3 bad logon attempts and to reset the counter after 1,440 minutes. Accounts should be locked forever or until an ad~nistratormanually unlocks them. From thec o ~ a n d prompt, type passprop/ a~minlockout.

Review <sENernam~>.polici compliance with corporate polices relating to account lockout.IC no corporate policy exists,use the following as a baseline: * Industry guidelines state 3 bad logon attempts andto reset the counter after 1,440 minutes. * Accounts should be locked forever or until an administrator manually unlocks them 1,440 minutes equals 24 hours.

Industry guidelines state3 bad logon attempts and to reset the counter after 1,440 minutes. Accounts should be locked forever or until an ad~nistrator manual~yunlocks them. Verify that pa55prop has been used to enable lockout of the administrator account overa network connection.

Review <SEN passproP.txt to ensure the Adminis~atoraccount lockout control is enabled.

From the command prompt, type P ~ ~ ~ and P ~view O the P results.

Change the passwords on the Ad~nistrator-levelaccount by performing the following steps: 1. Using the User Manager, open the user account that requires a change of password 2. Enter the ~e~ passwo both the PassuJord and the Confirm PassuJor~fields. 3. Click OK to close the User ProPE~ies.

Verify, with the network administrator and administrator equivalent users, that Administratorlevel account passwords are being changed in accordance with corporate security standards andare unique across all servers. In large multidomain implementations of WindowsN T , this maynot be a practical policy. An alternative might bea different password within different domains.

Review <servername>.users.txt and ensure the A d ~ i n i s ~ a t o r accounts are required to follow default account policies. Also review cservername>.passuJd.itxtand ensure theAd~inistratoraccount password hashes are unique across servers.

ectives 4

Password Managem~nt

4

Password Privileged user passwords Distribution privileged of M ~ a g e m e n t should not be widely account passwords multiple to dis~ibuted. the weakens users effectiveness of a stringent password policy and reduces user accountability.

4

Password User-level overrides user-level If ofoverrides of manage men^ passwordpoliciesshouldnotpasswordpoliciesareallowed, be enabled for any user there is an increased risk that accounts except for service unauthorized accessby users accounts. will be obtained.

4

Require all new user Password All new user accounts should Requiring new users to accounts to change their Managementberequiredtochangetheir change their passwordupon password on first logon, password on &st logon. login ensures that the There should not be generic temporary password will not or predictable passwords usedbe in use. Additionally, by as a new default. Each new having users create their own account should be created passwords, the chance of their with a unique and diEcult to remembering their password is significantly increased. determine password.

4

Password Controls should be Managementimplemented to ensurethe A d ~ ~ s t r a tpassword or is available for emergencies.

Default passwords supplied with software packages should be changed upon installation. attacks.

Application default passwords Change all default are widely known and application default typically initial targets for passwords upon applications. installation of The that risk unauthorized access willbe obtained is increasedif these passwords are not changed.

System adminis~a~ors should provide a mechanismto obtain the Ad~nistrator password inthe event of an emergency to reducethe risk of significant downtime. These passwords should be stored on and off site. They should residein a physically secure location.

Only distribute privileged account passwords to users who require this access for a legitimate business purpose. Each user with a privileged account should have a unique ID and password. Change Pas5ward and Password Never Expires user overrides of the default password policy.

Write down the Administrator password, place it in a sealed envelope, and keepit in secure locations, on and off site, in the event it is needed in an emergency.

Change the passwordson the a p ~ r o p ~ aaccounts te by p e r f o ~ i n gthe following steps:

Properties. Implement a procedure for distributing privileged account passwords to only users who require this accessfor a legitimate business purpose.

Verify, with the network ~ d ~ n i s t r a tand o r through physical inspection, that default application passwords have been changed in accordance with corporate security standards.

Review the account password distribution procedure.Verify that privileged account passwords are distributed onlyto those individuals with a legitimate business need for such access.

For all users, verify that the user overrides of default password policies have been disabledby p e r f o r ~ n gthe fo~lowing steps: 1. Open User ~ a n a g e r . 2. Double-click on the user open the user account. account. 3. Verify that the User Cannot Change Passu~ordand the P a s ~ w o r dNever Expires options are not enabled. If options are not checked. they are enabled,they should be unchecked to disable them. 4. Click OK to exit. 5. Repeat for all users 3. Click OK to confirm changes.

and ensure thatany default accounts are required to follow default account policies. Also review <sen/ername>.pa~suJd.txland ensure that these default accounts’ password hashes are unique across servers.

Review the account password dis~butionprocedure. Verify that privileged account passwords are distributed only to those individuals with a legitimate business need for such access.

For all servers, disable the user overrides of default password policies by performing the ~ol~owing steps:

Review csen/ername>.u and ensure there areno end user accounts that are allowed to override default account policies.

For all new users added to the Verify, with the network PDC7 require that they change admi~strator,that the User Must their password on initial login by Change Password at Next pe~ormingthe following step: Logon box is checkedwhen new 1. When creating a new user accounts are created. with the User ~ a n a g e r ~ t i l i t y , re the User Must

Inquire with the company regarding the proceduresfor creating new user accounts. Determineif the accounts are required to change their password on &st logon. Also review the <sen/ername>.users.txt for users who are required to change their password on next logon.

Establish a procedure for keeping the A d ~ n i s ~ a tpasswords or written down and ina secure location. Establisha second procedure for obtaining the passwords in the eventof an emergency.

Verify, through discussion with the network administratorand inspection of written policies, thata procedure exists for the storage and retrieval of the ad~inistrator password. Verify that this procedure is followed and that the passwordis stored in a secured location. Ensure that the retrieval processis known to seconda~/e~ergency administrators.

Verify7 through discussion with the network administratorand inspection of written policies, thata procedure exists for the storage and retrieval of the administrator password. Verify that this procedure is followed and that the password is stored ina secured location. Ensure that the retrieval processis known to second~y/emergency administrators.

ain ~ o n t r o ~ Sec~rity er

No.

~ate~ory

5

Group The Users local group Both the Users local group Add ~anagement should only contain the and Domain Users global global group are built into the local group. Domain Users global group group from the PDCof the system. All domain users are Authentication Domain. by default membersof the Domain Users global group. There is no need to have additional accounts inthe Users local group, and doing so increases the risk that a local system resource will be abused.

the Domain Users to the Users

5

Group user accounts, All with the Having all user accounts ~anagement exception of thebuilt-in contained within global accounts of Guest and groups increases network Administrator, shouldbe in security by simplifying global groups only. Global admi~stration.User accounts groups should be assigned to should never appear in local local groups. groups or have Access Control Lists (ACLs) withany The renamed Administrator object. account shouldbe the only user account in the Ad~nistratorslocal group.

Remove all user accounts from local groups and move them to a respective global group,

Control Objectives

Risk

~ontrolT e c ~ n i ~ ~ e s

The renamed Administrator account should be the only user account inthe Administrators local group.

~ech~~ues

Com~~ance ~eri~cation Techni~u~s

Add the Domain Users global group to the Users local group by performing the following steps:

Verify that the Domain Users global group is listed in the Users local group by performing the following steps: 1. 1. Open User Manager. 2. Choose Select Domain. ,. from the user pulldown menu. 2. Chooseselect Domain. . from the user pulldown menu. 3. Enter theserver n ~ intoe 3. Enter theserver or workstation the Damain box. ame into the Domain box. 4. 4. Click OK. 5. Double-click on the Users 5. Double-click on the Users Lacal Graup. Local Group. 6. Domain users should be 6. Verify that Domainusers is present. present as a member of Users. 7. If domain usersis not present, 7 . Click Cancel to close. click theAdd button. 8. Close User ~anager. 8. Select theAuth~ntication Domain in the List Names Frarn:box. 9. Highlight theOornaln Users Global group. 10. Click theRdd button. 11. Click OK to confirm the changes. 32. Click OK to close theLocal Group ~ r o p e ~ ibox. es 13. Close User ~anager.

Review cservername>.groups.txt and ensure the only end user accounts in the Users local group are those accounts contained within the Domain Users global group from the Authentication Domain.

Ensure that all user accounts are Remove alluser accounts from members onlyof global groupby local groupsand move them toa performing the following steps: respective global groupby 1. Open User Manager. performing the following steps: 2. Choose Select Domaln. . 1. Open User Manager. from the user pulldown menu. 2. Double-click on the appropriate Local Group. 3. Enter theserver orworks~tion name into theDomainbox. 3. Domain users should not be 4. Click OK. present. 4. If domain usersis not present, 5. Double-click on the Users click theAdd button. Local Group. 5. Select theAut~enti~at~on 6. Domain users should be present. Domain in theLlst Names 7 . Click Cancel to close. From: box. 8 . Close User Manager. 6. Highlight the Domain Users GIabal group. 7. Click theAdd button. 8. Click OK to confirm the changes. 9. Click OK to close theLocal Graup ~ r o ~ e ~box. ies 10. Close User ~anager.

Review <servername>.groupf;.txt and ensure that all end users accounts assignedto local groups are done so by the useof global groups.

ory

~ o n t r o~l b j ~ ~ t i v e s

Sk

5

Group User accounts should be Global groups simplify Create global groups the in Management logically grouped through network administration by Authentication Domain theuse of globalgroups in cont~ninglogical groups of andadd all applicableuser the Authentication Domain. users. Users should be accounts to these groups. grouped accordingto similar job functions, department, or access requirements.

5

Group Management

5

Group Each group should have a ~anagement descriptionprovided by the application or business manager.

Naming conventions should Global group names, which Name all local and global be established and followed can be easily identified, groups in accordance with for allglobal and local established network simplify na~ng ad~nistration.This increasesconventions. groups. Global groups should have different namingsecurity because nonstandard standards than local groups. groups can easily be identified. Groups shouldbe named in sucha fashion that the typeof group, group purpose, and/or department could be identified. Requiring all groups have to Add an applicable and descriptions ~ n i m i the ~ s i n f o ~ at i v ed esc~ p ~ ifor on possibility that extraneous, allgroups. unneeded groups will be created. Such a group could bypass systemadminis~ation and be used for unauthorized activities.

Tec~~ques Create global groups according to corporate policy and access needs and add all applicable users accounts to these groups.

Verify, through discussion with the Inquire withthe c o ~ p a n yregarding network a d ~ i n i s ~ a t and o r review of procedures for grantingusers access written policies, that global groups to resources. Ensure that these have been created and are utilized in procedures requirea ~ ~ ~ s ~ to a t o r s add end user accountsto global accordance with corporate policy. groups (in the Authentication Ensure compliance with said policies through physical inspection Domain), global groups to local groups, and local groups to resource via User Manager. permissions.

Name all groups in accordance with established naming conventions.

Verify, through discussion with the network a d ~ n i s ~ a tand o r reviewof written policies, that all groups are named in accordance withcorporate policy. Ensure compliance with said policies through physical inspection via User Manager. Note whether the naming conventions distinguish between local and global groups and provide for the abilityto identify employee, vendor, and temporary groups.

For all servers, providean applicable and informative description for all local groupsby p e ~ o r ~ the n gfollowing steps: 1. Using User ~aflag@r, open the appropriate Local GfRUp

Verify that all servers have an applicable andinfor~ative description for all local groups by p e ~ o ~ the n gfollowing steps: 1. Open User Manager. 2. Double-click on the Local Group name. 3. Verify that an applicable and informative descriptionexists in box. the D~~criptiRfl 4. Click OK to exit. 5. Repeat for each local group.

2. the D ~ s c r i p t ~ obox. n

3. Click OK to confirm the

changes.

Obtain a copyof the company’s group n ~ n conventions g and ensure that they are enforced on all local and global groupsby examining the <se~@rname>.grRup Note whetherthe n ~ i n g conventions ~stinguishbetween local and global groups and provide for the abilityto identify employee, vendor, and temporary groups.

and ensure thatallgroups havean applicable andi~ormative description,

ain ont troll er ~ e c u ~ t y

Risk

5

5

Backup Operators, The Group ~anagement

Group special The group Everyone ~anagement

Server Operators, Account Operators, and Print Operators local groups should only contain global groups that are authorized for this purpose.

Control Techniques

The Backup Operators, Server Add the authorized global Operators, Account Operators, groups to the Backup Opand Print Operators local erators, Server Operators, groups have several privileges Account Operators,and associated with them, such as Print Operators local the ability to log on to groups on each server in systems interactively. the Authenticationand ReTherefore, caution shouldbe source Domain and any exercised when adding users workstations in the netto these built-in groups. work environment. Having only global groupsas members of these groups helps to ensure that the groups will be properly restricted.

Using the special group shouldnotbeused.Using Everyone isvery broad and specialized groups will allow could inadvertently allowan the Administrator to have intruder to gain access to better control over files and system resources. directories. If more broad group naming is Note: Certain applications, required, the Authenticated as well as the Windows NT Users groupmay be used as a system directory, will not substitute for Everyone. function without the Everyone group in the ACL. This is more appropriatefor data directories.

Replace references to the special group Everyone with Domain Users or Domain application groups.

Note: Certain applications, as well as the Windows NT system directory, will not function without the Everyone group in the ACL. This is more appropriate for data directories.

Verify that the authorized global Review the <servernam groupsaremexnbersoftheBackup ~ r ~ u ptxts and . ensure that only Operators, Server Operators, authorized users are members of Account Operators, and Print these groups. Operators local groupson each server in the Authentication and Resource Domainand any workstations in the network environment by performing the following steps: l, l. Open User Manager. from the user pulldown menu. 2. Choose Select Domain. .. 3. Enter thes e ~ e name r in the from the user pulldown menu. 3. Enter theserver namein the 4. D ~ m a ~box. n: 4. Do~ble-clickon the Backup 5. C l p e r ~ tlocal ~ r group, 6. Select theautho~izedglobal 5. Verify that only authorized global groups are listed. 7. 6. Click the Cancel button. 7. Repeat steps 4-45 for the Server Click theCl# button, 9. Re eat ste S 4-43for the Clperator5group. 8. Close User Manager. 10.

Add the authorized globa to the Eackup Operators, Operators, Account Operators,and Print Operators local groups on each serverin the Authentication esource Domain andany worksta~onsin the network env~onmentby p e ~ o r ~ the ng following steps:

estrict default group access to application and system files and directories by p e ~ o ~ i the ng following steps: l. Open the ~ i n ~ o NT ws Explorer. . Right-click on the file or directory to set the security per~ssionsand select the properties option.

security p e ~ i s s i o n that s you select on all files and subd~ectoriesunder the selected directory, while the that all files containedin the directory have the selected security per~ssions. roup has access that you want to remove, doso by ~ i g h l ~ g ~ tthe i n gapplicable group and clicking

Verify, with the network a d ~ n i s ~ a t othat r , the special group Everyone has been replaced with Domain Users or Domain application groups. If more broad group narning is required, the Authenticated Users group may be usedas a substitute for Everyone.

Review < s ~ r v e r n a m e ~ . p e r ~ s
omain ~ o ~ t r o ~~l e er c u ~ ~

No.

Cate~o

5

Group Other than the built-in global Global groups simplify Delete global all groups Management groups, no global groups network a d ~ ~ n i s ~ a tby ion of should exist outside of thecontaininglogicalgroups authentication domains. users. There is no need to create global groups on resourcedomains.Doing so only decreases the ability of the network managerto effectively manage the network.

Control Objectives

Risk

Control T e c ~ ~ ~ ~ e s

(other then the default globalgroups)contained in resource domains and re-create them in the AuthenticationDomain.

emave button. "he special group everyone's permissions should be removed from all files and directories on the system.If all users require this access, it should be granted to theUsers Local Click theAdd button to include thea~plicablegroups to be grantedpe~issions. When you have selectedall the applicable groups, click Grant theTgpe of Access for each groupby ~ghlighting he hese Pefmlss~ansshould be set in accordance with corporate system standards. Click theCIK button to confirm these changes. After the security permissions have been changed, click the OK button to close the fileand directories propertieswindow.

ote: Certain appl~cations,as well as the WindowsNT system

directory, will not function without the Everyone group in the ACL. This is more appropriatefor data directories. Deleteallglobalgroups(other Ve~fy,throughdiscussionwiththe Review the < s e ~ ~ r n a m e > , thenthedefidultglobalgroups)network ad~nistratorand physical groups.txt and ensure no global containedinresourcedomainsandinspection,that no globalgroupsgroupsexist in nonauthentica~on exist re-create thethem in in resource the domains. domains. Au~enticationDomain.

Sk

5

Group Management

Access Control Lists (ACLs) In WindowsNT, only local Utilize local groupsto for filesand directories groups should be granted grant p e ~ i s s i o n to s files should only specify local rights to resources. All users and directories. groups as having access. should be placed in global ACLs should not specify groups, and global groups individual user accounts or should be placed in local global groupsas being groups. This ensures that the granted or revoked access. environment hasa s ~ c t u r e d method of adminis~ationand decreases the possibility that users will be granted excessive rights.

6

File System Access and ~anagement

The WindowsNT File System (NWS) should be used on all partitions. Additionally, there should be no unformatted spaceon the drive.

NTFS associates permissions with each file and directory. Using these permissions, different levelsof access can be granted or denied to different groupsof users. Under NT,file access is based solely on file permissions.

All File Allocation Table (FAT) or High P e r f o ~ a n c eFile System (HPFS) partitions should be converted to the Windows NT file system (NTFS). HPFS is not supported under WindowsNT 4.0. Any file systems in that format would haveto be converted during the3.51 to 4.0 upgrade.

6

File System Access and Management

Application and system directories should notallow Write, Delete, Change Permissions, orTake Ownership to users. The built-in special group should have no permissions.

Granting excessive permissions to applications could leadto their abuse or deletion.

Set the default permissions for users to beas restrictive as possible on application directories. Remove all permissions for the built-in special group of Everyone. If these typesof permissions are needed, create new groups that contain the appropriate usersand have the requiredpe~issions.

6

File System Access and Management

Data files shouldbe stored in segregated directories external to the application and system directories, possibly in the data owners’ home directories, or the applica~on-specifieddata directory.

Data files shouldbe placed in separate directoriesto help prevent the changingof directory permission levels that may accidentally flow down to executable program files. Itis also good practice to separate data from application files in order to grant the appropriate level of security for each type of file.

Separate application files from data files.

plianee ~ssessment

niques

Implement a procedure to utilize Verify thata procedure exists to .txt and ensure that ensure that permissions for files and local groups for granting p e ~ i s s i o n sto files and directories are only grated to local only local groups are granted access directories. groups. Make certain, through files to and directories. discussion with the system ad~nistrator,that this procedureis followed.

Verify that theNWS file systemis Review the <s being used and that there is no .txt and ensure that unformatted or nonpartitioned space drives revieweduse the ~ F ?fileS a d thatthere is no by performingthefollowingsteps:system 1. Open Disk ~ d m i ~ i ~ t r ~ t a r . unformatted or n o n p ~ t i o n e dspace. Issue the following command to 2. View thepartition infor~ation convert the FAT p ~ i t i o n to s S: At thecommandpromptandfilesystem for alldrives. enter the following command: Open Disk Administrator view to the partition informationand file system for all drives.

Implement a procedure to set default pel~issionsfor users to be as restrictive as possible on application directories and to remove all permissions for the built-in special group Everyone. If these typesof p e ~ i s s i o n are s needed, create new groups that contain the appropriate users and have requiredpermissio~s.

Determine, with the network ad~nistrator,the appropriate (most restrictive) levelof permissions for application and system directories. Verify that this level of access is granted. Ensure that the special group Everyone hasno file system permissions. Under certain circumstances, ensure thatnew groups are createdto manage relaxed permissions.

Determine, with the network a d ~ n i s ~ a t othe r , appropriate (most restrictive) levelof p e ~ s s i o n sfor application and system directories. Verify that this level of access is granted by reviewing

Impleme~ta procedure to place data files in separate directories from the application and system directories.

Verify thata procedure exists to ensure thatapplica~onand data files are segregated. Ensure, through physical inspection, that application files and data files are located in separate directories oron separate drives.

Verify thata procedure existsto ensure that application and data files are segregated. Ensure, through physical insp~tion,that application files and data files are located in separate directories oron separate drives.

ensuring that end users are not allowed excessive permissions to application filesand directories. Under certainc~cumstances,ensure that new groups are createdto manage relaxed permissions.

Control Techniques 6

File ~ y s t em Certain directories that Access and contain sensitive Windows ~ a n a g e ~ ~ nNT t system files shou~dbe secured (these directories are listed in theimplementatio~ checklist).

If unautho~zedusers gain

Restrict accessto sensitive access to sensitive system Windows NT directories files, they could executea (listed in the Trojan horse or createa denial implementati~nchecklist). of service on the P I X .

~ N p l e r n e n ~ ~Techniques on

CoNpliance As§e§sment ~ech~que§

Restrict access to the following directories by performing the following steps: 1. Open the WindowsNT Explorer. 2. Right-click on the file or directory to set the security permissions and select the Properties option.

Verify that permissionson the following directories comply with the recommendationsby performing the following steps: 1. Right-click on the directory in Explorer. 2. Choose Properties. 3. Select the Security tab. 4. Click the Permissions button. 5. Compare the current permissions to the r e c o ~ e n d a t io n s . 6. Repeat for all listed directories.

The following directories should be secured: C:\ c:\uJinnt\ C:~innt~y~tem3~

Directories: C:\

Reco~~ended Pe~issio~s: Ad~nistrators Full Control Server Operators Change Read Everyone Creator/Owner Full Control ControlFullSystem

C:\uJinnt\ C:\uJinnt~ystem3~ The following permissions should C : \ u J i n n ~ y s t e m 3 ~ r i v e r s be set: Reco~~ended Pe~issions: Full Control Ad~nistrators Ad~nistrators Full Control Server Operators Change Server Operators Change Read Read Everyone Everyone Full Control Creator/Owner Creator/Owner Full Control Full Control ControlFullSystem System 3. Click the Permissions button of the 5ecurity tab. 4. Select the Replace

Permissions on 5ubdirectories. and the Replace Permissions on Existing Filescheck boxes as appropriate.The Replace Permissions on 5ubdlrectorles will place the security permissions that you select on all filesand subdirectories under the selected directory, while the Replace Permissions on Existing Fileswill ensure that all files contained in the directory have the selected security permissions. 5. Click the OK button to confirm these changes. 6. After the security permissions have been changed, click the OK button to close thefile and directories propertieswindow.

Directories: C:\ C:\uJi~nt\ C:\uJinnt~yst C:\uJinnt~y~

ry 6

File System Access and Manage~ent

~ontrol~ ~ j e c t i ~ e s users gain The c : ~ l n n ~ y s t ~ mIf unauthorized ~ ~ \ canfig directory contains the access to this directory,they SAM, audit files, and other could view the audit filesor registry files. These should attempt to get access to the SAM if theycrash the server. be secured from unautho~zeduse.

Restrict access to the c:\wi canfi prevent unautho~zed access.

by

S:

l. Open the ~ i n d o w N s"

Explorer. 2. Right-click on the file or directory to set the security sions and select the rties option. '

The followingper~ssionsshould be set: Ad~nistrators Everyone Creator/Owner System 3.

4.

Full Control List Full Control Full Control

Verify that permissionson the Review the <servername> following directory comply with the c ~ e r r n ~ < ~ drive y~te~ reco~~endations by performing the Ietter>.txt and ensure the following following steps: permissions are in place for: l. Right-click on the directory in Explorer. Directory: 2. Choose ~ r o ~ e r t i e s . C:\uJinn~ystern3~~~nff~ 3. Select the 5ecurlty tab. ~e~omme~ed Pe~issi~ns: 4. Click the ~ e r r n i s s ~ o button. n5 Ad~inistrators Full Control 5. Compare the current List Everyone permissions to the CreatodOwner Full Control recommendations. ControlFullSystem 6. Repeat for all listed directories.

Directory: C:\uJinnt\systern3;?\rronflg

~ecommended Pe~issions: Ad~nistrators Full Control List Everyone Creator/Owner Full Control ControlFullSystem

select on all files and subdirectories under the

directory have the selected security permissions. 5. Click the OK button to confirm these changes. 6. After the security permissions e been changed, click the button to close the file and directories propertieswindow.

rimary ~ o r n a~i o~ ~ t r o l l ~ r

o,

C ~ t ~ ~ o r y Control ~ ~ j e c t i v ~

Sk

6

File System The c : ~ ~ n n t ~ ~ sIftunauthorized ~ r n ~users ~gain Restrict access to the Access and spool directorycontainstheaccess to thisdirectory, they ~ : ~ I n n ~ ~ ~ t ~ r n Management printer drivers and files. could gain access to printer spool directory to prevent These should be secured settings and drivers. unauthorized access. from unauthorized use.

6

File System The replication directories unauthorized If users gain Restrict access the to Access and contain login scripts, access to these directories, re~licationdirectories so they could gain access to user that only authorized users Manage~ent policies, and other usersensitive data thatis data, policies, and login have access. replicated among servers. scripts. That type of These should be secured information could contain from unauthorized use. password information or be replaced with Trojan horses.

. "

mplemen~tionTechni¶ues

Compliance Assessment Techniques

Compliance Verifica~on TechNques

Verify that permissionson the Review the <servername>. following directory comply with the perms<system drive letter>.txt recommendation by performing the and ensure the following following steps: permissions are in place for: 1. Right-click on the directory in Explorer. Directory: 2. Choose Properties. C:\luinn~y~em3~pool 3. Select the Security tab Recommended P e ~ i s s i o ~ s : 4. Click the Permissions button. Administrators Full Control 5. Compare the current Print Operators Full Control The following permissions should permissions to the Read Everyone be set: r e c o ~ e n d a t io n s . CreatorlOwner Full Control 6. Repeat for all listed directories. Full Control Administrators ControlFullSystem Full Control Print Operators Directory: Read C:~inn~ystem3~pool Everyone Full Control CreatorlOwner Recommended Pe~issions: Full Control System Administrators Full Control 3. Click the Permisslons Print Operators Full Control button of the fjecurity Read tab. Everyone CreatorlOwner Full Control rmissions on ControlFullSystem bdirectorles and the place Permissions on sting Flies check boxes as appropriate. TheReplace P e r ~ l s s i o n son Subdirectories will place the security permissions that you select on all filesand subdirectories under the selected directory, while the place Permissions on sting Files will ensure that all files contained in the directory have the selected security permissions. 5. Click theOK button to confirm these changes. 6. After the security permissions have been changed, click the OK button to close the file and directories propertieswindow.

Restrict accessto c:\luinnt;\system3~~pool by performing the following steps: I. Open the WindowsNT Explorer. 2. Right-click on the file or directory to set the security permissions and select the Properties option.

Restrict access to replication directories by performing the following steps: l. Open the WindowsNT Explorer. 2. Right-click on the file or directory to set the security Permissions and select the Propertles option.

Verify that permissionson the following directories comply with the r e c o ~ e n d a t io n by s performing the following steps: 1. Right-click on the directory in Explorer. 2. Choose Properties. 3. Select the Security tab.

Review the <servername>. perms<system drlve letter>.txt and ensure the following permissions are in place for the following directories: Directory:

C:\luinnt\system3~epi

Control Objectives

~mplemen~tiQn Tec~ni~uesCQmpliance Assessment Tec~niques The following directory permissions should be set: ~:\winnt~ystem3~epl

Ad~nistrators Control Full Server Operators Full Control Read Everyone Full Control CreatorlOwner Full Control System

4. Click the Permlssions button.

Recommen~edPermissions: Ad~nistrators Full Control ServerOperatorsFullControl permissions to the Read Everyone r e c o ~ e n d a ti o n s Creator/Owner Full Control 6. Repeat for all listed directories. ControlFullSystem Directory: Directory: C:\winnt\system3~~epl

5. Compare the current

Recommended Permissions: Recommended Permissions: Administrators Full Control Administrators Control Full C:\~innt\system3~epI\ ServerOperatorsFullControl Server Operators Change import Read Everyone Read Everyone CreatodOwner Full Control Full Control Administrators Creator/Owner Full Control ControlFullSystem Server Operators Change ChangeReplicator Read Directory: Network No Access Everyone Full Control CreatodOwner C:\winnt\systern3~~epl\im~ort ControlFullSystem Change Replicator Rec~mmendedPermissions: No Access Directory: Network A d ~ ~ s t r a t o r s Full Control Full Control C:\winn~y5tem System Server Operators Change C:\winnt\system~~epl\ Recommended Permissions: Read Everyone Administrators Full Control export Creator/Owner Full Control Server Operators Change ChangeReplicator Full Control Ad~inistrators CreatodOwner Full Control Access No Network Server Operators Change Read Replicator ControlFullSystem Full Control CreatodOwner ControlFullSystem Read Directory: Replicator Full Control C:\winnt\system3~epI\E?xport System Re~omme~ed Pe~issions: button of the 5ecurlty tab. Administrators Full Control 4. Select the Replace Server Operators Change Permissions on CreatodOwner Full Control Subdirectories and the Read Replicator Replace Permissions on FullSystem Control Existing Files check boxes as appropriate. TheReplace Permlsslons on 5ubdirectories will place the security permissions that you select on all files and subdirectories under the selected directory, while the Replace Permissions on Existlng Files will ensure that all files contained in the directory have the selected security permissions. 5. Click the OK button to confirm these changes. 6. After the security permissions have been changed, click the OK button to close the file and directories propertieswindow. 3. Click the Permissions

6

File System The Access and ~ ~ a ~

6

File System Access and Mana~ement

c : ~ i n n ~ ~ unauthorized ~If ~ ~ users rgain Restrict access the to of the directory contains a backup access to a backup copy ecopy ~ of ~the nSAM t and needs SAM, they canrun a to beprotectedagainstpasswordcrackerandpossiblyusers unauthorized access. guess user passwords.

The default system shares for tile systems shouldbe disabled and re-created under standard share security. The default admin level shares are:C$, D$. .. and Admin$.

~ : ~ i ndirectory n ~ so that only authorized have access.

Windows NT creates special Document the default ad~n~strative-level shares by shares and their directories. default thathave preset security levels. These shares provideaccess to therootDisablethem pe~anently level of each NI'drive and the if they are not required. NT system root directory. Re-create new shares to those directoriesif needed with appropriate permissions.

~

~

~

~

"

es Restrict accessto c : \ ~ i n n t ~ e p a i rVerify that permissions on the by pe~ormingthe following steps: following directory comply with the recommendations bypedorming the l. Open the WindowsNT following steps: Explorer. 1. Right-click on the directory in 2. Right-click on the file or Explorer. the security 2. Choose Prope~ies. and select the 3. Select the Securitg tab. tion. 4. Click the Permissions button. The followingpel~issionsshould 5. Compare the current be set: permissions to the recommendations. Ad~nistrators Change 6. Repeat for all listed directories.

p ~ r m 5 < 5 g s t edrive ~ letter>.~t and ensure the following permissions are in place for: Directory:

C:~~nn~epair Recom~ended Pe~issions:

Adminis~ators

Change

Directory:

C:\~inn~epair Reco~mended Per~issions:

A d ~ n i s ~ a t o r s Change as appropriate. TheRep1 ~ ~ ~ i r e c t o will r i e splace the security permissions that you select on all files and subdirecto~esunder the selected directory, while the ermissions on

that all files contained in the directory have the selected security permissions. these changes. 6. After the securityper~ssions have been changed, click the K button to close the file and directories propertieswindow. Disable the shares in the registry Verify the existenceof the default shares by checking theShare button under the Server Manager. 2. Select the Keg If none exist, verify the registry key by checking the valueof the ~wices\LanmanSeweh

5. Change value to0. 6. Click OK. Create new shares to these points if necessary,

The value should be0.

Review <s~wername>.~hares. txt to ensure only authorized users are allowed access to the shares.

o m ~ nont troll er ~ e c ~ ~ t y

No,

Cate~o~

Cont~olObjectives

7

Sensitive Permissions on shares must System not allow Write, Delete, Privileges and Change Permissions, or Take Utilities Ownership to the special group Everyone. Permissions on shares shouldbe equivalent to thep e ~ i s s i o n s on files within the share.

Risk Shares allow usersto access resources remotelyon the network. ~onsequen~y, care should be takenwhen granting share rights.In particular the default system groups should not be granted permissions thatwould allow members of these groupsto abuse the system.

Set the default~ e ~ i s s ~ o n s for the default group Users in accordance with permissions seton the files within the share. The builtin special group Everyone’s access should be removedon all share permissions.

Com~liance ~ssessment Te~hniques Verify that share permissions are Restrict share permissions by properly restrictedby performing the pedorming the following steps: following steps: 1. Using the Server Manager, highlight the applicable server 1. Open 5erver Manager. 2. Highlight the applicable server and select the shared and select the shared directories directories option under the option under theComputer Computer menu. menu. 2. Highlight the shareand view 3. Highlight the shareand view its its propertiesby selecting the properties by clicking the Propert~esbutton. Propertles button. 3. Click on thePermiss~ons button to view the Users who 4. Click on thePerm~ss~ons button to view theUsers who have accessto this share via have access to this share via the the network. network. 4. Click the Add button to include the applicable groups 5. Verify that only appropriate groups have been granted access to be granted accessto this to this share.Verify that the share and select the groups special group Everyone does not you wish to grant access to. have access. When you have selected all 6. Click the Cancel button to the applicable groups, click close. the OK button to confirm these 7. Repeat for all shares. additions. 8, Close 5erver Manager. 5. Grant theType of Access for each groupby high~ghtingthe applicable group and selecting the access from the Tgpe of Access box. These Permlss~onsshould be set in accordance with corporate system standards. 6. If the special group Everyone has access to the share, this access should be removed by highlighting the memberand clicking theRemove button. 7. Click the OK button and then the Yes button to confirm these changes.

C o m ~ l i ~Verification ce Techniques Review <se~ername>.shares. txt to ensure only authorized users are allowed accessto the shares. Permissions should onlybe granted to groups. The special group Everyone should notbe allowed access to the share.

o

~ ont troll ~ eri ~ e c~ u ~ t y

isk 7

Sensitive System Privileges and Utilities

8

~ ~ n t e n a n c e If standard user profiles are If standard profiles are and used they should be utilized they should resideon maintained on the PDC. the PDC, where their access Operations can be controlled and changes can be monitored. Having standard user profileson local systems can easily, lead to their modification, and/or abuse.

Access to sensitive system utilities should be removed from all users who do not require this accessfor a legitimate business use.

es

If useraccountsaregrantedRemoveuseraccess to access to potentially sensitive system utilities that do not utilities, there is an increased require this access for a riskthattheusermaygainlegitimatebusinessuse. i n f o ~ a t i o nthat could be used to compromise the securityof the domainor perform actions that may affect the security and productivity of the domain.

Move all standard user profiles, if implemented, to thePDC in the Aut~entica~ion Domain.

~ o ~ ~ l i aA§§e§s~ent nce Tec~ni~~es For all servers, disable the ability Verify, through discussion with the for normal users to access sensitive network administratorand physical system utilitiesby p e ~ o ~ i the n g inspection, that sensitive system utilities are properly restricted. following steps: 1. Open the Windows NT Sensitive utilities include: Explorer. 2. Right-click on the utility to be restricted and select the

ri~cation

and ensure the sensitive system utilities are properly protected.

Pal~dit.~x~

User Managerfor Domains Server Manager Resource kit utilities 4. Click the Add button to include the applicable groups Auditing tools to be granted security pe~issions. 5. Select the groupsyou wish to add to the security permissions. m e n you have selected all the applicable groups, click theOK button to confirm these additions. 6. Grant ihe Tgpe af Access for each group by highlighting

These per~ssionsshould be set in accordance with corporate system standards. 7. If the special group Everyone or the group Users have p e ~ i s s i o n to s the utility, they

these c h ~ g e s . 9. After the security permissions have been changed, click the OK button to close the file properties windo~s. ove all standard user profiles, if If standard profiles are used, verify, through discussion with the network i~plemented,to the PDC in the ad~inistratorand physical authentication domain. inspection, that all such profiles reside in the Authentication Domain and obtain the applicable policies and procedures.

If standard profiles are used, verify, through discussion with the network administrator and physical inspection, that all such profiles reside in the ~uthenticationDomain and obtain the applicable policies and procedures.

0.

Y

8

~ ~ n t e n a n c e Windows NT’s screen saver and should be enabled with the pera at ions password protection feature turned on.M e n not being used, accounts should be logged off from the system console.

Enabling theWindows NT screen saver with the password protection ~ n i ~ z the e schances thatan unattended servers and workstations will be broken into.

Enable the Windows NT screen saver with the password protection feature active.

9

Fault Tolerance Backup and Recovery

A disaster recovery plan should be setin accordance with corporate security standards and guidelines.

Without a properly con~gured and tested disaster recovery plan, the system is open to extended downtime.

Establish a proper backup rotation planin accordance with company policy. The registry mustbe backed up using a ~ r d - backup p ~ ~ tool or the regback utility from the resource kit. Backups should be cycled through an off-site storage location along with the copies of the emergency repair disks.

9

Fault Tolerance Backup and Recovery

An uninte~uptedpower supply must be used with all Windows NT PDCs. This will provide power for the system to be shut down in the eventof power loss or degradation.

Not using a W S will make the system more open to corruption and will increase the riskof losing user data in the eventof a power loss.

An ~ t e power ~ p ~ supply thatis fully compatible with Widows PIT should be used. Ushg Widows PIT-compatible UPS will allow for a graceful shutdown of the Widows PITsystem, ~ m i the~ g amount of system file c o ~ p ~ and o ndata loss.

l0

Physical Access

Two copies of the Emergency Repair Disk should be made with each placed in a physically secure location.

The Emergency Repair Disk contains criticali n f o ~ a t i o n referencing users andfile system details.This i n f o ~ a t i o ncould be d e ~m en t alif an unauthorized user obtainedit. Two copies of the disk shouldbe made: one for on-site storage and one for off-site storage. Both copies should be located in physically secure areas.

Create two copies of all critical WindowsNI? systems’ Emergency Repair Disk. Store one copy on site and another at a secure remote location.

Com~liance ~ssessment ~~ch~ques Verify that policies existto mandate Enable the native Windows NT thatpasswordprotectscreensavers screen saverby p e r f o ~ i n gthe areenabled on allmachines.Attempt following steps: on a l. Right-click on any blank area to disable the screen saver r a n d o ~ yselectedmachineandtheto of the desktop. option. PDC by moving the mouse or 2. Select thePrope~ie5 pressing akey on the keyboard. 3. Select theScreen Savetab of the Display Prope~~err Verify that you are promptedfor a password. box. 4. Select a screen saver from the pulldown box. 5. Click on the Pa55w~rd Protected check box and set an appropriate time to enable the security featureof the screen saver. 6. Click OK toclose theDl5play P r o ~ e ~ ibox. e5

txt and ensurethevalues screen§aver~ctiveand 1,

Note: Be sure to run RDISWS before backups are createdso that the Repair directoryis up to date.

Inquire with the company regarding policies and procedures for updating of the Emergency Repair Disk on periodic basis. Check the file dates in the repair directory to assure they are not outof date.

Inquire with the company regarding policies and procedures for updating of the Emergency Repair Disk on periodic basis.Review the <~e~ername>,dir<5y~t drive>.txt and ensure the dateson the files in the< ~ y ~ e ~ drive>:~innt~epair are current.

NIA

Inquire with the company regarding the controls in place to mitigate a loss of power. If the serveris protected by an individual U P S , inquire whether the UPS is integrated with Windows NI’ operating system. Then, ensure that the PDC is connected to a functioning U P S system.

Inquire with the company regarding the controls in place to mitigate a loss of power. If the serveris protected by an individual UPS, inquire whether the UPS is i n t e g r a t ~with WindowsNT operating system. Then, ensure that the PDC is connected to a functioning W S system.

Run RDISK and click“Create ~ e p a i rDirrk.”

Ensure that a procedure is in placeto create, update, physically secure, retrieve, and utilize the Emergency Reminder: RDISK only creates the Repair Disk. Verify that the default i n f o ~ a t i o non the disk Emergency Repair Disk exists, is not when the /S switch is not used. out of date, and is physic~ly secured. Ensure that proper individuals are aware of the recovery process.

Ensure that a procedure in is place to create, update, physically secure, retrieve, and utilize the Emergency Repair Disk.Verify that the Emergency Repair Disk exists, is not out of date, and is physically secured. Ensure that proper individuals are aware of the recovery process.

m y

~ontrol~ ~ j e c t i v e s

es

11

Au~ting, Logging, and Monito~ng

11

Auditing, Auditing should be enabled A hacker might be trying to Enable auditing for logon Logging,andforLogonandLogoff.guessa user’s password and and logoff, for both Monito~ng success system.the to accessgain and failure. Without auditing, this might go undetected.

1l

Auditing,Auditingshould be enabled Without auditing on files and Enable auditing for file Logging,and for FileandObjectAccess.objects,hackersmighthave and objectaccessfor ~onito~ng time enough to figure success out a and failure. way around compensating controls. For example, hackers might tryto access files they do not have read access to. In addition,it is possible to detect a virus outbreak if write access auditing for program files,

If network managers are It is important to note that If theWindows NT system being used, SNNlP should be SNMP should not be run with is equipped withSN installed in a secure fashion. the defaultc o ~ u n i t yknown ensure that the access to as“public.” This wouldbe a this service i n f o ~ a t i o nis potential security breach. The limited to daily monito~ng S ~ database P of errors and and alert w ~ i n g to s alerts must be protected if management. used in the Windows NT environment becauseit can contain informationon host or router operating systems, network interfaces, address translation, and protocol software. This i n f o ~ a t i o ~ could be used to compromise an environment by “spoofing” or “denial-of-service.”

.dl1extensions, is enabled.

C o ~ p l i ~Assess~ent ce Tech~ques Inquire with the company whether Verify that the defaultcom~unity Remove the default community SNMP is being used to monitor the “public” is not being used by “public” and input the correct server. IfSNMP is being utilized, name by p e ~ o r ~ the n g following p e r f o ~ n gthe following steps: inquire whether thec o ~ u n i t y 1. Open Control Panel. steps: Panel’s 2. Double-click the~ e t ~ o r ~ name has been changed from 1. Open Control “public” to adi~cult-to-guessname. applet. 3. Choose the1Servlces Tab. 2. 4. Double-click theSNMP service. 3. service. S. View the community settings. “public” Disable 6. Click OK. 4. the com~unityand enter the 5.

Verify that Auditing has been enabled for system logons and logoff by p e r f o ~ i n gthe following steps: 1. Open User Manager. 2. Select the Fiudlt option from the Policies menu. 3. Ensure the Audit These Events radio button is selected. Events button is selected. 4. Verify that both theSuccess 3. Enable both theSuccess and and Fallure check boxesfor Logon and Logoff auditing option have been selected. option. 4. Click the OK button to confirm S. Click theOK button to exit. these changes.

Review <senrername>.policies. txt to ensure auditingis enabled for successes and failures for logons and logoffs.

Verify that Auditing has been enabled for system file and object access by p e r f o ~ n gthe following steps: 1. Open User ~ a n a g e r . 2. Select theAudit option from the Policies menu. 3. Ensure the Audit These ents button is selected. Events radio buttonis selected. 4. Verify that both theSuccess Failure check boxes forFile and Failure check boxes for ct auditing and O b ~ ~Access File and Object Ficcess option. auditing option have been 4. Click theOK button to c o n k n selected. these changes. 5. Click theOK button to exit.

Review <servername>.policies. txt to ensure auditingis enabled for successes and failures for file and object access.

Enable the~uditiugfor system logons and logoff by performing the following steps: 1. Using the User Manager, select theAudlt option from

Enable theAuditi~gfor file and object accessby performing the following steps: 1. Using the User Manager, select theAudlt option from the Policies menu.

omain on troll er ~ecurity

0.

Cate~ory

Control

isk

Control ~ e c h ~ ~ ~ e s

1l

Auditing, Auditing failures should be Logging,andenabled for UseofUser ~ o n i t o ~ n g access Rights. have

A user might try taking Enable auditing ownership of filesthey do notUserRights to intoorder edit them. Or, a user who somehow got physical access to a PDC might try logging in locally, Without auditing, these events might not be detected.

l1

Auditing, Logging, and ~onitoring

If a user is granted access above what they deserve,it would be important to know who made those changes. Without auditing User and Group ~ ~ a g ~ m eit nwould t, be impossible toknow within Windows I?".

l1

Auditing, Auditing should be enabled If changes are made to the Enable auditing Logging,andforSecurityPolicyChanges.SecurityPolicy,whereusersSecurityPolicyChanges ~ o ~ t o r i n g failure. and success to access are granted resources they should not have been,it is important for an ad~nistratorto be able to determine who made those changes.

Auditing shouldbe enabled for User and Group ~~agem~nt,

for Use of failure only.

Enable auditingfor User and Group~anagement success and failure.

for

~o~~liance Tec~ni~ues Enable the Auditingfor Use of User Rights byp e r f o r ~ n gthe following steps: l. Using the User Manager,

~ssess~ent

Verify that Auditing has been enabled for Use of User Rights by performing the following steps: 1. Open User ~ a n a g e r . 2. Select the Audit option from the

txt to ensure auditingis enabled for failures for Use of User Rights.

2. 3.

4. Click the OK button to confirm these changes.

Events button is selected. 4, Verify that the Failure check box Use of User ~ i g h t s auditing option has been selected. 5. Click the OK button to exit.

Verify that Auditing has been Enable the User and Group Management byp ~ ~ o r the ~ n g enabled for User and Group ~ ~ a g e m eby n tpe~formingthe following steps: following steps: l. Using the User Manager, 1. Open User nager er. 2. Select the A ~ d ioption t from the 2. 3. 3.

4. Click the OK button to c o n ~ r m these changes.

Enable the Auditingfor Security Policy Changes bype~ormingthe following steps:

4.

5. Click the OK button to exit. Verify that Auditing has been enabled for Security Policy Changes by p e r f o ~ i n gthe following steps: l. Open User ~ ~ n ~ g e r . 2. Select the Audit option from the

3. d. 4.

auditing option. 4. Click the OK button to confirm these changes.

txt to ensure auditingis enabled for successes and failures for User and Group ~ a n a g e ~ e n t .

auditing option have been selected. 5. Click the OK button exit. to

Review < s ~ ~ e r n ~ m e ~ . ~ n l i ~ i e txt to ensure auditing is enabled for successes and failures for Security Policy Changes.

ll

Auditing? Auditing should be enabled Logging?and for Restart, Shutdown, and ~ o n i t o r ~ n g System.

l1

Auditing, Logging, and onito~ng

Only authorized users should Enable auditing for have the capability to change Restart, Shutdown, and the stateof a system. This System for success and activityshouldbeespeciallyfailure. scrutin~zedon all servers.

Auditing shouldbe disabled Process Tracking will not help Do not select successor for Process Tracking. much in determiningany failure for Process breaches. security It is more Tracking. useful for debugging a program that doesn’t function correctly. If used, Process Tracking will generate thousands of audit entries in a few seconds, thereby flooding the log.

C o ~ ~ l i a nAsse§§~ent ce Techniques

Techniques

Enable the Auditingfor Restart, Shutdown, and System by pel~ormingthe following steps: l. Using the User Manager, select theRudit option from the Policies menu. 2. Ensure the Rudit These Events button is selected. 3. Enable theboth the Success and Failure check boxes for Restart, 5 h u t ~ o and ~~, 5ystem auditing option. 4. Click theOK button to confirm these changes.

Verify that Auditing has been enabled for Restart, Shutdown, and System by p e ~ o r ~ the n g following steps: l. Open User Manager. 2. Select the Rudit option from the Policies menu. 3. Ensure the Rudit These Events radio button is selected. 4. Verify that both theSuccess and Fallure check boxes for Restart, S h u t d o ~ n ,and System auditing option have been selected. 5. Click theOK button to exit.

Review <sen/ername>.policies. txt to ensure auditingis enabled for successes and failures for Restart, Shutdown, and System.

Disable auditingfor Process T r a c ~ n gby performing the following steps: l. Using the User Manager, select theRudit option from the Policies menu. 2. Ensure the Rudit These Events button is selected. 3. Deselect both th ess and Failure che S for the Pracess Tr auditing option. 4. Click the OK button to confirm these changes.

Verify that Auditing has been enabled for Restart, Shutdown, and System by performing the following steps: 1. Open User Manager. 2. Select the Rudit option from the Policies menu. 3. Ensure the Rudit These Events radio buttonis selected. 4. Verify that both the Success and Failure check boxes for the Process Tracking auditing option have been deselected. 5. Click theOK button to exit.

Review <sen/ername>.policies. txt to ensure auditingis not enabled for successesand failures for Process Tracking.

~ o ~ t r~o~lj e c t i v e s

Sk

S

11

Auditing, Logging, and ~onitoring

Logs containing auditing i n f o ~ a t i o nshould be secured.

Audit logs may contain Logs should be secured to sensitive i n f o ~ at i o nabout prevent them from being the system and can be used toviewed or deletedby compromise the system.In unauthorized individu~s. addition, if logs are unsecured it would be possible to delete them in order to eliminate an audit trail.

11

Auditing, Logging, and ~onitoring

All audit files shouldbe archived and purged in accordance with corporate standards. will

Having all reviewed audit filesAfter audit files have been archived and purged ensures adequately reviewed in that if they are needed they accordance with corporate be standards the available guidelines, and atand sametimeguaranteesthatallauditfilesshouldbe unauthorized users cannot archived and purged. pursue the audit files to identify system patterns.

~ o ~ ~ l i aAssessment nce Tec~niques

~ o m ~ ~ a Ve~fication nce Tec~~ques

The Auditorsand System groups should haveFull Control of the following filesand no other permissions should be specified:

Verify that permissionson the Review the < s e ~ e r n a m e > . ~ e r m s following files comply with the <system drive letter>.txt and r e c o ~ e n d a t io n by s performing the ensure the following: following steps: 1. Right-click onthe file in Explorer. Files: 2. Choose Properties. c:~inn~ystem3~~nf~g\ 3. Select the Security tab. ~~PEVENT.Em 4. Click the Permissions button. c:\uJlnnt\Eiystern3Stconflg\ 5. Compare the current permissions 5ECEVENT.EVT to the recommendations. c:\Luinnt\l3ystem3~config\ 6. Repeat for all listed files. SYSEVEN1.M

Note: The System groupis a builtin special group,and the Auditors group will needto be createdby an administrator.

Files:

Reco~~ended Pe~issions:

c:\uJinnt\l3ystem32\config\ Read ~PP~ENT.EVT c:\Luinnt~ystem3~~onfig\ SECEVENT.Em c:~innt\Eiystem32\confl~\ SYSEVENT.EVT

Auditors System groups Change

Reco~mended Per~issions:

Read Review the audit filesin accordance with corporate standards and guidelines. Properly back up the audit logsand then purge them from the system.

Auditors System groups Change Ensure that policies exist to archive and purge audit files. Verify, through discussion with the network ad~nistrator,that these procedures are followed.

Ensure that policies exist to archive and purge audit files. Verify, through discussion with the network ad~nistrator,that these procedures are followed.

omain Contro~er~ecurity

No.

C

11

Auditing, Auditing of sensitive system Auditing access to sensitive Enable Windows NI' Logging, and and application filesand system and application files native auditing featureon directories shouldbe and directories increases the all sensitive systemand ~onitoring unauthorized and application that chances enabled. files accesstothesystemwillbedirectories. detected and terminated in a timely manner.

a

~

~

o Control ~ Objectives

Risk

Co~trolT e ~ h ~ i ~ u e s

~ l e r n e n ~ ~Techniques on

C o ~ ~ ~ aAssessrnent nce Tech~ques

Co~~li~ce Techniques

Enable WindowsNT native auditing feature on all sensitive system and application filesand directories. Identify these directories per the corporate standards. In addition, the following Windows NT system directories and files within should be audited:

Verify that the Windows NT native auditing feature has been enabled for all sensitive systemand application files and directories by performing the following steps: l. Right-click on the directory in Explorer. 2. Choose Properties. 3. Select the Security tab. 4. Click the ~uditing button. 5. Compare the current audit settings to the recommendations. 6. Repeat for all listed directories.

Review the <servemame>.perrns <system drive letter>.txt and ensure the sensitive system files are being audited for the following actions:

The following items should be audited:

Directories:

~ecommendedSettings: Write: Select Success& Failure Delete: Select Success& Failure

Write: Select Success& Failure Delete: Select Success& Failure Change Permissions: Select Success & Failure Take Ownership: Select Success& Failure

Those stated in the best practices, plus

Reco~mendedSettings: Write: Select Success& Failure Delete: Select Success& Failure

Change Permissions: Select Success & Failure Take Ownership: Select Success& Failure

~er~cation

Directories:

Those stated in the best practices, plus

Change Permissions: Select Success & Failure Take Ownership: Select Success& Failure

Objectives Control 12

ry

Risk

Control

ues

Auditing, Auditing of sensitive system Auditing access sensitive to Enable ~ i n d o wNT s Logging, and registry keys should be system registry keys increases native auditing featureon enabled. the chances that unauthorized all sensitive system Monitoring access to thesystemwill be registrykeys. detected and terminatedin a timely manner.

NT native Verify that the Windows auditing feature has been enabled for audi~ingfeature on allsensit~ve by system registry keys. Identifjr these all sensitive system registry keys keys per the corporate standards, performing the following steps: portions of the registry are being 1. Open r ~ ~ ~ d t ~ ~ . audited for the following actions: In addition, the followingkeys should be audited: u ~ i t ~.n.from ~ , the Irltys: Those stated in the best practices, 4. Compare the current audit plus settings to the ~ K L ~ ~ 5 T E ~ r e c o ~ e n d a ti o n s . The f o l ~ o ~items i ~ g shoul~ be ~ K ~ ~ D ~ W 5. Repeat for all listed keys. audited: HKCR Kf2Y.S: Set Value: Select Success ~ e c o ~ ~ e nSettings: ded Those stated in the best practices, Failure Set Value: Select Success& Failure plus Create Subkey: Select Success Create Subkey: Select Success& Failure Failure Create Link: Select Success & Create Link: Select Success & Failure Failure Delete: Select Success& Failure Delete: Select Success& Failure ~ e ~ o m ~ e nSettings: ded Write DAC: Select Success& Write DAC: Select Success& Set Value: Select Success& Failure Failure Failure Create Subkey: Select Success& Failure Create Link: Select Success & Failure Delete: Select Success& Failure Write DAC: Select Success& Failure

~

~

Control ~ e c h n i ~ ~ e $ 1l

Auditing, Logging, and ~onitoring

The event viewer should be If events a e ove~ritten allocated sufficient spacefor before they can be reviewed, audit logs. there is an increased risk that continuous unautho~zed activity may go undetected.

The event viewer should be allocated adequate disk space to store allaudit logs. The disk space needed should be based on size of the domain and review intervalsof the audit logs.

12 Security Unauthorized individuals There is an increased risk that Set the winreg registry Ad~nistration shouldnotbeallowedto an unautho~zeduser may key ~ e ~ i s s i oto n scomply Activities remotely edit the registry. gain knowledge about the with corporate standards. PDC anddomainandevenIndustryguidelinesstate attack the system with denial that only Adminis~ators of services or Trojan horses,if have full control. they can access the registry.

Verify that suflcient space is allocated for log files by performing the following steps: 1. Open Event Viewer. 2. Select Log ~ e t t i n g .~..from the Log pulldown menu. 3. Select appropriate logfile in the Set the log settings according to C ~ Settings ~ fornLo ~ corporate standards. The following box. are industry guidelines: 4. Compare current settings to the recomtnended settings. 5. Click Cancel. after 14 days) 6. Close Event Viewer. System: 1-2 MB (Overwrite after 14 days) Log: Security Application: 1-2 MB (Overwrite Settings: 5-10 M B (Overwrite after as needed) 14 days)

Set the amountof space thatis being allocatedby performing the following steps.

3. Click Close.

Log: System

ote: If a log is set in the above manner, for example, Security Log 5MB, 14 days, the log can be filled the first day, and no events would be logged for the next 13 days.

Log: Application Settings: 1-2 MB (Overwrite as needed)

Settings: 1-2 h4B (Overwrite after 14 days)

MaxSize and ensure adequate disk space is allocated Log: Security ~ e t t ~ n5-10 g ~ : M B (Overwrite after ~14 days)

14 days) Log: Application Settings: 1-2 MB (Overwrite as needed)

ote: If a log is setin the above manner, for example, Security Log 5MB, 14 days, the log can be filled the firstday, and no events would be logged for the next13 days. Log sizes should be based on the system including then u ~ b e of r users if logon and logoffis going to be tracked.

Log sizes shouldbe based on the size of the system including the number of users if logon and logoff is going tobe tracked.

Note: If a log is set in the above manner, for example, Security Log S M B , 14 days, the log can be filled the firstday, and no events would be logged for the next 13 days.

Secure thewinreg registry key by performing the following steps: 1. Open rege~t32. 2. Select thekey ~ ~ L ~ y CurrentControl5et\Control\

Verify an appropriate security setting on the winreg registry key by performing the following steps: ~ e m \ 1. Open regedt32. 2. Select the key ~ ~ L ~ y s t ~restricted m \ to only authorized users. CurrentControl5et\Control\ 5ecure~i~e5e~er~ ~ e ~ o ~ ~ e n ~ e d S e ~ t i ~ ~ : WinReg. Administrators: Full Control 3. Choose Permissions. ..from the Security pulldown menu. 4. Compare the permissions to the recommended settings. 5. Close regedt3~.

3.

ecurity I

per mission^ from

the pulldown menu bar. 4. The permissions shouldbe in accordance with corporate standards. Industry guidelines state: ~ d ~ n i s t r a t o rFull s : Control

R e ~ o ~ ~ e n Setting: ded Administrators: Full Control

on 12

ves

sk

Partsof the registry run With its default permission Set the Security A d ~ i ~ s ~ a t i oprograms n at startup should levels, any locally logged on R ~ f l ~ f l registry ce keys Activities ured to not allow user can change the value of permissions to comply u ~ a u ~ o users ~ ~toe dedit the ufl key topointto a withcorporatestandards the list of programs. Trojan horse program. This or industry guidelines. Trojan horse can be anything from malicious code to a program that, when run as a d ~ ~ s ~ aequivalent, tor dumps the password hash.

I ~ p l e m ~ n ~Tech~ques tio~

Comp~ance~ s s e s s ~ ~ n t Tech~ques

Secure theRun and Runonce registry keysby p e ~ o ~ i the ng following steps: l. Open regedt32. 2. Select the followingkeys inde~ndently :

Verify an appropriate security setting on the Run and R u n ~ n c registry e keys by performing the following steps: l. Open regedt32. 2. Select the appropriatekey. 3. Choose Perrnlssions. from H K L ~ ~ O ~ W ~ R ~ i c r o s the o ~Security \ pulldown menu. Windour~CurrentVersion\Run 4. Compare the permissionsto the r ~ c o ~ e n d settings. ed o ~ w ~ R ~ i c r o 5 o f n5. Close regedt32.

Windows\CurrentVer5i~n\ Run~nce

Kt?J)s:

Comp~anceV e ~ ~ c a t i o n Tech~qu~s Review < 5 e ~ e r n ~ r n e > . r u n . ~ t and ensure the following: KqS:

H K L ~ ~ O ~ W ~ R ~ i c r ~ 5 o ~ \

Windours\CurrentVersion~un

H K L ~ ~ ~ W ~ R ~ ~ ~ c r o ~ o Windours\CurrentVersion\

Run~nce

~ e c o m m ~Settings: ~ed

Creator Owner: Full Control

~ K L ~ O f f ~ ~ ~ ~ i c r oAdministrator: 5 o ~ \ Full Control

3. Choose Securitg I System: Full Control Windours\CurrentVersion\Run P ~ r r n i s s i o n from 5 the Everyone: Read pull-down menu bar. HKL~O~W~R~~crosoft\ 4. The permissions should be in Windour~CurrenWer~ion\ accordance with corporate unOnce standards. Industry guidelines state: Creator Owner: Full Control Administrator: Full Control System: Full Control Everyone: Read

5. Close r e ~ e d t ~ ~ .

Reeomme~edSettings:

Creator Owner: Full Control Administrator: Full Control System: Full Control Everyone: Read

ry

Control Objectives

Risk

Co~trol~ ~ c ~ ~ i ~ ~ e

12

Parts of the registry contain If an unauthorized user could Set the registry keys’ Security systemi n f o ~ a t i o n read these registry keys, they (listed in the A ~ s ~ a t i o sensitive n n Activities like performance data, the might gain access to sensitive i ~ p l e ~ e n t a t i ochecklist) logon process, and security system resources or be able to permissions to comply info~ation.Theseregistrylearninformationaboutthewithcorporatestandards configured should bekeys to industry guidelines. or PDC. not allow unauthorized users to edit the listof programs.

12

Security Certain registry keys should If an unauthorized user could Set the registry keys’ A ~ s ~ t i o ben secured to prevent read these registry keys, they (listed in the a implementation checklist) Activities unauthorized access to the might be able to launch PDC’s configuration. denial of service attack permissions or comply to horse. with corporate standards upload a Trojan or industry guidelines.

Secure the following registry keys Verify that appropriate security settings exist on the following registry keys by performing these independently: the 5ecurity pulldown menu.

4. Compare thep e ~ i s s io n sto the

r e c o ~ e n d e dsettings.

WindolusN~CurrentVersion\

and ensure the following:

Keys: HKL~O~UJAR~lCRO~Om UJIndolusN~urrentVerslon\ Pe~Lib HKL~oft~are~icorso~\ Windolu~N~CurrentV Set\C~ntroI\LS WKLM\Syste~\CurrentControI S e ~ e ~ i c e ~ a n ~ ~ n 5 Shares R e c o ~ ~ e n d esetting^: d

Wini~gon

4. The p e ~ ~ s s i o should ns be in accordance withcorporate standards. ~ ~g ~si ~t e ~~ state: i~es Creator Owner: Full Control Administrator: Full Control System: Full Control Everyone: Read

I

Creator Owner: Full Control Ad~nistrator:Full Control System: Full Control Everyone: Read

Reco~~ended Set~~ngs:

Creator Owner:Full Control Ad~nistrator:Full Control System: Full Control Everyone: Read

5. Close r Secure the following registry keys Verify that appropriate security settings exist on the following registry keys bype~ormingthese steps: indep~ndently:

..from the 5ecurIt.y pulldown menu. 4. Compare the p e r ~ s s i o n sto the recommended settings. 5. Close regedt.3~. 3. Choose Permissions.

PC (and all subkeys)

Review ~ ~ e ~ e r n ~ m e > . h k i m . t x t and ensure the p el ~ ssi o n son the values HKCR (all subkeys) HKL~O~WARE

H K L ~ ~ ~ U J R R ~ ~ l C ~ O ~ O RPC (and all subkeys) HKL~~O~WAR~lCRO5Om Windo~sN~CurrentVefsio~\ H K L ~ O ~ W A R ~ I C R ~ WindoursN~CurrentVerslon\ AeDebug

Control

ory

~ ~ j e c ~ ~ e s isk

Control ~echni~ues

C o ~ ~ l i a~~scsee s s ~ e ~ t Tech~~ues HKLM~DFFWflREWIlCRDSD~ WindowsM\Cum2ntVefsionWeDebug HKLM~DFTWflREWIlCRDSD~ WlndoursNnCurrentVersion\ Compatlbliity HKLM~DFTWflREWIlCRDSD~ WindowsNnCurrentVersion~rivers HKLM\SDFTWflREWIlCRDSD~ WlndowsNnCurrentVersion\ ~mbedding HKLM~D~WflflEWIlCflDSD~ WlndowsNnCurrentVerslonts

Industry guidelines state: Creator Owner: Full Control Adminis~ator:Full Control System: Full Control Everyone: Read

5.Close regedt3S. HKLM\SDFTWflREWIICRDSD~P~ (and all subkeys) HKLM\SOFFWflREWIICRDSDmWindouJs ~CunenWersion\ HKLM\SDFTWRREWIICRD NnCurrenWersionWeDebug

Creator Owner: Full Control Administrator: Full Control System: Fnll Control Everyone: Read HKL~DFTWflREUVIICRD5~~~indows NnCurrentVerslon\Compatibility

HKLN\SOFTWRREWIICRD5D~indows NT\CurrenWersion\Drivers HKLM\SDFTWRRRNICRQED~indows NT\CurrentVersion~mbedding

HKLM\SDFTWRRRMICRQSD~Window sNnCurrentVersion\Fonts HKLM\SOFTWflR~ICflDSD~Windows N72CunentVersion\Compatiblllty HKLM\SDFTWflflEWIICRDSD~Windows N~CurrentVersion\Font5ubstitutes HKLM\SDFTWflRRMICRDSD~indows HKLM~DFTWflREWIlCRD~Om NnCunentVersionMrlvers HKLM\SDFTWRfl~ICRDSD~indows WindowsNnCurrentVersion~ont NnCur~ntVersion~ontDriver~ HKLM\SDFTWflR~ICRDSO~Windows Drivers NnCunentVersion\Embedding HKLM\SDFTWflREWIICRDSD~indows HKLM~D~WflREWIlCRDS~m N~urrentVersion~ontMapper H K L M \ S D ~ W f l R R M I C R D S D ~ ~ i n d o w Windows~urn?nWefsion~ontMapper sNnCurrentVerslon\Fonts HKLM\SDFTWRRE\MiCRDSD~WindouJs HKLM~DFTWflREWIlCRDSD~ NnCurrentVersion\FantCache WlndowsNT\CurrentVersion~ontCache HKLE\/RSDFTWflflEWlICRDSD~Windows NnCunenWerslon~ontSubstitutes HKLM\SOFTWRR~ICRDSD~indouJs HKLN\SDFTWflR~lCRDSD~ NnCurrentVerslon\GRE_Initialize HKLM\SDFTWRRRNICRQSD~indows WindowsNnCurrentVersion\ ~CurrentVersion~ontD~vers ~flE-lnitialize NnCurrentVersion~Cl HKLMLSDFFWflRRNICRDSD~Windows HKL~DFFWflRRMlCRD~Dm NnCunentVersion~ontMapper WindowsNnCurrentVersionVvlCi HKLM\SDFTWflREWIICRD5O~indo~s N72CunentVersionWICIExtensions HKLM~DFTWflREWIlCflDS~m HKLM\SDFTWflRRNICRDSD~Windows WlndowsN~CurrentVersion\ ~CurreniVersion~on~Cache HKLM\SDFTWflRRNICRQED~Windows MCl~xtensions NnCurrentVersion~o~ (all subkeys) HKLM\SDFTWRREWIICRDSD~indows ~CunentVersion~RE-Initialize HKLM~DFTWflR~lCRDSD~ HKLM\SDF7WRRRNiCRD5O~lndows WlndowsNnCurrentVersion\Po~(all NnCurrentVersion\TypelInstaller HKLM\SDFFWflRE\MICRDSOmWindows subkeys) N72CurrentVersion~CI HKLM\SDFTWflREWIICRDSO~Windows HKLM~DFFWflR~MlCRD~DFn NnCurrentVersion~ro~le~is~ HKLN\SDFFWflR~lCRDSD~lndows WindouJsNnCurr~ntVerslon\ NnCunentVerslonWICIExtensions HKLN\SDFTWRRE\MICROSO~lndows Typellnstaller NnCur~ntVersion\Windows3,1~igration HKLM\SDFFWRREWIICRDSD~lndows HKLM~DFTWflR~lCflDSD~ Status(al1 subkeys) N T \ C u ~ e n t V e r s i o n(all ~ o ~subkeys) WindowsNT\CurrentVersion\Pr~flleList HKLN\SOFTWRflRMICRDSO~indows HKLM\SDFTWRREWIlCRDSD~Windows HKL~DFTWflRE\MlCRDSD~ NnCurrentVersion\WDW (all subkeys) N71CurrentVerslon\Typellnstaller WindowsNnCurrentVerslon\Wlndows HKLM~ystem\CurrentControlSet\ 3.lMigrationStatus(all subkeys) HKLN\SDFTWflflE\MICRDSD~1ndows Services\UPS N72CunentVersionV3rofileList HKL~DFTWflfl~lCflDSD~ HKEY-USER~.d~faul~ WindouJsN~CurrentVersin\WDW(ail HKLN\SDFTWflRRNICRDSD~lndows subkeys) are restrictedto only authorized users. N~CurrentVersion\Wlndo~s3,1Nigratlon Status (all subkeys) HKLM~ytern\CurrentControlSet\ Re~ornrn~l~ded Settings: Services\UPS HIII"\SDFTWflREWIICRDSD~Windows Creator Owner: Full Control HKEY-USERS;de~auIt NnCurrentVe~ion\WDW(all subkeys) Administrator: Full Control System: Full Control 1. Choose Securlty I Permissions HKLN\System\CurrentControISet\ Everyone: Read ServicesUPS from the pull menu bar. 2. The permissionsshouldbein HK~-USEfl~.default

HKL~DFFWflR~lCRDSD~ WindowsNnCurrentVerslon\Font Substitutes

accordance with corporate standards.

entries

12

Set the

1 anddelete any u s e ~ a m e c o n t ~ nwithin ed the registrykey ~ ~ f ~ u l t ~ ~ ~ r ~ ~

12

Security It should notbe possible to If users could shut down the Set the A ~ ~ s t r a t i o nshut down the PDC without PDC without loggingon, no ~ ~ t h ~ Activities logging on. audit trail would be created, entry with a value of 0. and unauthorized users might be able to shut the PDC down.

12

Security The system should notbe A d ~ ~ s ~ a t i oshut n down if the audit lo Activities becomes full.

12 audit

Security The last u s e r n ~ and eThere increased an is risk that A d ~ ~ s ~ a t i default on u s e r ~ should ~ e not an unau~horizeduser may Activities be displayed at login. gain knowledge of the companydomainnaminvalueof standards and a name to usein gainingaccesstothedomain last the username if is displayed at logon.

of

In some cases,it might be necessary to shut downthe server when the audit log becomes full, ensuring thatan audit trailis always in existence. However,it is not normally necessaryto enable this on a PDC.

Set the registry entry witha value of 0. A value of 1 should be set under certain circumstances to shut down the machine but is normally unnecess~y.

Security The auditing user all ofAuditing user allrights will Set the ~ ~ l i ~ f ~ ~ i i ~ Ad~nistration rightsshouldbedisabled.generateaverylargenumber ~ U ~ ~ registry t ~ fentry l ~ with a value of0. A value Activities user rights, including Bypass of 1 should be set under certain circumstances to traverse checking, are audit all user rights but is enabled. normally unnecessary.

Techniques Verify that theD o n t D l s ~ l a ~ L ~ s t Review <se~ername>. ~lnlogo~.txt and ensure the value ained within the registry key u l t ~ s e r ~ abymp ~e ~ o r ~ n g

to 1.

1. Open regedt3~'

of 0 by pedorming the following

S~~tdo~nWit~a to 0.

WithautLogan is

Verify that theCr~shOnRuditFail registry entryis set to a valueof 0 by

Review the < s e ~ e r n ~ m e > . l ~ txt and ensure the value C r ~ s h ~ n R u d ~ist Fset ~ to l l 0. and review the value FullPrivlegeRuditing.If it is a highly secure server, the setting should be 1; otherwise, it should be 0.

the Select

hive

Verify that the FullPrlvllegeAudltrngregistry entry is set to a value of 0 or 1 by p e ~ o r l ~ i nthe g following steps: 1. Open r e g e d t ~ ~ .

Note: Setting this value to1 greatly increases the numberof events logged in the Event Viewer.

ry

Control ~bjectives

Sk

Control Techni~~es

12 companies Security all If run Windows NT supports Administration Windows W,then only LanManager Challenge Activities Windows NT Challenge Response and Windows NT Response authentication Challenge Response should accepted. be authentication. Because the LanManager uses a weaker form of encryption, a hacker may potentially be able to crack the password hash if they sniff it asit traverses the network.

Set the L ~ C a m ~ ~ t ~ ~ ~ i ~ t y k v e l registry entry with a value of 2 if all companies run Windows NT, Otherwise, setit to a value of 1, which only sends the LM hash ifit is required.

12

~u~m~tC~ntral registry entry value with a of 0.

12

Security Only administrators should The schedule service could Set the Administration scheduling be jobs. unauthorized user Activities

potentially allow

an to execute malicious code as an ad~~strator.

Note: This requires the LM hot fix or Service Pack 4.

Security Individuals should only be Assigning individuals to the Grant individuals the Adminis~ation members of the minimum necessary rights Ad~nistratorsgroup may Activities grant them excess user rights.to perform theirjob Administrators groupif absolutely necessary. These excess rights may allow function by placing them Individualsmanagingfilesthem to performunwarranted in appropriateusergroups. and sharesshouldbeServeradministrativefunctions. Operators. Individuals managing accounts should be Account Operators. Individuals managing printers shouldbe Print Operators, and individuals p e ~ o r ~ backups ng should be Backup Operators. These accounts should not be allowed to log on locally except for Ad~nistrators and Backup Operatorsif backups of the PDC are not done remotely.

(Set to2 if all companys are Windows W) by performing the

Verify that the LNCompatibilit~Level registry entry is set to a valueof lor 2 by performing the following steps: 1. Open regedt32. 2. Select the hive ControlSet\Control~S~.

3. Verify that the key LN

Review <servername>.isa.txt and review the value LNCompatibilit~Level. If the environment being reviewedis strictly WindowsN T , the value should be equal to2. If the environment is mixed, the value should be equal to1.

is set to 1 Compati~ilit~Level or 2. 4. Close regedt32.

Verify that the~u~mitControl registry entryis set to a value of 0 by performing the following steps: 1. Open regedt32. 2. Select the hive

Review <servername>.l5a.txt and ensure the value SubmitCofltrolis set to0.

3. 4. Close regedt32.

Review the <E;ervername>. right5.Mand ensure only following: authorized usersare granted User Rights. Verify the following: Individuals managingfiles and Individuals managing files and Individu~s managing files and shares should be Server Operators. shares are Server Operators. shares are Server Operators. Individuals managing accounts Individuals managing accounts are Individuals managing accounts are should be Account Operators. Account Operators. Individuals Account Operators. Individuals Individuals managing printers managing printers are Print m ~ a g i n gprinters are Print should be Print Operators, and Operators, and individuals Operators, and individuals individuals p e r f o r ~ n gbackups p e r f o ~ n gbackups are Backup performing backups are Backup should be Backup Operators. Operators. These accounts should Operators. These accounts should These accounts should not be not be allowed to logon locally not be allowed to log on locally allowed to log on locally except except fora d ~ n i s ~ a t oand r s backup except for administrators and backup operators if backups of the PDC are for ad~nistratorsand backup operators if backups of the PDC are operators if backups of the PDC not done remotely. not done remotely. are not done remotely. After discussionof users and user roles with the network administrator, open User Managerfor Domains and ensure the following:

No.

Cate~or~

12

Security The Guest account should Adminis~ation not be able to view the Activities System EventLog and the Application Event Log.

12

Control ~ ~ j e ~ t i v e s

sk

Control Techni~~es

The System and Application Set the Event Log could contain ~ ~ S t f ~ C t ~ U ~ S t ~ C sensitive information about registry entry with a value the PDC that guests could use of l. to attack the system.

The “Access this Computer If an Administrator accountis Restrict who can access Security Ad~nistration from the Network” standard compromised, it would not be the PDC from the network. Activities user right shouldbe able to compromise thePDC restricted to ensure the PDC from the network. In addition, is secure from outside threats nonauthorized users will not andthat if Administrators be abletoaccessthe PDC accountsarecompromised,fromthenetwork. the entire domainwon’t be.

C ~ 5 5

Set theRestrictGuestAccess registry entry to a valueof 1 by p e r f o r ~ n gthe following steps: 1. Open regedt32. 2. Select the following hives independently:

MKLMUSMstem\CurrentControl SetUSe~ices\EventLog\ Applicat~on 3. Set the key Restrlct

C o m ~ l i ~Assessment ce ~echni¶~es

C o m ~ ~ a n ~erification ce Tech~¶ues

Verify that theRestrictGuest Access registry entry is set to a value of 1 by performing the following steps: 1. Open regedt32. 2. Select the following hives independently:

Review <servername>. event1og.M and ensure the values R e s t r l c t ~ u e s t ~ c c is ~ sset s to 1 for the system, application, and security entries.

ystemUurrentControISet\ )3ervice~ventLog\application

3. Verify that the key Restrlct~uestAccessis set to 1. 4. Close regedt32.

Verify who has the “Access this Computer from the Network” user right by performing the following steps: 1. Open User Manager. 2. Choose Policies from the pulldown menu and choose User Rights. .. 3. Scroll through theRights and tind Access this computer from the network. commensurate with corporate standards. 4. Verify that the list of usersis commensurate with corporate Industry guidelines state: standards and best practices. * Users 5. Click Cancel. * Server Operators 6. Close User Manager. * Account Operators * Print Operators Industry guidelines state: * Backup Operators * Users e Server Operators 5. Click OK on the new window e Account Operators to confirm changes. * Print Operators 6. Close User Mana~er. * Backup Operators

Restrict user rightsby performing the following steps: 1. Open User Manager. 2. Choose ~ ~ l l c i from e s the pulldown menu and choose r Rights. . I1 through the R~ghtsand find “Access this Computer I)

Review the <se~ername>. r l g h t s . ~ and t ensure only authorized users are granted the “Access this Computerfrom the Network” user right. The following guidelines can be used: * Users e Server Operators * Account Operators e Print Operators * Backup Operators

Sk

12

12

Control T@c~ni~u@s

Security The “Add ~ o r ~ t a t i to o nthe Users should not be adding Restrict who can add A ~ ~ s t r a t i o Domain” n standarduserrightmachines to thedomaincomputers Activitiesshouldberestricted to ensureunlesstheyareauthorized. that unauthorized users They might be able to add a cannot add miscellaneous domain controllerand machines to the domain. compromise the SAM.

The “Backup Filesand Security Directories” standard user There should A d ~ i s ~ a t i o right nshould restricted be Activities because anyone with this user right can bypass resource ACLs and readall files.

besegregation a Restrict of duties between backup files. Adminis~ators,users, and individuals who can back up files. Individuals with this user right can bypass the ACL, of a fileand read any file they want.

to the domain.

who can add

T e ~ ~ ~ ~ u ~ s Restrict user rightsby pedoming the following steps: 1. Open User Manager. 2. Choose Polkies from the pulldown menu and choose User Rights. .. 3. Scroll through the Rights and find “Add Workstationto the Domain.” 4. Edit the Grant To list tobe commensurate with corporate standards. Industry guidelines state: * Administrators * Server Operators

5. Click OK on the new window to confirm changes. 6. Close User Manager.

Verify who hasthe “Add Workstation to the Domain” user right by performing the following steps: 1. Open User Manager. 2. Choose Policies from the pulldown menu and choose User Rights. .. 3. Scroll through the Rights and find “Add Workstationto the Domain.” 4. Verify that the list of users is commensurate with corporate standards and best practices. 5. Click Cancel. 6. Close User Manager. Industry guidelines state: * Adminis~ators * Server Operators

Restrict user rightsby performing Verify who hasthe “Backup Files the following steps: and Directories” user right by 1. Open User Manager. p e r f o r ~ n gthe following steps: 2. Choose Policies from the 1. Open User Manager. 2. Choose Policies from the pulldown menu and choose pulldown menu and choose User Rights. . 3. Scroll through the Rights and User Rights. . find “Backup Files and 3. Scroll through the Rights and Directories.” find “Backup Filesand Directories.” 4. Edit the Grant To list to be commensurate with corporate 4. Verify that the listof users is standards. commens~atewith corporate standards and best practices. Industry guidelines state: 5. Click Cancel. * Backup Operators 6. Close User Man~ger. 5. Click OK on the new window to confirm changes. 6. Close User Manager.

Compliance Assessment

rig~ts.txtand ensure only authorized users are granted the “Add Workstation to the Domain” user right. The following guidelines can be used: * Ad~nistrators * Server Operators

Industry guidelines state: * Backup Operators

Review the <sewern rlghktxt and ensure only authorized users are granted the “Backup Files and Directories” user right. The following guidelines can be used: * Backup Operators

Control Objectives

Sk

Cont~olTechni~~es

l2

The “Change the System Accuracy of the system time Restrict who can change Security is a prerequisite for an auditthesystemtime. Adminis~ation Time’, standard user right should be r e s ~ c ~ because ed trail because knowing who ~ctivities anyone with this user right was accessing resources at a can change the system time, specified time could implicate which in turn could a user. The entire audit, event misconfigure the timeon all monitoring, and logging system is based on time and member servers. therefore requires that time not be tampered with. Security policies, suchas those for account lockout and expiration, are basedon the system time

12

Security The “Log on Locally” Individuals that interact with Restrict A d ~ n i s ~ a t i o nstandarduserrightshouldbethe PDCcanusuallygetwiththePDC. Activities restricted so that normal access very tosensitive users cannot interact with thesystem resources or create PDC. denials of service.

who can interact

Restrict user rightsby performing the following steps: 1. Open User Manager. 2. Choose Policies from the pulldown menu and choose

3. Scroll through theRights and find “Change the System Time.’’ 4. Edit the Grant To list tobe c o ~ e n s u r a t ewith corporate standards. Industry guidelines state: * Administrators * Server Operators S. Click OK on the new window to confirm changes. 6. Close User Manager. Restrict user rightsby performing the following steps: 1. Open User Manager. 2. Choose Policies from the pulldown menu and choose User Rlghts. . 3. Scroll through the Rights and find “Log on Locally.” 4. Edit the Grant To list to be c o ~ e n s u r a t with e corporate standards.

~ o ~ ~ l i a Assessment nce Tech~ques

~om~~ance Techniques

~e~lcation

Verify who has the “Change the System Time” user right by performing the following steps: 1. Open User Manager. 2. Choose Policies from the pulldown menu and choose User Rights. . 3. Scroll through theRlghts and find “Change the System Time.” 4. Verify that the listof users is co~mensuratewith corporate standards and best practices. 5. Click Cancel. 6. Close User Manager.

Review the <se~ername>. rights.txt and ensure only authorized users are granted the “Change the System Time” user right. The following guidelines can be used: * Admi~s~ators * Server Operators

Industry guidelines state: * Adminis~ators * Server Operators

Verify who hasthe “Log on Locally” user rightby performing the following steps: 1. Open User Manager. 2. Choose Pollcies from the pulldown menu and choose User Rights. .. 3 Scroll through theRig ts h and find “Log on Locally.” 4. Verify that the list of users is commensurate with corporate standards and best practices. S. Click Cancel. 6. Close User Manager. I

Industry guidelines state: * Ad~nistrators * Backup Operators (onlyif the backups are performed locally) Industry guidelines state: * Server Operators * Administrators * Backup Operators (onlyif the S. Click OK on the new window backups are performed locally) to confirm changes. * Server Operators 6. Close User Manager.

Review the <se~ername>. rightrj.txt and ensure only authorized users are granted the “Log on Locally” user right. The following guidelinescan be used: * Ad~nis~ators * Backup Operators (onlyif the backups are performed locally) * Server Operators

NO.

~ontrolObjectives

sk

~ontrol

es

12

Security The “Manage Auditing and A d ~ ~ s t r a t i o Security n Log” standard user Activities right should be restricted so that only designated auditors can view and delete the PDC’s logs.

There should be a segregation Restrict who can audit the PDC. between of duties Ad~nistrators,users, and individuals who can audit the PDC’s logs. Since individu~s with this right can clear a security log, they have the ability to attemptan attack on the system and then delete the log, althougha security control inherent in WindowsHT is that theErrst entry in the new log states that the old was log cleared and by whom. Only authorized individu~s,such as the Security Officer or the Internal Auditor, should be given this right. Those typesof individuals should be members of an Auditors group.

12

Security The “Restore File and Administration Directories” standard user Activities right should be restricted because anyone with this user right can bypass resource ACLs and read and write toall files.

There should be a se~regation Restrict who can add of duties between restore files from backups. Administrators, users,and individuals who can restore files. ~ndividualswith this user right can bypass the ACL of a file and read or writeto any file on the PDC.

Restrict user rightsby performing the following steps: 1. Open User Manager. 2. Choose Pollcies from the pulldown menu and choose 3. Scroll through the Rights and find “Manage Auditing and Security log.” 4. Edit the Grant To list to be c o ~ e n s u r a t ewith corporate standards. Industry guidelines state: * Auditors (must be created) 5 , Click OK on the new window

to confirm changes. 6. Close User Manager. Restrict user rightsby performing the following steps: l. Open User Man~ger. 2. Choose Pollcles from the pulldown menu and choose User Rights. .. 3, Scroll through the Rights and find “Restore Fileand Directories.” 4. Edit the Grant TOlist tobe c o ~ e n s u r a t ewith corporate standards. Industry guidelines state: * Backup Operators

5. Click OK on the new window to confirm changes. 6. Close User Manager.

Com~lianceA$$e$$ment Technique$

Compliance ~ e ~ f i c a t i o n TechNque$

Verify who hasthe “Manage Auditing and Security log” user right by performing the following steps: 1. Open User Manager. 2. Choose Pollcles from the pulldown menu and choose User Rlghts. .. 3. Scroll through the Rights and find “Manage Auditing and Security Log.” 4. Verify that the listof users is commensurate with corporate standards and best practices. 5. Click Cancel. 6. Close User Manager.

Review the <servername>. r/ghts.txtand ensure only authorized users are granted the “Manage ~uditingand Security Log” user right. The following guidelines can be used: * Auditors (must be created)

Industry guidelines state: * Auditors (must be created)

Verify who hasthe “Restore File and Directories” user right by p e r f o ~ n gthe following steps: 1. Open User Manager. 2. Choose Policies from the pulldown menu and choose User Rights. .. 3. Scroll through the Rlghts and find “Restore File and Directories.” 4. Verify that the listof users is commensurate with corporate standards and best practices. 5. Click Cancel. 6. Close User Manager. Industry guidelines state: * Backup Operators

Review the <servername>. rights.txt and ensure only authorized users are granted the “Restore File and Directories” user right. The following guidelines can be used: * Backup Operators

es

12

The “ShutDown the Security s t a n d ~ duser right ~ d ~ n i s ~ a t i System” on should be restricted to Activities prevent unautho~zed individuals from shutting down the PDC and causinga denial of service.

Individuals who can shut down the PDC could cause a denial of service or degrade the performanceof the network dependingon the BDC c o n ~ ~ u ~ a t i o n s ,

12

Security The ‘‘Take ownership of A d ~ i n i s ~ a t i o nFiles or Other Objects” standard user right should be Activities restricted so that no one can manipulate afile they do not dready own.

This is a very powerful user Restrict who can t right becauseindividu~scan ownership of files or other ignore theACL of an object, objects. take ownershipof the object, and change theACL to what they want.

Restrict who can shut down the PDC

Restrict user rightsby performing the following steps:

l.

2. 3.

4.

c o ~ e n s u r a t ewith corporate st~dards.

Industry guidelines state: * ~dminis~ators * Server Operators S, Click OK on the new window

to confirm changes.

Verify who has the “Shut Down the System” user rightby p e r f o r ~ n g the following steps: 1, Open User ~ a n a ~ e r . 2. Choose Policies from the pulldown menu and choose User Rlghts. ..

“Shut Down the System” user right. *

~d~inis~rators Server Operators

4. Verify that the listof users is c o ~ e n s u r a t ewith corporate standards and best practices. 5. Click Cancel 6. Close User nag m

Industry guidelines state: * Ad~nis~ators * Server Operators

Restrict user rightsby p e ~ o ~ n gVerify who has the “Take Ownership the following steps: of Files or Other Objects” user right l. Open User ~ a n a g e r . by performing the following steps: “Take Ownershipof Files or Other 1. Ope Objects” user right. The following 2. Cho uidelines can be used: pull No one User Rights. .. 3. Scroll through the R ~ ~and~ t s find “Take Ownership of Files or Other Objects.” c o ~ e n s ~ awith t e corporate 4. Verify that the list of usersis standards. co~mensuratewith corporate standards and best practices. Industry guidelines state: * No one

5. Click OK on thenew window to confirm changes.

Industry guidelines state: * No one

ory 12

~ o n t r oO~jectives l

The “Act as Partof the Security Administration Operating System” advanced Activities user right should be restricted so that no one can act like the “system.” This rightis required by some applications such as Bindview.

12

isk

The “ActasPart of theRestrict Operating System” right is one of the most powerful rights within WindowsW.It allows the designated accounts to act as a trusted part of the operating system and can therefore do anything regardless of other rights.

~ontrolTechni~ues whocanactasthe

If Everyone is removed from Ensure that Everyone has this userright, POSIXtherighttobypasstraverse compliantapplicationscouldchecking. cause a denial of access when they trytraverse to Note: The “Bypass ote: This is a divergence subdirectories. Checking” right Traverse allows WindowsNT to be from the book, which configured in a POSIXspecifies that the compliant manner. It Ad~nistrator7 Server allows users to traverse Operator, and Backup subdirectories regardless Operator groups are the only of parent p e ~ s s i o n s . ones to have bypass traverse checking on the PDC.

The “Bypass Traverse Security ~ d ~ n i s t r a t i o nChecking” advanced user Activities right shouldbe available to Everyone.

Restrict user rightsby performing the following steps: l, Open User ~ a n ~ ~ e r .

OUI

~dvanced

find “Act as Partof the Opera~ngSystem.” S. Edit the Grant l a list to be commensurate with corporate s~and~ds.

Verify who has the “Act as Part of the Operating System” user right by p e ~ o r ~ the n gfo~~owing steps:

ow ~dvanced

user right. The following ~uidelines can be used: * No one

find “Act as Parto Operating Sy~tern.~’ 5. Verify that the list of usersis commensurate with corporate standards and best practices.

Industry guidelines state: * No one 6. Click OK on the new window to confirm changes.

Industry guidelines state: * No one

Ensure user rightsby performing Verify who hasthe “Bypass Traverse the following steps: Checking” user rightby p e r f o r ~ n g 1. Open User ~ ~ n a ~ ~ the r . following steps: 2. Choos 1. pulldo 2. User 3. Select User 3. OUI ~ ~ v a n c e 4. Scroll find “Bypass Traverse 4, Scroll through the Che~king.’~ find “Bypass Traverse Checking.” 5. special the group t is granted this S. Verify that the listof users is right. c o ~ ~ e n s u r awith t e corporate standards and best practices. 6. Click OK on the new window to confirm changes. 6. Click Cancel. 7. Close U5er ~ a n a ~ ~ r . Industry guidelines state: * Everyone Industry guidelines state: * Everyone

autho~zedusers are granted the “Bypass TraverseChec~ing”user right. The following guidelines can be used: * Everyone ~

No. Cate~ory

Control Objectives

sk

12

The “Logon as a Service” Security Adrninistration advanced user right should Activities be restricted so that no one can actas a service.

The“Log on as a Service”Restrict whocan log on as a service. rightallows a user to log on as a service, sirnilar to those required by virus scanners and faxing software. These services runin the background without any interaction fromany additional users. Some services have Full Control over the system and could be very powerful if configured in that manner.

12

Security “Modify The Firmware “Modify The Firmware Restrict Administration Environment Variables” advanced user right should Activities be restricted so that users can’t modify the system environment variables that affect certain programs.

modify who can Environment Variables” right firmware environment variables. allows usersto modify the system environment variables that affect certain programs. If a variable is modified, it could be set to point ato batch program that launches a Trojan horse or denial of service.

~om~liance ~ssessment T~ch~ques Restrict user rightsby performing the following steps: 1. Open User ~ a n a g e r . pulldown menu and choose User ~ l ~ h t s.. 3. Select the “Show Advanced User ~ i g h t 5check ” box. 4. Scroll through the right^ and find “Log on as a Service.” 5. Edit theGrant To list to be c o ~ e n s u r a t ewith corporate standards. Industry guidelines state: * Replicators

6. Click OK on the new window to confirm changes. Restrict user rightsby performing the foilowing steps:

Verify who has the “Log on as a Service” user right by pedorrning the following steps: 1. Open User Manager. 2. Choose Policies from the pulldown menu and choose User Rights. . . 3. Select the “Show Advanced User Rights” check box. 4. Scroll through the Rights and find “Log on as a Service.” 5. Verify that the list of usersis c o ~ e n s u r a t ewith corporate standards and best practices. 6. Click Cancel. 7. Close User Manager.

Tec~niques Review the <servername>. rights.txt and ensure only authorized users are granted the “Log on as a Service” user right. The following guidelines can be used: * Replicators

Industry guidelines state: 0 Replicators

Verify who has the “Modify Firmware Environment Variables’’ S. user rightby performing the 2. following steps: 1. Open User Manager. 2. Choose Policies from the 3. ow Advanced pulldown menu and choose User Rights. .. 4. 3. Select the “Show Advanced find “Modify Firmware User Rights” check box. Environment Variables.’’ 4. Scroll through theR l ~ h t and s 5. Edit the Grant To list to be find “Modify Firmware commensurate with corporate Environ~entViuiables.” stand~ds. 5. Verify that the list of users is c o ~ e n s ~ awith t e corporate ~ n d u s guidesines t~ state: standards and best practices. * Administrators 6 . Click Cancel. 7 . Close User Manager. 6. Click OK on the new window to confirm changes. Industry guidelines state: * Ad~nistrators

Review the <servername>. r i g h t § . ~ and t ensure only authorized users are granted the “Modify FirmwareEnvironmen~ Variables” user right. The following guidelines canbe used: 0 Administrators

omain ont troll er ~ e c ~ r i t y

Control Objectives

No.

Cate~ory

12

Security Certain advanced user rights Adminis~ation should either be granted to Activities no one or to Administrators only. These rights are listed in the implementation checklist.

Sk

TheseadvanceduserrightsRestrictwhoisgranted could be used to compromise these advanced user rights the PDC if they are granted to (as listed in thewrongindividualsotherimplementationchecklist). than Adminis~ators.They are very powerful and do not need to be granted to normal users.

Technique§ Verify who hascertain user rightsby performing the following steps: 1. Open User Manager. 2. Choose Policies from the pulldown menu and choose pulldown menu and choose User Rights. .. 3. Select the “Eihow ~ d v a n c e ~ 3. Select the “Show ~dvanced User R~ghts”check box. 4, Scroll through theRights and 4. Scroll through the Rights and find the following: find the following:

Restrict user rightsby performing the following steps: l. Open User Manager.

C o m ~ ~ a n~ceer i ~ c a t i o n TechNque§ Review the <sewername>. rights.txt and ensure only authorized users are granted the following user rights. The following guidelines canbe used: Should be granted toAd~nistrators: e Create a pagefile e Debug programs e Increase quotas Increase scheduling priority e Load and unload device drivers e Profile single process e Profile systempe~ormance 0

Should be granted to Ad~nistrators: e Create a pagefile e Debug programs e Increase quotas e Increase scheduling priority e Load and unload device drivers e Profile single process e Profile system performance

Group A: e Create a pagefile e Debug programs e Increase quotas e Increase scheduling priority e Load and unload device drivers e Profile single process e Profile system performance

Should be granted to no one: e Create a token object e Create pe~manent shared objects e Generate security audits e Lock pages in memory 4 Modify firmwaree n v i r o ~ e n t variables Replace a process-level token

e

Group B: Create a token object e Create permanent shared objects e Generate security audits 4 Lock pages in memory 4 Modify firmware environment variables * Replace a process-level token

5. Verify that the list of users is commensurate with corporate standards and best practices. 6. Click Cancel. 7 . Close User Manager.

standards or the above industry guidelines. 6. Click OK on the new window Industry guidelines state: nges. con to 7. Close a ~ ~ g ~ r . e Group A (Adminis~rators) e Group B (No one) ote: The standard user right ote: The standard user right “Force “Force shutdown froma remote Shutdown froma Remote Machine” machine” and the advanced right and the advanced user right “Log on “Log on as a batch job” are not listed anywhere in ESAS because as a Batch Job” are not listed anywhere in ESAS because they are they are not implemented in not implemented in Windows NT4.0 Windows NT 4.0 and have no and haveno consequences. consequences.

Should be granted to no one: Create a token object e Create permanent shared objects e Generate security audits e Lock pages in memory e Modify fmware environ~ent variables e Replace a process-level token

e

Domain Controller~ e c ~ r i t y

No.

C a ~ ~ o rObjectives ~Control

Sk

12

The company’s legal DisplayingalegalwarningSettheregistryvalue Security Adminis~ation department shouldbe ensures that users are aware of Activities consulted, and consideration the consequencesof should unauthorized given be to access “Authorized and Use Only” imple~enting legal a assists conveying in the and “The Use of this warningmessagetobeprotection of corporateassets.System is Restricted to Persons Authorized login. duringdisplayed Only. All Others willbe Prosecuted to the Full Extent of the Law,” respectively.

12

Security Services that compromise Administration the securityof the domain Activities should not be started.

If the company has services Disable any unnecessary running that compromise the or insecure services security of the domain, there running. is an increased risk that domain resources willbe compromised.

12

Security Services provide thatCertain services (Messenger The Adminis~ation enticement information Activities should be disabled.

~ essen g erand and Alerter) allow usersto get Alerter services andany enticement information about other services that provide thedomainanditsresources.usersenticement information shouldbe disabled when possible.

For all servers, enable the display of legal textby p e ~ o ~ the n g following steps: 1, Open the Registry Editor (regedt~~.exe). 2. Select the Softluar~\Microso~\ UJindolus~urrentVerslon\ UJinlogon subkey of the W KIM hive. 3. Enter the appropriate text in the I e g a l N o t i c e ~ a ~ t ~ and on

4. Close the Registry Editor. NiA

NiA

Compliance ~ssessment Tech~qMes

Comp~anceV e ~ ~ c a t i o n TechniqMes

Verify that an appropriate Legal Notice has been created and cleared with the Legal Department. Ensure that the Legal Notice is implemented on all machines by attempting to log on to selected machinesand verifying the existenceof a legal notice.

Review <sewer~ame>. luinlog~n.~t and ensure the I e g a l ~ o t ~ c e ~ a ~and tion Lega~~ot~ceText values contain adequate legal text.

Verify that there areno services running on the PDC that could lead to unnecessary risk and exposure by performing the following steps: 1. Open Sewer Manager. 2. Select thePDC and choose Services. . .from the computer pulldown menu. 3. Review each running serviceto determine if it may compromise the securityof the PDC.

Verify that there areno services running on the PDC that could lead to unnecessaryrisk and exposure,by reviewing <sewername>. sewices.txt and ensuring that unnecessary or insecure services are not running.

Discuss with the network administrator the use of Messenger and Alerter. If these services are not used, be sure that they are stopped.

Review <sewername>. sewices.txt and determine if the Messenger and Alerter services are running. If the services are running, inquire with the company if they are necessary to support applications or services runningon the server (e.g., backup software).

g specific security”re1ated tasks and also c o n t ~ nprocedures s trusted system. Acco so~w~e inte~ty ~ toe a s u r e ve or classified info~ation.’,

for a comprehensive security tasks must bedis~ibutedto er ty Act of 1987 cast new urgency on c o ~ ~ u tsec ulates thatif ~nancialloss occurs asa result e pe~etrator,is liable for damages. Thus,the ~ ~ i i n f go ~ a ~ i lies o n with in rm ~nvironmentof c o o p e r ~ tin ~

atically. Unauthorized persons le havoc to the system.

ty, a ~usinessentity shouldesta~lisha comprehensive see ~ i com~uter n ~ use. computer security policy is a state~entof rules ehavior of users to ensure s y s t and ~ ~ datainteg~ty. it ~anagementto security. ont~olphysical e ~ u i ~ m e n t . what is expected of them.

Design administrative procedures to increase security. ~egregateand c o m p ~ m e n t ~ idata. ze Disconnect unused terminals and mass storage devices. Never perform any task as super user that can be performed with a lesser privilege. Do not trust what others can alter, Require usersto be on the system purposefully, on“need-to-how” a basis. ave users reportany unusual or irresponsible activitiesto authorities. T ~ e s activie ties might include unaccounted-for programs or unexpected software behavior. esides software features,ad~nistrativesupport is essential for achieving a workable security policy.When drafting a security policy, be sure to address the followin

8

What facilities require protection? ich data warrant protection? o is allowed accessto the system and under what circumstances? m a t permissions and protections are required to maintainsecurity? can the system security policy be enforced by physical, procedural,md system anisms?

hysical security safeguards system hardware from damage. It protects softw ruption as a result of envir~nmentalconditions and assures that unautho~zed person~e~ are denied access to areas containing system equipment. Hardware includes the ~entral cessing unit (CPU), system console, terminals, and other peripherals such as drives, and tape drives. Software includes the operating system, progr strict physical access to areas containing system equipment by:

8

* 8

8

Using perimetercontrols, such as locked computer rooms, fenced buil guards at building entrances. Using antitheft protection designed for desktop computers. Issuing keys and ID badges. Physically securing access to terminal wiring and network cables. ~afeguardingsensitive or proprietary data by keeping media archived o locked facility. Erasing obsolete data. Shredding or securely disposingof console logs or printouts.

Although practicesmay differ dependingon the type of computer involved,the p r o c e ~ u ~ a ~ security policy should govern the following: *

Use of equipment and systems operation. anagement of software and data, including the following: How computer-processed information can be accessed, manipulated, an tored tom ~ t a i system n safeguards. 8

the system’slife cycle. ncluding frequencyof audit review and analysis

audit in^ should be performed by authorized sec l t use securityfeatures such as action c o n ~ olist ntai~ingsystem security involves:

a system level, Unix provi~estwo ~ n of a~u t hso ~ ~ comed er user. ~ndividualusers also may be granted or rest~cted s accesscontrol lists. nal file p e ~ § s i o n and diting of computer usageby user, systemcall,

tents and trained in its use.

levels.

rity ~ e a s u r e often s force users to developloopholes to maintain

s y s t e ~a ~ ~ i ~ i s t r aist itoo ~ i s t r i ~ u t e

e syste

ollects v ~ i o u ss y s t e statistics, ~

r super user) a t t e ~ p t sand invali~network

S

online t e r ~ i n

The system programmer,^ tasks are: Installs system upgrades. Performs dump analysis. Writes programs that conform to security criteria,

This section providesa strategic road mapfor setting up a secure system. ered include setting upthe system, enabling auditing, and maintaining the system afterimplementing the security features.

administration tasks.

1 is used to perform security-related system ,a windowenvironmentreserved for userswithsuperuser ca-

through. each step, focuses choices, and protects theuser from c o ~ p t i n gcritical files. It avoids in~oducing~ s t ~orec os m p r o ~ s e that s might breach e following security-related system ad~nistrationtasks can be performed *

Turning auditing on and off. Setting the audit monitor andlog parameters. Viewing audit logs. Viewing and modifying audit optionsfor users, events,and system calls. ~ o n v e ~toi ~ a trusted g system. ana aging user accounts.

t the following area you wish to work in:

interface and the test

The procedures presented here cover all of the tasks required to implement (trusted) system.Deternine whether the following steps were followed: lan prior to conversion. Install the system from tape.

a secure

onvert to a secure ( t ~ s t e dsystem. )

riorto the convers

to evaluateyour audit logsd e t e r ~ n e d ? nts of the work site i~entified? user levels, how were the written e work site established? S i n f o ~ e of d their se-

y risks? This is m a n d a t o ~ files should be examined r e ~ ~ l ~orl when y , a security breachis suspected. How wasit d e t e ~ ~ that e d no proceed in^ to the next section? security breaches existed before

updated but should be installed from tape because the effectivemay be c o m p r o ~ s e dif the system files were altered.The steps

. The file system s~ o u ldbe bac

d up for later recovery of user files.

m the backup media. 1for each product fileseti ~ s t a l l eon~ the system ed as a reference when checkin e onv version. After step4, proceed directly to the conversion task that is described as follows.

an

ass~ o rdthe sfrom with the replaces and file orces all users to use

1

file the to

1.

*,

1

ets the audit flag onfor all files to use thes u b ~ t t e r ’audit s

efore ~ ~ i then conversion g program:

If the system returnsth. d string to copy the file:

Insert these lines if they are not theend of the list of calls in the this file.

ert the subroutine c sectionandinthe I

To convert to a secure ( ~ s t e d system: )

onverted, theuser will resubsystem is now ready to be enabled.

The system supplies defaultauditi~g~ ~ a m e t eatr sinstallation. activated a~tomatically,some have to be enabled.

tem calls can b

cree Primary log file path name Primary log file switch size(AFS)

The full p a ~ n of~ the e file set to collect audit in^ data initially. 5,000 kbytes

Auxiliary log file path name A u x i l i log ~ file switch size CAPS)

onitor wake-up interval

Allowable free space m i l i i ~ (FSS) u~

1,000 kbytes 1 minute

20%

90% trigger w ~ i n g s

h size for the bac

witch point, the~ n i m u m a ~ oofu file nt space allowedon the file system before a

ill

ollowing is an exampleof the possible outputof the kbytes

23,191 207,~67 120,942 121,771

Used

19,388 184,224 13,374 48,273

~ e d ~vailable ~ a p a ~~ i o~ u ~on

1,483 2,316 95,473 61,320

93% 99% 12%. 44%

I /mnt / m f l ~ ~ t ~

hoose a file system with adequate spacefor the audit logfiles. For example, using the system supplied defaultfor the primary audit logfile would mean that: tc file system must have more than5,000 kbytes availablefor the primary audit logfile. . It must have more than20% of its file space available.

(I

The following errors can occurif file system spaceis inadequate: the primary audit log file resides ina file system withless than 20 percentfile ace available, the system immediately switches to the auxiliary audit log file when auditingis invoked. . If the file system chosenhas insufficient spaceto handle the indicated auditfile switch size (i.e., 5,000kbytes), the system issues the followi have completed task .. current audit file 1. le on audit file system, speci diting system unchanged. vide a new pathname for the auxiliary audit log file. The primary and auxiliary aufiles should reside on separate file systems. Since each installationof Unix is nt, it is not known which file systems are available at the user’s installation. ,the default situation has both the primary and auxiliary log files residing on same file system, I . These parameters can now be enabled and auditing turned on. Leave the default d leave the default of (y) at

he system is now ready for normal operation asa secure system.

, should periodically verify file system security and nce the system is up and ~ n n i n gone for security breacheson a regular basis.

for each of the product filesetsinstalled on the system tobe used as a basis for later comparison. The f files created will le-line entryfor each file having the followinginfoma

mbers arelisted for device

~ l ~ o r This i t ~field ~ . reflects the

er user to ese-

fck does not produce output unless it finds discrepancies. Examine the results, paying particular attention to changes in: * Mode permission bits. * Owner ID and group ID. discrepancies.

Use the same procedures as before to verify file consistency for customized systems. rnk Create a prototype file list and run the

1c o ~ a n on d that list to produce a

listed files, runthe fck commandusing the will read eachentry in the file, gather the current statistics, compareit to the baseline, and report any discrepancies.

This section covers basicinfomation on password security, system and userfile pemissions, and file access control usingACLs.

The password is the most important individual user identification symbol. tern authenticates auser to allow access to the system. Since they are vu1 promise when used, stored, or even known, passwords must be kept secret at all times. The System Security Officer and every user on the system must share responsibility for password security.The security policy shouldbe based on the following assumptio~s: *

A password is assigned when a user is added tothe system. A user’s password should be changed periodically. The system must maintain a password database. Users must remember their passwords and keep them secret. Users must enter their passwords at authentication time.

The ~ y s t e mSecurity O ~ l c eperfoms r the following sec~ritytasks: Assigns the initial system passwords. proper aintains p ethe ~ i s s i o n on s / files, Assigns the initial passwords to all new users. Establishes password aging. Deletes or nullifies expired passwords, user I S, and passwordsof users no longereligible to accessthe system.

security violations.

c ~ o o s i na ~assw word:

bserve the following gui en

t must containat least two~ ~ h a ~ e t i c aracters cm include control charac-

o choose not

a wor

youif

spell it b a c ~ w a r ~ s .

I, or re~etitionsof your d words make suitable

t is a securit~ ~iolation for users to sh

atelyafterentryand ssvvord is used inCO

store

sists of seven fields sep-

he fields cont~inthe f o ~ l o ~ i n g i n f o ~ a(liste tion e consistingof up to rd field heldby an nteger less than ~0,OO~.

ser can change the encrypted c o ~ ~ a nthe d ,c o ~ ~ efield nt

file, accessible only r fields s e p ~ a t by e~

The fourfields of the I. in order):

the tain

~ o llo ~ in ingfo r~ a tio n(listed

ting of up to eight c ~ ~ a c t e r s

t any fields in1. eneral use~sc a ~ oalter

users should construct

,the system searches th 7 before creating a file. This restricts o not leave executables where they were developed. Restrict access to executables under development

r m s should be set as restrictively as possible without loset to prevent users from writing to them. These include:

tcl

.Only root shouldbeabletoreadfrom

on encompass entire subsysaccess to filesthey protect or use, the

ility to grant access

enforces the security of all programs en-

f Unix programs areset according to the principle of least privilege, to any object based on ‘heed to knowluse” only. The number of ize the risk of Trojan hors grams have been changed to

Directories to which files are addedor deleted often (dynamic directories) ne mission, for example:

The same guidelinesfor static and dynamic directories x e applicable to executables, scripts, and databases (e.g.,I

Access to all devices in a system is controlled by device special files be device independent. These files have been shipped with permiss proper use andm ~ m u m security. If installing any other special files command manual entry orI the Since device special files can be as vulnerableto t ~ p e r i n gas any otherfile, o b s e ~ e the following precautions: Use only Unix-su~plieddevice drivers in your kernel.I driver, you invalidate theTru Protect the memory and SW since these files contain user i n f o ~ a t i o nthat has a potential for ple, a program that watches memoryfor an invocation of the I copy the password fromio in's buffers when a user types it in. All device files should be kept inId Write-prokt alldisk special files from general users to prevent in Read-protect disk special files to prevent disclosure. Terminal ports on Unix systems may be writable by anyone i to communicate by using the should haveread permission. Individual users should neverown a device file other than at e ~ i n a l sonal printer.

e the lowestpn~ilegelev on m ~ a g i n guser accounts, refer tothe ~

y A ~~ ~ ~i ~ e-

work is con~dential. e ~ s s i o to n general users. Use I

e accounts on,for accounta~i~ity and as-

Include the user’sfull name and a~ork-re~ated identi~er (such as phone number) in include confidential in fo ~ a tio nsince , any-

oradirectoriessuch

as

promote accoun~bility.

er’s account to call at-

ew user account with

auses the user to re-

s it is ~ e c e stos deactiv ~ ~ ccount assoon as it is es

ui~elinescan be used to reactivate a user account: to reactivate a user account. To allow the user to set the passwor~,

e account assoon as a user leaves oran chance of system penetration,r e ~ o v an cess. To r e ~ o v ean account follow theseste~s: &e a backup copy of the user’s d i r e c t o ~tree so that the account can be recon-

Search the system for files owned by the user after removing the home directorystmcRemove referenceto the user in

To remove them,type the following commands:

Remove reference tothe user in Remove the user’s mailbox from /U (1) c o ~ a n to d locate all files in whichthe user is explicitly included in an ACL entry, as follows: If appropriate, notify thefile owner and removethe ACL entry. or redirect the user’s mail, reference to the user in /U

if ap-

A user might have accounts on other systems that one does not admi~ster.Inform other systemadmi~stratorsto removethe user. Use to remove the account.

Moving a user account from one system to another is trickier thanit seems. on the new system. If either the user must be reassigned new a one for the new system, andthe of all of the user’s files must be changed.Do so from the user’s hom

S,

opy the user’s files fromthe old to thenew system. move or deactivate the user from the old system. If ac~uiringa user from a system one does not administer, or the user is moving from a less to more secure environment, check the user’s files carefully for programs that might compromise security.

ecause teamsof employe ne groups of users in the

*

de-

directories,

and .All members of a

have sole access to

hen adding a group:

~ d ~ n ~work. ial

~ s s i o bits n to rant or restrict access

Access control lists are a key enforcement mechanism of discret (DAC), for specifying access to objects by users and groups more tional ‘Unix mechanisms allow, based on the user’s legitimate needfor access. ACLs offer a greater degreeof selectivity than permissionbits b owner or super userto set (permit or deny) access to individual users or An ACL consists of sets of entries associated with a file to S S set a combination utsynta the in resented ACLs are supported for files only.

To understand the relationship between access control lists and traditionalfil consider the following file and its permissions:

-rwxr-xr-

-

karen

adrnln

dat~fii

The file owner’s grou

The file group’s permissions aref-X. The file other permissions aref- -. L, user and group IDScan be represented by narnes or ~ ~ m b efoun rs .The following special symbols can also be used: 96

No specificuser or group Current file owner or group

When a file is created, three base accesscontrol list entries are mapped from th cesspermissionbits to matchafile’s ow group I1and Base ACL entries can be changed by the ) )

Base ACL entry for the file’s owner Base ACL entry for the file’s group ase entryfor other users

(Except where noted, examples are represented in short form notation. ACL notation.)

358

UNlX

Granting Selective Access with Optional ACLs Optional access control list entries contain additional access control information that the user can set with the setacl (1 system call to further allow or deny file access. Up to thirteen additional user-group combinations can be specified. For example, the following optional access control list entries can be associated with the file: (mary. admin, rwx) (george.%,- - -)

Grant read, write, and execute access to user mary in group admin. Deny any access to user george in any group.

Access Check Algorithm ACL entries can be categorized by four levels of specificity based on their user and group IDS. In access checking, ACL entries are compared by effective user and group IDS in the following order: (u.s, rwx) (u.%, rwx)

Specific user, specific group Specific user, any group

(%.g, rwx) (%.%, rwx)

Any user, specific group Any user, any group

Once an ACL entry is matched, only other entries at the same level of specificity are checked. More specific entries that match take precedence over any less specific matches. In the Berkeley model, a process might have more than one group ID, in which case more than one (u.g, mode) or (%.g, mode) entry might apply for that process. (See setgroups(2) in the Unix Reference Manual.) Under these circumstances, the access modes in all matching entries (of the same level of specificity, u.g or %.g) are mode together. Access is granted if the resulting mode bits permit. Since entries are unique, their order in each entry type is insignificant. Because traditional Unix permission bits are mapped into ACLs as base ACL entries, they are included in access checks. If a request is made for more than one type of access, such as opening a file for both reading and writing, access is granted only if the process is allowed all requested types of access. Note that access can be granted if the process has two groups in its groups list, one of which is only allowed read access and the other is only allowed write access. Even if the requested access is not granted by any one entry, it may be granted by a combination of entries as a result of the process belonging to several groups.

ACL Uniqueness All ACL entries must be unique. For every pair of u and g values, there can be only one (u.g, mode) entry; one (u.%, mode) entry for a given value of u; one (%.g, mode) entry for a given value of g; and one (%.%,mode) entry for each file. Thus, an ACL can have a (23.14, mode) entry and a (23.%, mode) entry, but not two (23.14, mode) entries or two (23.%,. mode) entries.

How to Use ACL Notation Supported library calls and commands that manage ACLs recognize three different symbolic representations:

MANAGING USER ACCOUNTS

operator form

Used to input entire ACLs and modify existing ACLs in a syntax similar to that used by the chmod(l1command.

short form

Easier to read, intended primarily for output. The chaclIll command accepts this form as input to interpret output from the IsaclIll command.

long form

A multiline format easiest to read, but supported only for output.

359

The base ACL entries of our example file are represented in the three notations as follows: Operator form Short form Long form

karen.%.= rwx, %.adrnin = rx, %.% = r (karen.%,rwx) (%.admin , r-x) (%.%, r- -) rwx karen.% r-x %.admin r- -%.%

Some library calls and commands use a variant format known as ACL Patterns (described later in this section).

Operator Form of ACLs (Input Only) Each entry consists of a user identifier and group identifier, followed by one or more operators and mode characters, as in the mode syntax accepted by the chmod(1) command. Multiple entries are separated by commas. u s e r . group operator mode [ operator mode]

...,...

The entire ACL must be a single argument, and thus should be quoted to the shell if it contains spaces or special characters. Spaces are ignored except within names. A null ACL is legitimate and means either “no access” or “no changes” depending on context. Each user or group ID may be represented by: name

Valid user or group name.

number Valid numeric ID value. % Any user or group, as appropriate. @ Current file owner or group, as appropriate; useful for referring to a file’s u.% and %.g base ACL entries.

An operator is required in each entry. Operators are:

=

+ -

Set all bits in the entry to the given mode value. Set the indicated mode bits in the entry. Clear the indicated mode bits in the entry.

The mode is an octal value of zero through seven or any combination of r, w, and X. A null mode denies access if the operator is =, or represents “no change” if the operator is + or -. Multiple entries and multiple operator-mode parts in an entry are applied in the order specified. If more than one entry or operator for a user and group are specified, the last specified entry or operator takes effect. Entries need not appear in any particular order.

~ s e r to s only r ~ a d i ~

be ~ o l l o wallows i ~ ~ use

space.

ies arnated.Forconsistencywithoperatorform,adot (.)is usedto entifiers. r and n output, no spaces are printed except in names (if any). Identifier numbe~sare printed if no matching names are known. Either identifier can be printed as% for 66anyuser or group.” The mode is always represented by three characters: (r, U,and X) and padded with hyphensfor unset mode bits.If the ACL is read fromthe system, entries are ordered by specificity thenby numeric valuesof identifier parts.On input, the entire ACL must be delimited by quotation marksto retain its quality as a single argument, since it might contain spaces or special characters such as parentheses. Spaces are ignored except within ate and means either “no access” “no orchanges” depending names. A contex on identifiers are represented operator in as form. The mode is presented by an octal value of zero through seven orany combi dundancy does not result in error; the last entry for any U takes effect. Entries need not appearany in particular order.The

The following is a sampleACL as it might be printed. It allows userj t: to read or execute the file while in group access to the file whil to only read the file,any 0th r usermay only readthe file.

On input,the following ex The following sets uJri

ss for user bill in any group:

The following sets the entry for user 1 cl “l

The following setsthe base ACL entry for the file’s owner to allow both r capabilities for other (%,%)users:

ut. The mode appears first in a fixed-width field, bits) for easy vertical scanning. Each user and group identifier

st to least specific then at least three entries, th

L as in an earlier ex

r-

-

~.~

e library calls and c o s a l l ~wsoperations on all f o ~ l o ~ways: in~

~ reco~

~

s

e v a ~ ~of e sbase

This sectiondescri~esthe new ~ r o ~ ravailable a ~ s tom r the detailed s~eci~cations, refer toth

control list,

S

Unix commands, system calls, and subThis section identifies issues critical to ush access controllists are implemented. For e ~thea specific 2 entry. the detailed specifications, refer to the Unix ~ e ~ e ~~ e ~~ cn for The general purpose commands and system calls are: ,

dl) is executed. Use store the p e ~ s s i o nbits of ACL

I

hose ACL entries match or include specificACL patterns. indicates the existence of ACLs by displaying a+ after h file’s p e ~ s s i o nbits. ilx does not support optional ACL entries on lu5rl These programs copy optional ACL entries to the new files they create.

he file chive commands are:

1 Use only these progrms to selectively recover and

-

backup files. However,use the option when b a c ~ n g up and recovering files for use on systems thatdo not implement ACLs. S do not retain ACLs when archiving

The configuration ~ o n t r o ~

c o ~are: ands

The c o ~ a n d in s these packages do not support ACLs. As a general practice,do not place optional ACL entries on system software. They are not preserved across updates.

~ c c e s s c Q ~ lists t r Q 1use Q ~ s i ~them e r hen usi

~ a n eun ~~i e s~ u n ~ e these r cir

n t e ~ r ethe t p r e ~ e ~ i nlisting g as follows:

user (%I)from any o p e r ~ s s i o n s(- -)o

-

The following section

rectory to be accessible to on1 c o ~ a ton grant ~ orrestrict

Since both the an a ~ ~ ehow n eofs s

interact is ne cess^.

I c o m a n d is a supersetof the or e~ample,~ u ~ you ~ use o s ~ allow make other ously

only yourself an exception andall than yourself and yo specifiedby the

Create new a ACL entry allowing the user write (=rw) access to rngfil

CYC in

any group (%)r

chacl ‘cyc.%=rw’rnyfile

Modify an existing ACL entry allowing all users(94)in all groups (%)r (+r) access to fooflle. Modify an existing ACL entry denying all users (%)in the curite [-W) access to afile.

L entry denying userion in the mkt group read, write, rch access to olddir.

To S ecifthatyourer,who access to

is in a d i ~ e r e n ~

If a directory is writ le, anyone can removeits files, ~ardlessof the per S. The only way to ensure that n files can be removed from a directory is to p e ~ s s i o nfrom that directory. r ~ a s i ~ ~rotection um this technique can be lied to the d ~ r e c t oof~a user accou~t. hide the directory’s name from routi~eview, use a

. List the ~ e ~ i s s i o on n sthe directory.

rectory.

tools that one can use to: mess s y s t e ~files for ~ o t~ n tial s ~ c u sis r ity iew s y s t e files ~ for routine security Locate sus~iciousfiles in case of securit~b r e ~ c ~ .

suspect any breach of sec

ote whichp r o ~ r ase ~ s tay vi~ilantof any

ate further any programs that appear to b hange the p e ~ i s s i o nof any unn

programs in the hierarchy, list the files returned by the find command:

programs in system directories:

~ v i ~thewoutput for the following unexpected results: me p e r ~ s s i o n as s shown programs are the most significant,

ow what that programmay be doing. x~minethe code of all programs importedfrom external sourcesfor destructi~epro-

ow ~ ~ a cwhat t l ~they do.

sword file should be perrnitted. The converis leaves a potential for security breach ord fields or fields that force nce the system has been convertedto a trusted system, periodical~ylook for pass-

omesho~ld dire~tories

files from them, To fin

not be w

re~ove ‘\

m e ~ b e r sbe denie

files should not be~ rita b leby an oneother t h ~ se that are writable by

..”m e ~ that s theuser does not

as pre~entinganyone readable or writable .r ’\

readable or writable by anyone other than its owner. files, run:

ome systems~ a i n t a i nan I

takes severalm o m ~ ~tot s~~, ret~rnsinode andfile ~ a m e rs listing of the ~ n ~ o ~ n t e If decidin cia1 file with its I

~onsiderthis only a tempor s sec~~ty. elete the fileif it t ~ e a t e n system

ers sons, ~rocesses,or devices that cause i n ~ o ~ a t i otonflow e the s ~ s t state. e ~ Allsubjects are a

ects are passiveentities: files, directory trees, programs, bits, bytes, fi isters, video displays, keyboards, clocks, printers, network nod that contains or receivesi n f o ~ a t i o non a system. ecause access to an cess to the informationthe object contains, objects re ~ u ir e ~ ro te c tio ~ . objects require special attention: oot directory. ensitive files such as.F onfiguration files such ublic directories. og files. To ensuresecurity,set

U

asrestrictivelyaspossibleandassign l i ~ tFor . further direction^, r

he principle of least privil requires each subject in a systemto be granted only as much privile~eas is needed to pe authori~edtasks. Users should be able to access i n f o ~ a how.” These criteria help to limit daxna tion based only on a valid to “need accident, error, orunauthori~eduse.

ensure that individual users are heldaccounta~lefor their activities online,the converusted system creates an audit identifies every user uniquely user with every process inv and Unix. auditing functionalpersonnel ed evaluate to au w ~ i are c ~actions potentially capable of allowing access to, generatin tion on auditing including auditIDS,

programs have the following ch~acteristics.These c o ~ e n t also s

)position of the file

the

erm mission modes.

is set to its owner^ r

bit is set to its group,

cess with four numbers: real and effec-

with the owner to thatof the object. The e object, giving the user the s ~ access ~ e f the process are set to that of the owner

of the file. of the file,

bit isw e d on, the privileges of the process ~ are c h ~ ~ e ~

ystem are dueto operator error! owever, a system attacker progra~s,most often in oneof rogram executec o ~ a n d defined s by the attacker,

e data createdby a p r o g r a ~ .

y those values necessary for the proper operation t e ~ i n e dvalues: ard output,and s t a n d ~ derror are

hese sa~eguardsincreas~the assurance thatlsnown programs are executed in a known environ~ent.

me programs because do to so would inhibit their grams have been carefully e x ~ n e for d flaws: r e t ~ n e dwhen the er than standard input, standard output,

e e n v i ~ o n ~ eisn tpassed along unchanged.

,once ~ a v i n glogged in the user has accessto virtuh nix has n u ~ e r o u sbuilt-in softwarerest~ctions group ~ a n a g e ~ e nand t , accesscon~ol),it i r~ctionor compro~iseof ater rial or data,

hostile program as a system program. A, clasy captu~ngthe person’s login and password. query for their passwordonce logged in.

circu~ventssystemrotec-

ly useful c o ~ p u t epro ~ a ~ a ~ i l i ttoi ethe ~ d e t ~ ~ e

Trojan horses als

~ i l i t ahosts, t ~ and

0

0 0 0

Protecting passwords when using RFA. et: to restrict outside access. Denying access with I ~ o u n t i n gfiles in an NFS environment. Safeguardinglink-levelaccess.

An a d ~ ~ s t r a t i domain ve is a group of systems connectedby network services that allow users to access one another without password ve~fication.An a ~ ~ n i s t r a t i vdomain e assumes their host machine has already verified system vices assume security is established atthe system level. ministrative domains. d not enter a password to read anN verified the password when the use ad~nistrativedomain.

the user to provide a pas istrative domain.

administrative domain.

in Ad~inistrativ~ Domains

. '

\

LA

syntax and use of this file.

the file transfer protocolse ice request is received at stricted account name must appear alone on a line in the fi

skips the securitycheck,

aintain consistentfile usage. rovide a lean, cooperative user environment, le-sh~ng bet nd client systems by controlli file. ~ n ~provide i ine s p e ~ i s s i omount nto existing onthe server ontoany client machine. Oncea file systemis put into I ailable to anyonewho can do an NFS mount. client user can accessa server file system without having logged in to and disklessclusters also provide access to files h o o k e ~up to a re,but do not bypass password authentication.

erver security is maintained by setting restrictive e ~ i s s i o n son the maintained across Net System (NFS). Thus, having root stem does not provide special access to the server. The server performsthe same p e ~ s s i o nchecking remotelyfor the clientas it does r side controls access to server by files the clientby comwhich it receives viathe network with the user occurs within the kernel, lient can exploit that privilege to any file system to a node on W granted more leniently than from your own node’s policy.

In earlier releases ystem reside for to workstation had client disk. theon m now allows mafor the ining the jor and rninor numbers of a client-~ounteddevice to exist onthe server side. This opens the possibility for someone to create a Trojan horse that overrides permissionsset on the

client’s ~ o ~ n t de d server side.

~ssions:

or other misc~ief).

and table only by root.

rovides t e c h ~ i ~for ~ ecs

i ~ e n t i ~and y control an administr~tived o ~ a i n . n reach on your network are named for cor-

at you are working aonma-

e of a file system followed uters. Any entry consistme is a file ~ystemavailassociated withspecific com uters. You can find

ists the names of computers with equivalent password files.

trative d o ~ a i ~ .

e in the a~ministratived o m ~ nA . user

can be com~aredb

-

in the ad~nistrativedosistency with system

aintain consistency am0 working on syste m is remotely mounte

les are inco~sistent.The one or bothof the files,

n both cases,you if

see no ou

files are consistent and

you are done.

heir correct values are om these values should

s h o ~ l d n ebe ~ e rwritableby the public.am on^ these are:

emote hosts allowed accesse~uivalnt to the local host ervices name~ ~ t a ~ a s e ist of file systems bein rotocol n ~ database e

Internet configurationfile List of networkwide groups

file defines which file systems can be exported to other systems. ave at least two fields: theis the firstname of the file system bein the second and subsequent name the systems to which the file system can be export than two fields are present, the file system can be shipped anywhere in the world. Verify that nofile system can be universally exported:

i This command examines I removes all comment lines, removes all null lines (lines containing only spacesor tabs), and then searches thefile for lines with fewer than two fields.

If a network security breach occurs because of an unknown cause: *

e

Shut down the network and telephone access tothe computer. Inform the network administratori ~ e d i a t e l y . Allow external access to the computer only after identifying an problem.

A security breach can present itself in many different ways: *

e

Someone might report unexpectedor destructive behaviorby a conlmon program. The user might notice a sudden increase in the system’s load avera computer not to respond well. permissions ownership or might be changed from what i s expected.

*

The byte countof any system files changes unex~ectedly.

*

sug Anything that seems to deviate from normal system behavior might one suspects a security breach, such as a virus or worm, one shouldbyhandle l i ~ t iitn gits immediate impact.

Shut down the system.If users can be given a warning, use the more co~lrteousshutdown command: or

. Bring the system to a sudden halt is actively corrupting the system might allow more time for furthe system load. :Once rebooted, some systems would ask to autoboot from the ~rimaryboot path enabled. Others would return without asking, Press any key w it~ in10 seconds

only. thin^ in t e ~ofs what went login filesfor clues. c o ~ ~ dassdesc~bed , in ste

been found and ad~isableto rein-

et have a lot to do with the Unix o~erating more features and utility ~ n c t i o nthan s an all of these powerful features made it a secu

un: You can run the command line i at any time to see a list of interces cu~ently config~ed and their par : The sending host specifies how long ( I) in seconds live. Once e packetis discarded. O~tions:The options that are infrequently used inI datagrams follow: :A list of internet addresses through which the d a t a g r ~must pass. :The nodes which the datagram passes through arei n s ~ c t e dto return their Internet address. Thus, wemay d e t e ~ n the e route takenby a datagrans. :The time it takes for the d a t a g r to ~ passt ~ o u g hthe nodes is rehost. This allows measurement and c o m p ~ s o n sof network performance. ot :A host cansendthe I a remote system'sInternet Protocol is up and op mand uses this message.

Provides a login to a remote system. Provides a remote login to a remote system and a suite of commands to perform specialfunctions such as copyingfiles over the network. oes remote copyingof files over the network. Executes commands on a remote system over the network. A file transfer program that providessuite a of file transfer utilities. Provides statistics that measurethe load and efficiency of the network's hardware and data transfer environments. Examines network connectivity and efficiency of the network intransfe~ingpackets. Some other commonlyused active processes are:

7"

omain Name Services (DNS) Network File System (NFS) outing ~nformationProtocol (

applicationsthatprovideservicestotheuser's

inter-

aps IP addresses to the names assigned to the network devices. Allows file systems and rectories to be shared by various hosts on the net ing of datagranss through the network t ~ o u g hdesignated devices assignedby ~nternetaddress.

he three network name services that provide p~eceding the capabilities and provide

ervices m a y be in use, the host table may still be needed to: ide i n f o ~ a t i o nabout impo~anthosts (includingitself) when DNS or NIS is not ing. ad~itional info~ation.

is to be connected d to the machine^

twork, onemust have a rangeof et Central Network~ u t h o r i t E ~.

networ~must be as

e ~ t e ~~e t ~w oer ~~ .

tive: f of the l i s t e ~files are security threats.

B

invoked, looks system in

file, gets phone number

I)

For these systems, figured into the ker-

rvices at multiuser boot times. Which configuration of the system and the

time butmay be invoked on ’),sometimes calledthe Int on demand,thus savcess completes its exn to invoke processes

The ~oint-to-pointprotocol only startsif con~guringan file. The Simple Network only be startedif con files are configured,

nter.net. The I n t e ~ e t n willonly start if an file has been created. This line printer will only start if any ofthe p ~ n te rshave been configured aseither print serversor clients and thus have an file on the system.

d

le.

securityriskbecausenopassword

is requiredto re

all takes the proper attention to rotocols such as: Never have a gateway broadcast or rebroadcast (with tside theenterprize network (i.e., onto the Internet). S from outside your enterprise network into your network. irectory access by e ~ s u r i n ~ started with the arguments f is the name of the direct0 insonlydownloaded files. p netpublicly readable, yet This prevents malicious ensure that it is not installedby default and review the

use such as control of what kind revent users from access in^ e accounts. Also account names presented

*

Nothaveanullassword.

Trusted Access allows users to utilize the enterprise network inway a that is more convenient and more secure via the rl in command. If trusted access is not confi~uredfor the in command, it will prompt usersfor a password, This password is transnitted across the network andmay even be onthe Internet. Packets containing these passwords are relatively easyto intercept and identifyand thus cancompronise the securityof the enterprise ep in nind the following: If trusted accessis set up, no pass If trusted access is not set up, the Trusted Access canbe set up at the host or user levelor both.

ds do not even work.

c o ~ a n d s ~ i t hproout can be created for users for users or they can do it for themselves by in the user’s home directo~.The format is the

S

same as inthe I

lems associated wi are typically the result cause of the traffic c involve several factors:

of

ysical layer perform e t ~ o r card ~ n p~erfo ~ an ce.

ata c o ~ p t i o n . tion of resources to a p ~ r o p ~ anodes te and networks. If the network a ~ p e to~ be s p e ~ o ~poorly, n any combination of the may be the cause.

a echoes. perly t e r ~ n a t cable. ~d etectin~echoes with acable scanner. §mitted toa host faster thanits n e tw o r~ n card canbuffer the

e problemsmay also be due to overload in^ ~hysicallayer capa-

stribute a d ~ n i s ~ a t i accounts ve if the passw e same onall machines ~ ~ i n g password on one machine on th nes on the network.Lf my m S allowed to set the binding uld send the hosts a command thatcauses them e account names all ready server. This person (i.e., rootp~vileges).This person cannow control the hosts.

ctionality is con~guredby the following: le in initializing the

be tuned for better p e ~ o ~ a n and c e functionality.

cord user accessto objects. The resulting record can show such S by a user to assume a level of privilege that exceedsthe user’s

and conversion to asecure ( ~ s t e d system, ) you are ready to subsystem allows one to audit selected users performing se-

(a number ranging from 0 to 60,000) is kept in the file, which can only be read by super users. When an audited user iting) p e ~ o ~ by e that d user is traceable to the user r such asfile deletions. Choose to auditany action either succeeds or fails.

To simplify the selection of actions to be audited, system

event types. Selectin grouped together in categories called automatically turns auditing on for all processes in that c diting can be selected without selecting the event type th lected for auditing because of their a s s ~ i a with ~ o a~ p Exhibit 6.5 shows the event types (andthe proc be selected for a u ~ i t i n ~ .

vent Type

escri~tionof ~ c t i o n

Create

Log all creationsof objects (files, directories, other file objects)

Delete

Log all deletionsof objects (files, directories, otherfile objects)

Moddac

Log all modificationsof objects’ Discretionary Access Controls

Nodaccess

Ilnk(21, unIlnk(~1, chd than Discretionary Access Controlsc~root(2), setgroups( rename~21,s~mctl(2),

Log all access ~ o d i ~ c a t i o other ns

Open

Log all openingsof objects (file open, other objects open)

open(21, execv(2),p

Close

Log all closings of objects (file close, other objects close)

close(2)

Process

Log all operationson processes

Remova~l~

Log all removable media events (mounting and unmounting events)

Login

Log all loginsand logouts

Adrnln

Log all ad~inistrativeand privileged events

Ipccreate

Log all ipccreateevents

lpcopen

Log all lpcopen events

Ipcclose

Log all ~pcclose events

lpcdgfam

Log [PC datagram transactions

udp[71user datagram

uevent l, uevent2

Log user-defined events

See the following section “Streamlining Au

ipcfecvcn(~)

write their ownpro~ramsto streamli~eausystem calls to sus end rocess-~-process

"I

I"

*I

"I

t*l

"l

s ~ c c e s s f ~but l l ~no , a u ~ i t i nrecor ~ ~e~ere~c efer the to ~~~~

time ethe

~

r

o is run, ~ r

write tohow on ation

~

r~turns self-

For each event audited, the following i n f o ~ a t i o nis recorded in the audit log file: ate and timeof event. of the user generating the event. ubject (user/process). Type of event. uccess andlorfailure of event. )for identificatio~authenticationevents. Name of an object introduced to or deleted from a user’s address space. ~escriptionof modifications madeby the systemad~nistratorto the user/system security databases. ther i n f o ~ a t i o nrelevant tothe event.

All auditing datais written to an audit log file. One can specify two files to collect auditing data, the ~ ~ m alog r yfile and the option^) auxiliary log file. These files should reside on two differentfile systems. The growth of these files (and the file systems on which they ren, side) is closelymonitored by the audit overflow monitor that no audit data is lost. The primary log file is where be collected. When this file a proaches a predefined capacity (its tem on which it resides approaches size), the auditing subsystem issues a warning. When ei primary log file is reached, the auditing subsystem atte file for recording audit data. If no auxiliary log file is hibits 6.7 and 6.8 show what happens as thisfile grows. The example assumes that: nly the p r i m ~ yaudit logfile has been specified. It resides on a file system with no other user filesCO auditloghasreached 90 percent of its M S si a,which is monitoring the state of the auditing system, issues the warning message shown to the sys The primary audit log has passed the first warning pointand reached The system attemptsto switch to an auxiliary audit log file, but finding none dicated m~ssage pe~odically to the system console. In Exhibit 6.9, the primary audit log has grown past its size and reached 90 percent of the space allocated to it on the file system. The mess ent indicates that the audit file S stem is approaching capacity. 6.10,the primarylog file hasreached .The message shownis sent pesystem console.If other activitiescon space on the file system, or the file system chosen has insu~cient itch point could be reached before the 0

AF

90% of Log File illed

Primary Audit LogFile Message:“Currentauditfilesize

is

kilobytes.An a ~ e ~top switch t to the b

S and usersto audit decided? ncy to evaluatethe nt of an overall security policy. re the security re~uirementsof the W re the written guidelines at both fleet the realistic needsof the work site establi§hed? W were all perso~el-adminis~ator§ an

hat procedures werein. place to keep se

. Were all existing files on the system inspected for the first time a secure (trusted) systemis installed. ined r e g ~ l ~or l ywhen asecu ~ tybreach is su

A ~ e ~ p ttoi n switch ~ to auxiliary auditfile

ile ~ y s t e m

S

% free space

I

~ e m pto switch t

to the backup

ded since it focuses choices

or dis~laysaudit file

~ ~ r n alog r y file path name = 1.

nitor w ~ einterval - ~ =~ 1 owable free space ~ n i r n u m

onal area win,and whenau-

Secure the system and perform the following steps:

. Take one of the following actions: To turn auditingon, from the “Actions” menu9choose To turn auditing08from the “Actions” menu, choose You are informedby a message boxof the change you have requested. Activate

. The ‘‘User Audit Status” window now indicates the change requested. to turn auditing on andoff when auditlog file and monitor pahen changing audit logfile and monitor parameters, choosethe .menu itemto make the changes and turn auditing on or off.

An audit flag is set to on for all existing users at initial conversion to a trusted system. To change the selection of audited userson the systemdo the following procedure.

Secure the system andf o l l these ~ ~ steps:

S

of the highli~htedusers, choose one of the following

of each hi~hlighteduser will be hanged to reflect the m are automatically audited. You must enter this screen that youdo not wish to have audi ct at next login. For example,i

ecure the s~ stemand follow these steps:

ose one of the fol-

iting a ~ c ~ ~ u l aa tlot e sof data. want to view.

Follow these steps:

Use the default settings on this screen alter or them tosuit particular needs. : It ay take afew ~ n u t eto s prepare the record for viewing when working with large audit logs.

The following sample record from an audit log file shows a failed attempt to openthe secure password file: Users and aids:

elected the following events:

The initial lines identify i n f o ~ a t i o nfor which the audit logfile was searched. Following in t a ~ uform l ~ the record shows: he year, month, and day (inthis case 1989,June, 20th). ime of day (in this case 1400 hours, 31 ~ n u t e s30 , seconds). d (in thiscase F for failed). Event numberidenti~edwith the event type (in this case 5).

Eectlve UserID (in this case69).

ounts of data, be d i s c r i ~ i ~ a t i n of all events andall users ell as a very rapid ~ l l of~ n ~ for the operation can help e a w ~ of e the fo l~ o win ~ when p r o ~ r that ~ s call auditabl

nts and users for a~ditin

S

when a d ~ i n i s t e ~ n

eview the audit logfor unusual activities such as: Late hours login. * Loginfailures. Failed access to system files. * Failed attempts to perform secu~ty-relatedtasks. ickly remove users who no longer have access to the system. nt overflowof the audit file by archiving daily. e current selectable events periodically. Revise audited users periodically. t follow any pattern or schedule for event or user selection. . Set site guidelines. Involve usersand management ind e t e ~ n i n gthese guidelines. 4

Auditing increasesthe system overhead. When pe~ormanceis a concern (such as ainrealtime environment), the system administrator to hasweigh security versus pe~o~ance. ing selective about what events and users are audited can help reduce the impactof auditing to an acceptable level.

diskless a context nare files log Audit clients, each cluster data. audit node merged into a single audit when using the“View Audit Files’, wind I/. ify thecdf wanted. For example, type

dus

All

Since implementing Unix security features requires thatone completely install (not update) Unix pera at in^ System, one needs to back up and recoverthe entire file s y s t e ~ . tion provides security guidance tosupple~entother i n f o ~ a t i o nsources and p curity guidelinesfor file system manage~enttasks such as: ackup and recovery. ounting and unmounting file a system.

For basicinst~ctionson backing up system files, refer to the~ y s t ~e ~ ~ i n i ~ ~t r ~~ t si ~ ~n 1in the Unix ~ e ~ e r e~~ c~e i ~ e .

user error. Ensure that a

retain access control lists ben backing up and recove it should be ensured thatthe user’s

rial. Allow access to the media only

is ~ o u n t e don the correct output device. e sure that the tape

ars the user to coworkers t is critical to ~ ~ o t e c t i n y, recovery of c ~ e ndata the ~ollowing preca~tions:

tain access controllist in-

1"- allows one to overwrite a file. owever, the file retains the pemis-

9

Ls set when the file was backed up. enrecoveringfilesfromanothermachine,onemighthave to executethe n[l) command to set the user ID and groupfor the system on which they now reside if the userand group do not exist on the new system, If files are recovered to a new system that does not havethe specified group, the files will take on the group ownership of the personrunning Fr 1. If ownerandgroupnameshavedifferent meaningson different systems, recoveryresults might be unexpected. ep the recovery system tape locked up or otherwise physically secured. Allow access to the archive onlyon the basis of proven need. ever, if someone reports a lost file after Power failure should not cause file loss. apowerfailure, look for it in /I fore restoring it fromabackuptape. To verify contents of the tape being recovered, use the-Ioption of preview the index of files on the tape. Note, howev that existing p e ~ s s i o n of s a file systemarekept intact by thebackup; fr preventsone from readingthe file if the permissions onthe file forbid it. E x ~ n the e file listing for overlylib Change attributesif warranted, using the ACLs might be present. See the Un Never recover in place an critical stead, restore the file ato preventing anyoneelse verifying theiridentities and moving them to their final destinations. Compare the restored files with those to be replaced, to ensure that allc u ~ e ndata t is preserved. any necessary changes then move the files into place. If this precaution is not followed, system e after the system has / le hasbeenchangedwould be beenbackedupandpossiblyafterthe unable to log in unless the ~ u ~ eand n t archival files had beenreconci~ed. V files in place.If one does and then tries to reboot, the system is like1 to hang and willbe unable to reboot. ne must then manually create any missevice files can be recovered in /t hat is on the tape and recovered /tto very s c e n ~ o , s u ~ p othe s edisk had ed and one had no way to recover from their own system. A coworker might have a ~ n n i n gsystem. could then roll their disk over to their coworker's t and with p e ~ s s i o n set s to -.Then one could

ensure to turn auditing on.

ountin~a file system can create security problems f not done carefully. f the media being mounted contain co~promisingfiles.

-confi~uredcomputer enviro~ment. is section is intend~dtoprov I systems and disksor disk p ~ i t i o n s . The mount c o ~ a n uses d a file c ~ l 1~ d eir p er~ ssio n s.The ut readableby others. disk:

of the file system’s root direc

trol accessto disks, drives and disks.

quests thatyou mount a ~ersonalfile system.

in its desired location. sure to unmount all mo~ntedfile systems of a user W ose account you are dis-

h ~ t d o is ~ used n to halt the system in an orderly fashion for ~aintenance,installation, down, without adversely a ~ e c t i n the file s y s t e ~After , a 11s all u ~ e c e s processes. s ~ s W ~ t t to e ~the Fo~cesthe contents of the file sy ste~ ’ sl1 b u ~ ~tor be co~a~d). or mode, nistration sinlaces the in system

hutd down can also abruptlyhalt or reboot the system. Since it is run onlyfrom the system console by a user logged in withroot privileges, shutdown mustbe performed conscientiously to ~ a i n t system ~n security. Observe the following security precautions when bringing down the system: I n s t ~ cusers t tolog out before starting final shutdown procedures. hen invoking the shutdown command, set a grace period to allow stragglersto log out and processesto complete. lwaysuserebootorshutdownto halt the yousimplypull the plug or push theresetbutton, all theprocesses halt andcannotwritethememorybuffers on to the disk. (S) run level any longer than Never leave the system in the syste~-ad~nistration necessary. Shutdown does not self-audit, and it turns auditing off. Do notphysically writ tectamounted file system, since thisprevents sync from updatingthe hard Complete the shutdown before taking off-line any diskordrives other peripherals. Do not takea disk off-line without syncing and unmounting file the system on the disk. f the computer is halted andthe last command involving output to the file system was not a reboot shutdo~n, or a superblock might be corrupted. The fstk program canbe used to detect superblock inconsistency.

udit

he auditing system monitor iscretion~yaccess c o n ~ o l (

means of restric

ne cess^ to p e r f o their ~ tasks. system- define^ saturation private c ~ ~ a c tstring e r used toau i~e~tity. The current file usedby au data. ven ~ a ~ ~that a gs ei ~ ~ l rograms that can sus c e ~ a i n~rocesses.

A. program whose groupI is set to grant a user

Trap door Trojan horse

Trusted computingbase (TCB)

Trusted system

Virus VVOlXl

privileges e~uivalentto thatof the program A program whose userID is set to rant a user privileges equivalentto that of the owner. A hidden softwareor hardware m e c h ~ i s mthat circumvents system security. ram c o n t ~ ~ additional ng ~nctionalitythat exploitsthe program’s capabilities for destructive ends. All protectionmecha~smswithin a computer system (including hardware, ware, and software) responsiblefor enforc policy. Securitye~ectivenessis mechanisms andits correct implementation by system adminis~ativepersonnel. A. system that employssuf~cienthardware and software security measures to allow its use for processing sensitive material. Code segmentsthat replicate themselvest ~ o u ~ h a system destructively. A program that migrates through a system for harmful purposes.

entire

n ~ r o ~ e ~ontrol nt ea tu res

NI5 is a distributed database system that letsmany computer systems share password files, group files, and other files over the network.

1

Check for the existence of NIS with /usr/~in/~puthlch.

2

Review the output of Domainnames and command: domalflnam~. guess. easy are toguess. used can be with It NIS to

MS Server names

D o m a i n n ~ eshould be hard

to

grab password files. 3

Review NI5 password user All identification codes This increases risk the that file with command: defined in the NI5 password file unauthorized users log in to these gpcat pa5swd. password. unprotected have this accounts. Once a access is achieved, the unauthorized user has accessto a user’s configuration filesand any system processes ownedby that user.In addition, the usermay then attempt to gain further accessto the system by exploiting other weaknesses.

4

Review the NZS password Root level identi~cationcodesareThisincreasestheriskthat filewiththeprecedingdefinedonlocalserversandarenot ad~nistrativeusershaveprivileged commandlookingforanyprovideddomainwideaccessthroughaccesstosystemsthatarenot user account the that has a NI5password file. required for their job functions. UID of 0. these to access have that Users systems asroot have the ability to modify or delete system configuration files, system processes, and modify or delete sensitive user data files.

5

Duplicate UIDs are not permitted and should not exist in the NI password file.

6

Only users who requiredomainwideUserswithdomainwideaccess may access are included in the NI5 have privileges that go beyond their job responsibilities. They may

Review thescriptoutput of the gptatpassutd password file. the command. Note unauthorized perform functionsnumber as listed of users the with compared user population.Review the list with the system a d ~ n i s ~ a tand o r verify that the levelof access is appropriate for the listed users.

Duplicate UIDs increase the risk that unauthorized users will modify or delete files created by another user, and accountability is in jeopardy.

or

Avoid using obviousdom~nname.

The system ad~nistratorshould immediately assign passwordsto these accounts, then notify each user of their assigned password andask that they log in and change their password. If no user is associated with the user ID, the user ID should be removed from the NI5 password file.

The system administrator should remove any privileged identification codes from

The system administrator should delete any duplicate UIDs and create new unique identification codes for each user. The ownershipof any files owned by the duplicate users should be changed to match the newly created UIDs. The system administrator should restrict users access where appropriateby removing users from theNI5 password file.

0.

7

access have

Review the script output

at p a 5 5 ~ d

Identify users that unauthorized to the shell (i.e., access to

End users are not provided command line accessto the Unix operating system.

Access to the commandline via a shell (the commandline inte~reter) increases the risk that users access comands, data, and files. configuration

password file. Review the list with the system ad~nistratorand verify that users with shell access require that accessfor their job functions. 8

10

Review thescriptoutput The use of genericuser identifica~on surd codes is notpermittedand not commandandidentifyevidentwithinthesystem. generic user identification codes, Review the listof generic users with the system a d ~ n i s ~ a tto or define their use and purpose.

Review output of command:Verifythatthereare r~up. duplicate GIDs.

d!

11

Review output of gpcat group.

no

Generic user identification codes limit accountabilityon user action performed while logged in asa generic user. Evenif the systemis logging all events of the generic user. In addition, default, generic identi~cationcode aren o ~ a l l y targeted by intruders atte~ptingto gain access to a system.

'This increases the risk that unau~orizedusers will modify or delete files createdby another user.

Verify that only authorized and Identi~cationcodes listed in approved user codes are members rivileged groups such as 0 have access to group of privileged groups. writable files createdand owned by ot user. This increases the risk that sensitive system configuration files willbe changed or deleted.

In orderof eEectiveness:

1. Replace the shell located in the last field of the NI5 password file with a menu program. 2. Give usersa restricted shell with no access to cd, rm, cat,and other sensitive commands.

The system ad~nistratorshould deactivate the generic users and remove them from theNI5 password file. It should be investigated whether or not allusers who currently access the system via the generic ID can be moved to individual I D S with a similar env~onment.

The systemad~nistratorshould delete any duplicate GIDs and create new unique group identification codes for each group. The group ownershipof any files owned by the duplicate groups should be changed to match the newly createdGIDs. The system administrator should remove any user codes that do not need access to the GI D =0 group.

0.

port” of 21.

is configured on the “well-known port” of 23. The mailor srntp service defined “well-known port”of 25. Review 13 output the

of

~

authorize valid, Only 14

port other than the “well-known port” increases the risk that unauthorized users will bypass the controls of the routerACLs. Many publicly available programs called “‘port scanners” will identify open ports and the service to which they are assignedon the host.

only properly configured and Many t ~ r d - p software ~ y packages approvedservicesarebeingprovidedrequiretheability to ~ o ~ u ~ i c a t e inthenonprivilegedportrange.tootherhosts on thenetworkwithin (Ports greater than 1,023.) ports increase the risk that unauthorjzed users willgain access to the system.

.~

Unneeded or unauthorized hosts in

t Review file. Review the listW a d ~ n i s ~ a t and o r verify that all approved be to a

with the system administrator. Verify that all hosts are witkin the NI5 domain.

nning of

l6

of

output 17

Review provides the pmxding. provides

It

host.

risk ess gives an about the host, including when the machine was last booted, how muchCPU it is using, how many disks it has,and how many packets have reached it, load average, network Ira&, etc. ~ f o ~ a on ~ o n the information on how busy the machine is and on login accounts an intruder can use in an attack. ~ baccountt ~ i ~ o r ~ a can ~ obenused by a scanner or attackerin a brute force attack.

~

(Network ~ f o m a t i o nService) contains data suchas host files, password files, andemail aliases for entire

map info~ation.An i n ~ d e who r ~ssessesthe M S d o ~ (often ~ set up as a derivative of the public domainname) can stealinfomation helpfulin guessing passwords and gaining unauthorized access.

~

e

If the FTF?Telnet, and SNTP services are configured on ports20 and 21,23 and 25 respectively, norecom~endationis required. However, if the serviceis configured onany other port, the system ad~nistratorshould reconfigure the service on to the standard ports.

If the open ports are required, no r e c o ~ e n d a t i o nis required. However, the system administrator should remove unnecessary ports from the list.

If all hosts are required, no reco~endation is required. However, the system

a d ~ ~ s t r a tshould or remove any unnecessary hosts from the list.

If all hosts are required, no recommendation is required. However, the system

a d ~ n i s ~ a t should or remove any unnecessary hosts from the list. Disable serviceby com~entingout the rstat entry in the/etc/inetd.canf file. Restart theinetd process.

Disable serviceby commenting out the rusers entry in the/etc/inet~.canffile.

If possible a different approach should be taken to the distributionof this typeof information to servers. There are several commercial packagesas well as many homegrown systems that accomplish these tasks in a more secureway.

sk

0.

19

of

Review output the

The password file should Unshadowed be password files shadowed and does not include encry~tedpasswords.

systemthe field Note second if the in the file contajns “X, *,I” or an encry~ted

increase the riskthat unautho~~ed users will attemptto gain accessto by c r a c ~ user n~ passwords.

access is achieved theunautho~zed user has accessto a user% configuration files,and any system processes ownedby that user. In addition, the usermay then attem~t to gain further accessto the system by exploiting other weaknesses.

22

23

Of

wd for

duplicate that Verify UlDs are not p e r ~ t t and e ~ do not exist in the local password delete created files orfile.

Review thescriptoutput Sers access that have unauthorized to the

last field of the password

file. Review the list with the system a d ~ i n i s ~ a t o r and verify that users with shell access require that access for their job functions.

riskDuplicate the crease that unaut users will modify by another user, and accoun~abili~ i s in jeopardy.

command Access to the command line via a lineaccess to the Unix operatingshell(thecommandlineinterpreter) system, risk the increases access that users c o ~ a n d sdata, , and confi~urationfiles.

End usersarenotprovided

The system administrator should shadow the password file.

The systemad~nistratorshould immediately assign passwords to these accounts, then notify each user of their assigned password and ask that they log in and change their password.If no user is associated with the user ID, the user ID should be removed from the local password file.

The system administrator should remove =0 identification codes, except root.Users should be required to log in to theirown unprivileged identification codes and “su” to root.

The system administrator should delete any duplicate UIDs and create new unique iden~ificationcodes for each user. The ownership of any files ownedby the duplicate users should be changed to match the newly createdUIDs. ~

In order of effectiveness: 1. Replace the shell located in the last field of the password file with a menu program. 2. Give users a restricted shell with no access to cd, rm, cat, and other sensitive commands.

” .

~

NO.

24

The useof generic user identification Review thescriptoutput of the codes is not permitted and not evident within the system. mm fY neric user identification codes. Review the listof generic user with the system adminis~atorto define theiruse and purpose.

25

26

Review output oE

Generic useridenti~cationcodes limit accountabilityon user action er formed while logged inas a generic user. Even if the systemis logging all events of the generic user. In addition, default, generic identification code aren o ~ a l l y targeted by intruders a t t e m ~ t i nto~ gain access toa system.

Duplicate GIDs are not permitted and should not exist in the group file.

Duplicate G D s increase therisk that unau~orizedusers will modify or delete files created by another user,and accountability is in jeopardy.

Verify that only authorized and approved user codes are mem of privileged groups. Such as

Identi~cationcodes listed in privileged groups, such have access to group wr created and owned by the root user. This increases therisk that sensitive system c o n ~ ~ u r a tfiles i o ~ willbe changed or deleted.

.

The system administrator should deactivate the generic users and remove them from the password file. It shouldbe investigated whether or not all users who currently access the system via the generic ID can be moved to individual I D S with a similar environment.

The systema d ~ n i s ~ a t should or delete any duplicate GIDsand create new unique identi~cation codes for each group. The ownership of any files ownedby the duplicate groups should be changed to match the newly created GDs. The system a ~ n i s ~ a tshould or

remove any user codes that do not need access to theGID=O group.

27 n is

could user exported. being

modify

The root partition of host a Unix is not exportedfor use by any other system, files. exported the to

ot access to exported file tems may allowa privileged user on a remote system unrestri access

not any files on the exported file system.

Unauthorized exported file systems being exportedmay allow users on remote systems unrestricted access users These files. exported to the any files on the exported system.

Only authorized file systems are exported by use for other systems. h o s t n ~ for e the machine the that exports then can is telling.

-

29

~

" .

Review theoutput of File system partitions, such /as U X P O ~ Verify ~ . shouldbeexportedread-only. the risk thatunautho~zedusers will

exported system theto changes file make systems. con~gurationfiles. These changes may lead to additional ~nauthorized access ora denial of the services being providedby the system. 30

Application or user file systems should be exported with the n o s ~option. i~

Exporting file systems without the uld option increasesthe risk that non~rivilegedusers on the By obt~ningprivileges on the system the userwould be able to modify or delete files. ~" " "

31

qualified d o m a i n n ~ e s .

32

General W S

Exporting to hosts without fully qualified names increases risk the that a co m p r o ~ sedDNS server will allow access to the exported file systems.

Finding

Control T ~ c h ~ ~ ~ e s If a requirement exists to export theroot partition the system administrator should export the file system with read-only permissions. However,if the file system is not requiredto be exported the system administrator should remove the file from the letcl~xparts file. If these file systems are required, if possible, explicitly specify each node All exported file systems should be listed in letclexports preferably withRead access. If the file systems have not been approved, they should be removed from /etclexpa~s. If the file systemis required to be exported the system administrator should con~gure the export tobe read-only within the letclexparts file.

The system administrator should export application or userfile systems with the "nosuld"parameter.

Ensure that only fully qualified hostnames are usedin d e ~ ~ hosts n g in the letc/export~file.

Ensure that export lists do not exceed 256 characters.

NO.

33

Review theoutput of the c o ~ ~ d : Verify that there are no entries within this file. In addition, verify that there isno "+"entry in this file, whichwould allow any user on any hosts unauthenticated access to the system.

34

Review theoutput of the

Verify that thesewas no file found in the root directory.~dditionally, review the policies and procedures surround in^ these files with the system a d ~ i n i s t r ~ ~ o s .

Ensurethatthereare hosts within the network. risk that

no trusted

Any entriesin this file increasethe an unauthorized user will gain access to the system from a remote system withoutenter in^ a uses could modify or delete files and may have accessto sensitive processes ~ ~ i onntheg system.

The existenceof this file increases the risk that unauthorized users will

nintended purposes. For example, hackers who break into computer systems frequentlyadd easily break into the systems in the future.

35

Review theoutput of theTheuse and creation of .hostsfilesTheexistence of thesefilesincrease shouldnotbepermittedwithinthetheriskthatunauthorizeduserswill the accounts onuserenvironment. toaccess gain system. Verify that there wereno tiles found on the system.

36

Review thefilesoutput of the individualrho5t files from the prior step.

The existenceof these files increase the risk thatunautho~zedusers will gain access to user accounts on the system.

The system adminis~atorshould either all entries from within it.

The systema d ~ ~ s ~ ashould t o r remove

The system adminis~atorshould remove all . ~ ~files s t located s on the system.In addi~on,the system administrator should create acrcm job which searchesfor and removes these files on a regular basis (i.e., weekly). Ensure thatany , ~ ~ files ~ that tares required on the system contain only hostnames that are directly controlled within the same network. The systems Adminis~atorshould remove any hosts that do not fit this criteria.

Verify 37

the operating Discuss with the system level and application and schedule hostnme patches upgrades. security vulnerabilities have thewith arethat command: name -a.

a ~ i ~ s t r a tthe Older o r versions unpatched or of security versions of operatings systems often or

remotely either exploitable locally on the server.

Review theservicesoutputThe FrP servicedefined is configured Manyrouter-basedaccesscontrol with the command: on the “well-known port” of 21. lists (ACLs) filter TCPflP packets cat / e t c / s e ~ ~ ~accessed. e ~ being port the on based netstat -a. The teln~t service defined is Configuring these services anyon configuredonthe“well-knownport”portotherthanthe“well-known increases risk port” ofthe 23. ifverify And the services that the running bypass are will unauthorized usersor not, especially ifthey areonThemailor srntp servicedefined is controls of therouterACLs. Many the nonstandardports.configuredonthe“well-knownport”publicly available progrms called open identifywill scanners” “portof 25. ports and the service to which they are assigned on the host. 38

39

Review the output of Only properly configured and cat / e t c / ~ e ~ i c e s approved services are being provided in the nonprivileged port range. (Ports greater than 1,023 .)

40

Review theoutput of Ensure that only necessary services are The standard Unix “out of the box” the command: con~gurationleaves many running on the hostout of the cat /et~~ne~d,con~. inetd daemon. unnecessary services running which could open the server up to denial of service failures as wellas additional entry ori n f o ~ a t i o ngathering points to an intruder.

41

Ensure that the finger service is not running.

Many t h i r d - p ~software ~ packages require the ability to communicate to other hostson the network within the nonp~vilegedport range. Open ports increase the risk that unauthorized users will gain access to the system.

The fingerdaemon increases the risk that unauthorized users obtain sensitive i n f o ~ a t i o nabout users on the network that could enable them to gain unauthorized accessto user accounts.

It isr e c o ~ e n d e dthat the operating system be upgraded or that allsecurity patches be applied.

,Telnet and 'F°5 services are configured on ports 20 and 21,23 and 25 respectively, nor e c o ~ e n d a t i o nis required. However, if the serviceis configured onmy other port, the systema d ~ n i s ~ a t should or r ~ c o n ~ g uthe r e serviceon to the standard ports.

If the open ports are required, no r e c o ~ e n d a ~ is o nrequired. However, the system a ~ i n i s ~ a tshould or remove unnecessary ports fromthe list, and add definitions for needed ones to/ e t c / s e ~ ~ ~ e 5 .

Limit the numberof services that are ~ n n i n gon the server to those that are any services have more secure r~~lacements.

The systemadminis~atorshould remove the finger ernon on from the system start-up files or

0.

42

st

(trivial

that Ensure disabled unauth been transfer pro across option. secure or the is running with

file at

AIX net,across the flags: -1 Logs the IP address of thecallingfile machine messages. error with passwords.

Use of the /et

could a user run a cracker p r o g r on ~ the password and obtainunauthorized

-n Allows the remote user to create files on your machine. -r Attempts to convert theI the appropriate host name beforelogs it messages. This flag must be used with the -l Rag or the-v flag. -S Turns on soc~et-leveldebug gin^.

-v Logs information messageswhen any file is successfully transferredby the tftpd daemon. This logging keeps track of who is remotely ans sf erring files toand from the system with the tftpd d 43

if ed

Review output of This is potentially an TFTP reads throught command: cat /etc/tftpacce~~.ctl that start withallou: trol lines are ignored. If th access is allowed. The allowed directories and files minus the denied directories and files can be accessed. For example, the lusr directory might be allowed and the/ u ~ r / u c ~ directory mightbe denied. This means that any directory or filein the lusr directory, except the/u~r/uc~ directory, can be accessed. The entries in the file must be absolutep a t h n ~ e s .

syste~

a d ~ n i s should ~ a t o r removeit

restricts its use to a specific directory.

reco~nizethe existen~eof the file and allows access to the entire system.

absolute ~ a t h n a ~Iteseaches . the

const~ctedby adding the nextcom~onent from the file pathna~e.The Ion matched is the one allowed. It then does the same with denied names, s t ~ t i with n ~ the longest allowed pathname~ a t c h e ~ . ne I For example,if the file ~ a ~ n a l were

be allowed.

one de~iedmatch s t ~ t i n with g I and also contained allowed namesare searched first.

0.

st

Risk

eview theoutput of theTheuse of the FTP (filetransferWithouttheexistence of the command: cat letclftpusers protocol) should be restricted. /etc/ftpusers file any user listed in the access to review ftp the / etransfer t c / pcan a s sfile ~~ files restrictions. increases the risk that unauthorized files are transferred across the network.

oss

iew theaboveoutput.SystemidentificationcodesshouldSystemuserswhoarenotlisted Note the system users be restricted from using FTP, the / e t c / ~ ~ u s efile rcan stransfer This network.the across filesReview inclu~ed it. within he ncreases systemthe with list the the across transferred a ~ ~ n iare s t r a tto ofiles rdetermine o users which system

46

in

End users not listed in the / e t c / ~ p ~ s efile r s can transfer files across the network. This increases the risk that unauthorized files are transferred across the network.

Review theaboveoutput. Users who do not s ~ e c i ~ c ~require l l y useof P should be identified and restricted from using system administrator to d e t e ~ n which e users

such

filesconfiguration

as

files.

unauthorized users delete or modify these

of the systembut are not writableby any user other thanroot.

writable only by root.

these files, including files created other users.

by

The systema d ~ n i s ~ a tshould or create the i-5 file and at a m i ~ m u m the following identification codes should be included: This includes the root account, any guest accounts, uucp accounts, accounts with restricted shell,and any other account which should not be copying files across the network. The systema d ~ n i s ~ a tshould or include the following system users in the / e t ~ f t ~ ~ file: root, bin, uucp, nuucp, sync, hpdb, and sys as well as other system ids.

The systemadminis~atorshould include the following users in the I any guest accounts, accounts with restricted shells, and any other account which should not be copying filesacross the network.

The systema d ~ n i s ~ a tshould or reduce the permission settingson these filesto be writable onlyby root.

~-

The systemad~nistratorshould reduce the permission settingson these filesto

The systemadminis~atorshould reduce the permission settings on these files to be writeable onlyby root.

0.

~ontrol~ ~ j e c t i v e

st

sk

Review theoutput of the X11-based softwarehasbeenconfiguredUnsecured X Windows access commands: xhort and in a secure manner by explicitly allows an unauthorized individual to tC/X~.hO~t~ allowing access to only those capture user keystrokes to obtain ew Xll-based addresses the network on that login IDSand passwords. In addition, access. require settings. could unauthorized user an issue keystrokes as if the user on the

50

the entireX screen to a remote co~puteron the network.

SUlD files are authorized, inventoried. Files that increase the risk that the U ng the file will escape to a shell. Once at the shell prompt, the user would retain the same accessas the actual ownerof the file.

51

Review the output

52

Review the output of theApplicationanduserfilesshould This increases theriskthat command: find not writable any by user other than unauthorized users modify delete or rm -2 I -type I -print. owner. these files.

of the

Review the list with the system adm~stratorto identify any files that are proprietary, sensitive, or confidential. 53

54

Review theoutput of theTheuse of scriptsorreferencefilesTheexistence of referencefilesor c o ~ a n dfind : l c ~ n t a i ~ unencrypted ng passwords scripts with unencrypted passwords -name .netrc -print. should not be permitted within increases the risk that unauthorized userenvironment. to access gain thewill users output Review files the by identification codes system. on the this command.

Review theoutput of theUserfilecreationdefaultsettingsare com~ands:cat letclprofile configured to restrict write access to and thefilesoutputby:files by otherusers. find l -namE! .profileprint print find l-name .cshrc print find l-name.ttashrc print

-

Improperly setting the mas^ vhable in the user’s.profile, .login or .chsrc file increases the risk thatunauthori~edusers will modify or delete files created by other users.

The systema d ~ n i s ~ a t should or execute the command:xhost -. Other security steps include: l.~ p e c i f y i ~individual g computers that are permitted to access the X-Windows server. 2. Protecting the commandxhost by making the ownerroot and givingit the permissions of 700, this will allowread, curite, and secure manner.Do not execute the-noauth command when starting theX windows. 4. If ~ ~ i then NIT g X server use IC-CO~~IE by entering the following command: The systema d ~ n i s ~ a t should or verify that these files are proper and needed for the functioning of the system, reducing p e ~ i s s i o n where s possible, Additionally, the systemadminis~atorshould create a static inventory listof the remaining files and create a cronjob that searchesfor and reports any newly created SUlD files on a regular basis (i.e. weekly). The systema d ~ n i s ~ a t should or reduce the p e ~ i s s i o nsettings on these files where possible.

The systema d ~ n i s ~ a t should or remove trc files located on the system. In addition, the systema d ~ n i s ~ a tshould or create a cron job that searches for and removes these files ona regular basis (i.e., weekly).

The systema d ~ ~ s ~ ashould t o r correct any problems notedby changing the umask command in the.login, .cr;hrc,or .profile script filefor these users to 027. This results in the following accessany to files createdby the user: Owner:read, write, @xecut@:Group: r World: no access.

o

0.

it Test

55

Review theoutput of the preceding commands.

56

Review output the configured isable of the preceding commands.

Users are restricted from exiting Improperly set traps allow users to start-up scripts prior to their completion.break outof login shells or scripts and access thec o ~ m a n dline. Once command line accessis achieved users can read sensitive con~gurationfiles and attemptto gain further system privileges.

bogus IS program could be executed.

57

Review the

of the Users are required to log in as S: unprivileged users from every terminal except the console. host

/ e t c / ~ et fa~t u l ~ l o ~ ~ ~ system.HPUX: the cat / ~ t ~ / 5 ~ t u r ~ t t ~ .

58

appropriate.

Review theoutput of the c o ~ a n d rpci~fo : -p.

all RPC that Verify are programs

gain to

will access

on the networ~,including PCs increases the risk that an user unauthorized privileged

Onlyknown RPCprogramsshould beUnkaownorunauthorized running on TCP and UDP ports. access gain

will unauthorized users

s

e system ~ d ~ i n i s ~ ashould t o r correct

The system a d ~ n i s ~ a tshould or cons~ct variable so that directories are

(if neede~). t no time should a world w ~ t ah l e

directory he included in any user Proper setup should include: the opera tin^ system the method to secure this function will vary. For those systemsnot specified the control must be placed in the individu~luser’s profile. file, only the console entry e script outputof th has beenu n c o ~ m ~n t ed . eview the script output of th

the file. e s y s t e ad~inistrator ~ s sable any u n ~ o w or n unaut~oriz rams ~ n n i on n ~the system.

0.

59

t

sk

Review the output of the All network interfaces are This increases the risk that commands: configured appropriately network (i.e., sniffer promiscuousmode is notenabled),activated

a

is could beactive or by anunauthorizeduser.

Verify that all network address c o n ~ g ~ a t i o nare s appropriate.

60

traffk is properlyImproperlyroutednetworktraffic unauthorized allow mayusers view the network traffic.

Rev~ewtheoutput of theEnsurenetwork co~and: corporate routed through the

to

Verify that all routes are appropriate.

61

of authorized Only the hosts should network Unknown the beon hosts available to communicateontheincreasestheriskthatunauthorized

system. the access tonetwork. gain will are users hosts allVerify that appro~riate.

6

of the Ensure that users who access root have that access logged and that the m / ~ u l o ~log is reviewed on a regular basis. system. with theAdm~istratorto ensure that only authorized users are accessingroot.

63

Review theoutput of theThesystem

output e

is restartedonly when

Users accessing root have the ability to modifyordeleteanyfileonthe

Unauthorizedsystemrestarts may indicate an unauthorized user

access privileged gain policy attempting to restarts, of system configuration orserious a note that any discrepancies. or application problem exists. is adequateloggingInsufficientloggingwillresultin a an event the of intrail audit of an unau~orizedaccess. With good logging and monitoring Admi~stratorsare often given early warnings for hardware and software errors or problems.

64

Reviewtheoutput of theEnsurethatthere c o ~ ~ ~ d : of system activities. lack

65

Review theoutput of theEnsurethatthecorrectnameserversThewronginformationcould anddomainnamearebeingused on substantially slowdownmany lookups reverseifrequests machine. network the are used.

Finding The system administrator should reconfigure any network interface that has been ~scon~gured.

The system administrator should work with the network group (or administrator) to configure the network routing appropriately.

The system administrator should investigate and remove any unknown and unauthorized hosts on the network. The system administrator should change the root password and ensure that only authorized users receive it.

The system administrator should review the system messages on a regular basis and investigate any unplanned system restarts.

The administrator shouldreview the system log messageson an active basis with alerts being sentoff if there are problems.

Ensure that theON5 lookup i n f o ~ a t i o n in /etc/resolv,conf is correct.

at at

etting more than one computer buil~ingblock functionby transpo~in

(~icrochannel~ c ~ t ebus-based c ~ e on the originalIBM’s P52) (~c~itecture for the ~acintosh)

S

I

~nshieldedtwisted pair

Low

Easy if inside walls, outside walls, around corners

High

DifIicult trans~ssionif wire is broke-no ~ ~ s ~ s s i o n

band wid^ capacity: amount of i n f o ~ a t i o nthat can be~ a n s ~ t t at e dthe same time

Fiberoptic

I

High

(ii) Satellite

Infrared-la se^

1 5

point

to

(i) Point

Difficult Very high

"

(ii) power, High single High frequency Difficult Moderate spectrum(iii) Spread

Diffcult

"

~a~acity 10 Mbps

30 therefore Low, nodes per Moderate longvulnerability segment of cable distance transmission

Up to 10 Mbps; can go toMbps (i.e., 155

2 nodes per segment High, therefore shortHigh 2 connections, distance one at each end of cable, pointto point)

vulner~bility ~ans~ssion

2 nodes per segment, High, therefore shortModerate vulnerability trans~ssion hub)

l Mbps 155 toup or point to (point Mbps

Resistance to trafficon the network. High attenuation meanslow distances, low attenuation means long distances

EM1 (interference): noise gets in or ~ o ~ sniEed ~ out o Up to 2 Gbps (typically 100 Mbps (e.g., Mbps 1-10 between two large buildings) Mbps, 1-10 larger distances

affected

than Less

n

Point to point(2 nodes per segment)

Low, therefore logon distance uph2 km

2 nodes

Depends onatmospheric High conditions (e.g., ~ ~ d e ~ t o ~ )

2 nodes

Depends on vulnerability High atmospheric conditions

Application Depends quality dependent

1Application MbpsDepends

Not vulnerable to sniffing, good for vulnerability

on Vulnerability light

= 0, only by intense light vulnerableto interception.

onVulnerability light

= 0, only

intense lightaffected by purity dependent and quality vulnerable to interception.

1-10 Mbps

1-10 Mbps High

2-43Mbps secure than (i)or (ii) above

he second building block c o~pa s s e the s ability to e S stems. The most well-

g is interoperability. tion on between si ability solution is the In er ability solution is

e t e ~ i n how e much thought was put into the esign of the netwo selected and how?

The first networks were ti~e-sharingnetworks that used~ainframesan uch environments werei~plementedby both

cess sharedresour~essuch as file servers.

is an interconnected groupof systems that coversa single geograp~clocation or S are typicallyused for dataservices an voice. ~xamplesof solutions include: ernet (10, 100,1,000

( S) interconnected L deareanetworks r media), thereby inter~onnectin ~ o g r a ~ h ic a lly ~ is p users. erse~

ation system that interconnects are ty~icallyused for voice, d

S

tions include: elay

e

*

TI,T3

Today, high-speed LANs and switched internetworks are becoming widely us cause they operate at very high speeds and support such h ig h -b ~ d wi voice and videoconferencing. Internetwor~ngevolved as a solution to three key problems:

. Isolated LANs . Duplication of resources . Lack of network management Isolated LANs made electronic c o ~ u n i c a t i o nbetween different offices or impossible. Duplicationof resources meant that the same hardwar supplied toeach office or department, as did a separate support st management meant thatno centralized methodof managing and existed.

Implementing a functional internetwork is no simple t ially in the areas of connectivity, reliability, network area is key in establishing an efficient and effective int Reliable c o m m ~ c a t i o is n the first consideration ious systems is to support c o ~ u n i c a t i o nbetween disparate techno for example, may use different typesof media, or Another essential consideration, reliable se work. Individual users and entire o r g ~ z a t i o ndepen s work resources. ana age ability is the ability to manage andCO see the conditions as they work.F u ~ e r m o r enetwork , ized support and troubleshooting capabilities in anint pe~ormance,and other issues must be adequately a tion smoothly. Flexibility, the final concern, is necessary fo tions and services amongother factors.

Large networks typically are organized as hierarchies. A such advantages asease of management, flexibility,and Thus, the~ t e ~ a t i o n a l ~ r g ~ for z a Standardization tion rninology conventionsfor addressing network entities. tion include end system (ES), intermediate system (IS An ES is a network device that does not perform tions. The typicalES includes such devices as termin An IS is a network device that performs routi The typical IS includes such devices as routers, swi works exist: intradomainIS and interdom~nIS.

454

NETWORKS

An intradomain IS communicates within a single autonomous system. An interdomain IS communicates within and between autonomous systems. An area is a logical group of network segments and their attached devices. Areas are subdivisions of autonomous systems. An AS is a collection of networks under a common administration that share a common routing strategy. Autonomous systems are subdivided into areas, and an AS is sometimes called a domain. Networking is a complex endeavor, and breaking it into digestible pieces is why a layered network model was developed. The OSI model enables the network to be broken down into logical layers (i.e., the seven layers), which ideally specifies and groups the functions that need to be performed at each layer. These functions within each layer are further broken down into tasks. The layered network task model facilitates specialization by the age-old concept of division of labor, and this in turn enhances simplicity and increases standardization, which further helps competition and drives costs down. More importantly, this layered approach facilitates intervendor product interoperability. Now one can determine what products are in use and how much interoperability is taking place.

OSI MODEL OSI (Open Systems Interconnection) is a standard description or reference model for how messages should be transmitted between any two points in a telecommunications network. Its purpose is to guide product implementors so that their products will consistently work with other products. The reference model defines seven layers of functions that take place at each end of a communication. Although OSI is not always strictly adhered to in terms of keeping related functions together in a well-defined layer, many, if not most, products involved in telecommunication make an attempt to describe themselves in relation to the OSI model. It is also valuable as a single reference view of communication that furnishes everyone a common ground for education and discussion. Developed by representatives of major computer and telecommunications companies in 1983, OSI was originally intended to be a detailed specification of interfaces. Instead, the committee decided to establish a common reference model for which others could develop detailed interfaces that in turn could become standards. OSI was officially adopted as an international standard by the ISO. Currently, it is Recommendation X.200 of the ITU-TS. The ITU-T (for Telecommunication Standardization Sector of the International Telecommunications Union) is the primary international body for fostering cooperative standards for telecommunications equipment and systems. It was formerly known as the CCITT. It is located in Geneva, Switzerland. The V Series Recommendations from the ITU-TS are summarized below. They include the most commonly used modem standards and other telephone network standards. Prior to the ITU-T standards, the American Telephone and Telegraph Company and the Bell System offered its own standards (Bell 103 and Bell 212A) at very low transfer rates. Another set of standards, the Microcom Networking Protocol, or MNP Class 1 through Class 10 (there is no Class 8), has gained some currency, but the development of an international set of standards means these will most likely prevail and continue to be extended.

OSI MODEL

455

The V Series Recommendationsfrom the ITU-TS Meaning Provides 1200 bits per second at 600 baud (state changes per second) The first true world standard, it allows 2400 bits per second at 600 baud Provides 4800 and 9600 bits per second at 2400 baud Provides 14,400 bits per second or fallback to 12,000,9600,7200, and 4800 bits per second V.32terbo Provides 19,200 bits per second or fallback to 12,000,9600,7200, and 4800 bits per second; can operate at higher data rates with compression; was not a CCITTDTU standard Provides 28,800 bits per second or fallback to 24,000 and 19,200 bits per v.34 second and backward compatibility with V.32 and V.32bis Provides up to 33,600 bits per second or fallback to 31,200 or V.34 transfer V.34bis rates The trunk interface between a network access device and a packet network v.35 at data rates greater than 19.2 Kbps. V.35 may use the bandwidths of several telephone circuits as a group. There are V.35 Gender Changers and Adapters. Same transfer rate as V.32, V.32bis, and other standards but with better error V.42 correction and therefore more reliable Provides up to 56,000 bits per second downstream (but in practice somewhat V.90 less). Derived from the x2 technology of 3Com (US Robotics) and Rockwell’s K56flex technology. Standard v.22 V.22bis V.32 V.32bis

An industry standard, Integrated Services Digital Network (ISDN) uses digitally encoded methods on phone lines to provide transfer rates up to 128,000 bits per second. Another technology, Digital Subscriber Line, provides even faster transfer rates. The main idea in OSI is that the process of communication between two end points in a telecommunications network can be divided into layers, with each layer adding its own set of specially related functions. Each communicating user or program is at a computer equipped with these seven layers of function. So, in a given message between users, there will be a flow of data through each layer at one end down through the layers in that computer and, at the other end, when the message arrives, another flow of data up through the layers in the receiving computer and ultimately to the end user or program. The actual programming and hardware that furnishes these seven layers of function is usually a combination of the computer operating system, applications (such as the Web browser), TCPIIP or alternative transport and network protocols, and the software and hardware that enable a signal to be put on one of the lines attached to the computer. OSI divides a telecommunications network into seven layers. The layers are in two groups. The upper four layers are used whenever a message passes from or to a user. The lower three layers (up to the network layer) are used when any message passes through the host computer. Messages intended for this computer pass to the upper layers. Messages destined for some other host are not passed up to the upper layers but are forwarded to another host.

7

A~~iic~tion Layer ~resentati~n L

a field of the layer below it. This eonbe split up into multiple s ~ a l l e secr the network, and the destination

sical Layer,which consists of the h ~ d w at echmical level. It ivi

ng and s y n ~ h ro n i~ ~ tio n s ~ s s i o ndistm

V35

The trunk in te~ ace between a network access device and a packet network at data rates greater than 19.2 PS. V35 may use the bandwidths of several telephone circuits as a group.There are V.35 Gender Changers and Adapters.

(ISDN), there are two levels of service d for the home and small enterprise, and the Prim r larger users. Both rates include a numberof arry data, voice, and other services. The D channel carries con64-Kb s B channels and one 16-Kbps D service. The PR1 consists of 2 es or 30 B channels and 1D ch Rate usage in a city like Kingston, New York,is about $125 for phone company installation,~ 3 0 for 0 the ISDN adapter, and extra an $20 a monthfor a line that supports ISDN.

ed Serial Interface (HSSI)is a TEDCE interface developedby Cisco Sy us Networ~ngto address the nd for high-speed c o ~ u n i c a t i o nover I specificationis available to any organ SS1 is now in the anNationalStandard 0.2 cormnittee for formal stand~dizati moved into the ITU-T (formerly the Consultative ~ommitteefor I n t e ~ a t i o ~T~legraph al ne[GCITT])and the IS0 and is expected to dardized by thesebodies. CE inte~aces.It therefore definesboth the electrical and the physical c o ~ e s ~ o nto d sthe Physical Layerof the OS1 reference model. HSSI technical characteristics are summarized below. ~~

*

~ a l ~ e ~ a x i m u msignaling rate

52 &%bps

~ ~ i m cable u m length

50 feet

Number of connector pins

50

Interface

D'IB-DCE

Electrical technology

Differential ECL

Typical power consumption

610 mW

Topology

Point to point

Cable type

Shielded twisted pair wire

rror ~ o d i ~ c a t i o(end n st~tio~s)

in today’s r e ~ l - ~ o r netld a y ~ 1r and ~ 2 com~in~d

low co n tro l~ o n tro ls in fo ~ ation

o

~ in the r networ~ ~ computer to use the

in which multipledata channels are combined into a single data ultiplexing can be imp mented at any of the lexing is the process of separati multiple~eddata ch le of multiplex in^ is when d from ~ u l t i p l eap~lications is er-layer data packet combined into a sin

a ~ultiplexer). es multiple data streams into emultiple~the channels into the use of the andw width of traffic sources. ome meth-

y a calculation thatis

.First, the

source device

+Transpo~.The upper-l This layer sets up, coordinates, and tween the applications at each end. It S tasks associated with establis tation Layer (Layer6) entities. mat~on ~rotocol), which coordinates

This is a layer, usually part of an data from one presentation fo dow with the newly Layer handles tasks associat task items i ~ c l u ~ e : ata representationfo ) ata co~pressio~deco~pression ata encryption and deencry tionco~munication( S

This is the layer at whichc o ~ u n i c er authentication and p ~ v a c yare tified. (Thislayer is not the applica lication Layer functions.) lication Layeris the the ~ e t w o resource r~ ~ ~ e n t i fcommunication yi~~ e t e ~ i n i resou~ces n~ available ynchronizi~~ co~mu~icatio~

S

e 10 Base 7:

10 Base F

30 Base 5

UTI?

10 Mbs

Star

S0 m s

us

S0 Mbs

Bus

10 Base T - E ~ e ~ e Network t

Fibero~tic

50-ohm thin coax

50-hm thin coax

token ring network is computers all a local hconnected are in a ring or star topology and a binary digit- or t the collisionof data between two computers stand~d versio~, specified as a transfer rates of either 4 or

n frames areconti~uous~y circulated on thering, has a message to send, it inserts a token in an empty changing a 0 to a 1 in the tokenbitpart of the frame) ageand a destination identifier in the frame. The frameis then examinedby each successive workstation.If the workstation sees that it is the destinati it copies the message from the frame and changes the token back to0.

terfaces have a p tolerance, and the use of ~beroptics.

de area networktec~ologiesconsist of two ty

t t

stics

serial links,

), etw work Control

eci~cationsinclude:

ee

cells.

103

\

R&D

ala Link l~entifier for er~anentVirtual Circuits(PVC)

e

= Ter~in 1 =Term

I

The basic i n t e ~ ~ t ~devices o r ~ nare: ~

router § ~ ~ c i ~ c a t iare: on§

7

an

S

Y

103 and 10

ress

ort

etric

210,157.64.1

1

10

210.1~7.64.2

2

10

210.157.64.3

3

10

\

Layer 1Layer 2-

tru

owest level ofaccess

o ~ p l e t eac~essto allc o ~ a n d and s c o n ~ ~ u r a tio n

for router buffer pools.

-Shows ~atio~. * ~ o n ~ g u r ~register ~ i o n value: ~on~gur a tio n re~isister

Visible in resultsof 66show version” in privilege^ mode

all selected interfaceinfor-

ayers 3 and 4 sensiti~ity

11. ta

of t

Stop connections thatdo

moment atthe need for ument that details an e up a rew wall without a

The best approachis usuall~a combination of all four.

here are scores of threats on the inte lems that a firewall will attempt to fix:

a few of

the more insidio~sprobort service. There are

iI has often been the hacker’s choice of entry (via its security tion that han~lesall

c o n ~ oal connection ed on the source and ~estinationadused in thatsession, acket-~lter~ r e w(which ~ l is one of one that inspects each ssion d e s to grant or a second destination ad l, but it makes upfor that in t have to do any thin^ special, fined as accepting traffic, the rough. This also means that e port number could pass through the firewall.

the “’state’, and “context” of the user’s request so that when the data are returned via the firewall, it is able to verify whetheror not the data was speci~callyrequested. spection attempts to track open, valid connection without the need to process a rule for each packet.

enerally less expensive

ort user authentication tically hide netwo so on) b, Java, and

n a ~ l t e r environm~nt s (such as time of day accesscontrol

rect connectio~between i n t e ~ and a ~ ~xternal

enerally offers higher levelof secu~ ty reat deal of c u s t o ~ z ~ t i o mands, protocols,or services rect connection betwe d user authentication

an automatically hide network and system addresses from public view ble to providetime of day accesscontrol

enerally more complex

e wants to use through the f ir e ~ a ll bandwidth canbe a tati ion

ore secure thana stan

plication level attack system addresses from

11vendor would make such rc h ~ l e n does ~ e not prove

t have a baseline testing not mean that no~roblemsexist. And would not wantto ~ublicizethe security vulwant the vendor to ship a defective product awards that the firewall vendor has. Even Show9’ award,that does not n e c e s s ~ l y t for an organi~ation,

ecision about thea ~ ~ r o p r i afirewall te is with a security audit.A zation9sinternal security staff,or an external staE, p e ~ o ~ an g

had thep~vilegesto do the need to connect mac what it was originally ~ e a ntot be.

isk or data~asefile

lowing securityproble~s:

es stealing the supe

quires s u p e ~ s e rpri t ~ o ~ ~the ~ netw o u t retaliation.

a s e c ~ r elevel by elixni-

These software and hardware barriers stand etw wee^ the privatei ~ t enetwork ~ ~ l and its connection to the outside worl such as the i n t e ~ e tThe . ~ ~ e w a l l ~ ~ oanv iextra d e s layer of protectio~and regulates andcontrols c o ~ u n i c a t i o n .

ow do users who have an internet connection ensure that tr c between their netd the outside world is secure and controlled? If one can tolerate the restrictions imposed with this typeof connection, use it to reduce the e ronment.

Numerous options are available for c o ~ e c t i n ga personal modem on an existing network. These options include analog, I ous flavors of digital subscriber linesn a robust firewall? Cable modems, for exmple, use a fixed, -allocated address rangekno more about network security resources, such as personalfiles, are availablefor public consumption.

hat about the browser? Hackers spend dispropo~io ucts like terne et Explorer ( ).There are a numbero and malicious Web sites to sh the browser or wor Navigator is safe either. ny problems by steering clearof ,and ActiveX unless absolutely the browser version thats u p p o ~ strong s enc )whenever personali n f o ~ a t i o nis sent.

Leased line networks and remote accesse~uipmenthave been replacedin favor of virtual private networks(VPNs) offering substantialin ~ ra s t~ c tuand r e suppo~in enable secure privatec o ~ u n i c a t i o n simplement , the following: *

Authentication E nc~ p tio n Key management technologies

V ecause these technologies are ‘~battle-hardened~9 not will remainso until the emerging protocols, standards, and products mature. Three critical VPN components are: Security (access control, authentication9and enc~ption) . Traffic management (makingsure that critical applications are delivered reliably and with the highest possiblep e ~ o ~ a n c e ) . Policy-based network management (the ability to manage the entire network from one central console to one easy-to-install turnkey solution).

e

ow does one stay familiar with the latest viruses and fixes as well as other security issues b sites such aswww.ce~.orgor www.NTSecurity.net? The enemy is likely more exlike firewalls that perienced, but little a prevention cango a longway. Often the technology,

ess have not been

process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT conserves also o addresses that a company needs and lets the company use a sing1 is often part of a CO NAT is included as part of a rou ad~nistratorscreate a NAT table that does the global-to-local andlocal dress mapping.NAT can alsobe used in conjunction with policy routi ically defined,or it can be set up to d y n a ~ c a l l translate y from and to a PO allows internal internet addresses or internet protocols to be hi firewall will appear to have been sent from the ~ e w ~external ' s adender invisible to the internet, which makes it d i ~ c u lfor t hackersto track down the network i ~ o ~ a t i and o n addresses required. Statefix1 inspection is the most sophisticated technology availab around this technology interrogate the packets based on source, dest c o ~ u n i c a t i o n port. s Is stateful inspection tec based on source, destination, protocol, oes the design provide both router and urations? The router setup is most c o ~ o for n c o ~ e r c i afirewalls l that receive a packet, compareit to the rules defined, and either permitor deny access to another network. This scenariore qoften u ~ eseveral s network changes including managing static routing tables, and it can makeit an easy targetfor hackers. To address these issues, the firewall was built on top ofa s e c ~ operating e system.

Another signi~cantrequirement is monitori tools is incre~iblyimportant to reactingto a three crucial~uestions: hat is being detected? ow quickly canit be detected? ow often is the detection tool updated? Even with detection, few ~ompanieshave

idea what to do if

has become c o ~ o knowledge n that most do very little, except perhap

curity system. Few companies legally pursue hackers according to in Thus, there have tobe procedures available to react toa breach even if it will not be pursued legally.

The critical security tasks include network protocol analysis and security networ~ and management solutions. These tasks should be followed during all sta es of network development and secu&y from planningand design toimple~entationand ongoing management. They include: per at ion^ tasks oftware distributions Event alerts System monitorsof Total Virus Defense from within the IT env~onment

e they reside on the system witha o ~ n e r of s the a ~ ~ ~ i c a t iand o n susers,

locking distributionof viruses, spam, andother inappropriate message content. E-mail cannow be used tod i s ~ b u t confidential e or inapprop~ateinfo can raise a number of serious legalissue Can di~erentfilters be applied to of people at different timesof the day? ow is the corporate policy implemented and centrally controlledby the company’s IT that the filter is effective and has-

S and digital “sledgehammers.,’ ~ t t e m pto t bypass it withbasicscans,fragmentedpacketscans,and ~ t t e m pto t overwhelmit with les are well designed and d y n ~ port c selecti allis often di~lcult,but solutions i~cludede masks let you define the next se uence o e a

etennine that the connectionto an external network, such as the internet, is secured with an application gateway firewall and that the firewall is properly configured to secure internettrfllc. in a detailed network diagram of the firewall networkCO server, firewall host system, Web server, andso on) with hos etemine that all of the physical andlogical component are managed by the same group and that thecontrol procedures and policies are well documented and updated regularly. eview the firewall network operations andcontrol proce res to ensure that procedures are documented and in place to back up security and confi to properly restore these files after system failures and software tern upgrades. Using the network diagram asa guide, observe the physical connections between the various components noting proper labeling of all physical c o ~ e c t i o nand s that all physical connectio~sare consistent with the diagram. ~vestigateany connections thatlink portions of the firewall network to networks links r not documented in the network diagram. etemine that the firewall has only two network inte~aces:the li nal network andthe link to theinternal network.

password controls-autho~~ations for viewandassess the use of groupstoassignserviceaccesscapabilitiesto users. F o r generic proxy programs that may be in use, review the source and destinationrest~ctionsto ensure that they areCO strict this traffic. Assess the need and implementation of such as router filters. For each proxy,d e t e ~ n that e adequ and that logs are reviewed ontime1 a e t e ~ n that e audit alerts have been ade~uately a real-time basis of security events that require traps, e-mail messages, pagers, and and assess theappropriateness of s ~ a to r with s accessto viewand modify the firewall configuration. wall products supportthis) and investig to ensure they area u t h o ~ ~ changes. ed ore detailedi n ~ o ~ a t i on o na t t, refer to the section twork ~ecurity’,in Chapter6. te the subsections “Technic anaging ~ e t w owith r~ I

n f o ~ a t i o nquickly ained on theirlocal

c ~ o data ~ cinterchange(€331) sig~fi~antly in the past five replace paper~ansactions with routine business ~ n c tio nmay s ystem is not operating.

orks, and ~crocomput-

no longer the domain business assets rests

ecause today's~utomatedinforin momentsof a d i s ~ ~ t i in o nsys-

pecifically, the plan should responsibilities, the distribufeasi~ility,plan testing, recovency i n f o ~ a t i o nthat may cific statements regarding eachof these lete enough to~ n i ~ z e 'S

overy plan, the direct support bility for disaster recovery ulsponsi~ilityfor the assets e resources are available recovery planning tobe ining its c o ~ i t m e n to t

ader d i s ~ i b ~ t i oofn r the sole provider no longer isolated in the controlled environ-

sources affected. It is possi worst-case s c e n ~ o sThis .

covery p l ~ n e r ssh o u l ~solici to resources and assi~nrnent with r n ~ a ~ e r ntoe c~ot ~ r n u n ~ c ~ t

plan, availa~i~ity of approp~ate

w e ~ e s s e in. s the e~istin

~ ~ nthe~ o ~~ ~r ~ sn i z~ ~ t inoto~se ~ its i~n f o ~la t i o ~n t e c ~ n o l o ~ yc ~ ~ s e s s i ~ n ~ c s ~ ~ i c ~ s . loss of ~ s s ~ ~ ~ i ~ l h it might be perceived as such. Thus,there are classificationsof exposu~e: ~~~

ant i n t e ~ p t i o ndepending , on its duration and a1 of the o~ganization. ing a disasterinclude the degree of dependency placedon

er canp e ~ required o ~ recovery tasks. uld be as co~prehensiveas possible and should d o c u ~ e npreestablished t ions in a crisis atmosphere. The plan should also provide

e ~ p h a s i the ~ e actions intended to protect the organizase who would take ad-

sic ~ t e ~ ~that, ~ ifo not n asd ~ e s s e d e ~ c i e n t ~ y , ntial causesof business ~ t e ~ p t i oinclude: ns

Fraud

Te~oristactions

Theft 00

e t e ~ n i the ~ gpotentia~impact of a disaster is to i~entifythe esat need p ro t~ ctio ~ne . way to do this is to p e ~ ano impact ~ study. Some

498

DISASTER RECOVERY PLANNING

essential assets (e.g., facilities, hardware, and software) might be tangible and easily identified and their value easily calculated. However, the value of data is more difficult to assess because it depends on its relative value to management. The following categories should be considered when developing an inventory of essential assets requiring protection: Facilities Data Software Personnel Data processing hardware Communications circuits Communications hardware These assets are susceptible to any of the threats listed as probable causes of business interruptions. Management is responsible for recognizing the probable causes of business interruptions and, to the extent possible, taking steps necessary to protect critical information technology operations. Auditors should assess the risk of exposure and the adequacy of precautionary steps to prevent or minimize the effects of disaster. It can be expensive to develop and maintain a DRP. Designing a DRP is a labor-intensive task and can take a year or more to complete.

BUILDING A CASE FOR DISASTER RECOVERY Audit has an opportunity to communicate the need for a DRP program to senior management. Audit must emphasize the risks of not being ready and able to recover and continue the firm’s critical business functions, not complying with regulatory requirements, not meeting contractual obligations and service level agreements, and not providing an adequate level of awareness within the organization. Audit may also be well positioned to compile information throughout the organization on risks and potential threats to facilities and business processes because of their close examination of these areas during other scheduled audits. Furthermore, audit can often compile and share DRP benchmarking data and leading-practices information across business units and locations. Audit could also obtain information on DRP plans, strategies, and practices from similar organizations or other firms within an industry grouping, which can assist in a company’s DRP efforts.

BUSINESS IMPACT ANALYSIS The business impact analysis (BIA) is the foundation of effective disaster recovery planning. It must originate from the individual business areas and should highlight business strategy as well as inherent risks and critical threats to achieving business goals. As such, it will represent the business area’s risk assessment of its financial, operational, competitive, and systems environments. The more defined the BIA is, the easier it will be to justify the expense of the disaster recovery program to senior management. Audit should help make this process less subjective and more quantifiable through the use of appropriate measurement tools and risk assessment techniques. Remember, this is what audit does regularly. This is an area of expertise.

KEY COMPONENTS OF A SUCCESSFUL DISASTER RECOVERY PLAN

499

Audit’s most significant contribution to the BIA process is one of validation. At a minimum, they should review and validate the following components: Business process inventories Business process owners Resource listings, including systems inventories Business impact information (financial and nonfinancial) Critical time periods Interdependencies Recovery time frame objectives Recovery resource requirements Obtaining audit’s evaluation and validation of the preceding items will enhance the DRP’s framework and serve to strengthen its effectiveness not only for the eyes of management but also in the event of a disruption.

STRATEGY SELECTION Disaster recovery strategies range from providing fully functional alternate sites to “quick ship” programs, which may be internally or externally provided. Based on the BIA, a suitable strategy should be selected to provide the organization with the necessary recovery resources within its predetermined recovery time objectives (RTOs). Audit should review the strategy to ensure that it is in line with the overall business process and fits the organization’s bigger picture. Audit can also perform independent reviews of vendor contracts and agreements as well as liaise with procurement and legal departments during this process. The key is to ensure that the selected recovery strategies and all assumptions surrounding those strategies have been adequately and independently reviewed. These assumptions may include: Assuming that the alternate facility will be available at crisis time. Assuming that the alternate facility is a certain distance away and unlikely to be affected. Assuming that key personnel will be available to facilitate recovery. Assuming that identified vendors and alternates will be available to provide products and services. Audit should work with the disaster recovery planner to ensure that there are no “surprise” audit findings after the DRP program is implemented. It is far more efficient and effective to build audit requirements into the DRP process during development than to retrofit a DRP program with audit-required controls.

PLAN PREPARATION Since individual business managers are ultimately responsible for the successful execution of the plan in the event of disruption, they should assume ownership of the plan. They should provide the time and resources to clearly document the detailed recovery procedures necessary to resume and continue critical business activities.

plans have never really been te

excuse withor~anizations a s ~ ~ p ~ i e r a ~for r e re ~ e n t

The ~ e t h o d o l o ~describ y to prove the accuracy and is to keep pace with chan

testing is to verifythe validity and functionality of the recovery procedures components are combined,If you are able to testall modules, even if you e ~ o r ma h11 test, then you can be confident that the business will survive a when aseries of co~ponentsare combined without inles of m~ d u letests are: lternate site activatio~

~pplicationrecovery un production processing

The full test verifies that each component within every ~ o d u l is e workable and satisfies the irements detailed in the recovery plan. The test also verifies the modules to ensure that progression from one moduleto mout problems orloss of data. objectives associated with full a test: ed time to establish that the production env~onmentmeets

the recovery plan to ensure a smooth flow from module to To achieve the first objective, a computer system of the similar capacity and speed must be available for the ~stimatedtime frame as stipulated in the This plan.is not critical to achieve second objective.

ned ~ o u n ad worst-case scenario for equipment since this will e ~ a ~ i n while e d catering to all possible disastrous si~ations. around best-case scenario for stafing to ensure that all p ~ i c i p a n t are s involved and to understand and resolve each issue in the processof buildsonnel should note any weaknesses or oppo~unitiesto improve the ce confident that the recovery plan is effective, other scenarios for that the procedures are complete and can when every requirement associated with nent has been doc~mentedand verified can the recovery be plan said tobe comaspects of the test are properlye x a ~ n e d st, some considerations will be necessary that perhaps wouldbenot r example, a testmay require agreement with~usinessunits to prection, or require thatall change controlbe frozen for a period, or

place. The role of the observer is to give an unbiased view and to comment on areas of success or concernto assist infuture testing.

There will need to be some assumptions made. This allows a test to achieve the results withbound by other elements of the recovery plan that may not have been verified yet. ons allow prerequisitesof a particular componen~moduleto be established out-

All technical inforrnation documented the in plan, including appendices,is complete and accurate. 11purchases (equipmen~furni~re, etc.) can be madein the time frame required. es and other equipment recalled from off-site are valid and usable.

efore any test is a~empted,it must be verified that the recovery plan is fully documented m all sections, includin~all appendices and attachrnents referencedto each process. Each ~ i c i p a t i nteams ~ in a test must be aware of how their role relates to other teams, when and how they are expectedto perform their tasks, and what tools are permissible. It is the responsibility of each team leader to keep a logof the proceedings for further irnprovement and top r e p ~ better e for future tests.

o matter whetherit is a hypothetic^, component, module,or full test, a briefing session r the teamsis necessary. The boundaries of the test are explained, and theo p p o ~ n i t yto discuss any technical u n c e ~ ~ n t i eprovided. s, ~e pe nd in gon the complexity of the test, additional briefing sessions may be required, one to outline the general boundaries, another to discuss any technical queries, nd perhaps one to brief senior ana ent on the test’s objectives. The size of the exrcise and number o determine the time between the briefing session(s) and the test. me period must provide suf~cientopportunity for person~elto prepare a~equately,p ~ i c u l a r l ythe technical staff. It is recom~endedthat the final briefing be held no more than two days prior to a test date to ensure that all activities are fresh in the minds of the p~ticipantsand the test is not impacted throu~hmiss or tardiness. da would be: Team objectives enario of the disaster Location of each team e s ~ c t i o non s specific teams Assumptions of the test rerequisites for each team

S

Can you restore each subsystem and are they documented in the plan? o you h o w what time and day you have to recover to? Start of current day (SOD)? nd of previous day? idd day? Is this in the plan? your recovery procedures reflect the correct backup tapes tobe used? (For exam,if recovering to SOD, the backup tapes will probably have the previous day’s

o you h o w the recovery point (e.g., OD or end of day [EOD] checkpoint recovery?) Is this documente~in the plan? Can you recover the databases to the SOD?

uestions to ask about the plan include: you ~ o ~ ard -reco vthe er databasesto the point of €ailwe?Is this documented in

*

o you b o w how to verify the i ~ t e ~ iand t y currency of the databases? ho is to perfom this task andis it documented in the plan? oes this person needto f o ~ a l l y a u t h o this ~ z e fact? Can you IPL the system andis it fully documentedin the plan? Are theseproce~uresaccurate; thatis, can your manager use them to load the system? Are thereany processes thatare not included inthe recovery plan?If not, why not? as yourvendor/supplier/mai~t~ner checked and verifiedall procedures? o you have documented and verified procedures to: * Initialize disk drives * Restore system (reload) eboot from stand-alone backup * Performrestarts estore other libraries Initialize catalogues

*

~pplicationrestore Databaserestore et unit addresses Perfom restarts

uestions to ask about the cold site include: oes everyoneh o w the locationof the recovery site? ave all those who will be located there visited the site? ave you checkedthe access to andfrom the location?

Is the equipment st

oes the site have a security system and do you h o w how to p r o g r ~ u s eit? Are all the cables, phones, ower, telex, and modems of the a u a n ~ t yto meet recovery needs? ave you verified as functional, the air conditioners,li cient floor and office space to meet your needs? ave you checked the access for en and exit of equipment and s t a ~ ? o you have a d i a g r showing ~ th tworkhystem c o n ~ g ~ r a ~ and o nflo o you h o w the e ency ~vacuationprocedures of the sit hting equipment meet the required s t ~ d ~ dand s , hasit

Is all this documented in asite manual? o you have a copy of the site manual in your possession? oes the site satisfy all your recoveryco~unications/netwo S anyone else situate If so, are they totally isolated from your equiprnen moves, security risk, physic Is a method inplace to che Are all critical consumable (special forms) located in con~olledcon multiple locations?

uestions to ask aboutt h i r d - ~ hot ~ y site checks include: hat peripher~equipment do you require to meet your disaster needs as stated in recovery plan? hat system si~e/capacity o you re~uireto run in disaster Is the hot site equipment (e.g., system, peripherals, corn

oes the site have tape library facilities? o you regularly reviewthe site to checkall these items?

tion under recovery mode?

~uestionsto ask about warrn/hot site checks include:

Do you have aDRP machine at this location? Is the system a development or second production machine? P system and all its re~uirementsto be Is the system large enough to allow the loaded (e.g., CPWdislc capacity, tape/cart drives, speed to meet user satisfaction)? Do you h o w which ~ les~ ib raries you need to remove from the vide sufficient space? Do you wish to keepthe data on theDRP machine and restoreit after a testor actual disaster? If not, do you have a plan to clear or prepare this system for both testing purposes and the actual disaster? Do you have procedures to perform this clearing function (backupdelete)? and Do you havecleanup procedures for the DRP machineat the completionof the test to enable return to normal processing?

While testing is in itself beneficial, an effective recovery plan canbeonly achieved by constructive analysisof each test andthe test’s results through a postmortem. Thisalso maintains the momentum gained from the test, whichis critical to the process of buildin able plan. any staffs see disaster recovery as an additional workload; however, with time con~tructiveand regular involvement, staffs develop a greater commitment.

If the company has a dedicated D team or coordinator assigned p e ~ a n e n tlythen , this team or coordinator would havethe responsibility of conducting theb r ie ~ n gand debriefing sessions. If not, the responsibilitylies with the command team leader. The format is to discuss the results and~ n d in g of s the test with view a to improving the recovery planfor future exercises. From these discussions, a set of objectives is developed for later inclusion in the report. An agenda could be:

e

Overall performance Team pe~ormance ~s ~rv atio n s Areas of concern Next test (type and time)

test, The Each team leader has the responsibility of maintaining alog of events during each i n f o ~ a t i o ngat here^ from these logs, in addition to the postmortem reportby the test man-

eas of i ~ ~ r o v e ~are e nnt en a realisticco~pletion

o test is cons id ere^ a failure, as any infor~ation enefit, evenif the o~Jectives

an i ~ e d i a tupdate to the

controls.

As mentioned before, audit should be an ally in the disaster recovery process. the case, a reevaluation and rede~nitionof roles mightbe in order. Audit shouldbe the independent group to monitor and report the progress and effectiveness of the disaster recovery program. They should also confirm that senior management is receiving the right message and not a false sense of security when it comes to disaster recovery readiness. The following statements shouldbe considered “warning signs” that may indicate afalse sense of security among anorgani~ation’s manag~ment: have a disaster recovery plan for te~hnology.~’ conduct annual plantests at our vendor facility.” software package,” Tf I am affectedby disaster, so are my competitor^.^^ Statementssuchastheseindicatethatthecompany’sprogram maynotbecomprehensive. Audit should recognize these symptoms r and e c o ~ e n solutions d for b ~ n g in gthe DRP pro~ramto the appropriate level. Audit should work with disaster recovery planners and business managers to identify synergies with other ente~rise-wideactivities, such as corporate standards, self-assessment compliance p r o g r ~ s , a w ~ e ~ e s s DRP p r oex~r~s, pense reporting, plan development, and the development andofuse monitoring tools. Audit may often feel like 6‘referees9’ in a largec o ~ o r a t eeffort. They are r e ~ ~ l a r l y asked to “enforce the rules’’ of a well-con~olledand operated environment. ery planningis clearly one area in which audit can shed the “striped shirts,” pany9s“team colors,” and participate and add value to the critically import

embers of disaster recovery teams and senior managers should receiveofathecopy comsider providing copies of the plan to external groups at may help with disaster prevention and recovery. ed a prop~etarydocument, and they should not be distri~uted indisc~~nately, either i n t e ~ a ~or ly As describedin the previoussection,thehouldnot be dependenton the participation of any individual or team, A disaster could result in the unavailability, injury,or death of key recovery team members.It is also possible that essential membersof the recovery team may findthe recovery process o v e ~ h e l ~ and n g resign from their positions. Therefore, to help prevent chaos following a disaster, the S should contain enough detail to allow available staff to begin implementing the recovery process as quickly as possible f o l l o w i ~a ~disaster.A complete, up-to-dateset of plans should alsobe maintained in an accessible off-site location ensure to accessibility when needed.

saster Recovery Strategies

iate

site, notification req u ~ edbefore occupying the site, length of stay p e ~ i t t e d testing , procedures, assistance available from the backup site, and adequacy of office space.

adequately describe operations and procedures presently in use at nter, plus any unique procedures developedfor use at the internal backupsite? ati ion allowsstaffmembers ( thanthosemostfamiliarwith the tasks)to esume critical processing. The shoulddefine critical data, documentation, and supplies that are be to stored at the i n t e backup ~ ~ site. It should alsoinclude notificaand how to move personnel, equipment, and supplies to the alterId address the adequacy of the computer room layouts, building

o the periodic testsof the DRP fulfill audit objectives by: e t ~ r ~ n i the n g adequacyof the off-site storage facilities and existing recovery procedures?I n ~ o ~ a t i will o n be obtained concerning availability of off-site files andthe documentation necessaryfor efficient recovery. * Identifying deficiencies in recovery capabilities and related internal controls? Plan testing will also help assess manageme~t’scommand of the situation and its ability to adapt to unusual situations. Identifying and evaluating thecost and effectiveness of continuing operations at an alternate site? Audit should compare the criticality of the controls being tested with the strength of the test results. If they are equal (i.e.,there if is high criticality and a high level of compliance), then the disaster recovery procedures should be considered adequate. Differences between compliance and criticality may suggest that resources associated with the control are being overused or underused

P adequately identifycritical files necessary for operation and e E cient recovery? It is important to verify that adequate procedures exist for backup, documentation, and storageof critical files.

Is the DRP designed to protect and recover d all levels within the organizaS shouldalsoprovidepolicies additiontoaddressingmainframe-based data users for and proceduresfor protecting and recovering programs data and developed by end use on personal computers.

.Does the organization maintain adequate insurance coverage to ensure restoration following a disaster? The orga~zation’sinsurance should also protect a ~ ~ nbusiness st losses resulting fromthe inadequate performanceof a third-party vendor.

~ d e ~ ~ ~ c aoft critical i o n data?

sults p e r f o ~ e dand a conclusion d r a ~ n ?

stat~mentof objectives andassu~ptions? of indivi ifferent levelsof d is ~ p tio nsuch as disaster, loss components,andtemp loss of r e s o ~ r c e ~ ? ~ e s c ~ b e s c efor n each ~ o s po a ~ ~ lofe potential s disasters include: ~ n t ~ ~ poftc io ~o m~ ~ n i c a t i o n ~

e what a disaster is, who may declare one, d bow to i ~ ~ l e ~ ~ n t

*

define proceduresfor each recoveryarea identified as a resultof the cess? For example: ~pplicationsystem recovery Teleco~unicationssystem recovery Systemssoftwarerecovery describe alternate operating and processing proceduresof electronic oes the DRP also describe maintaining communications with the value-added net-

Is there ana u ~ o r i ~ list e d for u~datingthe How fre~uentlyis it reviewed or revised? o is responsible for updating the plan to reflect changes in nel, software, and telecommunications? enefits of a hot versus a coldsite processing facility? Does the DEW require storage of at least one complete, current copy of the plan at a secure and accessible off-site location? oes the D W identify the test team and the procedures the team should follow in o c ~ m e n t i nthe ~ physical testingof the plan? specify proceduresfor conducting regularly schedule ocumentin~those results? oes the recovery team include key representatives from the following business

. Data processing management . Data a d ~ n i s ~ a t i o n e. User d e p ~ m e n t s . Telecommunications (voice and data) . Facilitiesmanagement Computer operations . Systems and applications p r o g r a ~ i n ~ Personnel, security, audit, and vendor representatives e senior managers officially assigned the respon$ibilityfor initiating disaster recovery procedures? Does the DRP provide for assigned alte ~ a tefor s each p e ~ a n e nteam t member? the alternate team members know of this assi~nment?Do they know their job responsibilities? ses and telephone numbers of the team members, users, ar procedurefor notifying vendors and alte~ate-siteconning recovery team membersfulfill to their assigned roles? . Does the DRP address the defini~ionof team members functions at the task level?

si~ilitie§ would include:

nerd c o ~ ~ ~ n~rocedure§ ity desi~ned to notifythe entire workforce, by in the eventof a seriou§ disaster?

Are management personnel able to run the computer center in the event that nonmanagement personnel are unavailable? S a personal skills inventory been conducted to identify special employee skills at could be used during anemer~ency? Is access to the data library restricted to designatedl i b r ~ a ~even s , during disaster periods? as a recovery team beenassi~nedso that they can begin work immediately in the event of a disaster? Is user management heavily involved in computer disaster recoveryp l ~ n i n g ? Are computer personnel in key positions of authority bonded? as the staff been trainedfire inalarm, bomb threat, and other emergency procedures? Has the staff been adequately instructed in what to do when an emergency alarm sounds? e computer center personnel been trained to protect con~dentialdata during pes of disaster recovery? Do all security procedures remain in effect during a disaster recovery period? Are disaster recovery responsibilities includedthe in appropriate job desc~ptions? Are new or transferred employees immediately trained in disaster recovery procedures and assigned appropriate responsibilities? of forms av~lableat a second site? Is there a complete listing of allsupplies and copies all been reviewed by senior management and approve by all responsible managers? If extracopies of the disasterrecovery plan are maintained, are they regularly updated? In the eventof a disaster, havesuEkient funds been allocatedfor transpo~ation,operating expenses,emer~encysupplies, andso on?

The following questions must be answere by member§ of mana~ementwho own a vital business process: ave you ensured that the vital business process can fulfill its mission inthe event of a disaster? (C) All processesevaluated (A)Targetdate (AE) Target date ave you prepared disaster recovery plans that include vital business process recovery requ~ementsas well as service c o ~ ~ i ~requ~ements e n t from sL~p~liers of service? isaster recovery plans prepared (A)Targetdate (AE) Target date

ave you planned conducted a review of the disaster recovery plan in the past vin any de~cienciesdiscovered during the review? eviewed within thepast year (A) et date (AE) T ~ g edate t as a disaster re cove^ test been conducted withinthe last two years, resolvingany prob~emsor exposure iscovered d u ri n ~the test? sted withinthe past two years (A)Targetdate facility (i.e., local area networ~s, rting the vital business process, have you answered the Supupplier of service sectiona~plicable/notapplicable (A) Targetdate (AE) Target date ction plan in progress, Ai3"ction plan ending date,

The following questions must be answered by members of management who are suppliers of services essential to the recovery of the vital business process (i.e., information systems services, site services, site security) and who must negotiate service level a~reementswith owners of vital business processes defining servicesc o ~ t t e in d the period followinga disaster untiln o ~ aoperations l are restored. ave you negotiated service level agree~entswith ownersof vital business processes ho are on your service/system?

(C)

are disaster recovery plans covering their service commitments and protect it oE-site. ou havea disaster recovery plan for your servicelsystem that will recover the vital business processes as c o ~ i t t e in d the service level agreement? (6)

S your disaster recovery plan for y upd~tedwithin thelast twelve mo

In a ~ ~ i t i to o nthe effort in

(C>

(A) Targetdate

e C10 when testing is not in compliance

(A) Targetdate (AE) Target date See E x ~ i ~8.1 i t for a sample disaster recovery plan.

U

$

c

.i

b E

E Y

Access, 129, 144, 145, 146 Access control, 191 Access control lists (ACL), 188 ACL entries, 360 ACL notation, 358 ACL patterns, 362 ACCs and file~ ~ s s i o n357 s, file mode permissions, 358 long form of ACES, 361 operator form of ACL, 359 short form of ACL's, 360 ACL Functionality c o ~ ~andd programs, s 363 network environment, 365 Unix core programs, 364 ACL, (see Access control lists) Account policy, 202 Accountability, 24 Admi~strative domains, 382 Adopt authority, 109, 147 Airducts, 78 Application development tools, 89 Application layer, 462 Architecture, 83 Assumptions, 14, 16 Attacks, 374 Attacks and defenses, 224 Attention program, 136 Audit, 479 Audit approach, 73 Audit checklist, 73, Audit policy, 204 Audit tests,49,57, 153 Auditing, 398,512 administering, 413 audit record,400,403,408 auditing tasks, 406

diskless enviro~ent, 414 enable auditing, 342 event types, 399,410 key concerns, 386 mounting and unmountinga file system, 416 select users, 409 system calls, 410 system parameters, 404 turn on or off, 408 Authority holders, 148 Authority parameter, 89 Authori~ation lists, 108, 146 Automatic c o ~ g ~ a t i o136 n, Automatic sprinkler system, 66 Auxiliary storage pools, 96 Backup and recovery, 96, 152 Behaviors, norms & values, 5, 14 rowser, 484 Build a case for disaster recovery, 498 Business continuity, 130 Business impact analysis, 498 Carbon dioxide, 65 CHACL commands, 367 Change model,6,7 Checklist, 5 15 Checksum protection, 97 Classification, 70 C o ~ ~ e 5, n 11 t , Compliance,5 Computer room, 13 1 Con~g~ation, 485 Conflict awareness, 33 Conflict resolution,32,33 ~onnection-oriented, 146 Connectionless, 461

ontrol re~~rements, 53,452 ontrolled access areas,44 onv version plan, 341

us tom er satisfaction, 1, 14

evice sessions, 135 isabling and deleting user accounts, 216 isaster ~re~aredness, 496 isaster recovery, 498 iscretionary access control, 70, 183,373 accountabi~ty, 374 least Privilege, 374 objects, 374 subjects, 373

is~osingof media, 56,73 ocumentation questions,5 15 omain objects, 133 o m ~ nand s trusts, 222 ropped ceilings, 77 ust, 67 y n ~culture, c 1,2,4,6,8, 10 ynamic cultureat~ibutes,10 ynamic culture self-assessment, 11 - c o ~ e r c e494 , lectrical noise, 60 lectronic data interchange, 494 End-user c o ~ ~ u t i493 n~, Environmental controls, 59 Ethernet, 463

File system consistency, 345 File system export, 385 Filters, 477 Fire, 65 Firewall, 474,476 Focus inward,4 FTTP, 470 Function keys, 56 Gateways, 478 General controls, 127,131 Glass walls, 78 Glossary of Unix terms, 419 Ground rules, 36 Group profiles,108 Guidelines: adding a group, 355,356 network security breaches, 385 t, overallrisk m~ a ~ e me n373 user account, 353,354,355 Hardware, 82 High-risk utilities, 149 Home directories, 2 18 Hub, 474 Human resources, 19,22,23,25 Hu~difier,65 ~ - s u ~ ~ profiles, l i e d 141 Info~ationsecurity, 1,2 ~nstaIlin~ the system, 341 Integration, 85 Interfaces, 464,465 International0rga~zationfor (Em),453 Internet operating system, 472 Internet threats, 475 Internetwor~ng,448,453,468 Intro~uction,8 1 I S 0 (see International0rgani~ationfor §tandardi~ation) Issue ~oordinator,34 Job descriptions, 147 Job time-out, 139

buted Data Interface) ile security, 368,369, 372

Key subsystems, 350 Key switches, 56

LAN (see Local access network) Leading, 5, 16, 18 Libraries, 94 Library, 140 Lighting, 62 Link-level access, 382 Local access network (LAN), 452 Logon process, 184 Logon scripts, 218 Management c o ~ t m e nand t funding, 494 Manager~leaderroles, 2,5, 15, 17,24,25,31 ~anaging,5,16 M ~ a g i n ggroups, 209 M ~ a g i n gnetwork with /etc/hosts table, 389 Mana~inguser accounts, 212 Ma~ke~lace, 14 Modem, 63,484 Name servers, 389 Narning nomenclature, 94 NAT (see Network Address Translation) Network Address Translation (NAT), 485 Network file systemenviron~ent: client ~lnerability,38 l files mounted in networke n v ~ o ~ e n38t ,1 s~eguarding,382 server vulnerabi~ty,38 1 Network Layer, 458 Network transfer protocols, 224 Network topologies, 463 Networks, 493 Number of device sessions, 135 Object and security, 185 Object ownership, 148 Object-based operating system,88 Operating system, 369,373 Open SystemsInter-co~ection(OSI), 454,456, 458,459,461,462 Orga~zationalstructure, 128 Password security, 346 encryption, 347 file security, 370 m ~ i p u l a ~ npassword g files, 349 password aging, 354 protection, 380 pseudo accounts, 348 responsibilities, 346 Passwords, 133 Pdfs (see Product Description Files)

People, 69 Performance, 485 Per~ssions,186,200 Physical access controls, 42 Physical layer, 456 Physical protection of storage media,53 Physical security, 41 Physical security Plan, 43 Physically securing company's installatio~,42 Plan preparation, 499 Planning, 198 Policy planning, 202 Portable storage media,58 Positive resolution, 34 Power supply, 62 Power, 59 Presentatioll layer, 462 Preventing theft, 77 Process improvement, 4 Product Description Files (pdfs),344,346 Productivity, 15 Profiles, 141, 144 Program development, 129 Program m~ntenance,129 Protecting backups, 54 Protecting data,'79 Raised floors, 77 RAID (see R e d u n d ~ array t of independent disks) Recog~zingtraits, 8,26 Recovery team, 496 Eedundant array of independent disks (RAID), 97 Reengineered processes, 4 Remote file access(RFA),380 Remote sign-on controls, 135 Residual info~ation,55 RFA (see Remote file access) Risk analysis and acceptance, 47 RisWexposure, 53,70 Risk management, 373 Root, 349 Routers, 473 SAM (see System Ad~nistrationManager) S ~ t i z i n g55 , Secure (trusted) system, 341 Secure systemmainten~ce,344,377 Secured area access,50 Secured area deter~nation,50 Secured area inspection,51

ystem shut down, 417 ystem utili~es,91

Users and ~ r o ~36~ s ,